Security

SSL certificate in Splunk web

Dharani
Explorer

Hi Splunkers,

I have clustered environment. One of indexer got SSL expired. I have created csr and pem file. Bu submitting that csr I got new SSL certificate from my organization.

Now I logged in to that indexer , i downloaded the new SSL certificate to the same folder where my pem key is there. 

went to , etc/system/local and updated the web.conf file as below. 

[settings]

startwebserver = 1

caCertPath = etc/auth/cert/sra-index-01-cert.pem
privKeyPath = etc/auth/cert/sra-index-01-PassKey.pem

sendStrictTransportSecurityHeader = true
enableSplunkWebSSL = true
 
allowSslRenegotiation = false
allowSslCompression = false

 

now , I need to verify SSL is properly applied to Splunk server or not. When I logged in web UI, I am not able to see valid certificate date , it is still showing previous expired certificate date.

 

How to verify it or Am I missing anything?

Labels (4)
0 Karma

splunkyj
Path Finder

web.conf if for Splunk Web. In order to use this, your private key must be decrypted. Which means, you are able to verify the certificate using ssl and it doesn't prompt you for a password.

But I doubt you need to access your indexer in Splunk Web. When I changed our certificates system-wide these were my notes for Indexers:

---To prevent server from trying to reach Splunk Base for updates--

Etc/system/local/server.conf 

[applicationsManagement] 

allowInternetAccess = false 

 ---without this, mongod will fail to start. 

[kvstore]

serverCert = $SPLUNK_HOME/etc/auth/<servername>/<servername>.pem 

sslPassword = <password_of_serverCert> 

 

[sslConfig] 

serverCert = $SPLUNK_HOME/etc/auth/<servername>/<servername>_.pem 

sslPassword = <password_of_serverCert> 

sslRootCAPath = $SPLUNK_HOME/etc/auth/rootca/Root_CA.pem

 

Etc/system/local/inputs.conf 

 

[SSL] 

serverCert = $SPLUNK_HOME/etc/auth/receiver/receiver_cert.pem 

sslPassword = <password >

sslVersions = -all, tls1.2

 

Now, if you must access Splunk Web into the indexer:

Etc/system/local/web.conf 

Note: Splunk Web will not work with encrypted private key. Ensure you are using  decrypted private key and certificate for this configuration.  

 [settings] 

privKeyPath = $SPLUNK_HOME/etc/auth/<servername>/<webServerCert>_webServerCert_priv.key 

serverCert = $SPLUNK_HOME/etc/auth/<servername>/< webServerCert>_webServerCert_cert.pem 

 

To export private key decrypted for us in Splunk Web web.conf, you can use the following:

  1. Export private key, you will need the pass phrase:
    • openssl rsa -in server_priv.key -out web_server_priv.key
    • you can copy this contents and replace the key on your original servercert.pem and save it as whatever name you like: web_servercert.pem
  2. Test your certificate to ensure you are not prompted for passphrase:  openssl rsa -in web_servercert.pem –text (Remember, you will only use this for web.conf, if you try to use this in server.conf - mongod will not start due to no passphrase)

 

0 Karma

jacobpevans
Motivator

Silly question, but did you restart Splunk after making the changes?

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma

Dharani
Explorer

Hi Jacob,

I am not expecting this stupid answer.

 

Cheers !

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...