Deployment Architecture

Encrypted information from deployer to search head

Path Finder

We want to use splunk deployer to push our addon to the search headers, but have questions about the encrypted information.

First of all, if I understand it right, the addon has to be setup from the deployer, right? The setup link won't even show up in a search head for an addon.

During the setup of our addon there are some passwords we take from the user, and we need to store them for later use. We post them to the storage/passwords endpoint. So the passwords will be encrypted in the password.conf.

Now if the deployer push this addon to the search heads, how can they decrypt these please?

Thanks.

0 Karma
1 Solution

Esteemed Legend

The way that this is generally done is that BEFORE you start a Splunk instance on your Search Head for the first time, you copy a known splunk.secret file (or create one, it is just a certain number of characters in a row) to each server. When Splunk starts for the first time, it uses this seed to create several encryption keys which are then used to encode/decode passwords. If you did this (and any PS guy worth anything would have done this for you if you paid somebody to setup your cluster), then you just encrypt it on any search head (or other server that was started with the same splunk.secret file) and push out the post-encrypted password from inside the file where it is supposed to reside.

View solution in original post

Esteemed Legend

The way that this is generally done is that BEFORE you start a Splunk instance on your Search Head for the first time, you copy a known splunk.secret file (or create one, it is just a certain number of characters in a row) to each server. When Splunk starts for the first time, it uses this seed to create several encryption keys which are then used to encode/decode passwords. If you did this (and any PS guy worth anything would have done this for you if you paid somebody to setup your cluster), then you just encrypt it on any search head (or other server that was started with the same splunk.secret file) and push out the post-encrypted password from inside the file where it is supposed to reside.

View solution in original post

Path Finder

Thanks for your information!

I want to make sure I understand this right.

  1. Start a new deployer. It will generate a splunk.secret file automatically (in $SPLUNK_HOME/etc/auth);
  2. copy this splunk.secret file to a new search head before starting it the first time. Then the search head will use this splunk.secret as the seed to create keys? Those keys will then be the same as the keys used by the deployer?
  3. Then an encrypted password in password.conf can be pushed from the deployer to the search head, because both the deployer and the search head are now using the same key to encrypt/decrypt?

Thanks!

0 Karma

Esteemed Legend

You've got it.

0 Karma

Path Finder

Hmmmm....

There is one disadvantage of this approach. It relies on the setup of the search heads. We develop addon for customers, and there is no guarantee that all the customers will setup their search heads like this. As a matter of fact, this is not mentioned in the guideline about setting up search cluster.

I imagine, some if not most customers did not setup their search cluster this way. Then this approach won't work.

Is it possible to get the (decrypted) pass4SymmKey via the splunk sdk? Then we can use it to generate a key. Since this is for sure the same for the deployer and all search heads, then we don't need to rely on the splunk.secret?

Thanks.

0 Karma

Esteemed Legend

I believe that there is a REST endpoint for that, but have never looked for it.

0 Karma

Path Finder

Thanks!

I will look for the REST endpoint.

0 Karma