If you currently use the Splunk platform in a FIPS-compliant environment and want to upgrade from the current, soon-to-be-deprecated version of the FIPS module to the new FIPS module, read on. The topic covers the following information:

• The prerequisites for performing this upgrade
• The scenarios in which you plan and perform the upgrade
• The procedures you must follow to remain FIPS compliant while you upgrade to Splunk 10, and
• The migration steps you must take to turn on and use the FIPS 140-3 module throughout your environment before the deprecation deadline

The following procedures and concepts are out of scope for upgrading and migrating your Splunk Enterprise deployment to FIPS 140-3 compliance.

• Generic upgrade information and procedures. See How to upgrade Splunk Enterprise and the Splunk Enterprise About upgrading: READ THIS FIRST.
• Generic system requirements that are outside the scope of the specific upgrade and migration scenario for FIPS. See System requirements.
• Installation and configuration of TLS certificates, which is a requirement for FIPS. See Steps for securing your Splunk Enterprise deployment with TLS.
• Turning FIPS mode on or off. See Secure Splunk Enterprise with FIPS.

When you upgrade to Splunk 10 in FIPS mode, pay attention to the following key upgrade considerations:

• The upgrade to Splunk 10 and FIPS 140-3 happens in two phases:
  • The initial upgrade to Splunk 10 is Phase 1. Completing this phase upgrades your deployment to Splunk 10 and gives access to, but does not turn on, the FIPS 140-3 module
  • The migration from FIPS 140-2 to FIPS 140-3 is Phase 2. Completing this phase turns on the FIPS 140-3 module and gives your Splunk 10 deployment full compliance with FIPS beyond September 2026
  • You must complete Phase 1 of the upgrade by March 8, 2026 to remain compliant with FIPS at version FIPS 140-2
  • You must complete both phases of the upgrade by September 21, 2026 to remain FIPS compliant beyond then
• Pay attention to the specific requirements for upgrading to Splunk 10:
  • There are specific computing architecture requirements, including the need for Advanced Vector Extensions (AVX) on most computers and virtual computing environments.
  • There are specific operating system requirements. The target OS must support FIPS and already be in FIPS mode. A smaller subset of OSs that support Splunk 10 also support Splunk 10 in FIPS 140-3 mode.
  • There are specific Splunk component requirements. In particular, App Key Value Store (KV Store) must run at a certain version for upgrades to work, and must run at a certain version after the upgrade is complete.
  • Splunk 10 is a requirement for environments that make use of the transport layer security Extended Master Key (TLS EMS) extension, which significantly improves security during a TLS handshake when two nodes connect to one another over TLS.
  • In the context of this upgrade scenario, your Splunk Enterprise environment consists of two infrastructure tiers:

• You must complete the two phases of the upgrade in the proper sequence.
  • When performing Phase 1 of the upgrade, do the indexing tier first, then the forwarding tier.
  • When performing Phase 2 of the upgrade, do the forwarding tier first, then the indexing tier.
• Between upgrade phases:
  • Splunk forwarders lower than version 10 that do not run in FIPS mode can connect to Splunk 10 indexers that run in any FIPS mode, but you must upgrade the forwarders to version 10 to gain support for TLS EMS and OpenSSL version 3.
  • Splunk forwarders lower than version 10 that do run in FIPS 140-2 mode can connect to Splunk 10 indexers that run in any FIPS mode
  • Splunk 10 forwarders can connect to Splunk 10 indexers run in any FIPS mode

Before you can use the new FIPS 140-3 mode in your Splunk platform deployment, the entirety of the deployment must run version 10.0.0 or higher. Until then, the deployment continues to operate in FIPS 140-2 mode.

When you upgrade the deployment to Splunk 10, the software installs an updated FIPS 140-2 module. This module is almost identical to the existing FIPS 140-2 module, but uses OpenSSL version 3.0 instead of the deprecated OpenSSL version 1.0.2.

Follow this general procedure to upgrade your Splunk Enterprise environment to version 10:

• Read the upgrade prerequisites. If you don't meet them all, stop. You can't upgrade until you do.
• Collect information about your existing environment using the Monitoring Console and the Splunk Health Assistant Add-on.
• Plan the upgrade. Identify a time when it will happen, advise stakeholders, and make and verify data and configuration backups.
• When the maintenance window arrives, communicate with customers and implement the upgrade on the indexing tier within the window.
• Validate that indexing and search works as you expect, and the forwarding tier continues to connect and send data to the indexing tier. If either doesn't, that's a problem, and you should engage with Splunk Support.
• Next, implement the upgrade on the forwarding tier. Schedule one or more maintenance windows as required by your organization's downtime policy to perform the work.
• Validate that nodes you have upgraded in the forwarding tier continue to send data to the indexing tier. If they don't, that's a problem, and you should engage with Splunk Support.

Following are the list of requirements to upgrade a Splunk platform deployment that currently operates in FIPS mode to Splunk 10.

This set of requirements applies only for upgrading to Splunk 10. It does not apply to transitioning from FIPS 140-2 mode to FIPS 140-3 mode.

Do not attempt an upgrade to Splunk 10 if your Splunk platform deployment does not meet all of these requirements.

Following is the list of steps you must perform to upgrade Splunk Enterprise to version 10 and complete Phase 1 of the upgrade.

After you complete Phase 1, both tiers of the deployment will operate in FIPS 140-2 mode. The indexing tier will use the updated FIPS 140-2 module while the forwarders will use the existing older version of the module.

1. Collect information about the deployment using Monitoring Console and the Splunk Health Assistant Add-on.
   • Download and install the Splunk Health Assistant Add-on
   • Run the Health Check and review the Health Check in Monitoring Console for information on security issues that the Health Check finds. Category is Security, tags are "ssl", "upgrades".
2. Identify a maintenance window.
   • Determine the date and time when you want to run Phase 1 of the upgrade.
   • Determine whether you will upgrade all tiers of the deployment at the same time or if you will upgrade the forwarding tier later.
   • Identify stakeholders and customers who will be affected by the upgrade.
3. Notify stakeholders
   • Communicate with stakeholders and customers leading up to the upgrade date and time.
   • Continue communicating up to the beginning of the maintenance window
4. Back up data and configurations
   • Back up KV Store
   • Back up indexes
   • Back up knowledge objects
   • Back up configurations
5. Confirm that prerequisite configurations are in place in both indexing and forwarding tiers
   • Review operating system requirements for FIPS 140-2 support. OS must also be compatible with Splunk 10
   • Review OS requirements for FIPS 140-3 support. OS must be compatible with Splunk 10 and FIPS 140-3 to complete Phase 2
   • Review "How to Upgrade Splunk Enterprise" topic in the Splunk documentation to determine upgrade paths to version 10 from lower versions
6. Upgrade the indexing tier to Splunk 10
   • Download the Splunk Enterprise 10 software
   • Stop the Splunk Enterprise instance
   • Install the Splunk 10 software directly into the existing Splunk Enterprise directory
   • Restart the Splunk Enterprise instance
   • Follow any prompts and answer any questions that appear as the instance comes up
7. Verify that the Splunk 10 indexing tier works as you expect
   • Log into Splunk Web, where applicable
   • Confirm that authentication works as you expect
   • Confirm that indexing works as you expect
   • Confirm that search works as you expect
   • Confirm that forwarders continue to send data to indexers as you expect
   • Confirm that KV Store runs MongoDB version 7.0.17 or higher
8. Upgrade the forwarding tier to Splunk 10
   • Download the Splunk 10 Universal Forwarder software
     • For heavy forwarders, download the Splunk Enterprise 10 software
   • Stop the forwarder
   • Install the Splunk 10 software directly into the existing Universal Forwarder directory
   • Restart the forwarder
   • Follow any prompts and answer any questions that appear as the instance comes up
9. Verify that Splunk 10 nodes in the forwarding tier work as you expect and connect to the indexing tier
   • Confirm that authentication works as you expect
   • Confirm that forwarders continue to send data to indexers as you expect

Following is the procedure to implement Phase 2 of the upgrade and make your Splunk Enterprise deployment FIPS compliant beyond September 21, 2026.

Following are the list of requirements to migrate a Splunk platform deployment from the default FIPS 140-2 mode to FIPS 140-3 mode.

This set of requirements applies only for transition from FIPS 140-2 mode to FIPS 140-3 mode. It does not apply to upgrading to Splunk 10.

Following is the list of steps you must perform to migrate Splunk Enterprise from FIPS 140-2 mode to FIPS 140-3 mode and complete Phase 2 of the upgrade.

After you complete Phase 2, both tiers of the deployment will operate in FIPS 140-3 mode.

1. Identify a maintenance window
   • Determine the date and time when you want to run Phase 2 of the upgrade.
   • Identify stakeholders and customers who will be affected by the upgrade.
2. Notify stakeholders
   • Communicate with stakeholders and customers leading up to the migration date and time.
   • Continue communicating up to the beginning of the maintenance window
3. Back up data and configurations
   • Back up KV Store
   • Back up indexes
   • Back up knowledge objects
   • Back up configurations
4. Migrate the forwarding tier from FIPS 140-2 to FIPS 140-3
   • Stop the Universal or Heavy Forwarder instance
   • Edit the splunk-launch.conf file in the $SPLUNK_HOME installation directory

   • Add the following lines to the file:

     # Turn on FIPS 140-3 mode
     SPLUNK_FIPS_VERSION = 140-3
     

   • Save the file and close it
   • Restart the forwarder
   Note: You can use deployment server or some other software distribution tool to distribute this configuration. On Windows, you can set this configuration by using a systemwide environment variable.
5. Verify that the forwarding tier is on FIPS 140-3 and continues to forward data as you expect
   • Review the splunkd.log file on each forwarder. Forwarders report which FIPS mode they operate in on startup
   • Review Monitoring Console to determine the state of forwarder FIPS mode operation
6. Migrate the indexing tier from FIPS 140-2 to FIPS 140-3
   • See the details for "Migrate the forwarding tier from FIPS 140-2 to FIPS 140-3. The process is exactly the same.
7. Verify that the indexing tier is on FIPS 140-3 and continues to accept connections and index data from migrated forwarders as you expect
   • Review the splunkd.log file on each instance in the indexing tier.
   • Instances report which FIPS mode they operate in on startup
   • Confirm that you do not see TLS handshake or FIPS configuration errors from forwarders

If you encounter problems during either the upgrade or the migration, follow these procedures to get back on track or, if necessary, revert the upgrade or migration to a previous state. The goal of these steps is to get your deployment to a state where it operates as you expect until you have time to troubleshoot and fix the problems that prevent your deployment from being upgraded successfully.