Security

How to change the Splunk Web URL secured by https?

Explorer

Hello,

I like to update/rename the Splunk Web URL which is currently secured with HTTPS

E.g. -> https://localhost:8000
Rename/Update -> https://mysplunkurl.co.in

My plan is to update the DNS entry but I am unsure about what changes I need to make on Splunk.

Really appreciate if you can share some information on the above.

Thank you

1 Solution

SplunkTrust
SplunkTrust

hi @srami , there is 2 ways of doing this

You can do it by creating a web.conf under SPLUNK_HOME/etc/system/local

Add the follwoing stanza

[settings]
httpport = <https port number>
enableSplunkWebSSL = true
privKeyPath = $SPLUNK_HOME/etc/auth/splunkweb/cert_name.key
caCertPath = $SPLUNK_HOME/etc/auth/splunkweb/cert_name.pem

Restart Splunk service

OR you could go into the GUI and do settings>system>server settings>General settings --> Splunk Web and select 'Enable SSL'

Restart Splunk service, when it starts up, you will need to add https://

You can change the URL name by editing server.conf under SPLUNK_HOME/etc/system/local

Create the stanza

[general]
servername = mysplunkurl.co.in

Restart Splunk service

View solution in original post

Splunk Employee
Splunk Employee

Hi @srami - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post. If no, please leave a comment with more feedback. Thanks.

Communicator

Hello,
If you have a certificate and want to use it, your /opt/splunk/etc/system/local/web.conf to look like this:

[settings]
enableSplunkWebSSL = 1
httpport = 8000
privKeyPath = $SPLUNK_HOME/etc/auth/splunkweb/your_cert_name.key
caCertPath = $SPLUNK_HOME/etc/auth/splunkweb/your_cert_name.pem
0 Karma

SplunkTrust
SplunkTrust

hi @srami , there is 2 ways of doing this

You can do it by creating a web.conf under SPLUNK_HOME/etc/system/local

Add the follwoing stanza

[settings]
httpport = <https port number>
enableSplunkWebSSL = true
privKeyPath = $SPLUNK_HOME/etc/auth/splunkweb/cert_name.key
caCertPath = $SPLUNK_HOME/etc/auth/splunkweb/cert_name.pem

Restart Splunk service

OR you could go into the GUI and do settings>system>server settings>General settings --> Splunk Web and select 'Enable SSL'

Restart Splunk service, when it starts up, you will need to add https://

You can change the URL name by editing server.conf under SPLUNK_HOME/etc/system/local

Create the stanza

[general]
servername = mysplunkurl.co.in

Restart Splunk service

View solution in original post

Path Finder

Hi @srami and @skoelpin ,
I tried your second approach.
But still after changing the serverName under server.conf, when i restart splunk services, we get

The Splunk web interface is at https://hostname.domain.net:443

Ideally it should give https://splunkurl.co.in and this URL should be accessible.
i have give the httpport = 443 in web.conf also.

0 Karma

Explorer

Hi @skoelpin,

Thank you for the response. Really appreciate it!

I evaluated both the approaches you provided and have some questions on them below:
Approach 1:
a) How does the certificate impact the Splunk URL?
b) Not sure where to add the new URL name using this approach?

Approach 2:
c) Will I need certificates to start using the new URL listed in the server.conf file?
d) How will other systems in the environment resolve this URL?

0 Karma

SplunkTrust
SplunkTrust

I think mis-read the question, I see you already have SSL enabled and want to change the URL and want to know if this will impact the SSL.

I have not tried this, so I cannot give you a 100% accurate answer. BUT, I have enabled SSL and generated certs so I can give you a most likely answer.. When generating the cert/pem file, it's relative to the host, not the URL so any changes to the URL should not be affected

http://docs.splunk.com/Documentation/Splunk/6.5.0/Security/Self-signcertificatesforSplunkWeb

So go into your server.conf and modify the name of the URL and this should do the trick (I would test in a sandbox environment first before making changes in production).. The only thing this "should" affect is the URL used to access Splunk. So if you have 10 people using that URL to access Splunk, you will then need to notify 10 people that the URL has changed.

[general]
 servername = mysplunkurl.co.in

Restart the Splunk service on the indexer(s)

0 Karma

SplunkTrust
SplunkTrust

Did this help solve your problem? If so can you close the question and accept the answer

0 Karma

Explorer

Hi @skoelpin,
I updated the server name of my indexer as per the instructions you gave. Unfortunately, when I try to connect to this server via Splunk Web, it gave me a 'page not found' error.
Here are the steps I followed -

1. Updated server.conf
[general]
serverName=mysplunkurl.co.in
2. Restart Splunk
3. Connect to server via Splunk Web
Please let me know if there is any alternatives to this approach?

Thank you

0 Karma

SplunkTrust
SplunkTrust

Now that we confirmed that it's resolving to the correct URL, let's move onto hiding the port number. The browser will interpret port 443 and not show it when keying in the URL. So if you want to hide the port number and only have to type in mysplunkurl.co.in then you will need to change it from port 8000 to port 443. This can be done by going to $SPLUNK_HOME/etc/system/local and adding the following to web.conf and restart the Splunk service

[settings]
enableSplunkWebSSL = 0
httpport = 443

If you do not have a web.conf then go ahead and make it and add that stanza to it.

*To anyone else reading this, I worked with @srami in the IRC and we resolved the error associated with changing the URL name

Ultra Champion

You can follow the following - Turn on encryption (https) with Splunk Web

0 Karma