Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Encrypted information from deployer to search head

irsysintegratio
Path Finder
‎12-04-2017 01:55 PM

We want to use splunk deployer to push our addon to the search headers, but have questions about the encrypted information.

First of all, if I understand it right, the addon has to be setup from the deployer, right? The setup link won't even show up in a search head for an addon.

During the setup of our addon there are some passwords we take from the user, and we need to store them for later use. We post them to the storage/passwords endpoint. So the passwords will be encrypted in the password.conf.

Now if the deployer push this addon to the search heads, how can they decrypt these please?

Thanks.

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-04-2017 03:08 PM

The way that this is generally done is that BEFORE you start a Splunk instance on your Search Head for the first time, you copy a known splunk.secret file (or create one, it is just a certain number of characters in a row) to each server. When Splunk starts for the first time, it uses this seed to create several encryption keys which are then used to encode/decode passwords. If you did this (and any PS guy worth anything would have done this for you if you paid somebody to setup your cluster), then you just encrypt it on any search head (or other server that was started with the same splunk.secret file) and push out the post-encrypted password from inside the file where it is supposed to reside.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-04-2017 03:08 PM

The way that this is generally done is that BEFORE you start a Splunk instance on your Search Head for the first time, you copy a known splunk.secret file (or create one, it is just a certain number of characters in a row) to each server. When Splunk starts for the first time, it uses this seed to create several encryption keys which are then used to encode/decode passwords. If you did this (and any PS guy worth anything would have done this for you if you paid somebody to setup your cluster), then you just encrypt it on any search head (or other server that was started with the same splunk.secret file) and push out the post-encrypted password from inside the file where it is supposed to reside.

Reply
Solved! Jump to solution

splunkreal
Motivator
‎07-18-2024 09:24 AM

Hi @woodcock this is old topic however just want to know if pushing addon from deployer using encrypted credentials in new local/passwords.conf (previously encrypted by clustered search head) is different in term of behavior   than configuring addon on search head (web UI) and letting SHC replicating passwords.conf?

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Solved! Jump to solution

irsysintegratio
Path Finder
‎12-05-2017 05:50 AM

Thanks for your information!

I want to make sure I understand this right.

  1. Start a new deployer. It will generate a splunk.secret file automatically (in $SPLUNK_HOME/etc/auth);
  2. copy this splunk.secret file to a new search head before starting it the first time. Then the search head will use this splunk.secret as the seed to create keys? Those keys will then be the same as the keys used by the deployer?
  3. Then an encrypted password in password.conf can be pushed from the deployer to the search head, because both the deployer and the search head are now using the same key to encrypt/decrypt?

Thanks!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-05-2017 08:18 AM

You've got it.

0 Karma
Reply
Solved! Jump to solution

irsysintegratio
Path Finder
‎12-05-2017 06:53 AM

Hmmmm....

There is one disadvantage of this approach. It relies on the setup of the search heads. We develop addon for customers, and there is no guarantee that all the customers will setup their search heads like this. As a matter of fact, this is not mentioned in the guideline about setting up search cluster.

I imagine, some if not most customers did not setup their search cluster this way. Then this approach won't work.

Is it possible to get the (decrypted) pass4SymmKey via the splunk sdk? Then we can use it to generate a key. Since this is for sure the same for the deployer and all search heads, then we don't need to rely on the splunk.secret?

Thanks.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-05-2017 08:19 AM

I believe that there is a REST endpoint for that, but have never looked for it.

0 Karma
Reply
Solved! Jump to solution

irsysintegratio
Path Finder
‎12-05-2017 01:06 PM

Thanks!

I will look for the REST endpoint.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...