When first entering a set of user/password credentials into the Qualys TA setup page, everything works as expected.
Once the credentials expire in the API and I attempt to update the password in the setup page, I get this error:
Encountered the following error while trying to update: Error while posting to url=/servicesNS/nobody/TA-QualysCloudPlatform/storage/passwords/
Looking at the _internal
index, I can see the POST fail with a 409 status code, Conflict
.
127.0.0.1 - admin [15/Jan/2018:10:28:25.948 +0100] "POST /servicesNS/nobody/TA-QualysCloudPlatform/apps/local/TA-QualysCloudPlatform/setup HTTP/1.0" 409 205 - - - 12675ms
Storing the password for a different user works and re-inserting the original user works after deleting passwords.conf, so it appears the setup page can only insert, not update a value.
Happens on various versions of Splunk including 7.0, using the latest version 1.2.3 of the Qualys TA.
Please fix updating the API user's password via the setup page.
Here's the response I got from Qualys support:
In order to update the changes successfully into the Qualys TA for Splunk, please follow the below steps:
1)From Settings> Data Inputs disable the TA Inputs
2)Delete passwords.conf file.
3)Reboot the splunk instance.
4)Go to TA config in Splunk UI and give the credentials again.
5)Check if the passwords.conf file created
6)Enable TA inputs from data Inputs
Perpetual workaround, it seems 😞
Thanks for letting me know that we're not alone 😄
My gut feeling says it's a problem with using the setup.xml to update credentials, it always forces a POST to the storage/passwords/_new
entity, which is a create/insert... that fails when the key (=username) already exists.
Hi There,
We had the same issue with updating our credentials on our cloud instance and to get Splunk Support to assist, apparently it is a know issue but what we did was exactly what you did.... delete the passwords.conf to allow the new credentials to take, an absolute pain as it left us without data for a few days