Custom Certificate for Port 8089

tmontney
Builder

I've just reconfigured Splunk to use our own certificate for the web management, and it worked great. However, I also need that same cert for 8089. It seems like a different process. From the server.conf example...

[sslConfig]
enableSplunkdSSL = true
useClientSSLCompression = true
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
certCreateScript = genMyServerCert.sh

First off, web.conf asked for private key and server cert. Why in this case are the parameters different? Why can't I point to a private key file? And is certCreateScript mandatory? It seems like it's for auto-generating certificates, but I'm providing my own.

0 Karma

jkat54
SplunkTrust

You shouldn't use the same web cert for splunkd communications.

The web cert is not encrypted with a key, whereas the splunkd cert should be.

If you encrypt the web cert with a key, then the browser will have to present the key to Splunk Web in order to open Splunk Web (it's not a very common configuration, although there are some institutions/regulations that may require the web cert to be encrypted - it doesn't sound like this is one of them because you say "I don't have an sslPassword").

0 Karma

starcher
SplunkTrust

A good place to start is to review the April 2016 recording and PDF.
https://wiki.splunk.com/Virtual_.conf

jkat54
SplunkTrust

April 2016
When: April 28th
Who: George Starcher and Duane Waddle, Defense Point Security
What: Avoid the SSLippery SSLope of Default SSL
Recording: https://splunk.webex.com/splunk/lsr.php?RCID=da90ccae281af46da9e4a3b46c076a0b
Slides: Media:SplunkTrustApril-SSLipperySlopeRevisited.pdf

tmontney
Builder

This webex refers to a lot of deprecated properties. If you compare their sample vs 7.0.0, it's not even close.

0 Karma

jkat54
SplunkTrust

It's true things have been deprecated, but they're easy to map from the presentation to the new field names. The .spec files even show the correct setting:

 sslKeysfilePassword = <password>
 * DEPRECATED; use 'sslPassword' instead.

In the end it's the same concept for generating certs and securing the environment.

0 Karma

tmontney
Builder

Yes, but I don't have an sslPassword. Do I just leave it empty?

jkat54
SplunkTrust

Splunk Web certs don’t have passwords but backend connections do. So you’ll need to key encrypt the web Cert to use it on the backend...

openssl x509 -in /path/to/your/web/cert -out cert.pem -keyout cert.key

0 Karma