Deployment Architecture

Encrypted information from deployer to search head

irsysintegratio
Path Finder

We want to use splunk deployer to push our addon to the search headers, but have questions about the encrypted information.

First of all, if I understand it right, the addon has to be setup from the deployer, right? The setup link won't even show up in a search head for an addon.

During the setup of our addon there are some passwords we take from the user, and we need to store them for later use. We post them to the storage/passwords endpoint. So the passwords will be encrypted in the password.conf.

Now if the deployer push this addon to the search heads, how can they decrypt these please?

Thanks.

0 Karma
1 Solution

woodcock
Esteemed Legend

The way that this is generally done is that BEFORE you start a Splunk instance on your Search Head for the first time, you copy a known splunk.secret file (or create one, it is just a certain number of characters in a row) to each server. When Splunk starts for the first time, it uses this seed to create several encryption keys which are then used to encode/decode passwords. If you did this (and any PS guy worth anything would have done this for you if you paid somebody to setup your cluster), then you just encrypt it on any search head (or other server that was started with the same splunk.secret file) and push out the post-encrypted password from inside the file where it is supposed to reside.

View solution in original post

woodcock
Esteemed Legend

The way that this is generally done is that BEFORE you start a Splunk instance on your Search Head for the first time, you copy a known splunk.secret file (or create one, it is just a certain number of characters in a row) to each server. When Splunk starts for the first time, it uses this seed to create several encryption keys which are then used to encode/decode passwords. If you did this (and any PS guy worth anything would have done this for you if you paid somebody to setup your cluster), then you just encrypt it on any search head (or other server that was started with the same splunk.secret file) and push out the post-encrypted password from inside the file where it is supposed to reside.

irsysintegratio
Path Finder

Thanks for your information!

I want to make sure I understand this right.

  1. Start a new deployer. It will generate a splunk.secret file automatically (in $SPLUNK_HOME/etc/auth);
  2. copy this splunk.secret file to a new search head before starting it the first time. Then the search head will use this splunk.secret as the seed to create keys? Those keys will then be the same as the keys used by the deployer?
  3. Then an encrypted password in password.conf can be pushed from the deployer to the search head, because both the deployer and the search head are now using the same key to encrypt/decrypt?

Thanks!

0 Karma

woodcock
Esteemed Legend

You've got it.

0 Karma

irsysintegratio
Path Finder

Hmmmm....

There is one disadvantage of this approach. It relies on the setup of the search heads. We develop addon for customers, and there is no guarantee that all the customers will setup their search heads like this. As a matter of fact, this is not mentioned in the guideline about setting up search cluster.

I imagine, some if not most customers did not setup their search cluster this way. Then this approach won't work.

Is it possible to get the (decrypted) pass4SymmKey via the splunk sdk? Then we can use it to generate a key. Since this is for sure the same for the deployer and all search heads, then we don't need to rely on the splunk.secret?

Thanks.

0 Karma

woodcock
Esteemed Legend

I believe that there is a REST endpoint for that, but have never looked for it.

0 Karma

irsysintegratio
Path Finder

Thanks!

I will look for the REST endpoint.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...