These docs are for Cribl Edge 4.8 and are no longer actively maintained.
See the latest version (4.13).
TLS Defaults and System-wide Settings
Cribl Edge prioritizes secure communication by default. This ensures the integrity and confidentiality of data transmitted between your Cribl Edge instance and various Sources and Destinations.
TLS Version Support and Defaults
The minimum supported TLS version in Cribl Edge is TLS 1.2 by default. This default applies to all secure connections, including supported Sources and Destinations, Worker/Leader communications, and Cribl.Cloud.
Cribl.Cloud and on-prem deployments use the same TLS settings, with TLS 1.2 being the default minimum version.
You can check whether a Source or Destination supports TLS by reviewing the information box at the beginning of its corresponding documentation page.
TLS Settings and Traffic Types
This table shows TLS client/server pairs, and encryption defaults, per traffic type.
| Traffic Type | TLS Client | TLS Server | Encryption | Cert Auth | CN* Check |
|---|---|---|---|---|---|
| UI | Browser | Cribl Edge | Default disabled | Default disabled | Default disabled |
| API | Worker/Edge Node | Leader | Default disabled | Default disabled | Default disabled |
| Worker-to-Leader | Worker/Edge Node | Leader | Default disabled | Default disabled | Default disabled |
| Data | Any data sender | Cribl Edge (Source) | Default disabled | Default disabled | Default disabled |
| Data | Cribl Edge (Destination) | Any data receiver | Default disabled | Default disabled | Default disabled |
| Authentication | ———— | ———— | ———— | ———— | ———— |
| Local* | Browser | Cribl Edge | Default Disabled | N/A | N/A |
| LDAP* | Cribl Edge | LDAP Provider | Custom | N/A | Default Disabled |
| Splunk* | Cribl Edge | Splunk Search Head | Default Enabled | N/A | Default Disabled |
| OIDC†/Okta* | Browser and Cribl Edge | Okta | Default Enabled | N/A | Enabled (Browser) |
| OIDC†/Google* | Browser and Cribl Edge | Default Enabled | N/A | Enabled (Browser) |
* Common name
† OpenID Connect
System-wide TLS Settings Including Ciphers
You can configure advanced, system-wide TLS settings – minimum and maximum TLS versions, default cipher lists, and ECDH curve names. Select Settings > Global Settings > System > General Settings > Default TLS Settings.
In the Default cipher list field, you can specify one or more ciphers from the following list:
ECDHE-RSA-AES128-GCM-SHA256ECDHE-ECDSA-AES128-GCM-SHA256ECDHE-RSA-AES256-GCM-SHA384ECDHE-ECDSA-AES256-GCM-SHA384DHE-RSA-AES128-GCM-SHA256ECDHE-RSA-AES128-SHA256DHE-RSA-AES128-SHA256ECDHE-RSA-AES256-SHA384DHE-RSA-AES256-SHA384ECDHE-RSA-AES256-SHA256DHE-RSA-AES256-SHA256HIGH!aNULL!eNULL!EXPORT!DES!RC4!MD5!PSK!SRP!CAMELLIA
CA Certificates and Environment Variables
For any Cribl Edge Source or Destination that supports TLS, you can configure a CA Certificate Path field that points to a Certificate Authority (CA) .pem file(s). However, you can also use environment variables to manage CAs globally. Here are some common scenarios:
Add a set of trusted root CAs to the list of trusted CAs that Cribl Edge trusts. Set the
NODE_EXTRA_CA_CERTSenvironment variable for each Edge Node. For example, if you are using systemd, add the following line in each Edge Node’s systemd unit file (replace/<path>/<to>/<the>/<directory>/<containing>/<certs>/ca.pemwith the path to your CA.pemfile):... [Service] Environment="NODE_EXTRA_CA_CERTS=/<path>/<to>/<the>/<directory>/<containing>/<certs>/ca.pem" ...When configuring TLS authentication on Edge Nodes, make sure you place your certificates into a separate directory outside of $CRIBL_HOME. If you place the certificates inside $CRIBL_HOME, they’ll be removed when the next config bundle is deployed from the Leader.
For details about
NODE_EXTRA_CA_CERTS, see the node.js documentation.Configure Cribl Edge to accept all TLS certificates, regardless of their validity. Set the
NODE_TLS_REJECT_UNAUTHORIZEDenvironment variable for each Edge Node. For example, if you are using systemd, add the following line in each Edge Node’s systemd unit file:... [Service] Environment="NODE_TLS_REJECT_UNAUTHORIZED=0" ...NODE_TLS_REJECT_UNAUTHORIZED=0disables TLS certificate validation, which can decrease the security posture of your Cribl installation. For this reason, we recommend avoidingNODE_TLS_REJECT_UNAUTHORIZED=0in production environments. Instead, use theNODE_EXTRA_CA_CERTSenvironment variable to explicity trust the necessary certificates.For details about
NODE_TLS_REJECT_UNAUTHORIZED, see the node.js documentation.