I want to avoid having to save the password to password.conf and instead check out the password from Cyberark's password vault since it would be changed regularly. Is it possible to integrate Cyberark AIM or some variation to check out the password from the vault to then be used by Cisco ACI?
The password is stored in local/passwords.conf directory of the app. The collector script collect.py takes this password information and uses it for authentication.
Two ways I can think of to integrate CyberArk are:
1. Keep passwords.conf as the source and keep it in sync with the vault, either:
   a. by creating an automated script, polled at a regular interval, that looks into the vault and updates the passwords.conf file, OR
   b. by making CyberArk update passwords.conf in the Splunk app whenever the APIC password is updated in the vault.
2. Modify the collect.py script to use APIs to get the password information instead of looking into passwords.conf.
Thank you. I like the idea of updating the collect.py script to check out the password rather than use the password.conf file. Now on to learning enough Python to do it. 🙂
That's not quite right. Passwords.conf is accessed via the password storage mechanism within Splunk's REST API. The conf file contains only the encrypted password, the key for which is contained within Splunk and is not accessible (in theory). The collect.py is not reading password.conf.
With that said, Splunk is pretty good at finding clear-text passwords at boot and encrypting them when it starts. Your solution 1 could work if you write the clear-text password into password.conf, but I am not sure if you can trigger a REST call to encrypt while Splunk is running, and restarting Splunk every time the password changes is clearly not workable. Add to this that that's not really how CyberArk works. Passwords can be changed at different intervals, or after each use, so I think option 1 is out of the question.
Option 2 is the way to go, and that is why I decided to write my own script, as it's less effort than re-engineering existing methods based on the Splunk auth mechanism.
However, I haven't finished mine yet, so I could still be eating my hat 🙂
Thanks Nick. If you have a snippet of code that you use to pull the password and use it in Python, it would be nice to see. I'm new to Python, so every shortcut helps. Thanks for the info.
Yes, it totally (probably) is possible.
I am implementing something similar for triggering vulnerability scans.
I have not looked at Cisco ACI, but I decided to start from scratch and roll my own.
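To make option 2 from the thread concrete, here is an added example (not code from the Cisco ACI app, nor from any poster above) of what a collector could do instead of reading passwords.conf: check the APIC account out of CyberArk's Central Credential Provider (the web-service form of AIM) over HTTPS, parse the JSON it returns, and feed the secret straight into the APIC login body. The CCP host, the application ID, safe and object names, the sample JSON reply and the clipasswordsdk path are all placeholders or constructed values; only the CCP query parameters (AppID, Safe, Object), the `Content` field in its reply and the APIC `aaaLogin.json` body shape are taken from the real products.

```python
"""Check an APIC password out of CyberArk CCP/AIM and use it for APIC login.

Added example for the thread above; not the Cisco ACI app's collect.py.
Assumptions (replace with your own values):
  - CCP web service reachable at https://cyberark.example.com/AIMWebService
  - an application ID "SplunkACI" authorised on safe "ACI-Safe", object "apic-admin"
"""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

CCP_BASE_URL = "https://cyberark.example.com/AIMWebService/api/Accounts"  # placeholder host
CLIPASSWORDSDK = "/opt/CARKaim/sdk/clipasswordsdk"  # assumed install path of the AIM CLI

# Constructed sample of what CCP returns on success; the secret lives in "Content".
SAMPLE_CCP_RESPONSE = json.dumps({
    "Content": "S3cr3t-apic-pw!",
    "UserName": "admin",
    "Address": "apic1.example.com",
    "Safe": "ACI-Safe",
    "PolicyID": "CiscoACI",
})


def build_ccp_url(app_id, safe, obj, base_url=CCP_BASE_URL):
    """Build the CCP GET URL. urlencode keeps a safe/object name containing
    spaces or '&' from altering the query string."""
    query = urllib.parse.urlencode({"AppID": app_id, "Safe": safe, "Object": obj})
    return f"{base_url}?{query}"


def build_clipasswordsdk_argv(app_id, safe, obj, sdk_path=CLIPASSWORDSDK):
    """Equivalent checkout through the local AIM credential provider CLI,
    as an argv list (no shell, so the names are never shell-interpreted)."""
    return [sdk_path, "GetPassword",
            "-p", f"AppDescs.AppID={app_id}",
            "-p", f"Query=Safe={safe};Folder=Root;Object={obj}",
            "-o", "Password"]


def parse_ccp_response(body):
    """Extract the credential from a CCP JSON reply. A reply without
    'Content' is an error document, so fail loudly rather than log in with ''."""
    data = json.loads(body)
    if "Content" not in data:
        raise ValueError(f"CCP reply carries no Content; fields present: {sorted(data)}")
    return {"username": data.get("UserName"),
            "password": data["Content"],
            "address": data.get("Address")}


def fetch_credential(app_id, safe, obj, cafile=None, timeout=10):
    """Live checkout over HTTPS with certificate verification left on.
    cafile lets you pin the CCP's internal CA instead of the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(build_ccp_url(app_id, safe, obj), timeout=timeout) as resp:
            return parse_ccp_response(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        # Report the status only; the URL and body may carry secrets.
        raise RuntimeError(f"CCP checkout failed with HTTP {exc.code}") from exc


def apic_login_payload(username, password):
    """Body for POST https://<apic>/api/aaaLogin.json; the password goes
    straight from the vault into the request, never onto disk."""
    return json.dumps({"aaaUser": {"attributes": {"name": username, "pwd": password}}})


def demo():
    """Offline walk-through on the constructed reply; returns what a test can check."""
    cred = parse_ccp_response(SAMPLE_CCP_RESPONSE)
    try:
        parse_ccp_response(json.dumps({"ErrorCode": "XXX", "ErrorMsg": "denied"}))
        error_detected = False
    except ValueError:
        error_detected = True
    return {"cred": cred,
            "login_body": json.loads(apic_login_payload(cred["username"], cred["password"])),
            "error_detected": error_detected}


if __name__ == "__main__":
    print(build_ccp_url("SplunkACI", "ACI-Safe", "apic-admin"))
    print(" ".join(build_clipasswordsdk_argv("SplunkACI", "ACI-Safe", "apic-admin")))
    print(demo()["login_body"]["aaaUser"]["attributes"]["name"])
```

Because the password is fetched on every run (or every poll) it is always whatever the vault currently holds, which is what makes the "changed after each use" policy mentioned above workable; nothing is written to passwords.conf, so no Splunk restart or REST call to re-encrypt is needed. Keep the CCP application's allowed-machines and certificate restrictions on in the vault, since the AppID is the only thing this request presents.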