topic Encrypted information from deployer to search head in Deployment Architecture

Encrypted information from deployer to search head

irsysintegratio — Mon, 04 Dec 2017 21:55:42 GMT

We want to use splunk deployer to push our addon to the search headers, but have questions about the encrypted information.

First of all, if I understand it right, the addon has to be setup from the deployer, right? The setup link won't even show up in a search head for an addon.

During the setup of our addon there are some passwords we take from the user, and we need to store them for later use. We post them to the storage/passwords endpoint. So the passwords will be encrypted in the password.conf.

Now if the deployer push this addon to the search heads, how can they decrypt these please?

Thanks.

Re: Encrypted information from deployer to search head

woodcock — Mon, 04 Dec 2017 23:08:25 GMT

The way that this is generally done is that BEFORE you start a Splunk instance on your Search Head for the first time, you copy a known splunk.secret file (or create one, it is just a certain number of characters in a row) to each server. When Splunk starts for the first time, it uses this seed to create several encryption keys which are then used to encode/decode passwords. If you did this (and any PS guy worth anything would have done this for you if you paid somebody to setup your cluster), then you just encrypt it on any search head (or other server that was started with the same splunk.secret file) and push out the post-encrypted password from inside the file where it is supposed to reside.

Re: Encrypted information from deployer to search head

irsysintegratio — Tue, 05 Dec 2017 13:50:30 GMT

Thanks for your information!

I want to make sure I understand this right.

Start a new deployer. It will generate a splunk.secret file automatically (in $SPLUNK_HOME/etc/auth);
copy this splunk.secret file to a new search head before starting it the first time. Then the search head will use this splunk.secret as the seed to create keys? Those keys will then be the same as the keys used by the deployer?
Then an encrypted password in password.conf can be pushed from the deployer to the search head, because both the deployer and the search head are now using the same key to encrypt/decrypt?

Thanks!

Re: Encrypted information from deployer to search head

irsysintegratio — Tue, 05 Dec 2017 14:53:20 GMT

Hmmmm....

There is one disadvantage of this approach. It relies on the setup of the search heads. We develop addon for customers, and there is no guarantee that all the customers will setup their search heads like this. As a matter of fact, this is not mentioned in the guideline about setting up search cluster.

I imagine, some if not most customers did not setup their search cluster this way. Then this approach won't work.

Is it possible to get the (decrypted) pass4SymmKey via the splunk sdk? Then we can use it to generate a key. Since this is for sure the same for the deployer and all search heads, then we don't need to rely on the splunk.secret?

Thanks.

Re: Encrypted information from deployer to search head

woodcock — Tue, 05 Dec 2017 16:18:21 GMT

You've got it.

Re: Encrypted information from deployer to search head

woodcock — Tue, 05 Dec 2017 16:19:14 GMT

I believe that there is a REST endpoint for that, but have never looked for it.

Re: Encrypted information from deployer to search head

irsysintegratio — Tue, 05 Dec 2017 21:06:49 GMT

Thanks!

I will look for the REST endpoint.

Re: Encrypted information from deployer to search head

splunkreal — Thu, 18 Jul 2024 16:24:32 GMT

Hi @woodcock this is old topic however just want to know if pushing addon from deployer using encrypted credentials in new local/passwords.conf (previously encrypted by clustered search head) is different in term of behavior than configuring addon on search head (web UI) and letting SHC replicating passwords.conf?