Configuring SSL for Splunk Enterprise on RHEL 9 and CentOS 9

Secure Your Splunk Enterprise: A Step-by-Step SSL Configuration Guide for RHEL 9 & CentOS 9

In today’s data-driven landscape, securing your Splunk Enterprise instance isn’t just a best practice—it’s a necessity. Unencrypted communication leaves sensitive log data, user credentials, and administrative sessions vulnerable to interception. By implementing SSL/TLS, you encrypt all data in transit between users and the Splunk Web interface, ensuring confidentiality and integrity.

This comprehensive guide will walk you through the essential steps to configure SSL for Splunk Web on Red Hat Enterprise Linux (RHEL) 9 and CentOS 9. Following these instructions will help you fortify your Splunk deployment and meet critical security compliance standards.

Prerequisites: Before You Begin

Before diving into the configuration, ensure you have the following in place:

  • Splunk Enterprise Installed: A functioning Splunk instance is running on your RHEL 9 or CentOS 9 server.
  • Root or Sudo Access: You will need elevated privileges to generate certificates and modify configuration files.
  • A Fully Qualified Domain Name (FQDN): Your Splunk server should be accessible via a domain name (e.g., splunk.yourcompany.com) that you control.

Step 1: Generate a Private Key and Certificate Signing Request (CSR)

The first step is to create a private key and a Certificate Signing Request (CSR). The private key remains securely on your server, while the CSR is a block of encoded text you provide to a Certificate Authority (CA) to obtain your official SSL certificate.

  1. Log in to your server via SSH and gain root privileges.

  2. Navigate to a secure directory where you intend to store your SSL files, such as /opt/splunk/etc/auth/.

  3. Execute the following OpenSSL command to generate both a 2048-bit RSA private key and your CSR:

    openssl req -new -newkey rsa:2048 -nodes -keyout splunk.key -out splunk.csr
    
    • -newkey rsa:2048: Creates a new 2048-bit RSA key.
    • -nodes: “No DES,” meaning the private key will not be encrypted with a passphrase. While a passphrase adds security, it requires manual entry on every Splunk restart, making it unsuitable for most automated environments.
    • -keyout splunk.key: Specifies the output file for your private key.
    • -out splunk.csr: Specifies the output file for your CSR.
  4. You will be prompted to enter information for your certificate. Pay close attention to the “Common Name (CN)” field. This must exactly match the FQDN that users will use to access your Splunk instance.

    Country Name (2 letter code) [XX]:US
    State or Province Name (full name) []:California
    Locality Name (eg, city) [Default City]:San Francisco
    Organization Name (eg, company) [Default Company Ltd]:My Company
    Organizational Unit Name (eg, section) []:IT Department
    Common Name (eg, your name or your server's hostname) []:splunk.yourcompany.com
    Email Address []:[email protected]
    

You will now have two files: splunk.key (your private key) and splunk.csr (your CSR).

Step 2: Obtain Your SSL Certificate from a Certificate Authority (CA)

With your CSR in hand, you must now get a certificate from a trusted CA like DigiCert, Sectigo, or the free service Let’s Encrypt. The process generally involves:

  1. Purchasing an SSL certificate from a provider.
  2. Submitting the content of your splunk.csr file during the certificate activation process.
  3. Completing the domain validation process to prove you own the domain.

Once approved, the CA will provide you with several certificate files, typically including your server certificate and one or more intermediate certificates (also known as a chain or bundle).

Step 3: Prepare and Combine the Certificate Files for Splunk

Splunk requires the server certificate and any intermediate certificates to be combined into a single file. This is often called a “full chain” or “chained” certificate.

  1. Download your server certificate (e.g., splunk_yourcompany_com.crt) and the CA’s intermediate bundle (e.g., ca-bundle.crt) to your server.

  2. Use the cat command to concatenate them into a single .pem file. The order is crucial: your server certificate must come first, followed by the intermediate certificates.

    cat splunk_yourcompany_com.crt ca-bundle.crt > splunk_chain.pem
    
  3. Move the final splunk_chain.pem and your splunk.key file into a permanent, secure location within your Splunk directory, such as /opt/splunk/etc/auth/mycerts/.

  4. Actionable Security Tip: It is critical to set proper file permissions to protect your private key. Only the user that Splunk runs as should be able to read these files.

    chown -R splunk:splunk /opt/splunk/etc/auth/mycerts/
    chmod 600 /opt/splunk/etc/auth/mycerts/splunk.key
    chmod 644 /opt/splunk/etc/auth/mycerts/splunk_chain.pem
    

Step 4: Configure Splunk to Use SSL

Now, you need to tell Splunk where to find your new key and certificate. This is done by editing the web.conf file. It’s best practice to create a local version of this file to avoid your changes being overwritten during an upgrade.

  1. Create or edit the local configuration file: /opt/splunk/etc/system/local/web.conf.

  2. Add the following stanza to the file, updating the paths to match your file locations:

    [settings]
    enableSplunkWebSSL = true
    privKeyPath = /opt/splunk/etc/auth/mycerts/splunk.key
    serverCert = /opt/splunk/etc/auth/mycerts/splunk_chain.pem
    
    • enableSplunkWebSSL = true: This is the master switch that enables HTTPS for the Splunk Web interface.
    • privKeyPath: The absolute path to your private key (.key) file.
    • serverCert: The absolute path to your combined certificate chain (.pem) file.

Step 5: Restart Splunk and Verify the Configuration

The final step is to apply the changes and verify that your secure connection is working correctly.

  1. Restart the Splunk service to load the new configuration:

    /opt/splunk/bin/splunk restart
    
  2. Once Splunk is back online, open a web browser and navigate to your instance using HTTPS: https://splunk.yourcompany.com:8000.

  3. Confirm the secure connection. You should see a padlock icon in your browser’s address bar. Clicking it should show that the connection is secure and the certificate is valid and issued to your domain. If you see any certificate warnings, double-check that your combined certificate file (splunk_chain.pem) was created in the correct order.

By following these steps, you have successfully enabled SSL/TLS on your Splunk Enterprise instance, encrypting all web traffic and significantly enhancing its overall security posture. Regularly monitor your certificate’s expiration date to ensure continuous protection.

Source: https://infotechys.com/configure-ssl-for-splunk-enterprise-on-rhel-9/
