pass4SymmKey for License Master and License Slaves

jaracan
Communicator

Hi Team,

Here is our scenario:
We needed to update the pass4SymmKey for the License Master and License Slaves.
We will update the parameter "pass4SymmKey" in the [general] stanza of the server.conf.

However, we have a complex Splunk environment.

The Splunk servers (License Master/Slaves) needed for this update consist of the following:
Clustered Indexers
Clustered Search Heads
Non-Clustered Search Heads
Deployment Server
Deployer
Cluster Master
Heavy Forwarders

Can you help us sort out the steps needed to update parameter "pass4SymmKey" in the [general] stanza of the server.conf?
Currently, we have the steps below:

LICENSE MASTER
1. In License Master, use btool to locate the server.conf with the [general] stanza:
   # /opt/splunk/bin/splunk btool server list --debug | grep general
2. Update the server.conf with the new pass4SymmKey:
   # vi /opt/splunk/etc/system/local/server.conf
3. Restart Splunk:
   # /opt/splunk/bin/splunk restart

On which tier should we implement the update next?
Also, for the Clustered Indexers and Clustered Search Heads tiers, is it okay to update and simply restart Splunk? Or do we need to do some maintenance mode or rolling restart instead?

I hope you can help us. Thanks.

ekost
Splunk Employee
  1. Select a new passcode to fill in for pass4SymmKey.
  2. SSH to the Splunk instance.
  3. Edit the /opt/splunk/etc/system/local/server.conf file.
  4. Under the [general] stanza pass4SymmKey field, replace the hashed value with the new passcode in plain text. It will stay in plain text until Splunk services are restarted.
  5. Save the changes to the server.conf file.
  6. Restart Splunk services on that node.

Perform steps 2 - 6 on the License Master, Cluster Master, and all Cluster Peers (Indexers). The CM and LM should get a regular service restart, and the CPs can receive a rolling-restart if the pass4SymmKey update is finished on all of them.

Once communications are re-established, verify CP connectivity on the LM. The various peers would appear under your license pool(s). If you need to, re-license the Cluster Peers: e.g. use the CLI command ./splunk edit licenser-localslave -master_uri 'https://my_lic_master:8089' and verify CP connectivity on the LM.

After that, move on to performing steps 2 - 6 on the standalone SH, DS, and HF nodes.

For the final SHC and Deployer portion, I liked the post "How to set a new pass4SymmKey password on a search head cluster deployer"
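
The answer above notes that the new key stays in plain text in server.conf until the restart. The script below is an added example, not part of the original posts or Splunk's own tooling, that reports per stanza whether that rewrite has happened. It assumes splunkd-encrypted values begin with `$1$` or `$7$`; the function name `p4sk_state` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether pass4SymmKey in a server.conf stanza is still
# plain text or has been rewritten by splunkd after the restart.
# Assumption: splunkd-encrypted values begin with "$1$" or "$7$".

# p4sk_state FILE [STANZA]  ->  prints encrypted | plaintext | empty | missing
p4sk_state() {
    awk -v want="${2:-general}" '
        /^[ \t]*#/ { next }                          # skip comment lines
        /^[ \t]*\[/ {                                # stanza header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            in_stanza = (s == want); next
        }
        in_stanza && /^[ \t]*pass4SymmKey[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
            if (v == "")                 state = "empty"
            else if (v ~ /^\$[17]\$/)    state = "encrypted"
            else                         state = "plaintext"   # last match wins
        }
        END { print (state == "" ? "missing" : state) }
    ' "$1"
}

# Constructed sample files (not real keys): one node before its restart,
# one after. The [clustering] stanza shows that each stanza is checked alone.
SAMPLES=$(mktemp -d) || exit 1
trap 'rm -rf "$SAMPLES"' EXIT

printf '%s\n' '[general]' 'serverName = lm01' \
    'pass4SymmKey = NewPasscode123' > "$SAMPLES/before.conf"

printf '%s\n' '[general]' '# rewritten by splunkd on restart' \
    'pass4SymmKey = $7$Q29uc3RydWN0ZWQ=' \
    '[clustering]' 'pass4SymmKey = other' > "$SAMPLES/after.conf"

for f in before after; do
    for st in general clustering; do
        printf '%-12s [%s] %s\n' "$f.conf" "$st" \
            "$(p4sk_state "$SAMPLES/$f.conf" "$st")"
    done
done
```

On a real node, run `p4sk_state /opt/splunk/etc/system/local/server.conf general` after step 6; a result of `plaintext` means the key is still readable on disk and the restart has not taken effect for that file.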
