topic Re: SSL certificate in Splunk web in Security

SSL certificate in Splunk web

Dharani — Mon, 08 Feb 2021 11:31:03 GMT

Hi Splunkers,

I have clustered environment. One of indexer got SSL expired. I have created csr and pem file. Bu submitting that csr I got new SSL certificate from my organization.

Now I logged in to that indexer , i downloaded the new SSL certificate to the same folder where my pem key is there.

went to , etc/system/local and updated the web.conf file as below.

[settings]

startwebserver = 1

caCertPath = etc/auth/cert/sra-index-01-cert.pem
privKeyPath = etc/auth/cert/sra-index-01-PassKey.pem

sendStrictTransportSecurityHeader = true
enableSplunkWebSSL = true

allowSslRenegotiation = false
allowSslCompression = false

now , I need to verify SSL is properly applied to Splunk server or not. When I logged in web UI, I am not able to see valid certificate date , it is still showing previous expired certificate date.

How to verify it or Am I missing anything?

Re: SSL certificate in Splunk web

jacobpevans — Tue, 09 Feb 2021 14:00:00 GMT

Silly question, but did you restart Splunk after making the changes?

Re: SSL certificate in Splunk web

Dharani — Tue, 09 Feb 2021 11:17:25 GMT

Hi Jacob,

I am not expecting this stupid answer.

Cheers !

Re: SSL certificate in Splunk web

splunkyj — Fri, 26 Feb 2021 23:36:57 GMT

web.conf if for Splunk Web. In order to use this, your private key must be decrypted. Which means, you are able to verify the certificate using ssl and it doesn't prompt you for a password.

But I doubt you need to access your indexer in Splunk Web. When I changed our certificates system-wide these were my notes for Indexers:

---To prevent server from trying to reach Splunk Base for updates--

Etc/system/local/server.conf

[applicationsManagement]

allowInternetAccess = false

---without this, mongod will fail to start.

[kvstore]

serverCert = $SPLUNK_HOME/etc/auth/<servername>/<servername>.pem

sslPassword = <password_of_serverCert>

[sslConfig]

serverCert = $SPLUNK_HOME/etc/auth/<servername>/<servername>_.pem

sslPassword = <password_of_serverCert>

sslRootCAPath = $SPLUNK_HOME/etc/auth/rootca/Root_CA.pem

Etc/system/local/inputs.conf

[SSL]

serverCert = $SPLUNK_HOME/etc/auth/receiver/receiver_cert.pem

sslPassword = <password >

sslVersions = -all, tls1.2

Now, if you must access Splunk Web into the indexer:

Etc/system/local/web.conf

Note: Splunk Web will not work with encrypted private key. Ensure you are using decrypted private key and certificate for this configuration.

[settings]

privKeyPath = $SPLUNK_HOME/etc/auth/<servername>/<webServerCert>_webServerCert_priv.key

serverCert = $SPLUNK_HOME/etc/auth/<servername>/< webServerCert>_webServerCert_cert.pem

To export private key decrypted for us in Splunk Web web.conf, you can use the following:

Export private key, you will need the pass phrase:
- openssl rsa -in server_priv.key -out web_server_priv.key
- you can copy this contents and replace the key on your original servercert.pem and save it as whatever name you like: web_servercert.pem
Test your certificate to ensure you are not prompted for passphrase: openssl rsa -in web_servercert.pem –text (Remember, you will only use this for web.conf, if you try to use this in server.conf - mongod will not start due to no passphrase)