I built up a brand new fresh Splunk environment (on 7.2.1) and am getting an error when attempting to set up the SH cluster.... specifically when starting the cluster captain for the 1st time.

I started the process on the Deployer, and added the following stanza/values in the /etc/system/local/server.conf file:

[shclustering]
pass4SymmKey = myPassword
shcluster_label = myClusterName

... and restarted the deployer. Confirmed that the plain text password I type in now encrypted (not in plain text)

I ran the SH cluster init command on all (3) SH members:

/opt/splunk/bin/splunk init shcluster-config -auth admin:myPassword -mgmt_uri https://myDeploymentServer:8089 -replication_port 34567 -replication_factor 3 -conf_deploy_fetch_url https://myDeployer:8089 -shcluster_label myClusterName

... and restarted them. No errors.

Attempted to start a SH captain (just picked one of the SH members) and ran this command:

/opt/splunk/bin/splunk bootstrap shcluster-captain -servers_list "https://mySearchHead1:8089,https://mySearchHead2:8089,https://mySearchHead3:8089" -auth admin:myPassword

... and I get this error message:

uri=https://myDeploymentServer:8089/services/shcluster/member/consensus/pseudoid/last_known_state?output_mode=json, error=401 - Unauthorized. Is this member using the same pass4SymmKey as other members?;

Interesting that it appears to be coming from the deployment server... and I know that the myPassword value is correct. I use that one password all over the place when connecting to the deployment server, setting up the index cluster, etc.

I noticed that there is a pass4SymmKey under 2 stanza's.. [general] and [shclustering]. Does that matter?

Any help would be much appreciated. Thank You!

Joe