Configure mutually authenticated transport layer security (mTLS) on the Splunk platform

Beginning with version 10.0.0 of Splunk Enterprise, you can configure mutually authenticated transport layer security (otherwise known as mTLS) on certain networked connections on the Splunk platform. In ordinary TLS only the server presents a certificate, so a receiving node cannot tell a legitimate Splunk node from any other client that can reach the port. With mTLS, both sides of the connection present a TLS certificate, and each side validates the certificate it receives against a certificate authority (CA) it trusts before the connection proceeds. Each node keeps its own private key, which never leaves that node; what the two sides share is trust in the issuing CA. This establishes that both ends of the connection are who they claim to be, and it significantly reduces the attack surface for machine-in-the-middle (MITM) attacks and for rogue clients that try to push data into, or pull data out of, Splunk platform nodes.

Splunk component network connections that you can secure with mTLS

On Splunk Enterprise, you can secure the following types of network connections with mTLS:

(CAC/PIV: Common Access Card / Personal Identity Verification smart card)

Client node                                            | Server node                                | Method                           | Network port
HTTP Event Collector (HEC) client                      | Indexer (HEC receiver)                     | httpout over TCP                 | 8088
Forwarder                                              | Indexer                                    | Splunk-to-Splunk (S2S) over TCP  | 9997
Web user (CAC/PIV smart card)                          | Search head                                | HTTP over TCP                    | 443
Search head cluster member (replication)               | Search head cluster member (replication)   | TCP                              | 8081, 8181, 9887
Indexer cluster peer node (replication)                | Indexer cluster peer node (replication)    | TCP                              | 8080, 9887
Indexer cluster manager                                | Indexer cluster peer node                  | S2S over TCP                     | 8089
Enterprise Security / Behavior Analytics (ESBA) client | Splunk Cloud Services (SCS) server         | S2S over TCP                     | N/A
App Key Value Store (KV Store)                         | Search head cluster member                 | S2S over TCP                     | 8089
Indexer (REST API)                                     | Search head (REST API)                     | S2S over TCP                     | 8089
Federated Search (REST API)                            | Splunk management port (REST API)          | S2S over TCP                     | 8089

After you configure both sides of the network connection with mTLS, the connection is secured for as long as the TLS certificates that each node presents are valid. An expired certificate fails validation on the other side, so the connection stops working until you renew the certificate and install the new one on that node. Track certificate expiry dates and renew before they are reached.

Prerequisites for configuring mTLS on Splunk platform nodes

Before you try to configure your Splunk platform nodes for mutual TLS, you must have the following items in place in your Splunk platform deployment:

  • One or more TLS certificates for the client and the server side of the connection.
    • You can either obtain certificates from a third-party certificate authority (CA), or generate them yourself with your own CA.
    • You can use the same certificate on each side of the connection, but a separate certificate for each node is the better practice: if one node's private key is compromised, only that node's certificate needs to be revoked and replaced.
    • After you get the certificates, you must prepare them for use with Splunk platform instances by concatenating each node's certificate, its private key, and the CA certificate chain into a single PEM file.
    • The certificate files must be in Privacy-Enhanced Mail (PEM) format and comply with the X.509 public key certificate standard.
    • You must have a private key file for each certificate file, and it must be the private key that matches that certificate's public key. The client and server do not need to share a private key; mTLS never requires that.
    • The key files that come with the certificates must be in RSA format.
  • At least one client and one server connection where you want to turn on mTLS.
    • Only the Splunk components that appear in the table in the previous section are supported.

Configure mTLS for Splunk platform nodes

The following procedure is a general one for turning on mTLS. The specific tasks that are required depend on which of the connections in the table you are securing and on how your deployment is configured.

The requireClientCert setting is the main setting that turns on mTLS for supported network connections. It determines whether the Splunk platform instance requires a connecting client to present a valid TLS certificate before the connection can succeed.

A value of "true" means that the receiving instance must see a client certificate that validates against the CA it trusts (the certificates in sslRootCAPath) before it lets the client authenticate. A client that presents no certificate, or a certificate that does not chain to that CA, is refused during the TLS handshake. A value of "false" means that clients can connect without presenting a certificate: the server still presents its own certificate and the transport is still encrypted, but the server has not verified who the client is.

Configure this setting to "true" on the client (the node that makes the connection) to turn on mTLS for that connection. Then do the same on the server (the node that receives the connection), if you want your receivers to require authentication with certificates. When both the forwarder and the receiver have a "true" value for this setting, mutually authenticated TLS (mTLS) is active for that connection.

  1. Confirm that your certificates have been properly formatted for use on the Splunk platform and have been concatenated into one PEM file in the order certificate, private key, CA chain. See How to prepare TLS certificates for use with the Splunk platform.
  2. Install the certificates into the correct directory in your Splunk platform installation on both nodes whose connection you want to secure with mTLS.

    Note: You can also install certificates in the operating system local certificate store.
  3. For each node in the connection, configure the Splunk platform to use the new certificates and turn on mTLS.
    1. Open the $SPLUNK_HOME/etc/system/local/server.conf file for editing.
    2. In the [sslConfig] stanza of the file, add the following line to the configuration:
      	requireClientCert = true
    3. (Optional) If you have not already, reference the certificate authority (CA) certificate, or chain, that issued the peer's certificate using the sslRootCAPath setting. The instance uses this file to validate the certificate the other side of the connection presents; it is not the node's own certificate:
      	sslRootCAPath = <location of CA certificates in PEM format>
    4. Save the file and close it.
    5. Restart the Splunk platform instance.
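The prerequisites and the procedure above, carried out end to end on a scratch directory, as an added example rather than anything from the Splunk documentation or product: it builds a private CA, issues a server and a client certificate with distinct private keys, concatenates each into the certificate + key + CA chain bundle that Splunk expects, writes the [sslConfig] stanza, and then uses openssl as a stand-in for a receiver with requireClientCert = true to show that a client without a certificate is refused while one whose certificate chains to sslRootCAPath is admitted. It assumes openssl is on PATH and a loopback port (18443 by default) is free; the host names idx01/fwd01.example.internal and the $SPLUNK_HOME/etc/auth/mycerts paths are made up for the example, and nothing is written under $SPLUNK_HOME. The setting names in the stanza (serverCert, sslRootCAPath, requireClientCert, sslVerifyServerCert) are real server.conf settings.

```shell
#!/bin/sh
# Added example, not Splunk's own tooling. Assumes openssl on PATH, a free
# loopback port, and a scratch $WORK directory; host names and paths are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PORT="${PORT:-18443}"
SERVER_PID=""

gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Splunk CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# issue <name> <CN>: one RSA key pair and one CA-signed certificate per node,
# then the bundle Splunk reads: certificate, then private key, then CA chain.
issue() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
  cat "$WORK/$1.crt" "$WORK/$1.key" "$WORK/ca.pem" > "$WORK/$1-bundle.pem"
}

# Pre-flight checks worth running before editing server.conf.
key_matches_cert() {   # the private key really belongs to the certificate
  [ "$(openssl x509 -noout -pubkey -in "$WORK/$1.crt")" = "$(openssl pkey -pubout -in "$WORK/$1.key")" ]
}
chains_to_ca() {       # the certificate validates against the CA in sslRootCAPath
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.crt" >/dev/null 2>&1
}
keys_differ() {        # client and server hold different keys; mTLS never needs a shared one
  [ "$(openssl pkey -pubout -in "$WORK/server.key")" != "$(openssl pkey -pubout -in "$WORK/client.key")" ]
}

# The [sslConfig] stanza from the procedure, written to a scratch server.conf.
# Setting names are real server.conf settings; the paths are this example's own.
write_sslconfig() {
  cat > "$WORK/server.conf" <<EOF
[sslConfig]
serverCert = \$SPLUNK_HOME/etc/auth/mycerts/$1-bundle.pem
sslRootCAPath = \$SPLUNK_HOME/etc/auth/mycerts/ca.pem
requireClientCert = true
sslVerifyServerCert = true
EOF
}
requires_client_cert() { grep -q '^requireClientCert = true$' "$WORK/server.conf"; }

# openssl stand-in for a receiver with requireClientCert = true: -Verify makes the
# server demand a client certificate and validate it against -CAfile. TLS 1.2 is
# pinned only for the demonstration, so that a refusal happens inside the handshake
# and s_client's exit status reflects it (under TLS 1.3 the client sees the alert later).
start_server() {
  openssl s_server -accept "$PORT" -tls1_2 -www -cert "$WORK/server.crt" \
    -key "$WORK/server.key" -CAfile "$WORK/ca.pem" -Verify 1 >/dev/null 2>&1 &
  SERVER_PID=$!
  trap 'kill "$SERVER_PID" 2>/dev/null || true' EXIT
  i=0
  while [ "$i" -lt 30 ]; do   # wait until the listener answers
    connect_with_cert && return 0
    i=$((i + 1)); sleep 1
  done
  return 1
}
connect_without_cert() {   # what a client with no certificate gets: refused
  openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -CAfile "$WORK/ca.pem" \
    -verify_return_error </dev/null >/dev/null 2>&1
}
connect_with_cert() {      # the bundle serves as both -cert and -key, as it does for Splunk
  openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -cert "$WORK/client-bundle.pem" \
    -CAfile "$WORK/ca.pem" -verify_return_error </dev/null >/dev/null 2>&1
}

main() {
  gen_ca
  issue server idx01.example.internal
  issue client fwd01.example.internal
  key_matches_cert server
  key_matches_cert client
  keys_differ
  chains_to_ca server
  chains_to_ca client
  write_sslconfig server
  requires_client_cert
  start_server
  if connect_without_cert; then echo "FAIL: client without certificate was admitted"; return 1; fi
  connect_with_cert
  echo "OK: mTLS enforced; bundles and server.conf are in $WORK"
}
main
```

Run it with `sh` and inspect `$WORK` afterwards: the two `*-bundle.pem` files have the layout step 1 asks for, and `server.conf` holds the stanza from step 3. In a real deployment the bundles go under `$SPLUNK_HOME/etc/auth`, `serverCert` and `sslRootCAPath` point at them, and the TLS 1.2 pin is dropped; the check functions remain useful as-is for confirming a renewed certificate still matches its key and chains to the CA before a restart.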