How-To Enable SSL/TLS Encryption for the Splunk Web UI Port (tcp/8000)

The most straightforward, lowest-risk encryption to configure and enable in a Splunk environment is standard HTTPS (TLS) for the Splunk Web GUI. It is the lowest risk because any failure in implementation results only in a certificate error or the web page not loading; it does not interrupt traffic forwarding or core management functionality.

Note: We will not cover obtaining a 3rd party Certificate Authority (CA) signed certificate. Numerous posts on the subject exist online and specifically on the various CA websites as well as the Splunk Docs site.

Note: HTTPS encryption of traffic inbound to the Splunk UI may also be accomplished via a front-end load balancer. This is a recommended configuration for nodes in a search head cluster. If the load balancer terminates TLS, still configure Splunk Web TLS as described here so the hop from the load balancer to the search heads is re-encrypted rather than sent in the clear. Load balancer configuration/integration with Splunk is beyond the scope of this article.

To configure a Splunk instance to use TLS encryption at the search head, perform the following steps:

1) Upload the server certificate (which carries the public key), the private key, and the intermediate certificate(s) to the Splunk server.

Splunk Docs recommends the following location as an example. I will use the same location although the folder name can be changed as desired.

$SPLUNK_HOME/etc/auth/mycerts/

Modify "mycerts" to instead reference a short unique identifier for your organization.

Splunk, by default, uses cert.pem and privkey.pem as the file names for the server certificate and private key. I will use the same here although there is no requirement to do so.

Note that although Splunk will start without it, appending the intermediate certificate chain (excluding the root CA certificate, which clients must already trust) is a best practice: without it, browsers and API clients that do not already hold the intermediate cannot build a path to a trusted root and will reject the certificate. The CA provides the intermediates as a bundle; append them to the server certificate in the following order (leaf first, then each intermediate up to, but not including, the root). The "# ... #" annotations below are markers for this article only; the file itself must contain nothing but the PEM blocks:

-----BEGIN CERTIFICATE----- # Your server certificate here #
MIIFqjCCBJKgAwIBAgIQT0eb7D7qe0Fv+IPt8WRkPTANBgkqhkiG9w0BAQsFADCB
jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
...truncated...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- # Your lowest level intermediate here #
MIIFqjCCBJKgAwIBAgIQT0eb7D7qe0Fv+IPt8WRkPTANBgkqhkiG9w0BAQsFADCB
jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
...truncated...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- # highest level (closest to root CA cert) here #
MIIFqjCCBJKgAwIBAgIQT0eb7D7qe0Fv+IPt8WRkPTANBgkqhkiG9w0BAQsFADCB
jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
...truncated...
-----END CERTIFICATE-----

For reference, the private key looks like this. Splunk expects it unencrypted by default; if the key is passphrase-protected, set sslPassword in the same web.conf stanza configured in step 2:

-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCmPQfkbtXcvaxI
...truncated...
-----END PRIVATE KEY-----

When the certs have been uploaded, make sure both files are owned by the user that runs splunkd and tighten permissions so that only that user can read the private key (the certificate is public and may stay world-readable). We should then see the following in place:

[splunk@lab01 ~]$ chmod 600 $SPLUNK_HOME/etc/auth/mycerts/privkey.pem
[splunk@lab01 ~]$ ls -l $SPLUNK_HOME/etc/auth/mycerts/
total 8
-rw-r--r-- 1 splunk splunk 2025 Apr 23 20:29 cert.pem
-rw------- 1 splunk splunk 1704 Apr 23 20:18 privkey.pem

2) Add the following attributes to your web.conf file (if a web.conf already exists in system/local, merge these keys into its existing [settings] stanza):

vi $SPLUNK_HOME/etc/system/local/web.conf

[settings]
enableSplunkWebSSL = 1
privKeyPath = /opt/splunk/etc/auth/mycerts/privkey.pem
serverCert = /opt/splunk/etc/auth/mycerts/cert.pem
httpport = 8000

serverCert points at the bundle built in step 1 (server certificate followed by its intermediates). Paths may be absolute, as here, or relative to $SPLUNK_HOME; a relative path cannot refer outside $SPLUNK_HOME. httpport = 8000 is the default and is listed only to make the listener explicit. Optionally harden the listener further in the same stanza with sslVersions (for example, sslVersions = tls1.2) and cipherSuite; see the web.conf reference for the accepted values.

3) Finally, restart splunkd:

via systemd:

systemctl restart Splunkd

or via the Splunk CLI (init.d installs, or when Splunk is not managed by a service manager):

$SPLUNK_HOME/bin/splunk restart

4) In the event of an issue after the splunkd restart (web service does not start, browser shows a certificate error, etc.), check the following:

netstat -an | grep 8000          (or: ss -ltn | grep 8000; insert your expected web port here)
tail -f $SPLUNK_HOME/var/log/splunk/web_service.log
openssl s_client -connect my.hostname.com:8000 -servername my.hostname.com -showcerts

The first command tells us whether Splunk got as far as listening on the web port at all. web_service.log gives a more conclusive view of the nature of the error and will call out a certificate or key file that could not be found or read, or a private key that does not match the certificate. openssl s_client makes a real TLS connection to the web port (tcp/8000, not the HEC port, tcp/8088, which has its own certificate configuration), prints the handshake, the certificate chain the server presented, and a verification result. Look for the intermediate(s) in the presented chain and for "Verify return code: 0 (ok)"; pass -CAfile <bundle> if the issuing CA is not in the system trust store. A result of "unable to get local issuer certificate" with only one certificate in the chain means the intermediate was not appended in step 1.
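The steps above lend themselves to a pre-flight check before the restart. The following POSIX shell script is an added example written for this article; it is not Splunk's code and not part of the original post. It assumes openssl 1.1.1 or later on the PATH and the $SPLUNK_HOME layout from step 1; the directory name mycerts, the host name splunk.example.test, and all function names are hypothetical. It verifies that the private key belongs to the certificate, that the bundle is ordered leaf-then-intermediates with the root left out, and that the bundle chains to a given root; installs the files with the permissions from step 1; writes the step 2 stanza; and, after the restart, performs the step 4 handshake check with SNI and hostname verification.

```shell
#!/bin/sh
# Splunk Web TLS pre-flight and install helper (added example, not Splunk's code).
# Assumes: openssl 1.1.1+ on PATH; $SPLUNK_HOME layout as in the article.
# "mycerts", splunk.example.test and every file name here are hypothetical.

# Subject / issuer of a PEM certificate in RFC 2253 form, e.g. "CN=Foo".
cert_subject() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'; }
cert_issuer()  { openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^issuer=//'; }

# Does the private key belong to the certificate? Compare the SubjectPublicKeyInfo
# derived from each side (works for RSA and EC keys alike).
key_matches_cert() {  # certfile keyfile
  km_a=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
  km_b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$km_a" ] && [ "$km_a" = "$km_b" ]
}

# Split a PEM bundle into <dir>/cert-1.pem, cert-2.pem, ... and print the count.
split_pem() {  # bundle outdir
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert-" n ".pem" }
                 n > 0 { print > f }
                 END { print n + 0 }' "$1"
}

# Check the order step 1 prescribes: leaf first, then each intermediate, every
# certificate issued by the one after it. Returns 1 on a break in the chain and
# 2 if the last certificate is self-signed (the root CA was appended).
chain_order_ok() {  # chainfile
  co_dir=$(mktemp -d); co_rc=0
  co_n=$(split_pem "$1" "$co_dir")
  if [ "$co_n" -lt 1 ]; then echo "no certificates found in $1"; co_rc=1; fi
  co_i=1
  while [ "$co_rc" -eq 0 ] && [ "$co_i" -lt "$co_n" ]; do
    co_iss=$(cert_issuer "$co_dir/cert-$co_i.pem")
    co_sub=$(cert_subject "$co_dir/cert-$((co_i + 1)).pem")
    if [ "$co_iss" != "$co_sub" ]; then
      echo "chain break: cert $co_i is issued by '$co_iss' but cert $((co_i + 1)) is '$co_sub'"
      co_rc=1
    fi
    co_i=$((co_i + 1))
  done
  if [ "$co_rc" -eq 0 ] && [ "$(cert_issuer "$co_dir/cert-$co_n.pem")" = "$(cert_subject "$co_dir/cert-$co_n.pem")" ]; then
    echo "last certificate is self-signed: drop the root CA from the bundle"; co_rc=2
  fi
  rm -rf "$co_dir"
  return "$co_rc"
}

# Does the bundle chain up to the given root? openssl verify only checks the first
# certificate it is handed, so feed it the leaf and offer the whole bundle as the
# untrusted intermediates. For a public CA, point rootca at the OS trust bundle.
chain_verifies() {  # chainfile rootca
  openssl x509 -in "$1" 2>/dev/null | openssl verify -CAfile "$2" -untrusted "$1" >/dev/null 2>&1
}

# Copy the files into place with the step 1 permissions and write the step 2 stanza.
# Refuses to clobber an existing system/local/web.conf: merge the keys by hand.
install_splunk_web_tls() {  # splunk_home certdir_name chainfile keyfile
  iw_dir="$1/etc/auth/$2"; iw_conf="$1/etc/system/local/web.conf"
  if [ -e "$iw_conf" ]; then echo "$iw_conf exists; add the [settings] keys to it manually"; return 1; fi
  mkdir -p "$iw_dir" "$1/etc/system/local"
  cp "$3" "$iw_dir/cert.pem"    && chmod 644 "$iw_dir/cert.pem"
  cp "$4" "$iw_dir/privkey.pem" && chmod 600 "$iw_dir/privkey.pem"
  cat > "$iw_conf" <<EOF
[settings]
enableSplunkWebSSL = 1
privKeyPath = $iw_dir/privkey.pem
serverCert = $iw_dir/cert.pem
httpport = 8000
EOF
}

# Step 4 from the client side: handshake against the web port with SNI, verify the
# presented chain against cafile and the hostname, and require a clean result.
splunk_web_tls_ok() {  # host port cafile
  printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$1" \
      -verify_hostname "$1" -CAfile "$3" -showcerts 2>&1 \
    | grep -q 'Verify return code: 0 (ok)'
}

# Stand-alone use: sh splunk_web_tls.sh cert.pem privkey.pem rootca.pem
main() {
  key_matches_cert "$1" "$2" || { echo "private key does not match certificate"; return 1; }
  chain_order_ok "$1" || return 1
  chain_verifies "$1" "$3" || { echo "bundle does not verify against $3"; return 1; }
  echo "pre-flight OK"
}
if [ "$#" -eq 3 ]; then main "$@"; fi
```

Run the pre-flight against the assembled cert.pem and privkey.pem before touching web.conf; after the restart, call splunk_web_tls_ok with the host name in the certificate, port 8000, and the CA bundle your clients trust, which catches a missing intermediate and a hostname mismatch in one step.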

Resources

(1) Splunk Docs: Secure Splunk Web Using a Signed Certificate

https://docs.splunk.com/Documentation/Splunk/latest/Security/SecureSplunkWebusingasignedcertificate

(2) Splunk Docs: Get Third Party Certificates for Splunk Web

https://docs.splunk.com/Documentation/Splunk/latest/Security/Getthird-partycertificatesforSplunkWeb



John McGovern

San Diego, CA