Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to secure the Splunk platform with SSL

BRFZ
Path Finder
‎11-12-2024 05:21 AM

Hello,

I have a distributed Splunk architecture with a single search head, two indexers, and management tier : License Master, Monitoring Console, and Deployment Server, in addition to the forwarders. SSL has already been configured for the web interfaces, but I would now like to secure the remaining components and establish SSL-encrypted connections between them as well.

The certificates we are using are self-generated. Could you please guide me on how to proceed with securing all internal communications in this setup? Specifically, I would like to know if I should auto-generate a new certificate for each component and each connection or if there’s an efficient way to manage SSL across the entire environment.

Thank you in advance for your help!

Tags (3)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
Wednesday
This explains things more easily than those docs if you haven’t earlier experience about TLS https://conf.splunk.com/files/2023/slides/SEC1936B.pdf
Reply

inventsekar
SplunkTrust
SplunkTrust
Wednesday

Hi @BRFZ 

(As others have not mentioned it yet) maybe pls have a look at this doc,.. it got pretty good details:

https://docs.splunk.com/Documentation/Splunk/9.4.0/Security/WhatyoucansecurewithSplunk

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

BRFZ
Path Finder
Wednesday

Thank you for your response and the provided documentation.
I’ve already followed the steps, but encountered communication issues and I had to reset the configuration in order to restore connectivity.

Could you please provide a more detailed procedure or tailored guidance for my case to help me securely configure TLS/SSL?

0 Karma
Reply

dural_yyz
Builder
‎11-12-2024 06:07 AM

https://lantern.splunk.com/Splunk_Platform/Product_Tips/Administration/Securing_the_Splunk_platform_...

 

These articles can explain it much better than I can and it is coming straight from the source.

Reply

BRFZ
Path Finder
‎11-12-2024 06:42 AM

Thank you @dural_yyz for your prompt response and for providing the documentation. However, I need further assistance regarding the SSL certificates that need to be generated for my Splunk environment.

Could you please clarify whether I need to generate a separate certificate for each component (e.g., search head, indexers, forwarders, etc.)? Additionally, do I need to create different certificates for the various connections between these components?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-12-2024 07:03 AM

As a general rule, you should _always_ create separate certificates for separate entities (in your case - for separate components).

Also remember that if you decide to enable client authentication, certificate must be issued with proper key usage.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...