Running into errors while disabling the legacy ciphers in Splunk 7.2

vinkumar_splunk
Splunk Employee

I am trying to follow the document to disable the legacy ciphers in Splunk 7.2, and I notice that the cluster master has been disconnected from the indexers and the web interface of the cluster master is also down. Below is the error I found in the Splunkd.logs:

ERROR ConfigEncryptor - Legacy encryption disabled! Will not decrypt. If you want to allow decryption for configs encrypted with legacy ciphers please set server.conf/[general]/legacyCiphers to 'decryptOnly

Document : https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/ConfigureS2Sonnewcipher

0 Karma

saramamurthy_sp
Splunk Employee

To disable the legacy cipher suites in Splunk 7.2 and higher, you need to follow the process below.

  1. First, you need to perform it on the indexers: add the [node_auth] in the server.conf and restart the splunkd services.
  2. You need to add "legacyCiphers = disabled" below the general stanza and restart the services.
  3. You need to comment out the pass4SymmKey in the clustering stanza and add another pass4SymmKey on the indexers.
  4. You need to do the same steps on all the indexers and then you need to perform the same steps in the cluster master.
  5. You need to run the command $SPLUNK_HOME/bin/splunk rotate splunk-secret on the cluster master and the secret key will be distributed to all the indexers.

You can follow the same process on the SH as well; for the search head, you need to run the Secret key on the SH Captain.

Let me know if you face any difficulties.

0 Karma
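
A read-only check for the rollout described in this thread, as an added example (not code from the thread or from Splunk): for each node it reports the `legacyCiphers` value under `[general]`, whether `[node_auth]` is present, whether `[clustering]` still has an uncommented `pass4SymmKey`, and how many times the ConfigEncryptor error from the question appears in the log. Function names, node names, the conf text and the log line are constructed for illustration.

```python
import re

# Matches the splunkd log error quoted in the question.
LEGACY_ERR = re.compile(r"ERROR\s+ConfigEncryptor\s+-\s+Legacy encryption disabled")

def parse_conf(text):
    """Minimal Splunk .conf reader: {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def audit_node(name, server_conf, splunkd_log):
    """Summarize the settings the steps touch, plus decrypt failures in the log."""
    conf = parse_conf(server_conf)
    return {
        "node": name,
        "legacyCiphers": conf.get("general", {}).get("legacyCiphers", "(unset)"),
        "has_node_auth": "node_auth" in conf,
        "clustering_pass4SymmKey": "pass4SymmKey" in conf.get("clustering", {}),
        "decrypt_errors": sum(1 for ln in splunkd_log.splitlines() if LEGACY_ERR.search(ln)),
    }

def needs_attention(report):
    """Legacy ciphers are off, yet splunkd still hit a value it refuses to decrypt."""
    return report["legacyCiphers"] == "disabled" and report["decrypt_errors"] > 0

# Constructed sample inputs (not taken from a real deployment).
CM_CONF = """[general]
legacyCiphers = disabled
[node_auth]
[clustering]
# pass4SymmKey = <placeholder>
"""
CM_LOG = ("01-01-2020 00:00:00.000 +0000 ERROR ConfigEncryptor - "
          "Legacy encryption disabled! Will not decrypt.\n")
IDX_CONF = """[clustering]
pass4SymmKey = <placeholder>
"""
if __name__ == "__main__":
    for args in (("cm1", CM_CONF, CM_LOG), ("idx1", IDX_CONF, "")):
        print(audit_node(*args), needs_attention(audit_node(*args)))
```

Feeding it copies of each node's server.conf and log after every restart shows which nodes have switched and which are still logging the decrypt error.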

DavidHourani
Super Champion

By disabling the legacy ciphers, Splunk won't be able to read all encrypted passwords, pass4symmkey, ssh keys, which means no more https for your Splunk web, no more pass4symmkey to connect to the indexers...

So make sure you follow this documentation:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/ConfigureS2Sonnewcipher

And let me know if you need any help.

Cheers,
David

0 Karma