Securing Splunk Enterprise
Enable or disable token authentication
You can enable token authentication at any time if your Splunk platform account has the appropriate permissions. Token authentication is off by default on the Splunk platform.
You can also disable token authentication at any time if you have enabled it and have the appropriate permissions. If token authentication is disabled, token users cannot authenticate into the instance, even if you have previously defined valid tokens.
Tokens retain their individual validity status regardless of whether token authentication is on or off, and when you re-enable token authentication after disabling it, holders of valid tokens can use them again.
Prerequisites for enabling or disabling token authentication
Before you can enable token authentication, you must satisfy the following requirements:
Splunk Cloud Platform
- You must configure your Splunk Cloud Platform instance to use either the native or the SAML authentication schemes.
- If you configure Splunk Cloud Platform to use the SAML authentication scheme, you must also either configure the instance to use a SAML identity provider (IdP) that supports Attribute Query Requests (AQR) or use authentication extensions. See Configure Splunk Cloud Platform to use SAML for authentication tokens.
- The account that you use to log into the Splunk platform must hold a role that has the edit_tokens_settings Splunk platform capability before you can turn token authentication on or off.
Splunk Enterprise
- You must enable Transport Layer Security (TLS)/SSL on your Splunk platform instance. See About securing Splunk Enterprise with SSL for details.
- You must confirm that you have enabled app key value store (KV Store). By default, KV store is enabled on search heads. See About app key value store in the Admin Manual for more information.
- The account that you use to log into the Splunk platform must hold a role that has the edit_tokens_settings Splunk platform capability before you can turn token authentication on or off.
Enable token authentication for a Splunk platform instance
You can enable token authentication by using Splunk Web, editing configuration files, or making a call to a Representational State Transfer (REST) endpoint.
At this time, you cannot use the Splunk CLI on Splunk Enterprise to enable or disable token authentication.
Enable token authentication using Splunk Web
When token authentication is off, the following message displays on the "Tokens" page in Splunk Web:
Token authentication is currently disabled. To enable token authentication, click Enable Token Authentication.
Perform this procedure on the instance where you want to enable token authentication.
- Log in to the Splunk platform instance as an administrator-level user, or a user that can manage tokens settings.
You cannot use a token to log in to Splunk Web. You must provide a valid user name and password.
- After you log in successfully, in the system bar, select Settings > Tokens.
- Click Enable Token Authentication. The Splunk platform instance enables token authentication immediately, and there is no need to restart the instance.
Enable token authentication using REST
The curl command does not come standard on Windows PowerShell. Instead, you can use the Invoke-RestMethod PowerShell cmdlet on PowerShell versions 3.0 and higher.
- Open a shell prompt.
- Run the following command:
curl -k -u <splunk_username>:<password> -X POST https://<servername>:<port>/services/admin/token-auth/tokens_auth -d disabled=false
The Splunk platform enables token authentication immediately. On Splunk Enterprise instances, there is no need to restart.
Enable token authentication using configuration files
Perform this procedure on the Splunk Enterprise instance where you want to enable token authentication. This option is not available on Splunk Cloud instances.
- Open a shell prompt or PowerShell window.
- Change to the $SPLUNK_HOME/etc/system/local directory.
- Use a text editor to open the authorize.conf file for editing.
- In the authorize.conf file, add the following lines of text:
[tokens_auth]
disabled = false
- Save the authorize.conf file and close it.
- Restart the Splunk platform.
Set a default relative token expiration time using configuration files
Optionally, to set a default relative time expiration for any tokens on the Splunk Enterprise instance, use this procedure. Expiration times that you specify in the token creation dialog override the default setting. You cannot perform this operation in Splunk Cloud or on Splunk Web, and you cannot set an expiration time in the past.
- Open a shell prompt or PowerShell window.
- Change to the $SPLUNK_HOME/etc/system/local directory.
- Use a text editor to open the authorize.conf file for editing.
- In the tokens_auth stanza, add the following line of text, substituting <relative time> with a string that represents an amount of time from the time that you create a token:
expiration=<relative time>
For example, if you want to specify a default expiration time of 5 days for a token after you create it, set <relative time> to +5d.
- Save the file and close it.
- Restart the Splunk platform.
See Time modifiers in the Search Reference manual for more information on time modifier syntax.
Disable token authentication on a Splunk platform instance
On Splunk Cloud instances, you can disable token authentication by using Splunk Web. On Splunk Enterprise instances, you can disable token authentication by using Splunk Web, editing configuration files, or making a call to a REST endpoint.
Disable token authentication using Splunk Web
Perform this procedure on the instance where you want to disable token authentication. You can use Splunk Web to disable token authentication on either Splunk Cloud or Splunk Enterprise instances.
- Log in to the Splunk platform instance as a user that can edit token settings.
You cannot use a token to log in to Splunk Web. You must provide a valid user name and password.
- After you log in, in the system bar, select Settings > Tokens.
- Click Disable Token Authentication. The instance disables token authentication immediately, and there is no need to restart the instance.
Disable token authentication using REST
The curl command does not come standard on Windows PowerShell. Instead, you can use the Invoke-RestMethod PowerShell cmdlet.
- Open a shell prompt.
- Run the following command:
curl -k -u <splunk_username>:<password> -X POST https://<servername>:<port>/services/admin/token-auth/tokens_auth -d disabled=true
The instance disables token authentication immediately, and there is no need to restart the instance.
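The two REST procedures above (enabling with disabled=false and disabling with disabled=true) are the same call with one parameter changed. The following Python script is an added example, not code from the Splunk documentation or product: it builds that POST, verifies the server's TLS certificate against a CA bundle instead of skipping verification the way curl -k does, requests the JSON envelope with output_mode=json, and reads the setting back so you can confirm the change took effect. The host, port, credentials and CA bundle path are placeholders, and the response parser assumes the entry's content carries the same disabled key that the POST sets (as a "0"/"1"/"true"/"false" string or a JSON boolean); the sample response is constructed, not captured from a real server. The account used must hold the edit_tokens_settings capability, as the prerequisites state.

```python
import base64
import json
import ssl
import urllib.request

# Endpoint path from the procedure above; ?output_mode=json asks Splunk for its
# JSON entry envelope instead of the default Atom XML.
TOKENS_AUTH_URL_PATH = "/services/admin/token-auth/tokens_auth?output_mode=json"


def build_toggle_request(base_url, username, password, disabled):
    """Build the POST that sets disabled=true (off) or disabled=false (on)."""
    body = b"disabled=true" if disabled else b"disabled=false"
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        base_url.rstrip("/") + TOKENS_AUTH_URL_PATH,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def parse_tokens_auth_state(response_text):
    """Read the disabled flag back out of Splunk's JSON entry envelope.
    Assumption: entry[0].content.disabled holds "0"/"1"/"true"/"false" or a bool."""
    doc = json.loads(response_text)
    entries = doc.get("entry") or []
    if not entries:
        raise ValueError("no entry in response: " + json.dumps(doc.get("messages", [])))
    content = entries[0].get("content", {})
    raw = content.get("disabled")
    if isinstance(raw, bool):
        disabled = raw
    elif str(raw).strip().lower() in ("1", "true", "t", "yes"):
        disabled = True
    elif str(raw).strip().lower() in ("0", "false", "f", "no"):
        disabled = False
    else:
        raise ValueError(f"unexpected disabled value: {raw!r}")
    return {"disabled": disabled, "expiration": content.get("expiration")}


def set_token_auth(base_url, username, password, enabled, ca_bundle):
    """Toggle token authentication and return the state the server reports back.
    TLS is verified against ca_bundle (placeholder path) rather than skipped."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = build_toggle_request(base_url, username, password, disabled=not enabled)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        if resp.status != 200:
            raise RuntimeError(f"HTTP {resp.status}")
        state = parse_tokens_auth_state(resp.read().decode())
    # The change is immediate (no restart), so the read-back must already agree.
    if state["disabled"] == enabled:
        raise RuntimeError("server state does not match the requested setting")
    return state


# Constructed sample of the JSON envelope (not captured from a real server).
SAMPLE_RESPONSE = json.dumps({
    "entry": [{"name": "tokens_auth", "content": {"disabled": "0", "expiration": "+5d"}}],
    "messages": [],
})

if __name__ == "__main__":
    # Offline demonstration of the parser; a live call would be, for example:
    # set_token_auth("https://<servername>:<port>", "<splunk_username>", "<password>",
    #                enabled=True, ca_bundle="/path/to/ca-bundle.pem")
    print(parse_tokens_auth_state(SAMPLE_RESPONSE))
```

Because the endpoint accepts basic authentication, the credentials travel with every request; keeping certificate verification on is what stops them from being exposed to an interposed host, which is the reason the example avoids the -k shortcut.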
Disable token authentication using configuration files
Perform this procedure on the Splunk Enterprise instance where you want to disable token authentication. This option is not available for Splunk Cloud instances.
- Open a shell prompt or PowerShell window.
- Change to the $SPLUNK_HOME/etc/system/local directory.
- Use a text editor to open the authorize.conf file.
- In the authorize.conf file, edit the following lines of text:
[tokens_auth]
disabled = true
- Save the authorize.conf file and close it.
- Restart Splunk Enterprise.
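The three configuration-file procedures above (enabling with disabled = false, setting a default expiration, and disabling with disabled = true) all edit the same [tokens_auth] stanza of authorize.conf. The following Python script is an added example, not code from the Splunk documentation or product: it parses that stanza from a constructed sample file, reports whether token authentication is on (off being the platform default when the key is absent), converts a relative time modifier such as +5d into the epoch time at which a token created now would expire, and rejects a modifier that would place the expiration in the past, which the text says is not allowed. The modifier parser is an assumption-limited subset of Splunk's time modifier syntax: it handles only fixed-length units (seconds through weeks) and rejects month, quarter and year units and snap-to suffixes rather than approximating them.

```python
import configparser
import re
import time

# Constructed sample of $SPLUNK_HOME/etc/system/local/authorize.conf (not a
# file from any real deployment); it uses the stanza and keys the procedures
# above add.
SAMPLE_AUTHORIZE_CONF = """\
[tokens_auth]
disabled = false
expiration = +5d
"""

# Subset of Splunk relative-time modifiers handled here. Assumption: only
# fixed-length units; month, quarter and year modifiers and snap-to suffixes
# such as @d are rejected rather than approximated.
_UNIT_SECONDS = {
    "s": 1, "sec": 1, "secs": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "mins": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hr": 3600, "hrs": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
    "w": 604800, "week": 604800, "weeks": 604800,
}
_MODIFIER_RE = re.compile(r"^([+-])(\d+)([a-z]+)$")


def load_tokens_auth(conf_text):
    """Return the [tokens_auth] stanza of authorize.conf text as a dict
    (empty when the stanza is absent)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_section("tokens_auth"):
        return {}
    return {key: value.strip() for key, value in parser.items("tokens_auth")}


def token_auth_enabled(stanza):
    """Token authentication is off by default; it is on only when the stanza
    explicitly sets disabled to a false value."""
    return stanza.get("disabled", "true").lower() in ("false", "0", "f", "no", "n")


def relative_expiration_seconds(modifier):
    """Convert a modifier such as +5d to seconds. A leading '-' would put the
    expiration in the past, which the platform does not allow, so reject it."""
    match = _MODIFIER_RE.match(modifier.strip().lower())
    if not match:
        raise ValueError(f"unsupported relative time modifier: {modifier!r}")
    sign, count, unit = match.groups()
    if unit not in _UNIT_SECONDS:
        raise ValueError(f"unsupported or variable-length unit: {unit!r}")
    if sign == "-":
        raise ValueError("expiration cannot be in the past")
    return int(count) * _UNIT_SECONDS[unit]


def expiration_epoch(created_epoch, modifier):
    """Epoch time at which a token created at created_epoch expires under the
    default modifier."""
    return created_epoch + relative_expiration_seconds(modifier)


def audit_tokens_auth(conf_text, now_epoch=None):
    """Summarize the stanza for review: whether token auth is on, when a token
    created now would expire under the default, and anything needing attention."""
    stanza = load_tokens_auth(conf_text)
    now_epoch = int(time.time()) if now_epoch is None else now_epoch
    report = {
        "enabled": token_auth_enabled(stanza),
        "default_expiration_epoch": None,
        "warnings": [],
    }
    modifier = stanza.get("expiration")
    if modifier is None:
        report["warnings"].append("no default expiration set in authorize.conf")
    else:
        try:
            report["default_expiration_epoch"] = expiration_epoch(now_epoch, modifier)
        except ValueError as exc:
            report["warnings"].append(f"invalid expiration {modifier!r}: {exc}")
    return report


if __name__ == "__main__":
    # Point this at a real file with open(path).read() once the edits are saved.
    print(audit_tokens_auth(SAMPLE_AUTHORIZE_CONF))
```

Running the audit against the file you just edited, before restarting, catches a typo in the stanza name or modifier while it is still cheap to fix; after the restart, the REST endpoint is the authoritative place to confirm the running state.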
Create, use, manage, and delete tokens
After you enable token authentication, you can do the following with authentication tokens:
- Create tokens. See Create authentication tokens.
- Manage or delete tokens. See Manage or delete authentication tokens.
- Use tokens to authenticate. See Use authentication tokens.
If you disable token authentication, any tokens that are on the instance become inaccessible immediately, and you must enable token authentication again to restore access to tokens that are valid.
This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2