How-To Enable SSL/TLS Encryption for the Splunk Web UI Port (8000)
The most straightforward and lowest-risk encryption to configure in a Splunk environment is standard HTTPS (TLS) for the Splunk Web UI. It is the lowest risk because a failed implementation results only in a certificate error or a page that does not load; it does not interrupt forwarder traffic or core management functionality, which run on separate ports.
Note: We will not cover obtaining a 3rd party Certificate Authority (CA) signed certificate. Numerous posts on the subject exist online and specifically on the various CA websites as well as the Splunk Docs site.
Note: HTTPS for traffic inbound to the Splunk UI may also be terminated on a front-end load balancer. This is a recommended configuration for nodes in a search head cluster. Keep in mind that terminating TLS at the load balancer leaves the hop from the load balancer to the search head in cleartext unless Splunk Web is also TLS-enabled as described here. Load balancer configuration and integration with Splunk are beyond the scope of this article.
To configure a Splunk instance to use TLS encryption at the search head, perform the following steps:
1) Upload the server certificate, its private key, and the intermediate CA certificate(s) to the Splunk host.
Splunk Docs recommends the following location and for standardization purposes, I recommend the same.
$SPLUNK_HOME/etc/auth/insert-org-here/
Modify "insert-org-here" to instead reference a short unique identifier for your organization.
Splunk, by default, uses cert.pem and privkey.pem as the file names for the server certificate and private key (its own self-signed pair lives in $SPLUNK_HOME/etc/auth/splunkweb/). I will use the same names here, although there is no requirement to do so.
Note that although Splunk does not require it, including the intermediate certificate(s) (but not the root CA certificate) in cert.pem is the correct practice: a browser that does not already have the intermediate cached cannot build a trust path from your certificate to the root without it and will show a certificate error. The CA supplies the intermediates as a bundle; append them after the server certificate, ordered from the CA that signed your certificate up toward (but not including) the root. The "# ... #" annotations below mark each block and are not part of the file:
# Your server certificate first #
-----BEGIN CERTIFICATE-----
MIIFqjCCBJKgAwIBAgIQT0eb7D7qe0Fv+IPt8WRkPTANBgkqhkiG9w0BAQsFADCB
jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
...truncated...
-----END CERTIFICATE-----
# Lowest-level intermediate (the CA that signed your certificate) #
-----BEGIN CERTIFICATE-----
MIIFqjCCBJKgAwIBAgIQT0eb7D7qe0Fv+IPt8WRkPTANBgkqhkiG9w0BAQsFADCB
jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
...truncated...
-----END CERTIFICATE-----
# Highest-level intermediate (closest to the root CA certificate) #
-----BEGIN CERTIFICATE-----
MIIFqjCCBJKgAwIBAgIQT0eb7D7qe0Fv+IPt8WRkPTANBgkqhkiG9w0BAQsFADCB
jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
...truncated...
-----END CERTIFICATE-----
For reference, the private key looks like this. It must be in PEM format; a "BEGIN PRIVATE KEY" (PKCS#8) header as shown or a "BEGIN RSA PRIVATE KEY" (PKCS#1) header both work. Splunk Web expects the key to be unencrypted unless you also supply its passphrase via the sslPassword setting documented in web.conf.spec:
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCmPQfkbtXcvaxI
...truncated...
-----END PRIVATE KEY-----
When the files are in place, we should see something like the following. Note that a plain upload leaves privkey.pem world-readable (mode 644, as in this listing); restrict it to the splunk user with chmod 600 before continuing, since anyone who can read the key can impersonate the Splunk Web endpoint:
[splunk@lab01 ~]$ ls -l $SPLUNK_HOME/etc/auth/insert-org-here/
total 8
-rw-r--r-- 1 splunk splunk 1704 Apr 23 20:18 privkey.pem
-rw-r--r-- 1 splunk splunk 2025 Apr 23 20:29 cert.pem
2) Add the following attributes to your web.conf file:
vi $SPLUNK_HOME/etc/system/local/web.conf
[settings]
# Serve Splunk Web over HTTPS instead of HTTP
enableSplunkWebSSL = 1
# Absolute paths shown; a relative path is interpreted relative to $SPLUNK_HOME
privKeyPath = /opt/splunk/etc/auth/insert-org-here/privkey.pem
serverCert = /opt/splunk/etc/auth/insert-org-here/cert.pem
# The port does not change; only the scheme becomes https://
httpport = 8000
3) Finally, restart splunkd (Splunk Web runs inside the splunkd process, so this restarts the web service as well):
via systemd (the unit is named Splunkd when boot-start was enabled for systemd):
sudo systemctl restart Splunkd
or via init.d / the Splunk CLI:
$SPLUNK_HOME/bin/splunk restart
4) If the web service does not come up after the splunkd restart, check the following, in order:
ss -tlnp | grep 8000 (or netstat -an | grep 8000; substitute your web port)
tail -f $SPLUNK_HOME/var/log/splunk/web_services.log
openssl s_client -connect my.hostname.com:8000 -servername my.hostname.com -showcerts </dev/null
The first command tells us whether splunkd got as far as listening on the web port at all. web_services.log provides a more conclusive view of the nature of the error and will call out a certificate or key file that could not be found or read. The openssl command performs a TLS handshake against the Splunk Web port (8000 here, not 8088, which is the HTTP Event Collector port) and prints the certificates the server presents: they should appear in the same order as cert.pem, and a "Verify return code: 0 (ok)" line (when openssl trusts the issuing root) confirms that clients can build a trust path. -servername sends the hostname via SNI, which matters when a load balancer or another virtual host sits in front of Splunk.
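The checks a practitioner would run on the cert.pem and privkey.pem pair from step 1 before restarting in step 3, and again when step 4 shows a handshake failure, written here as an added shell example (not from the original article or from Splunk). It assumes only the openssl command-line tool. The root, intermediate and server certificates it generates are constructed for the demonstration, and the hostname splunk.example.internal, the demo directory layout and the function names are assumptions that mirror step 1, not Splunk conventions.

```shell
#!/bin/sh
# Pre-flight checks for a Splunk Web certificate bundle. Added example, not
# Splunk's own code. make_demo_chain builds a constructed, throwaway
# root -> intermediate -> server hierarchy so the checks run offline; point
# check_bundle at your real $SPLUNK_HOME/etc/auth/<org>/ directory instead.
set -eu

# Build the demo chain under $1 and write cert.pem in the order Splunk expects:
# server certificate first, then the intermediate. The root is left out.
make_demo_chain() {
    d=$1
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:splunk.example.internal\n' > "$d/srv.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj '/CN=Demo Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 1 -sha256 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=splunk.example.internal' \
        -keyout "$d/privkey.pem" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
        -days 1 -sha256 -extfile "$d/srv.ext" -out "$d/srv.pem" 2>/dev/null
    cat "$d/srv.pem" "$d/inter.pem" > "$d/cert.pem"
    chmod 600 "$d/privkey.pem"
}

# Check 1: the first certificate in the bundle ($1) and the private key ($2)
# carry the same public key. A mismatch is the classic case where the files
# load without error but every TLS handshake fails.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Check 2: the bundle ($1) is in leaf-first order. Every certificate after the
# first must be the issuer of the one before it, verified by signature with
# openssl verify -partial_chain rather than by matching names alone.
chain_in_order() {
    w=$(mktemp -d)
    awk -v d="$w" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/c" n ".pem")}' "$1"
    n=$(grep -c 'BEGIN CERTIFICATE' "$1")
    ok=0
    i=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        issuer=$(openssl x509 -in "$w/c$i.pem" -noout -issuer | sed 's/^issuer=//')
        subject=$(openssl x509 -in "$w/c$j.pem" -noout -subject | sed 's/^subject=//')
        [ "$issuer" = "$subject" ] || { ok=1; break; }
        openssl verify -partial_chain -CAfile "$w/c$j.pem" "$w/c$i.pem" >/dev/null 2>&1 || { ok=1; break; }
        i=$j
    done
    rm -rf "$w"
    return "$ok"
}

# Check 3: the private key ($1) is readable by its owner only. The listing in
# step 1 shows the 644 mode a plain upload leaves behind.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all three against a directory laid out like $SPLUNK_HOME/etc/auth/<org>/.
check_bundle() {
    status=0
    key_matches_cert "$1/cert.pem" "$1/privkey.pem" && echo "ok: key matches cert" || { echo "FAIL: key/cert mismatch"; status=1; }
    chain_in_order "$1/cert.pem" && echo "ok: chain order" || { echo "FAIL: chain order or broken signature"; status=1; }
    key_is_private "$1/privkey.pem" && echo "ok: key permissions" || { echo "FAIL: privkey.pem readable by group/other"; status=1; }
    return "$status"
}

DEMO=$(mktemp -d)
make_demo_chain "$DEMO"
check_bundle "$DEMO"
```

Run it as-is to watch the three checks pass against the throwaway chain, then call check_bundle on your own certificate directory. The chain check splits cert.pem on the BEGIN CERTIFICATE markers and verifies each certificate's signature against the one that follows it, which catches both a missing intermediate and a bundle pasted in reverse order; a bundle that passes here is what openssl s_client -showcerts against port 8000 should echo back after the restart.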
Resources
(1) Splunk Docs: Secure Splunk Web Using a Signed Certificate
https://docs.splunk.com/Documentation/Splunk/latest/Security/SecureSplunkWebusingasignedcertificate
(2) Splunk Docs: Get Third-Party Certificates for Splunk Web
https://docs.splunk.com/Documentation/Splunk/latest/Security/Getthird-partycertificatesforSplunkWeb