Deployment Architecture

Encrypted information from deployer to search head

irsysintegratio
Path Finder

We want to use the Splunk deployer to push our addon to the search heads, but have questions about the encrypted information.

First of all, if I understand it right, the addon has to be set up from the deployer, right? The setup link won't even show up in a search head for an addon.

During the setup of our addon there are some passwords we take from the user, and we need to store them for later use. We post them to the storage/passwords endpoint. So the passwords will be encrypted in the password.conf.

Now if the deployer pushes this addon to the search heads, how can they decrypt these please?

Thanks.

1 Solution

woodcock
Esteemed Legend

The way that this is generally done is that BEFORE you start a Splunk instance on your Search Head for the first time, you copy a known splunk.secret file (or create one, it is just a certain number of characters in a row) to each server. When Splunk starts for the first time, it uses this seed to create several encryption keys which are then used to encode/decode passwords. If you did this (and any PS guy worth anything would have done this for you if you paid somebody to set up your cluster), then you just encrypt it on any search head (or other server that was started with the same splunk.secret file) and push out the post-encrypted password from inside the file where it is supposed to reside.

splunkreal
Motivator

Hi @woodcock, this is an old topic, however I just want to know if pushing an addon from the deployer using encrypted credentials in a new local/passwords.conf (previously encrypted by a clustered search head) is different in terms of behavior than configuring the addon on a search head (web UI) and letting SHC replicate passwords.conf?

* If this helps, please upvote or accept solution if it solved *
0 Karma

irsysintegratio
Path Finder

Thanks for your information!

I want to make sure I understand this right.

  1. Start a new deployer. It will generate a splunk.secret file automatically (in $SPLUNK_HOME/etc/auth);
  2. Copy this splunk.secret file to a new search head before starting it the first time. Then the search head will use this splunk.secret as the seed to create keys? Those keys will then be the same as the keys used by the deployer?
  3. Then an encrypted password in password.conf can be pushed from the deployer to the search head, because both the deployer and the search head are now using the same key to encrypt/decrypt?

Thanks!

0 Karma

woodcock
Esteemed Legend

You've got it.

0 Karma
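
A pre-flight check for the shared splunk.secret approach confirmed in the reply above, as an added example that is not part of the original thread or Splunk's own tooling: it compares SHA-256 digests, so the secret itself never has to leave its host. The function names and the /opt/splunk fallback path are assumptions; the sample files in `demo` are constructed.

```shell
#!/bin/sh
# Added example: confirm a search head was seeded with the same splunk.secret
# as the instance that encrypted passwords.conf, before pushing the app.

# Print the SHA-256 digest of one file; the secret itself is never echoed.
secret_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    else
        shasum -a 256 < "$1" | awk '{print $1}'
    fi
}

# Usage: check_secret EXPECTED_DIGEST [FILE]
# EXPECTED_DIGEST comes from running secret_digest on the encrypting instance.
# FILE defaults to $SPLUNK_HOME/etc/auth/splunk.secret (/opt/splunk is an
# assumed fallback when SPLUNK_HOME is unset).
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be read.
check_secret() {
    expected=$1
    file=${2:-${SPLUNK_HOME:-/opt/splunk}/etc/auth/splunk.secret}
    if [ ! -r "$file" ]; then
        echo "unreadable: $file" >&2
        return 2
    fi
    if [ "$(secret_digest "$file")" != "$expected" ]; then
        echo "MISMATCH: $file differs; pushed encrypted values will not decrypt here" >&2
        return 1
    fi
    echo "OK: $file matches"
}

# Constructed demo: one member seeded from the deployer's file, one that was not.
demo() {
    d=$(mktemp -d)
    printf 'constructed-seed-one\n' > "$d/deployer.secret"
    cp "$d/deployer.secret" "$d/sh1.secret"
    printf 'constructed-seed-two\n' > "$d/sh2.secret"
    ref=$(secret_digest "$d/deployer.secret")
    rc=0
    check_secret "$ref" "$d/sh1.secret" || rc=$?
    check_secret "$ref" "$d/sh2.secret" || rc=$?
    rm -rf "$d"
    return $rc
}
```

Run `secret_digest` on the instance that performed the encryption, then `check_secret <digest>` on each search head; any non-zero exit means that member was started with a different seed.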

irsysintegratio
Path Finder

Hmmmm....

There is one disadvantage of this approach. It relies on the setup of the search heads. We develop addons for customers, and there is no guarantee that all the customers will set up their search heads like this. As a matter of fact, this is not mentioned in the guideline about setting up a search cluster.

I imagine some, if not most, customers did not set up their search cluster this way. Then this approach won't work.

Is it possible to get the (decrypted) pass4SymmKey via the Splunk SDK? Then we can use it to generate a key. Since this is for sure the same for the deployer and all search heads, then we don't need to rely on the splunk.secret?

Thanks.

0 Karma

woodcock
Esteemed Legend

I believe that there is a REST endpoint for that, but have never looked for it.

0 Karma

irsysintegratio
Path Finder

Thanks!

I will look for the REST endpoint.

0 Karma