InfoSec requires us to use a cert signed by them. I got the cert signed and set up in web.conf (see below). I had them rescan the setup and he says that it passes on port 8000 but now fails on port 8089 due to Splunk using a self-signed certificate. Where can I make the changes so port 8089 uses our certificate rather than Splunk's self-signed certificate?
[settings]
enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/splunkweb/mySplunkWebPrivateKey.key
caCertPath = /opt/splunk/etc/auth/splunkweb/splunk-emc01.pem
sslVersions = tls1.1, tls1.2
This past post looks like it might help with your question. It discusses making splunkd certificate configurations in the server.conf file.
You can also check out the "Securing Splunk Enterprise" manual for more info.
Hope this helps!
Thanks for the answer but I've already read this answer and it didn't solve my issue or address how to set the cert for port 8089. Can you provide the stanza I should include in server.conf for port 8089?
You were correct, I had it set in web.conf but not server.conf. I was unaware that I needed it in both .confs. Thanks for your help!
For those reading this answer in the future: web.conf is for configuration changes on port 8000 and server.conf is for changes on port 8089, which is the management port that controls the Deployment Server, License Master, Cluster Master, Deployer and REST API access. If you disable port 8089 then Splunk will be unusable.
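The web.conf / server.conf split described above can be checked before asking for a rescan. This is an added example, not part of the original thread or Splunk's own tooling: it parses both files and reports, per port, whether a certificate is explicitly configured. The `[sslConfig]` stanza name, the sample file contents and the status labels are assumptions of the example.

```python
import configparser

# file -> (stanza, port, SSL switch, switch default, settings that name the cert)
# enableSplunkdSSL defaults to true per the spec excerpt in this thread;
# the web.conf default of false is an assumption of this example.
TARGETS = {
    "web.conf": ("settings", 8000, "enableSplunkWebSSL", "false",
                 ("serverCert", "caCertPath")),
    "server.conf": ("sslConfig", 8089, "enableSplunkdSSL", "true",
                    ("serverCert",)),
}
OFF = {"0", "false"}  # simplified boolean handling

def _load(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(text)
    return cp

def audit(confs):
    """confs maps file name -> file text; returns {port: status}."""
    result = {}
    for name, (stanza, port, switch, default, cert_keys) in TARGETS.items():
        cp = _load(confs.get(name, ""))
        opts = dict(cp[stanza]) if cp.has_section(stanza) else {}
        if opts.get(switch, default).strip().lower() in OFF:
            result[port] = "tls-disabled"
        elif any(opts.get(k, "").strip() for k in cert_keys):
            result[port] = "custom-cert"
        else:
            # No cert set in this stanza: the default (self-signed) cert is used
            result[port] = "default-cert"
    return result

# Constructed samples modelled on the configs posted in this thread.
WEB_CONF = """[settings]
enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/splunkweb/mySplunkWebPrivateKey.key
caCertPath = /opt/splunk/etc/auth/splunkweb/splunk-emc01.pem
"""
SERVER_CONF_BEFORE = "[sslConfig]\nenableSplunkdSSL = true\n"
SERVER_CONF_AFTER = SERVER_CONF_BEFORE + (
    "serverCert = /opt/splunk/etc/auth/mycerts/myServerCertificate.pem\n")

if __name__ == "__main__":
    print(audit({"web.conf": WEB_CONF, "server.conf": SERVER_CONF_BEFORE}))
    print(audit({"web.conf": WEB_CONF, "server.conf": SERVER_CONF_AFTER}))
```

A `default-cert` result for 8089 matches the scan finding in the question: the certificate was set for Splunk Web only.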
We don't have a specific topic dedicated to this question in the docs right now, but the following topic might help answer your question about where to set the server.conf stanza:
enableSplunkWebSSL = true
privKeyPath = etc/auth/splunkweb/mySplunkWebPrivateKey.key
serverCert = etc/auth/splunkweb/mySplunkWebCertificate.pem
You might also find the server.conf topic helpful: http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Serverconf
SSL Configuration details
* Set SSL for communications on Splunk back-end under this stanza name.
* NOTE: To set SSL (eg HTTPS) for Splunk Web and the browser, use
* Follow this stanza name with any number of the following attribute/value
* If you do not specify an entry for each attribute, Splunk will use the
* Enables/disables SSL on the splunkd management port (8089) and KV store
* Defaults to true.
* Note: Running splunkd without SSL is not generally recommended.
* Distributed search will often perform better with SSL enabled.
So I still cannot get this working and the info in here is a little misleading. So here is what I have in my server.conf and web.conf. What am I doing wrong?
enableSplunkdSSL = true
sslVersions = "*,-ssl2"
serverCert = /opt/splunk/etc/auth/mycerts/myServerCertificate.pem
sslRootCAPath = /opt/splunk/etc/auth/mycerts/myCACertificate.pem
sslPassword = "hidden"
enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/splunkweb/mySplunkWebPrivateKey.key
serverCert = /opt/splunk/etc/auth/splunkweb/mySplunkWebCertificate.pem
sslVersions = tls1.1, tls1.2