
How to configure Splunk Mgm Port 8089 SSL certificate?

dsfyxcasdcertzu
Explorer

Hello,

we run an Indexer that functions as deployment server as well.

I have already configured it to use our CA-Cert for the Web-UI port 8000 as well as for the input port 9997; both work properly. However, I wasn't able to set our certificate for communication on the mgm port 8089. For each request, it returns the pre-shipped self-signed certificate.

Other solutions from this board didn't work, unfortunately.

We are running Splunk Enterprise v9.0.3.

Configs on the indexer:

server.conf

```ini
[sslConfig]
enableSplunkdSSL = true
sslVersions = tls1.2
sslRootCAPath = /opt/splunk/etc/auth/<ourcert>.pem
sslVerifyServerName = true
sslVerifyServerCert = true
sslPassword = <PW>
cliVerifyServerName = true
```

inputs.conf

```ini
[splunktcp-ssl:8089]
disabled = 0

[splunktcp-ssl:9997]
disabled = 0


[SSL]
serverCert = /opt/splunk/etc/auth/<ourcert>.pem
sslPassword = <PW>
requireClientCert = false
sslVersions = tls1.2
sslCommonNameToCheck = splunk.domain1,splunk.domain2
```

 

 

I'd be really happy if someone could help me out with this! Thank you!

0 Karma
1 Solution

shivanshu1593
Builder

Looks like you haven't specified the serverCert config in server.conf. It defaults to Splunk's default server certificate server.pem, which is why you always get the default shipped certificate in return to your requests. This cert is what governs the certificate for the management and KVStore ports. Try the following in server.conf (Edit/remove or add lines as per your environment specifications) and RESTART splunk service. Let us know if it worked for you.

```ini
[sslConfig]
enableSplunkdSSL = true
sslRootCAPath = /opt/splunk/etc/auth/mycerts/myCACertificate.pem
serverCert = <Specify the path for your server cert after getting it created for your instance. Defaults to /opt/splunk/etc/auth/server.pem>
sslPassword = mySHCertificatePassword
requireClientCert = true
sslVersions = tls1.2
sslCommonNameToCheck = <Specify yours>
```

 

++If this helps, please accept as the solution for others running with the same issue finding the solution++

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
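
A way to check the fix described in the answer above, as an added example that is not part of the original post: it tests whether `[sslConfig]` in a given server.conf sets `serverCert`, and shows the certificate actually presented on port 8089. The function names and the sample file are illustrative, and the "missing" case assumes, as the answer states, that splunkd then serves the shipped server.pem.

```bash
# Added example, not code from the thread; function names are illustrative.
# conf_get FILE STANZA KEY: print KEY's value inside [STANZA] of one .conf file.
# It reads a single file only; for the merged configuration splunkd uses, run
#   $SPLUNK_HOME/bin/splunk btool server list sslConfig --debug
conf_get() {
  awk -v stanza="[$2]" -v key="$3" '
    /^[ \t]*#/  { next }
    /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, ""); in_s = ($0 == stanza); next }
    in_s {
      eq = index($0, "="); if (!eq) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) val = v
    }
    END { if (val != "") print val }
  ' "$1"
}

# check_mgmt_cert FILE: classify [sslConfig] serverCert for the port 8089 listener.
#   missing: no serverCert, so the shipped server.pem is served (per the answer)
#   default: serverCert still points at .../auth/server.pem
#   custom:  serverCert points at another file
check_mgmt_cert() {
  cert=$(conf_get "$1" sslConfig serverCert)
  case "$cert" in
    "")                echo missing ;;
    */auth/server.pem) echo default ;;
    *)                 echo custom ;;
  esac
}

# show_mgmt_cert HOST [PORT]: subject, issuer and expiry of the certificate that
# splunkd presents after the restart (needs network access to the host).
show_mgmt_cert() {
  openssl s_client -connect "$1:${2:-8089}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -enddate
}

# Constructed sample: an [sslConfig] stanza like the question's, without serverCert.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[sslConfig]
enableSplunkdSSL = true
sslVersions = tls1.2
sslRootCAPath = /opt/splunk/etc/auth/ourcert.pem
EOF
echo "sample server.conf: $(check_mgmt_cert "$sample")"
rm -f "$sample"
```

If `show_mgmt_cert` still reports the shipped self-signed issuer after a restart, compare the btool output with the file you edited to see which copy of server.conf is taking precedence.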


CharmiPatel
New Member

Hello,

I hope the steps below are helpful for you.

Configuring SSL for Splunk Management Port (mgmt port) on port 8089 involves a few steps. 

1. Generate SSL Certificates:
Use a tool like OpenSSL to generate SSL certificates (private key, public key, and certificate signing request).

```bash
openssl req -new -newkey rsa:2048 -keyout splunk.key -out splunk.csr
```

2. Get the Certificate Signed:
Submit the `splunk.csr` to a Certificate Authority (CA) to obtain the signed SSL certificate. Once received, you should have the SSL certificate and CA's intermediate certificate.

3. Create SSL Cert Files:
Combine the private key, signed certificate, and CA intermediate certificate into a single PEM file:

```bash
cat splunk.key splunk.crt ca_intermediate.crt > splunk.pem
```

4. Copy Certificates to Splunk Directory:
Move the `splunk.pem` file to the `$SPLUNK_HOME/etc/auth` directory.

```bash
cp splunk.pem $SPLUNK_HOME/etc/auth
```

5. Configure Splunk Web:
Edit the `web.conf` file in `$SPLUNK_HOME/etc/system/local`:

```ini
[settings]
enableSplunkWebSSL = true
privKeyPath = $SPLUNK_HOME/etc/auth/splunk.pem
serverCert = $SPLUNK_HOME/etc/auth/splunk.pem
```

6. Restart Splunk:
Restart Splunk to apply the changes:

```bash
$SPLUNK_HOME/bin/splunk restart
```

Ensure Splunk starts without errors.

7. Access Splunk via HTTPS:
After the restart, you should be able to access the Splunk Management Port via HTTPS using the URL:

```text
https://your-splunk-server:8089
```

Make sure to replace `your-splunk-server` with the actual server hostname or IP.

Remember to keep backups of any configuration files before making changes and consult Splunk's official documentation for the specific version you are using, as configurations may vary.

0 Karma

lordbanana
Engager

PLEASE stop regurgitating LLM responses without checking. It's not helpful.

0 Karma

dsfyxcasdcertzu
Explorer

Thank you very much! That's it!

0 Karma
