Community:SplunkWeb SSL DefaultCerts
From Splunk Wiki
Configuring SplunkWeb to use the default SSL certificates that ship with Splunk
This is the simplest way to configure SplunkWeb for SSL: the traffic is encrypted, but the connection is not secure.
Important: If the confidentiality of data transmission between SplunkWeb and its clients is very important to you, Splunk STRONGLY recommends that you DO NOT use the default SplunkWeb certificate.
1 - Point SplunkWeb to the default private key and certificate files :
- In $SPLUNK_HOME/etc/system/local/web.conf (or any other applicable location, if you are using deployment server), make the following changes under the [settings] stanza :
[settings]
enableSplunkWebSSL = true
privKeyPath = etc/auth/splunkweb/privkey.pem
caCertPath = etc/auth/splunkweb/cert.pem
"privKeyPath" points to the private RSA key used by SplunkWeb to encrypt the data it sends out. Remember that this key is *not*, and should not be, protected by a pass phrase.
"caCertPath" points to a PEM file containing the server certificate concatenated with the CA certificate.
Important : As of Splunk 4.2, per the web.conf spec file for Splunk 4.2, the paths to the private key and certificate can be relative to $SPLUNK_HOME or absolute.
If you are using Splunk 4.0.x or 4.1.x, these paths are relative to $SPLUNK_HOME/share/splunk. Check the web.conf spec file for Splunk 4.1 for more details.
2 - Restart SplunkWeb for the changes to take effect :
# $SPLUNK_HOME/bin/splunk restart splunkweb
Troubleshooting :
If there are any issues, look in web_service.log first. Ideally, tail -f that file while you restart SplunkWeb and watch for SSL configuration warnings :
# tail -f $SPLUNK_HOME/var/log/splunk/web_service.log
For example, if you provide an incorrect path to the server certificate declared in "caCertPath", the following error will appear :
2010-12-21 16:25:02,804 ERROR [4d11455df3182e6710] root:442 - [Errno 2] No such file or directory: '/opt/splunk/share/splunk/mycerts/mySplunkWebCertificate.pem'
...and SplunkWeb will fail to start.
Note that no error is printed if the RSA private key configured with "privKeyPath" is pass phrase-protected; however, your browser will be unable to load any page served by SplunkWeb.
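Both failure modes above can be caught before the restart. The following is an added example, not part of the original page or of Splunk: the function names get_setting and check_web_ssl are hypothetical, the demo files are constructed stand-ins rather than real keys, and the base directory passed in is assumed to be $SPLUNK_HOME (use $SPLUNK_HOME/share/splunk on 4.0.x or 4.1.x).

```shell
#!/bin/sh
# Pre-flight check for the web.conf SSL settings (added example, hypothetical helper names).

# Print the value of KEY from the [settings] stanza of FILE (last occurrence wins).
get_setting() {  # usage: get_setting FILE KEY
    awk -F= -v key="$2" '
        /^[ \t]*\[/ { s = ($0 ~ /^[ \t]*\[settings\]/); next }
        s && NF > 1 && $1 !~ /^[ \t]*#/ {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v); val = v
            }
        }
        END { print val }' "$1"
}

# Resolve both paths against BASE_DIR, then flag unreadable files and
# pass phrase-protected keys (the case web_service.log stays silent about).
check_web_ssl() {  # usage: check_web_ssl WEB_CONF BASE_DIR
    conf=$1 base=$2 rc=0
    for key in privKeyPath caCertPath; do
        path=$(get_setting "$conf" "$key")
        [ -n "$path" ] || { echo "FAIL $key is not set in [settings]"; rc=1; continue; }
        case $path in /*) ;; *) path=$base/$path ;; esac
        if [ ! -r "$path" ]; then
            echo "FAIL $key: cannot read $path"; rc=1
        elif [ "$key" = privKeyPath ] && grep -Eq \
            '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$path"; then
            echo "FAIL $key: $path is pass phrase-protected"; rc=1
        else
            echo "OK   $key: $path"
        fi
    done
    return $rc
}

# Constructed demo: a throwaway SPLUNK_HOME whose key file carries the
# header of a pass phrase-protected PEM key.
demo=$(mktemp -d)
mkdir -p "$demo/etc/system/local" "$demo/etc/auth/splunkweb"
printf '%s\n' '[settings]' 'enableSplunkWebSSL = true' \
    'privKeyPath = etc/auth/splunkweb/privkey.pem' \
    'caCertPath = etc/auth/splunkweb/cert.pem' > "$demo/etc/system/local/web.conf"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    > "$demo/etc/auth/splunkweb/privkey.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' > "$demo/etc/auth/splunkweb/cert.pem"
check_web_ssl "$demo/etc/system/local/web.conf" "$demo" || echo "Fix the settings above before restarting splunkweb"
```

Against a real installation, call check_web_ssl with the path to the web.conf in use and the base directory that applies to your Splunk version.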