Securing Splunk Enterprise
How to create and sign your own TLS certificates
Transport layer security (TLS) certificates that come from third parties are the most secure way to protect communications within your Splunk platform infrastructure from potential security breaches. Splunk uses TLS certificates to protect Splunk Cloud Platform deployments and the forwarders that connect to those deployments. It's a Splunk best practice to use third-party TLS certificates on the Splunk platform infrastructure that you manage.
If you are not able to acquire certificates from a third party, or your Splunk platform deployment receives protection from firewalls or other network infrastructure, you can secure the contact points in the deployment by creating and signing TLS certificates yourself.
As you are the certificate authority in this scenario, there is no cost to creating and signing certificates on your own. Additionally, you can create the certificates whenever you need and they are ready for use immediately after you create them, for as long as you need them.
There are caveats to this method. Because you sign these certificates yourself, third parties can't validate them. This means that even though they can protect communications, even across multiple sites that you or trusted parties control, and are better than the default certificates that Splunk software provides, they are not as secure as those which you obtain from a third-party CA. You can use certificates you create for advanced security efforts like TLS certificate host name validation and mutually authenticated TLS (mTLS), but if you use them for Splunk Web, your browser will display warnings whenever you access Splunk Web because your self-signed certificate won't be in your browser certificate store.
As a reminder, Splunk best practice is to get certificates from a third party to secure your Splunk platform deployment, regardless of whether a firewall protects that deployment, and especially if your deployment communicates with parties that you don't know.
Generate and distribute multiple self-signed certificates
You can distribute certificates that you create and sign yourself to any type of Splunk platform instance. This includes but is not limited to the following:
- Forwarders and indexers
- Search heads and search peers
- Search head cluster nodes
- Indexer cluster nodes
- License managers and peers
- Deployment servers and clients
- Splunk Web and your browser
- Search head clusters and the App Key Value Store service
If you want to use a different common name, or fully-qualified domain name, for each machine or instance type, you can create different certificates that contain a different common name. Repeat the "Create server certificates and sign them with the root certificate authority certificate" process in this topic to create the additional certificates. As long as you sign each certificate using the same certificate authority certificate, connections using the certificates work.
You can create "wildcard" certificates that protect multiple instances within a domain at once. You can also add Subject Alternative Name fields to a certificate to protect groups of individual instances.
If you already have self-signed certificates
If you already have certificates that you have created, proceed to the Next Steps section of this topic for a link to certificate installation and configuration instructions.
Prerequisites to creating and signing your own TLS certificates
Before you can create and sign your own certificates, you must have the following:
- Administrative access to the Splunk Enterprise instance on which you want to generate and sign the certificates.
- Access to a shell prompt, command line, or Terminal window. You can only create and sign certificates from the command line.
Create and self-sign a TLS certificate
There are several steps to creating and signing certificates on your own:
- Create a root certificate authority certificate.
- Create server certificates and sign them with the root certificate authority certificate.
Create the root certificate authority certificate
The root certificate authority certificate serves as the base certificate that you use to sign additional certificates that you'll distribute to the Splunk platform instances in your deployment. It's called the "root certificate authority certificate" for this reason: You, as the certificate authority, establish that you trust any certificates that are based on this root certificate.
You only need to create one root certificate authority certificate.
When you create the root certificate authority certificate, back up both the certificate file and the private key to a safe offline location where possible. If you lose either, you won't be able to create new certificates based on this root certificate and must generate a new root certificate. You must also replace any existing client and server certificates which are based on the lost root certificate. This can result in significant periods of downtime.
- Open a command line interface, for example, a shell prompt, or a Terminal or PowerShell window.
- Connect to the Splunk platform instance where you want to generate the certificate signing request (CSR).
- Create a new directory within the Splunk platform instance installation for the certificates.
  *nix command: mkdir $SPLUNK_HOME/etc/auth/mycerts
  Windows command: mkdir %SPLUNK_HOME%\etc\auth\mycerts
- Create a private key for your root certificate authority certificate.
  *nix command: $SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out myCertAuthPrivateKey.key 2048
  Windows command: %SPLUNK_HOME%\bin\splunk cmd openssl genrsa -aes256 -out myCertAuthPrivateKey.key 2048
- When the OpenSSL program prompts you, enter a password for the key. The OpenSSL program then creates a file myCertAuthPrivateKey.key.
- Use the private key myCertAuthPrivateKey.key to generate a CSR for your certificate:
  *nix command: $SPLUNK_HOME/bin/splunk cmd openssl req -new -key myCertAuthPrivateKey.key -out myCertAuthCertificate.csr
  Windows command: %SPLUNK_HOME%\bin\splunk cmd openssl req -new -key myCertAuthPrivateKey.key -out myCertAuthCertificate.csr
- When the OpenSSL program prompts you, enter the password you created for your private key myCertAuthPrivateKey.key.
- The OpenSSL program asks for several different fields. At a minimum, provide values for the following:
  - Country Name
  - State or Province Name (full name)
  - Locality Name (eg, city)
  - Organization Name (eg, company)
  - Organizational Unit Name (eg, section)
  - Common Name (e.g. server FQDN or YOUR name)
  - Email Address
  If you want to specify a wildcard certificate, when the program asks for the Common Name, prepend *. to the top-level domain name that you want the certificate to protect. For example, if your top-level domain name is mycompany.com, enter *.mycompany.com. The certificate protects any machine within that domain level, for example splunkserver1.mycompany.com or splunkserver2.mycompany.com, but not machines on a different subdomain level. It does not protect splunkserver1.eng.mycompany.com; you need a certificate with a Common Name of *.eng.mycompany.com for that.
  Additionally, you can provide one or more Subject Alternative Names, which the certificate also protects when you install and configure the Splunk platform to use it and to check those Subject Alternative Names.
  After you enter the information, the OpenSSL program creates a new CSR file called myCertAuthCertificate.csr.
- Use the CSR file you created and sign it with the private key you created previously to create the root certificate authority certificate.
  *nix command: $SPLUNK_HOME/bin/splunk cmd openssl x509 -req -in myCertAuthCertificate.csr -sha512 -signkey myCertAuthPrivateKey.key -CAcreateserial -out myCertAuthCertificate.pem -days 1095
  Windows command: %SPLUNK_HOME%\bin\splunk cmd openssl x509 -req -in myCertAuthCertificate.csr -sha512 -signkey myCertAuthPrivateKey.key -CAcreateserial -out myCertAuthCertificate.pem -days 1095
- When the OpenSSL program prompts you, enter the password you created for your private key myCertAuthPrivateKey.key again. The OpenSSL program creates the root certificate authority certificate file called myCertAuthCertificate.pem.
Create server certificates and sign them with the root certificate authority certificate
After you have created the root certificate authority certificate, you can create additional certificates and then sign them with your root CA certificate.
Similar to a root CA certificate, you have to create a private key and a certificate signing request to generate a certificate for a Splunk server.
- Create a private key for the server certificate.
  *nix command: $SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out myServerPrivateKey.key 2048
  Windows command: %SPLUNK_HOME%\bin\splunk cmd openssl genrsa -aes256 -out myServerPrivateKey.key 2048
- When the OpenSSL program prompts you, enter a password for the key. The OpenSSL program then creates a file myServerPrivateKey.key. Do not use the same password that you used for the certificate authority private key.
- Use the private key myServerPrivateKey.key to generate a CSR for your certificate:
  *nix command: $SPLUNK_HOME/bin/splunk cmd openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr
  Windows command: %SPLUNK_HOME%\bin\splunk cmd openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr
- When the OpenSSL program prompts you, enter the password you created for the private key myServerPrivateKey.key.
- Provide the requested information for your certificate. The OpenSSL program creates a new CSR file called myServerCertificate.csr.
  The information that you provide for the Common Name field is what the Splunk platform uses for TLS certificate host name validation.
- Use the CSR file you created, together with the certificate authority certificate and its private key, to sign the request and create the server certificate.
  *nix command: $SPLUNK_HOME/bin/splunk cmd openssl x509 -req -in myServerCertificate.csr -sha256 -CA myCertAuthCertificate.pem -CAkey myCertAuthPrivateKey.key -CAcreateserial -out myServerCertificate.pem -days 1095
  Windows command: %SPLUNK_HOME%\bin\splunk cmd openssl x509 -req -in myServerCertificate.csr -sha256 -CA myCertAuthCertificate.pem -CAkey myCertAuthPrivateKey.key -CAcreateserial -out myServerCertificate.pem -days 1095
- When the OpenSSL program prompts you, enter the password you created for the private key myCertAuthPrivateKey.key again. The OpenSSL program creates the server certificate file called myServerCertificate.pem.
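The following script is an added example and is not part of the Splunk documentation or Splunk's own tooling. It runs the root CA and server certificate steps above non-interactively with a plain openssl binary (on a Splunk instance, point OPENSSL at "$SPLUNK_HOME/bin/splunk cmd openssl" instead), then verifies that the server certificate chains to the root and checks which host names the wildcard Common Name covers, including the splunkserver1.eng.mycompany.com case from the wildcard note above. The directory layout, the two passphrases, the subject values under mycompany.com and the splunk-kvstore.internal alternative name are constructed for the demo. It differs from the page's commands in two deliberate ways: it places the wildcard and any extra host names in a subjectAltName extension on the server certificate, because OpenSSL's host name check ignores the Common Name once a DNS subjectAltName is present, and it marks the root certificate with basicConstraints CA:TRUE and keyCertSign key usage, because an X.509 v3 root without them is rejected as an invalid CA by OpenSSL's verifier.

```shell
#!/bin/sh
# Added example (not Splunk's code): create a root CA, sign a server certificate
# with it, then verify the chain and host name coverage. Assumes `openssl` on
# PATH unless OPENSSL is set. All names, passphrases and domains are placeholders.
set -eu

# Word-splitting is intended: OPENSSL may be "splunk cmd openssl".
ossl() { ${OPENSSL:-openssl} "$@"; }

# Step 1: root certificate authority. $1 = certificate directory, $2 = CA key passphrase.
make_root_ca() {
    dir=$1; pass=$2
    ossl genrsa -aes256 -passout "pass:$pass" -out "$dir/myCertAuthPrivateKey.key" 2048
    ossl req -new -key "$dir/myCertAuthPrivateKey.key" -passin "pass:$pass" \
        -subj "/C=US/ST=California/L=San Francisco/O=My Company/OU=IT/CN=My Company Root CA/emailAddress=pki@mycompany.com" \
        -out "$dir/myCertAuthCertificate.csr"
    # CA extensions the page's bare x509 -req command omits; without basicConstraints
    # a v3 self-signed certificate is not recognised as a CA during verification.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                  'keyUsage=critical,keyCertSign,cRLSign' > "$dir/ca.ext"
    ossl x509 -req -in "$dir/myCertAuthCertificate.csr" -sha512 \
        -signkey "$dir/myCertAuthPrivateKey.key" -passin "pass:$pass" \
        -extfile "$dir/ca.ext" -out "$dir/myCertAuthCertificate.pem" -days 1095
}

# Step 2: server certificate signed by the root. $1 = dir, $2 = CA passphrase,
# $3 = server key passphrase (must differ from $2, as the page requires),
# $4 = Common Name, $5 = subjectAltName list such as "DNS:*.mycompany.com,DNS:kv.internal".
make_server_cert() {
    dir=$1; capass=$2; srvpass=$3; cn=$4; san=$5
    [ "$capass" != "$srvpass" ] || { echo "server key passphrase must differ from the CA passphrase" >&2; return 1; }
    ossl genrsa -aes256 -passout "pass:$srvpass" -out "$dir/myServerPrivateKey.key" 2048
    ossl req -new -key "$dir/myServerPrivateKey.key" -passin "pass:$srvpass" \
        -subj "/C=US/ST=California/L=San Francisco/O=My Company/OU=Splunk/CN=$cn" \
        -out "$dir/myServerCertificate.csr"
    printf '%s\n' 'basicConstraints=CA:FALSE' \
                  'keyUsage=critical,digitalSignature,keyEncipherment' \
                  'extendedKeyUsage=serverAuth,clientAuth' \
                  "subjectAltName=$san" > "$dir/server.ext"
    ossl x509 -req -in "$dir/myServerCertificate.csr" -sha256 \
        -CA "$dir/myCertAuthCertificate.pem" -CAkey "$dir/myCertAuthPrivateKey.key" \
        -passin "pass:$capass" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/myServerCertificate.pem" -days 1095
}

# Exit 0 when the server certificate chains to the root CA certificate.
verify_chain() {
    ossl verify -CAfile "$1/myCertAuthCertificate.pem" "$1/myServerCertificate.pem" >/dev/null 2>&1
}

# Exit 0 when the certificate is valid for host name $2. OpenSSL applies the same
# wildcard rule a TLS client does: "*" matches exactly one label, so *.mycompany.com
# covers splunkserver1.mycompany.com but not splunkserver1.eng.mycompany.com.
covers_host() {
    ossl verify -CAfile "$1/myCertAuthCertificate.pem" -verify_hostname "$2" \
        "$1/myServerCertificate.pem" >/dev/null 2>&1
}

# Demo run: build both certificates in a scratch directory and report coverage.
run_demo() {
    work=$(mktemp -d)
    make_root_ca "$work" 'ca-demo-passphrase' >/dev/null 2>&1
    make_server_cert "$work" 'ca-demo-passphrase' 'server-demo-passphrase' \
        '*.mycompany.com' 'DNS:*.mycompany.com,DNS:splunk-kvstore.internal' >/dev/null 2>&1
    if verify_chain "$work"; then
        echo "chain: server certificate is signed by the root CA"
    else
        echo "chain: verification FAILED" >&2; return 1
    fi
    for host in splunkserver1.mycompany.com splunk-kvstore.internal splunkserver1.eng.mycompany.com; do
        if covers_host "$work" "$host"; then echo "covered:     $host"; else echo "NOT covered: $host"; fi
    done
    ossl x509 -in "$work/myServerCertificate.pem" -noout -text | sed -n '/Subject Alternative Name/{n;p;}'
    rm -rf "$work"
}

run_demo
```

Running the script prints that the chain verifies, that splunkserver1.mycompany.com and splunk-kvstore.internal are covered, and that splunkserver1.eng.mycompany.com is not, which is exactly the distinction the wildcard note above describes. The same verify_chain and covers_host checks can be run against certificates produced by hand with the page's commands before you install them, so a mismatch between the Common Name and the host name that Splunk will validate is caught before any instance is reconfigured.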
Next steps
Now that you have the certificate authority certificate and at least one server certificate, you can prepare the certificates for use on the Splunk platform, including concatenating any intermediate certificates.
- Back up the certificate authority certificate and private key files to a safe place. If you lose either, you will have to recreate a new certificate authority certificate and key, and regenerate and distribute new certificates based on the new root certificate and key.
- If you need to create additional server certificates, for example, for additional domain levels or for single or groups of IP addresses, repeat the "Create server certificates and sign them with the root certificate authority certificate" section of this topic for as many certificates as you need.
- See How to prepare TLS certificates for use with the Splunk platform to learn how to set up your certificates to work with the Splunk platform.
This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2