I am trying to follow the document to disable the legacy ciphers in Splunk 7.2, and I notice that the cluster master has been disconnected from the indexers and also the web interface of the cluster master is down. Below is the error I found in splunkd.log:
ERROR ConfigEncryptor - Legacy encryption disabled! Will not decrypt. If you want to allow decryption for configs encrypted with legacy ciphers please set server.conf/[general]/legacyCiphers to 'decryptOnly
Document: https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/ConfigureS2Sonnewcipher
To disable the legacy cipher suites in Splunk 7.2 and higher, you need to follow the process below.
You can follow the same process on the SH as well, and for the search head, you need to run the Secret key on the SH Captain.
Let me know if you face any difficulties.
By disabling the legacy ciphers, Splunk won't be able to read all encrypted passwords, pass4symmkey, ssh keys, which means no more https for your Splunk Web, no more pass4symmkey to connect to the indexers...
So make sure you follow this documentation:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/ConfigureS2Sonnewcipher
And let me know if you need any help.
Cheers,
David