How to configure certificate on port 8089?

skoelpin
SplunkTrust

InfoSec requires us to use a cert signed by them. I got the cert signed and set up in web.conf (see below). I had them rescan the setup and he says that it passes on port 8000 but now fails on port 8089 due to Splunk using a self-signed certificate. Where can I make the changes so port 8089 uses our certificate rather than Splunk's self-signed certificate?

[settings]
enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/splunkweb/mySplunkWebPrivateKey.key
caCertPath = /opt/splunk/etc/auth/splunkweb/splunk-emc01.pem
sslVersions = tls1.1, tls1.2
0 Karma
1 Solution

frobinson_splun
Splunk Employee

Hi @skoelpin,

This past post looks like it might help with your question. It discusses making splunkd certificate configurations in the server.conf file.

https://answers.splunk.com/answers/54133/how-do-i-set-the-ssl-cert-for-the-management-port-8089.html

You can also check out the "Securing Splunk Enterprise" manual for more info.
http://docs.splunk.com/Documentation/Splunk/6.5.0/Security/WhatyoucansecurewithSplunk

Hope this helps!

toddhawkins
New Member

So I still cannot get this working and the info in here is a little misleading. So here is what I have in my server.conf and web.conf. What am I doing wrong?

server.conf
[sslConfig]
enableSplunkdSSL = true
sslVersions = "*,-ssl2"
serverCert = /opt/splunk/etc/auth/mycerts/myServerCertificate.pem
sslRootCAPath = /opt/splunk/etc/auth/mycerts/myCACertificate.pem
sslPassword = "hidden"

web.conf
[settings]
enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/splunkweb/mySplunkWebPrivateKey.key
serverCert = /opt/splunk/etc/auth/splunkweb/mySplunkWebCertificate.pem
sslVersions = tls1.1, tls1.2

0 Karma

skoelpin
SplunkTrust

Thanks for the answer but I've already read this answer and it didn't solve my issue or address how to set the cert for port 8089. Can you provide the stanza I should include in server.conf for port 8089?

0 Karma

jworthington_sp
Splunk Employee

We don't have a specific topic dedicated to this question in the docs right now, but the following topic might help answer your question about where to set the server.conf stanza:

http://docs.splunk.com/Documentation/Splunk/6.5.0/Security/Securingyourdeploymentserverandclients

[settings]
enableSplunkWebSSL = true
privKeyPath = etc/auth/splunkweb/mySplunkWebPrivateKey.key
serverCert = etc/auth/splunkweb/mySplunkWebCertificate.pem
cipherSuite =

You might also find the server.conf topic helpful: http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Serverconf

SSL Configuration details

[sslConfig]
* Set SSL for communications on Splunk back-end under this stanza name.
* NOTE: To set SSL (eg HTTPS) for Splunk Web and the browser, use web.conf.
* Follow this stanza name with any number of the following attribute/value pairs.
* If you do not specify an entry for each attribute, Splunk will use the default value.

enableSplunkdSSL =
* Enables/disables SSL on the splunkd management port (8089) and KV store port (8191).
* Defaults to true.
* Note: Running splunkd without SSL is not generally recommended.
* Distributed search will often perform better with SSL enabled.

tashdid
Explorer

This is the real answer. Thanks

0 Karma

skoelpin
SplunkTrust

I wish I read this answer before discovering the solution. Thanks for the help!

frobinson_splun
Splunk Employee

Check the [sslConfig] stanza in server.conf

skoelpin
SplunkTrust

You were correct, I had it set in web.conf but not server.conf. I was unaware that I needed it in both .confs. Thanks for your help!

For those reading this answer in the future: web.conf is for configuration changes on port 8000 and server.conf is for changes on port 8089, which is the management port that controls the Deployment server, license Master, Cluster Master, Deployer and REST API access. If you disable port 8089 then Splunk will be unusable.
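
Added example (not part of the original thread and not Splunk's own code): a small audit of the two files discussed above, reporting per default port whether a custom certificate is configured or the listener would fall back to the default self-signed one. The sample file contents are constructed from the configs posted in this thread, and the `false` default for `enableSplunkWebSSL` is an assumption.

```python
import configparser

# Constructed sample files modelled on the configs posted in this thread.
WEB_CONF = """\
[settings]
enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/splunkweb/mySplunkWebPrivateKey.key
serverCert = /opt/splunk/etc/auth/splunkweb/mySplunkWebCertificate.pem
"""
SERVER_CONF_UNSET = """\
[general]
serverName = splunk-example
"""
SERVER_CONF_SET = """\
[sslConfig]
enableSplunkdSSL = true
serverCert = /opt/splunk/etc/auth/mycerts/myServerCertificate.pem
sslRootCAPath = /opt/splunk/etc/auth/mycerts/myCACertificate.pem
"""

def _parse(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep attribute names exactly as written
    cp.read_string(text)
    return cp

def _status(cp, stanza, enable_key, enabled_default, cert_keys):
    opts = dict(cp[stanza]) if cp.has_section(stanza) else {}
    flag = opts.get(enable_key, enabled_default).strip().strip('"').lower()
    if flag not in ("1", "true"):
        return "ssl disabled"
    if any(opts.get(k, "").strip() for k in cert_keys):
        return "custom certificate"
    return "default self-signed certificate"

def audit(web_conf, server_conf):
    """Map each default port to the certificate its listener would present."""
    return {
        # Port 8000 (Splunk Web) reads web.conf [settings]; serverCert and
        # caCertPath are the two attribute names used in this thread.
        # Assumption: enableSplunkWebSSL is off when not set.
        8000: _status(_parse(web_conf), "settings", "enableSplunkWebSSL",
                      "false", ("serverCert", "caCertPath")),
        # Port 8089 (splunkd management) reads server.conf [sslConfig];
        # enableSplunkdSSL defaults to true per the spec quoted above.
        8089: _status(_parse(server_conf), "sslConfig", "enableSplunkdSSL",
                      "true", ("serverCert",)),
    }

if __name__ == "__main__":
    print(audit(WEB_CONF, SERVER_CONF_UNSET))
    print(audit(WEB_CONF, SERVER_CONF_SET))
```

The first call reproduces the situation in the original question: port 8000 passes while port 8089 still presents the default certificate until `[sslConfig]` in server.conf is populated.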
