I just got done setting this up, so I'll post my full SSL setup. It might be a little more than needed, but this is the first Google result I saw for multiple Splunk SSL searches. So, use as much or as little as you like, and let's hope it helps some other poor schlub like myself. 🙂
This was done on a Red Hat system. Since Linux considers ports under 1024 sacred, you need to use a higher port when running as a non-root user. Otherwise, you have to run Splunk as root, which is a NO NO. In order to fix that, I used iptables and redirected from 8443 to 443. So, some commands are Red Hat specific, but usually it's pretty easy to Google the distro-specific method.
Set up Splunk to run using SSL with Apache redirects
1) Transfer your cert and private key files to ${SPLUNK_HOME}/etc/auth/splunkweb/. They have to be in PEM format. Make note of the file names for the next step.
2) Edit /opt/splunk/etc/system/local/web.conf and replace any lines with the ones below:
[settings]
enableSplunkWebSSL = 1
httpport = 8443
privKeyPath = etc/auth/splunkweb/${splunkPrivateKeyFile}
caCertPath = etc/auth/splunkweb/${splunkCertificateFile}
Obviously, you can use whatever SSL port you want. Don't forget to substitute the key and cert filenames too. Finally, that's not a typo, the paths are relative to ${SPLUNK_HOME}.
3) Use iptables to redirect port 8443 to 443
I think the method to permanently save your iptables lines differs for other distros. So, do some googling if you're not using Red Hat.
iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
/sbin/service iptables save
4) Set up an Apache redirect for common ports
This might be overkill, but I started my two Splunk servers on the default port (8000). So, having a bunch of people thinking Splunk is down, or having to help them update bookmarks sounded like a drag. So, since an Apache redirect is so easy, I just took anyone going to port 8000 and shot them over to port 443. I also included port 80 just because I could. If you have something running on port 80, just remove that VirtualHost.
Make a new conf file in your Apache dir. I called mine: /etc/httpd/conf.d/splunkRedirect.conf
Put this in that file:
NameVirtualHost *:80
<VirtualHost *:80>
ServerName splunk.integral7.com
RewriteEngine On
RewriteCond %{SERVER_PORT} ^80$
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</VirtualHost>
Listen 8000
NameVirtualHost *:8000
<VirtualHost *:8000>
ServerName splunk.integral7.com
RewriteEngine On
RewriteCond %{SERVER_PORT} ^8000$
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</VirtualHost>
5) Restart Splunk, then Apache
The order is important here: you need Splunk to let go of port 8000 so Apache can grab it for the redirect.
service splunk restart
service httpd restart
And, you're done! Since the redirect is done using mod_rewrite, any bookmarked pages should work the same, but use HTTPS instead of HTTP.
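A pre-flight check for steps 1 and 2 above, as an added example that is not part of the original post and not Splunk tooling: it reads the [settings] stanza of web.conf, resolves privKeyPath and caCertPath relative to SPLUNK_HOME, and reports settings that would stop Splunk Web from coming up on SSL as a non-root user. The sample SPLUNK_HOME, the file names example.key and example.pem, and the extra check that the private key is not readable by group or others are assumptions added here.

```shell
#!/bin/sh
# Added example: pre-flight check of the web.conf from step 2. Not Splunk tooling.

conf_get() {  # conf_get FILE KEY -> value of KEY in the [settings] stanza (last one wins)
    awk -v key="$2" '
        /^[ \t]*\[/ { in_s = ($0 ~ /^[ \t]*\[settings\]/); next }
        in_s && !/^[ \t]*#/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

fail() { echo "FAIL: $*"; bad=$((bad + 1)); }

check_splunk_web_ssl() {  # arg: SPLUNK_HOME; returns the number of failed checks
    home=$1; conf="$home/etc/system/local/web.conf"; bad=0
    [ -f "$conf" ] || { fail "missing $conf"; return "$bad"; }
    [ "$(conf_get "$conf" enableSplunkWebSSL)" = 1 ] || fail "enableSplunkWebSSL is not 1"
    port=$(conf_get "$conf" httpport)
    case $port in
        ''|*[!0-9]*) fail "httpport is not numeric: '$port'" ;;
        *) [ "$port" -ge 1024 ] || fail "httpport $port is below 1024, non-root cannot bind it" ;;
    esac
    for key in privKeyPath caCertPath; do
        rel=$(conf_get "$conf" "$key"); path="$home/$rel"   # paths are relative to SPLUNK_HOME
        [ -n "$rel" ] && [ -f "$path" ] || { fail "$key: no file at '$path'"; continue; }
        grep -q -e '-----BEGIN ' "$path" || fail "$key: $path is not PEM"
        # Assumption added here: the key should carry no group/other permission bits.
        if [ "$key" = privKeyPath ] && [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            fail "private key $path is accessible to group or others"
        fi
    done
    return "$bad"
}

make_sample_home() {  # constructed SPLUNK_HOME; file names and PEM bodies are placeholders
    h=$(mktemp -d); mkdir -p "$h/etc/system/local" "$h/etc/auth/splunkweb"
    printf '%s\n' '[settings]' 'enableSplunkWebSSL = 1' 'httpport = 8443' \
        'privKeyPath = etc/auth/splunkweb/example.key' \
        'caCertPath = etc/auth/splunkweb/example.pem' > "$h/etc/system/local/web.conf"
    printf '%s\n' '-----BEGIN PRIVATE KEY----- (placeholder)' > "$h/etc/auth/splunkweb/example.key"
    printf '%s\n' '-----BEGIN CERTIFICATE----- (placeholder)' > "$h/etc/auth/splunkweb/example.pem"
    chmod 600 "$h/etc/auth/splunkweb/example.key"
    echo "$h"
}

demo=$(make_sample_home)
check_splunk_web_ssl "$demo" && echo "web.conf SSL settings look consistent"
rm -rf "$demo"
```

Against a real install, call check_splunk_web_ssl /opt/splunk before the restart in step 5; a non-zero return is the number of failed checks.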