Community:SplunkWeb SSL 3rdPartyCA
From Splunk Wiki
Configuring SplunkWeb to use an SSL certificate signed by a third party Certificate Authority
Create a new private key for SplunkWeb and remove its pass phrase
- Generate a new private key:
# openssl genrsa -out mySplunkWebPrivateKey.key 2048
- Note that 1024 bit key length are deprecated and may be phased out by browsers in the future. 2048 bit is a good strength at the moment.
Generate a certificate signature request for a new SplunkWeb server certificate
- Create a new certificate signature request for our new private key using the root certificate we created earlier:
# openssl req -new -key mySplunkWebPrivateKey.key -out mySplunkWebCert.csr
- Using that certificate signature request, have your certificate authority create a new server certificate and sign it. This step is in all likelihood specific to how your CA handles a certificate signature request. As a reference, here is how it would be done if you were using the CA private key "myCAKey.key" and the root CA certificate "myCACert.pem" to sign your server certificate "mySplunkWebCert.pem":
# openssl x509 -req -in mySplunkWebCert.csr -CA myCACert.pem -CAkey myCAKey.key -CAcreateserial -out mySplunkWebCert.pem -days 1095
Here you would be prompted for the pass phrase for the private key "myCAKey.key" to the signing root CA "myCACert.pem".
- Make sure that the server certificate provided by your CA, as well as the public CA certificate are both in PEM format. They should be readable using the following commands:
# openssl x509 -in myCACert.pem -text # openssl x509 -in mySplunkWebCert.pem -text
Note that the issuer information for "mySplunkWebCert.pem" should be the subject information for "myCACert.pem" (unless you are using intermediary certificates).
If the certificates are not in PEM format, convert them using the openssl command.
- Concatenate the newly created server certificate with the public certificate of your CA into a single file:
# cat mySplunkWebCert.pem myCACert.pem > mySplunkWebCertificate.pem
Complex certificate chains
If you are using a certificate chain, you need to bundle the intermediate and the server certificate into a single certificate, by concatenating the certificates together (the right type, and in the right order) and set that as the server certificate. In addition of course the root CA that signed the intermediate certificate as well as all intermediary certificates must be in the browser certificate stores.
In that case, the contents of the server certificate file (mySplunkWebCertificate.pem in our example) should have a structure similar to this:
-----BEGIN CERTIFICATE----- ... (certificate for your server)... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... (the intermediate certificate)... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... (the root certificate for the CA)... -----END CERTIFICATE-----
Point SplunkWeb to the newly created private key and certificate files
- Copy the server certificate (mySplunkWebCertificate.pem) and the private key (mySplunkWebPrivateKey.key) to $SPLUNK_HOME/etc/auth/splunkweb (or to your own cert repository in $SPLUNK_HOME/etc/auth if you prefer):
# cp $SPLUNK_HOME/etc/auth/mycerts/mySplunkWebCertificate.pem $SPLUNK_HOME/etc/auth/mycerts/mySplunkWebPrivateKey.key $SPLUNK_HOME/etc/auth/splunkweb
- In $SPLUNK_HOME/etc/system/local/web.conf (or any other applicable location, if you are using deployment server), make the following changes under the [settings] stanza:
[settings] enableSplunkWebSSL = true privKeyPath = etc/auth/splunkweb/mySplunkWebPrivateKey.key caCertPath = etc/auth/splunkweb/mySplunkWebCertificate.pem
Important: As of Splunk 4.2, per the web.conf spec file for Splunk 4.2, the paths to the private key and certificate can be relative to $SPLUNK_HOME or absolute.
If you are using Splunk 4.0.x or 4.1.x, these paths are relative to $SPLUNK_HOME/share/splunk. Check the web.conf spec file for Splunk 4.1 for more details.
"privKeyPath" must point to the private RSA key used by SplunkWeb to encode the data it sends out. Remember that this file should *not* be protected by a pass phrase.
You should be able to read the contents of that file with the following openssl command without being prompted for a pass phrase:
# openssl rsa -in mySplunkWebPrivateKey.key -text
"caCertPath" must point to a PEM file containing the server certificate (here, we generated it in step 2) concatenated with the CA certificate. If there is a certificate chain with intermediate certificates, they should also be concatenated here with the server certificate at the top and the root CA at the bottom of the file. This file should be readable using the following openssl command:
# openssl x509 -in mySplunkWebCertificate.pem -text
- Finally, restart SplunkWeb for the changes to take effect:
# $SPLUNK_HOME/bin/splunk restart splunkweb
If there are any issues, look in web_service.log first. Ideally, tail -f that file while you restart SplunkWeb and watch for SSL configuration warnings:
# tail -f $SPLUNK_HOME/var/log/splunk/web_service.log
For example, if you provide an incorrect path to the server certificate declared in "caCertPath", the following error will appear:
2010-12-21 16:25:02,804 ERROR [4d11455df3182e6710] root:442 - [Errno 2] No such file or directory: '/opt/splunk/share/splunk/mycerts/mySplunkWebCertificate.pem'
...and SplunkWeb will fail to start.
Note that there will be no error printed out if the RSA private key configured with "privKeyPath" is pass phrase-protected, however your browser will be unable to load any page served by SplunkWeb.