Hello,
we run an Indexer that functions as a deployment server as well.
I have already configured it to use our CA-Cert for the Web-UI port 8000 as well as for the input port 9997; both work properly. However, I wasn't able to set our certificate for communication on the mgm port 8089. For each request, it returns the pre-shipped self-signed certificate.
Other solutions from this board didn't work, unfortunately.
We are running Splunk Enterprise v9.0.3.
Configs on the indexer:
server.conf
```ini
[sslConfig]
enableSplunkdSSL = true
sslVersions = tls1.2
sslRootCAPath = /opt/splunk/etc/auth/<ourcert>.pem
sslVerifyServerName = true
sslVerifyServerCert = true
sslPassword = <PW>
cliVerifyServerName = true
```
inputs.conf
```ini
[splunktcp-ssl:8089]
disabled = 0
[splunktcp-ssl:9997]
disabled = 0
[SSL]
serverCert = /opt/splunk/etc/auth/<ourcert>.pem
sslPassword = <PW>
requireClientCert = false
sslVersions = tls1.2
sslCommonNameToCheck = splunk.domain1,splunk.domain2
```
I'd be really happy if someone could help me out with this! Thank you!
Looks like you haven't specified the serverCert config in server.conf. It defaults to Splunk's default server certificate server.pem, which is why you always get the default shipped certificate in return to your requests. This cert is what governs the certificate for the management and KVStore ports. Try the following in server.conf (Edit/remove or add lines as per your environment specifications) and RESTART splunk service. Let us know if it worked for you.
```ini
[sslConfig]
enableSplunkdSSL = true
sslRootCAPath = /opt/splunk/etc/auth/mycerts/myCACertificate.pem
serverCert = <Specify the path for your server cert after getting it created for your instance. Defaults to /opt/splunk/etc/auth/server.pem>
sslPassword = mySHCertificatePassword
requireClientCert = true
sslVersions = tls1.2
sslCommonNameToCheck = <Specify yours>
```
++If this helps, please accept as the solution for others running with the same issue finding the solution++
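The cause named in the answer above can be checked offline before restarting. The following Python sketch is an added example, not part of the thread and not Splunk's own tooling: it parses `server.conf` and `inputs.conf` text and reports which certificate splunkd would present on the management port. The function names, the sample constants (built from the question's settings) and the corrected certificate path are assumptions made for illustration.

```python
import re

# Default splunkd certificate path, as stated in the answer above.
DEFAULT_CERT = "/opt/splunk/etc/auth/server.pem"

# Constructed samples: the question's settings (placeholders kept, trimmed).
QUESTION_SERVER_CONF = """
[sslConfig]
enableSplunkdSSL = true
sslRootCAPath = /opt/splunk/etc/auth/<ourcert>.pem
sslPassword = <PW>
"""
QUESTION_INPUTS_CONF = """
[splunktcp-ssl:9997]
disabled = 0
[SSL]
serverCert = /opt/splunk/etc/auth/<ourcert>.pem
"""
# Hypothetical certificate path for the corrected configuration.
FIXED_SERVER_CONF = (QUESTION_SERVER_CONF
                     + "serverCert = /opt/splunk/etc/auth/mycerts/myServerCert.pem\n")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; a repeated key overwrites."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def audit_mgmt_cert(server_conf, inputs_conf=""):
    """Return (certificate splunkd presents on 8089, list of findings)."""
    ssl = parse_conf(server_conf).get("sslConfig", {})
    cert = ssl.get("serverCert") or DEFAULT_CERT
    findings = []
    if cert == DEFAULT_CERT:
        findings.append("server.conf [sslConfig] serverCert unset or default: "
                        "port 8089 presents the shipped certificate")
        if parse_conf(inputs_conf).get("SSL", {}).get("serverCert"):
            findings.append("inputs.conf [SSL] serverCert is set, but it only "
                            "covers the splunktcp-ssl inputs")
    return cert, findings
```

On a live instance, read the merged configuration rather than a single file, since settings can come from more than one configuration layer.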
Hello,
I hope the steps below are helpful for you.
Configuring SSL for Splunk Management Port (mgmt port) on port 8089 involves a few steps.
1. Generate SSL Certificates:
Use a tool like OpenSSL to generate SSL certificates (private key, public key, and certificate signing request).
```bash
openssl req -new -newkey rsa:2048 -keyout splunk.key -out splunk.csr
```
2. Get the Certificate Signed:
Submit the `splunk.csr` to a Certificate Authority (CA) to obtain the signed SSL certificate. Once received, you should have the SSL certificate and CA's intermediate certificate.
3. Create SSL Cert Files:
Combine the private key, signed certificate, and CA intermediate certificate into a single PEM file:
```bash
cat splunk.key splunk.crt ca_intermediate.crt > splunk.pem
```
4. Copy Certificates to Splunk Directory:
Move the `splunk.pem` file to the `$SPLUNK_HOME/etc/auth` directory.
```bash
cp splunk.pem $SPLUNK_HOME/etc/auth
```
5. Configure Splunk Web:
Edit the `web.conf` file in `$SPLUNK_HOME/etc/system/local`:
```ini
[settings]
enableSplunkWebSSL = true
privKeyPath = $SPLUNK_HOME/etc/auth/splunk.pem
serverCert = $SPLUNK_HOME/etc/auth/splunk.pem
```
6. Restart Splunk:
Restart Splunk to apply the changes:
```bash
$SPLUNK_HOME/bin/splunk restart
```
Ensure Splunk starts without errors.
7. Access Splunk via HTTPS:
After the restart, you should be able to access the Splunk Management Port via HTTPS using the URL:
```text
https://your-splunk-server:8089
```
Make sure to replace `your-splunk-server` with the actual server hostname or IP.
Remember to keep backups of any configuration files before making changes and consult Splunk's official documentation for the specific version you are using, as configurations may vary.
PLEASE stop regurgitating LLM responses without checking. It's not helpful.
Thank you very much! That's it!