How to obtain certificates from a third-party for Splunk Web
Transport layer security (TLS) certificates that come from third parties are the most secure way to protect communications that involve Splunk Web from potential security breaches. There are a number of options available to obtain a valid TLS certificate from a third-party certificate authority (CA) for use with Splunk Web.
Option | Description | Advantages | Caveats |
---|---|---|---|
Get a certificate from a CA | You can request and download a certificate that a CA signs and prepares for you. | Fastest, simplest, most secure way to secure your Splunk platform infrastructure | Almost always involves a cost; CAs might attempt to bundle additional, unnecessary services |
Create a certificate signing request (CSR) to send to a CA | You generate the certificate signing request, and the CA signs the certificate with that request and returns the signed certificate. | Free, or lower cost than buying a certificate from a CA directly | Requires technical skill and experience using command line tools |
If you already have third-party certificates for Splunk Web
If you already have the third-party certificates, proceed to the Next Steps section of this topic for a link to certificate installation and configuration instructions.
If you need third-party certificates for inter-Splunk communication
If you need third-party certificates for use with securing inter-Splunk communications, the process is similar, but slightly different. See How to obtain certificates from a third-party for inter-Splunk communication for an explanation and the procedure.
Prerequisites for obtaining certificates for Splunk Web
Before you can get certificates from a third party, you must have the following:
- A decision on the method you want to use to get the third-party certificates.
- Administrative access to the Splunk Enterprise instance on which you want to generate the files that you need to acquire the third-party certificates.
- An internet connection to upload files to the CA and download the certificates from the CA. It is not necessary that the Splunk Enterprise instance has direct internet access.
- Access to a shell prompt, command line, or Terminal window. You can only create certificate signing requests from the command line.
Steps to obtain a third-party certificate for Splunk Web
The process you use to get certificates from a third party depends on how you want to get the certificates, as described earlier in this topic.
Get certificates from a CA
This is the fastest option for obtaining third-party certificates, but almost always involves a cost, depending on the kind of certificate you need. Many certificate authorities let you purchase and download the certificate immediately.
- Visit the certificate authority where you want to get the certificate.
- Provide information about the domains that the certificate is to protect.
- Pay for the certificate.
- Download the certificate when it is available.
- Proceed to the Next Steps section in this topic for a link to instructions on how to install and configure the certificate.
Create a certificate signing request to send to a CA
You can create a CSR and send it to a CA to acquire a third-party certificate. The CSR is generated from the private key that you create in the procedure that follows. The CA takes the CSR, generates your certificate, and signs it. Some CAs do not charge for this, but might limit the kinds of certificates they issue for free.
In general, submitting a CSR involves visiting the certificate authority website, filling out a form, possibly paying a fee, then sending or uploading the CSR file. Because each CA has their own process for accepting this information, there is no specific process for providing the necessary information to get a TLS certificate.
All of the certificates that you download must be in privacy-enhanced mail (PEM) format. If your certificate authority does not provide you with certificates in this format, you must convert them to PEM using the OpenSSL binary that comes with the Splunk platform installation. The program must be able to read the existing file format and write to PEM format. Consult the OpenSSL documentation for more information about converting certificate file formats.
- Open a command line interface, for example, a shell prompt, or a Terminal or PowerShell window.
- Connect to the Splunk platform instance where you want to generate the CSR.
- Create a new directory within the Splunk platform instance installation for the certificates.
*nix command: mkdir $SPLUNK_HOME/etc/auth/mycerts
Windows command: mkdir %SPLUNK_HOME%\etc\auth\mycerts
- Create a private key for your certificates. The following example uses Advanced Encryption Standard (AES) encryption and a 2048-bit key length.
*nix command: $SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out mySplunkWebPrivateKey.key 2048
Windows command: %SPLUNK_HOME%\bin\splunk cmd openssl genrsa -aes256 -out mySplunkWebPrivateKey.key 2048
- When the OpenSSL command prompts for a password, type in one. The OpenSSL command then creates the file mySplunkWebPrivateKey.key.
- (Optional) Remove the password from the private key.
*nix command: $SPLUNK_HOME/bin/splunk cmd openssl rsa -in mySplunkWebPrivateKey.key -out mySplunkWebPrivateKey.key
Windows command: %SPLUNK_HOME%\bin\splunk cmd openssl rsa -in mySplunkWebPrivateKey.key -out mySplunkWebPrivateKey.key
- (Optional) If you removed the password from the private key, confirm that the password was successfully removed:
# openssl rsa -in mySplunkWebPrivateKey.key -text
If the password was successfully removed, the command prints the private key contents without asking for a password.
There is no requirement to remove the password from the private key. However, if you choose not to remove the password, you must configure the password in the web.conf configuration file when you configure Splunk Web to use certificates. If you don't, then Splunk Web can't read the private key for the certificate.
- Use the private key mySplunkWebPrivateKey.key to generate a CSR for your certificate:
*nix command: $SPLUNK_HOME/bin/splunk cmd openssl req -new -key mySplunkWebPrivateKey.key -out mySplunkWebCertificate.csr
Windows command: %SPLUNK_HOME%\bin\splunk cmd openssl req -new -key mySplunkWebPrivateKey.key -out mySplunkWebCertificate.csr
- When prompted, type in the password you created for your private key mySplunkWebPrivateKey.key.
- The OpenSSL program asks for several different fields. At a minimum, provide values for the following:
- Country Name
- State or Province Name (full name)
- Locality Name (eg, city)
- Organization Name (eg, company)
- Organizational Unit Name (eg, section)
- Common Name (e.g. server FQDN or YOUR name)
- Email Address
If you want to specify a wildcard certificate, when the program asks for the Common Name, prepend *. to the top-level domain name that you want the certificate to protect as the response. For example, if your top-level domain name is mycompany.com, enter *.mycompany.com. The certificate protects any machine within that domain level, but not machines on a different subdomain level. For example, it protects splunkserver1.mycompany.com or splunkserver2.mycompany.com. It does not protect splunkserver1.eng.mycompany.com; you need a certificate with a Common Name of *.eng.mycompany.com for that.
Additionally, you can provide one or more Subject Alternative Names (SANs), which the certificate also protects when you install and configure the Splunk platform to use it and to check those SANs.
After you enter the information, the OpenSSL program creates a new CSR file called mySplunkWebCertificate.csr.
- Visit the website of a certificate authority that can generate a certificate from a CSR.
- Provide information about the certificate, including the domains that the certificate is to protect.
- (Optional) If necessary, pay for the certificate.
- Upload the CSR file to the CA website.
- Download the certificate when it is available.
- Download the CA public certificate authority certificate.
- View the contents of the certificate to confirm it meets your needs.
*nix command: $SPLUNK_HOME/bin/splunk cmd openssl x509 -in mySplunkWebCertificate.pem -text
Windows command: %SPLUNK_HOME%\bin\splunk cmd openssl x509 -in mySplunkWebCertificate.pem -text
- The "Issuer" entry must refer to the information that the CA provides.
- The "Subject" entry must show the information that you entered when you created the CSR, including country name, organization name, Common Name, and so on.
- If you can successfully verify the certificate, proceed to the Next Steps section in this topic for a link to instructions on how to install and configure the certificate.
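As an added example that is not Splunk's own code, the following POSIX shell script automates the private key and CSR steps above and includes the Subject Alternative Names the topic mentions, using an OpenSSL config file instead of interactive prompts so that it works with any OpenSSL version. The distinguished-name values, host names and file names are constructed assumptions, and it calls openssl from the PATH; substitute $SPLUNK_HOME/bin/splunk cmd openssl to use the Splunk-bundled binary.

```shell
#!/bin/sh
# Added example (not Splunk's code): build a Splunk Web CSR that carries a
# Subject Alternative Name list. The DN fields and host names are placeholders.
# Usage: make_csr OUTDIR COMMON_NAME [ALT_NAME ...]
make_csr() {
  outdir=$1; cn=$2; shift 2
  key="$outdir/mySplunkWebPrivateKey.key"
  csr="$outdir/mySplunkWebCertificate.csr"
  cfg="$outdir/csr.cnf"
  # Unencrypted key so the example runs without a password prompt. Splunk Web
  # needs either an unencrypted key or the key password set in web.conf.
  openssl genrsa -out "$key" 2048 2>/dev/null || return 1
  # prompt = no makes openssl read the DN from the [ req_dn ] section;
  # req_extensions adds the SAN extension request to the CSR.
  {
    printf '[ req ]\nprompt = no\ndistinguished_name = req_dn\nreq_extensions = v3_req\n'
    printf '[ req_dn ]\nC = US\nST = California\nL = San Francisco\n'
    printf 'O = Example Corp\nOU = IT\nCN = %s\nemailAddress = admin@%s\n' "$cn" "${cn#*.}"
    printf '[ v3_req ]\nsubjectAltName = @alt_names\n[ alt_names ]\n'
    # Repeat the CN as the first SAN: clients match host names against SANs.
    i=1; printf 'DNS.%d = %s\n' "$i" "$cn"
    for alt in "$@"; do i=$((i + 1)); printf 'DNS.%d = %s\n' "$i" "$alt"; done
  } > "$cfg"
  openssl req -new -key "$key" -out "$csr" -config "$cfg" 2>/dev/null || return 1
  # A CSR is self-signed with the private key; -verify fails if they disagree.
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1
}

# Confirm the CSR requests a given DNS SAN before uploading it to the CA.
csr_has_san() {
  openssl req -in "$1" -noout -text | grep -qF -- "DNS:$2"
}

# Print the Subject line so the "Subject" check in this topic can be scripted.
csr_subject() {
  openssl req -in "$1" -noout -subject
}
```

Run make_csr on a scratch directory, then inspect the result with csr_subject and csr_has_san before uploading the .csr file; a wildcard Common Name such as *.mycompany.com can be passed as COMMON_NAME in the same way.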
Next step
Now that you have certificates, you must prepare them, including appending any intermediate certificates. This step must happen before you can configure Splunk Enterprise to find and use the certificates.
- See How to prepare certificates for use with the Splunk platform to learn how to set up your certificates to work with the Splunk platform.
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2