SSSL (Splunk Secure Sockets Layer)

The primary reason SSL (its modern versions are called TLS, but Splunk's settings still say SSL) is used is to keep sensitive information sent across a network encrypted so that only the intended recipient can read it.

This is important because the information you send on the internet is passed from computer to computer on its way to the destination server. Any computer in between you and the server can see your credit card numbers, usernames, passwords, Splunk searches and other sensitive information if it is not encrypted.

The certificate itself does not do the encrypting. It lets your browser check that the server it is talking to really is the one named in the certificate, and the two sides then negotiate the session keys that make the traffic unreadable to everyone else. Without that check an attacker sitting in the path could present their own key and read everything anyway, so the certificate is what protects you from prying eyes, not just the padlock.

It is therefore worth making sure the connection between Splunk Web and the browser you're searching from is encrypted. Setting this up with an SSL certificate is a piece of cake. Here's how.

Create a new private key and certificate signing request

Before obtaining a certificate you'll need a certificate signing request (CSR). The CSR holds your server's public key and name and is the thing the certificate authority signs; the matching private key never leaves your machine. DigiCert publishes an OpenSSL CSR wizard that writes the OpenSSL command for you from a short form.

Once you've generated the command, paste it into your terminal. Here's an example command:

$ openssl req -new -newkey rsa:2048 -nodes -out my_domain.csr -keyout my_domain.key -subj "/C=GB/ST=w9/L=London/O=Splunk/OU=Dept. of Awesome/CN=himynamesdave.com"

You will see that both a .csr (the CSR) and a .key (the private key) file have been created in the current working directory. The -nodes option means the key is written unencrypted, which is what Splunk needs in order to load it without a passphrase, so make the .key file readable only by you (chmod 600) and never send it anywhere: only the .csr goes to the certificate authority.

my_domain.csr
my_domain.key

openssl req writes the key in PKCS#8 form (the file starts with BEGIN PRIVATE KEY), while Splunk expects the traditional RSA encoding (BEGIN RSA PRIVATE KEY). Convert it by changing into the directory the key file is stored in and running:

$ openssl rsa -in my_domain.key -out my_domain.rsa.key

On OpenSSL 3 add -traditional to that command, because openssl rsa there writes PKCS#8 again by default. Either way, check that the first line of my_domain.rsa.key reads BEGIN RSA PRIVATE KEY before going any further.

Purchase the certificate

You can then go ahead and choose a certificate to purchase. During the ordering process you will need to paste the content of the CSR (my_domain.csr) into the certificate authority's form; they will then create a new server certificate and sign it. Most certificate providers walk you through this. The CA never needs, and should never be given, the .key file.

Once this is complete the certificate authority will issue your certificate. You’ll probably receive 2 files from them that look something like this:

my_splunk_domain.crt
my_bundle.crt

The second file is usually the intermediate certificate(s): the CA's own signing certificate(s), which sit between your server certificate and the root certificate that browsers already trust. Browsers need them to build the chain, so they have to be bundled with the server certificate into a single file, in the right order: your server certificate first, then each intermediate, each one followed by the certificate that issued it. The root itself does not need to be included, since clients already have it.

Splunk wants a PEM file. The .crt files most CAs send are already PEM-encoded (Base64 text between BEGIN CERTIFICATE and END CERTIFICATE lines), so the extension is the only difference; if a file is binary DER instead, convert it first with openssl x509 -inform der. Concatenate the .crt files from the CA into a single .pem file in the order above by running:

$ cat my_splunk_domain.crt my_bundle.crt > my_splunk_bundle.pem
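The whole flow above, from the key and CSR through the key conversion to the bundle, as an added shell example that is not part of the original post: it stands in for the certificate authority with a throwaway root and intermediate so the steps can be run and checked offline, then runs the checks worth doing before anything is copied to Splunk (key and CSR share a modulus, the converted key is in RSA PEM form, the bundle starts with the server certificate and chains to the root using only the intermediates it carries). The host name splunk.example.com, the "Example Test" CA names and the scratch directory are assumptions for the demo; with a real CA the sign step is replaced by their ordering process.

```shell
#!/bin/sh
# Added example, not from the original post. Exercises the CSR -> signed
# certificate -> bundle flow end to end with a throwaway CA, then checks the
# results. splunk.example.com, the "Example Test" CA names and the scratch
# directory are assumptions for the demo.
set -eu

# Key + CSR as in the post. -nodes leaves the key unencrypted (Splunk needs
# that), so the file mode set by the umask is its only protection.
make_csr() {  # make_csr <dir> <name> <subject>
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" -subj "$3" 2>/dev/null )
}

# Rewrite the key in the traditional "BEGIN RSA PRIVATE KEY" encoding.
# OpenSSL 3 writes PKCS#8 unless told -traditional; OpenSSL 1.1 has no such
# flag but already writes the traditional form, hence the fallback.
to_rsa_key() {  # to_rsa_key <in> <out>
  ( umask 077
    openssl rsa -in "$1" -out "$2" -traditional 2>/dev/null \
      || openssl rsa -in "$1" -out "$2" 2>/dev/null )
}

# RSA modulus of a key, CSR or certificate; equal moduli mean the same key.
modulus() {  # modulus <rsa|req|x509> <file>
  openssl "$1" -noout -modulus -in "$2"
}

# Stand-in for the CA: sign a CSR with an issuer's key and certificate,
# adding the X.509v3 extensions passed as the remaining arguments.
sign() {  # sign <dir> <csr-name> <issuer-name> <out-name> <extension>...
  sdir=$1 csr=$2 issuer=$3 out=$4; shift 4
  printf '%s\n' "$@" > "$sdir/$out.ext"
  openssl x509 -req -in "$sdir/$csr.csr" \
      -CA "$sdir/$issuer.crt" -CAkey "$sdir/$issuer.key" -CAcreateserial \
      -days 1 -extfile "$sdir/$out.ext" -out "$sdir/$out.crt" 2>/dev/null
}

# Bundle in the order every TLS client expects: server certificate first,
# then the intermediates, each followed by its issuer. No root needed.
make_bundle() {  # make_bundle <out.pem> <server.crt> <intermediate.crt>...
  out=$1; shift
  cat "$@" > "$out"
}

# Pre-flight checks: the bundle must start with the server certificate and
# must chain to the expected root using only the intermediates it carries.
# openssl verify reads just the first certificate of its target file, which
# is exactly how a client sees the bundle; -untrusted supplies the rest.
check_bundle() {  # check_bundle <bundle.pem> <root.crt> <expected CN>
  openssl x509 -noout -subject -in "$1" | grep -q "CN *= *$3" || return 1
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# The key file Splunk gets must be in the traditional RSA encoding.
key_is_rsa_pem() {  # key_is_rsa_pem <key>
  head -n 1 "$1" | grep -q 'BEGIN RSA PRIVATE KEY'
}

build_demo_pki() {  # build_demo_pki <workdir>
  d=$1
  # What a real CA already has: a root and an intermediate signed by it.
  ( umask 077
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/root.key" -out "$d/root.crt" \
        -subj "/O=Example Test/CN=Example Test Root" 2>/dev/null )
  make_csr "$d" int "/O=Example Test/CN=Example Test Issuing CA"
  sign "$d" int root int \
      "basicConstraints=critical,CA:TRUE" "keyUsage=critical,keyCertSign,cRLSign"

  # Your side: key and CSR for the Splunk Web host, key converted for Splunk.
  make_csr "$d" my_domain \
      "/C=GB/L=London/O=Splunk/OU=Dept. of Awesome/CN=splunk.example.com"
  to_rsa_key "$d/my_domain.key" "$d/my_domain.rsa.key"
  [ "$(modulus rsa "$d/my_domain.rsa.key")" = "$(modulus req "$d/my_domain.csr")" ]
  key_is_rsa_pem "$d/my_domain.rsa.key"

  # What the CA sends back: the server certificate and the intermediate
  # (the post's my_splunk_domain.crt and my_bundle.crt).
  sign "$d" my_domain int my_splunk_domain \
      "basicConstraints=CA:FALSE" "subjectAltName=DNS:splunk.example.com" \
      "extendedKeyUsage=serverAuth"
  cp "$d/int.crt" "$d/my_bundle.crt"

  # Assemble and check before anything is copied to $SPLUNK_HOME.
  make_bundle "$d/my_splunk_bundle.pem" "$d/my_splunk_domain.crt" "$d/my_bundle.crt"
  [ "$(modulus x509 "$d/my_splunk_domain.crt")" = "$(modulus rsa "$d/my_domain.rsa.key")" ]
  check_bundle "$d/my_splunk_bundle.pem" "$d/root.crt" splunk.example.com
  echo "ready: $d/my_splunk_bundle.pem + $d/my_domain.rsa.key"
}

build_demo_pki "$(mktemp -d)"
```

Swapping the two cat arguments in make_bundle makes check_bundle fail, because the first certificate in the file is then the intermediate rather than the server certificate; that is the mistake behind most "the browser says the chain is incomplete" reports, and it is cheaper to catch here than after a Splunk restart.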

Configure Splunk SSL

Copy the .pem file and the converted .rsa.key file to the following directory on your Splunk instance (on a default Linux install that is /opt/splunk/share/splunk/certs/; create it if it does not exist, and make sure the key is owned by the user Splunk runs as and readable only by that user):

$SPLUNK_HOME/share/splunk/certs/

Now the files are in place we need to tell Splunk to serve Splunk Web over SSL and where to find the .pem and .key files. To do this, edit (or create) web.conf here:

$SPLUNK_HOME/etc/system/local/web.conf

and add the following stanza. The paths are relative to $SPLUNK_HOME/share/splunk in the Splunk version this post was written for, and despite its name caCertPath holds the server certificate together with its chain, not a CA certificate. Later Splunk versions replace caCertPath with serverCert and resolve relative paths against $SPLUNK_HOME instead, so check web.conf.spec for your version before copying this:

[settings]
httpport = 443
enableSplunkWebSSL = 1
privKeyPath = /certs/my_domain.rsa.key
caCertPath = /certs/my_splunk_bundle.pem

After a restart of Splunk ($SPLUNK_HOME/bin/splunk restart) Splunk Web will be served over SSL on port 443, so users reach it over a secure connection. One thing to watch: on Linux, binding port 443 needs root privileges (or the CAP_NET_BIND_SERVICE capability), so if Splunk runs as an unprivileged user either keep httpport = 8000 or put a reverse proxy in front of it.

This should work for most browsers. A browser will still warn if the certificate was issued by an authority it does not trust (an internal CA, for example) or if the intermediate certificates are missing from the bundle. You can see exactly what the server is sending with openssl s_client -connect yourhost:443 -servername yourhost -showcerts: your certificate should be listed first and the output should end with Verify return code: 0 (ok) once the chain is complete.

If you run into problems, check that port 443 is open to receive connections. This stumped me for some time! P.S. Splunk Answers is also a fountain of wealth :)