Community:SplunkWeb SSL SelfSignedCert NewRootCA
From Splunk Wiki
Configuring SplunkWeb to use an SSL certificate self-signed by a newly generated root certificate
1 - Generate a new root certificate to be our new Certificate Authority :
- First, create a new directory under $SPLUNK_HOME/etc/auth to host your own certificates and keys :
# mkdir $SPLUNK_HOME/etc/auth/mycerts
# export OPENSSL_CONF=$SPLUNK_HOME/openssl/openssl.cnf
# cd $SPLUNK_HOME/etc/auth/mycerts/
- Generate a new RSA private key (DES3-encrypted, 1024 bits long in our example) for our root certificate/Certificate Authority :
# openssl genrsa -des3 -out myCAKey.key 1024
- Generate a certificate signing request using that key :
# openssl req -new -key myCAKey.key -out myCACert.csr
You will be prompted for the pass phrase to the private key that you created in the previous step.
- Generate a new root certificate from that certificate signing request, and use our new private key to self-sign it :
# openssl x509 -req -in myCACert.csr -signkey myCAKey.key -out myCACert.pem -days 3650
Again, you will be prompted for the pass phrase to the private key that you created previously.
2 - Create a new private key for SplunkWeb and remove its pass phrase :
- Generate a new private key. Pick whatever you want for the pass phrase, as we will remove it next :
# openssl genrsa -des3 -out mySplunkWebPrivateKey.key 1024
- SplunkWeb does not currently support pass phrase-protected private keys. We must get rid of the pass phrase :
# openssl rsa -in mySplunkWebPrivateKey.key -out mySplunkWebPrivateKey.key
- Make sure that you are not prompted for a pass phrase when issuing the following command :
# openssl rsa -in mySplunkWebPrivateKey.key -text
3 - Generate a new self-signed certificate for SplunkWeb :
- Create a new certificate signing request based on our new private key :
# openssl req -new -key mySplunkWebPrivateKey.key -out mySplunkWebCert.csr
- Sign that request with the root certificate and private key created in step 1 :
# openssl x509 -req -in mySplunkWebCert.csr -CA myCACert.pem -CAkey myCAKey.key -CAcreateserial -out mySplunkWebCert.pem -days 1095
You will be prompted here for the pass phrase to the root certificate private key that you created in step 1.
- Concatenate the newly created server certificate with the CA certificate :
# cat mySplunkWebCert.pem myCACert.pem > mySplunkWebCertificate.pem
4 - Point SplunkWeb to the newly created private key and certificate files :
- Copy the server certificate (mySplunkWebCertificate.pem) and the private key (mySplunkWebPrivateKey.key) to $SPLUNK_HOME/etc/auth/splunkweb (or to your own cert repository in $SPLUNK_HOME/etc/auth if you prefer) :
# cp $SPLUNK_HOME/etc/auth/mycerts/mySplunkWebCertificate.pem $SPLUNK_HOME/etc/auth/mycerts/mySplunkWebPrivateKey.key $SPLUNK_HOME/etc/auth/splunkweb
- In $SPLUNK_HOME/etc/system/local/web.conf (or any other applicable location, if you are using deployment server), make the following changes under the [settings] stanza :
enableSplunkWebSSL = true
privKeyPath = etc/auth/splunkweb/mySplunkWebPrivateKey.key
caCertPath = etc/auth/splunkweb/mySplunkWebCertificate.pem
Important : As of Splunk 4.2, per the web.conf spec file for Splunk 4.2, the paths to the private key and certificate can be relative to $SPLUNK_HOME or absolute.
If you are using Splunk 4.0.x or 4.1.x, these paths are relative to $SPLUNK_HOME/share/splunk. Check the web.conf spec file for Splunk 4.1 for more details.
"privKeyPath" must point to the private RSA key used by SplunkWeb to encode the data it sends out. Remember that this file should *not* be protected by a pass phrase.
You should be able to read the contents of that file with the following openssl command without being prompted for a pass phrase :
# openssl rsa -in mySplunkWebPrivateKey.key -text
"caCertPath" must point to a PEM file containing the server certificate (here, we generated it in step 3) concatenated with the CA certificate. If there is a certificate chain with intermediate certificates, they should also be concatenated here, with the server certificate at the top and the root CA at the bottom of the file.
This file should be readable using the following openssl command :
# openssl x509 -in mySplunkWebCertificate.pem -text
- Finally, restart SplunkWeb for the changes to take effect :
# $SPLUNK_HOME/bin/splunk restart splunkweb
If there are any issues, look in web_service.log first. Ideally, tail -f that file while you restart SplunkWeb and watch for SSL configuration warnings :
# tail -f $SPLUNK_HOME/var/log/splunk/web_service.log
For example, if you provide an incorrect path to the server certificate declared in "caCertPath", the following error will appear :
2010-12-21 16:25:02,804 ERROR [4d11455df3182e6710] root:442 - [Errno 2] No such file or directory: '/opt/splunk/share/splunk/mycerts/mySplunkWebCertificate.pem'
...and SplunkWeb will fail to start.
Note that no error is printed if the RSA private key configured with "privKeyPath" is pass phrase-protected; however, your browser will be unable to load any page served by SplunkWeb.
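The checks described above (unprotected private key, server certificate first in the "caCertPath" file), collected into one pre-flight script. This is an added example, not part of the original wiki page; the function names are this example's own, and it assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example: pre-flight check for the files named by privKeyPath and
# caCertPath in web.conf. Function names are this example's own.

# True if the PEM key is pass phrase-protected. Matches the traditional
# encoding (Proc-Type header) and the PKCS#8 encoding.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Number of certificates in a PEM bundle (prints 0 for none).
cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# True if the first certificate in the bundle carries the public key that
# belongs to the private key. "openssl x509" reads only the first PEM block,
# so this also fails when the CA certificate was concatenated first.
key_matches_first_cert() {
    k=$(openssl rsa -in "$1" -passin pass: -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: check_splunkweb_tls <private key> <certificate bundle>
check_splunkweb_tls() {
    key=$1; bundle=$2
    [ -r "$key" ] || { echo "FAIL: cannot read key $key"; return 1; }
    [ -r "$bundle" ] || { echo "FAIL: cannot read bundle $bundle"; return 1; }
    if key_is_encrypted "$key"; then
        echo "FAIL: $key is pass phrase-protected (no error is logged for this)"
        return 1
    fi
    n=$(cert_count "$bundle")
    if [ "$n" -lt 2 ]; then
        echo "FAIL: $bundle holds $n certificate(s); expected server cert + CA"
        return 1
    fi
    if ! key_matches_first_cert "$key" "$bundle"; then
        echo "FAIL: first certificate in $bundle does not match $key"
        return 1
    fi
    echo "OK: key is unprotected and matches the first of $n certificates"
}

if [ "$#" -eq 2 ]; then
    check_splunkweb_tls "$1" "$2"
fi
```

Saved under any file name, the script takes the private key path and the concatenated certificate path as its two arguments and is meant to be run before restarting SplunkWeb.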