Getting Data In

Are there any ways we can hide (encrypt) the USERNAME and PASSWORD in our REST API?

SplunkDash
Motivator

Hello,

Are there any ways we can hide (encrypt) the USERNAME and PASSWORD in our REST API? The main reason is that our client doesn't want to disclose the username and password. Any help or recommendation would be highly appreciated. Thank you so much.

0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

This is a typical security misconception.

If there is any "encrypted" or otherwise transformed form of the secret which can be used directly, it effectively becomes a plaintext secret, because you can use it.

Unless you use some complicated authentication mechanism like Kerberos or OAuth, you must have some form of secret to provide when logging in.

So, short answer: as long as the authentication process uses some form of secret-based authentication (like service name/token or user/password), you can't authenticate yourself without providing the secret during the transaction.


PickleRick
SplunkTrust
SplunkTrust

What do you mean by "in our REST API"? Do you need to mask/filter some part of your events?

0 Karma

SplunkDash
Motivator

Hello,

Thank you so much for your quick response, truly appreciate it.

The client provides us the password to be used in the REST API to access their location; they don't want to disclose that password to us.... they want to use/provide an encrypted form of the password. How would we implement that encrypted form of the password in our REST API?

0 Karma

PickleRick
SplunkTrust
SplunkTrust

After giving it some more thought I think I know where this idea came from.

There are several mechanisms where you can configure authentication based on data supplied by the client which is not the "direct" credentials the client uses to authenticate - for example configuring a salted password hash supplied by the user (when you don't know the password itself but configure your server to accept a password which hashes to the configured value) or authentication using the user's private key (when the public key is placed on the server).

But the idea that the client would not need to know the credentials to authenticate is the same idea mistakenly "transposed backwards". And it's often cited by people who can't properly limit access per authenticated client (or even differentiate clients), so they're afraid of losing control of access to their environment. Unfortunately the whole premise of this idea is wrong.

0 Karma
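To make the server-side mechanism in the post above concrete (the server stores only a salted hash, yet the client still has to present the real password, and the stored hash itself is not usable as a credential), here is an added example; it is not code from the thread or from Splunk, and the password, salt and iteration count are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: the server keeps a salt plus a PBKDF2-SHA256 hash of the
# client's password. Whoever knows the password can produce this record and hand
# over only the record; the server never needs the password itself.

ITERATIONS = 200_000  # constructed work factor for the sample


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the server-side record (salt + hash) from a chosen password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, presented: str) -> bool:
    """Server side: re-hash whatever the client presented and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", presented.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed sample credential and a fixed salt so the record is reproducible.
CLIENT_PASSWORD = "correct horse battery staple"
RECORD = make_record(CLIENT_PASSWORD, salt=bytes.fromhex("00112233445566778899aabbccddeeff"))


def demo() -> dict:
    """Show the three cases the thread argues about."""
    return {
        # The real password still has to be sent by the client at login time.
        "real_password_accepted": verify(RECORD, CLIENT_PASSWORD),
        # Handing over the stored hash instead of the password does not log you in,
        # so the record is safe to give to the server operator.
        "stored_hash_as_password_rejected": not verify(RECORD, RECORD["hash"]),
        "wrong_password_rejected": not verify(RECORD, "wrong"),
    }


if __name__ == "__main__":
    print(demo())
```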

SplunkDash
Motivator

Hello @PickleRick ,

Thank you so much once again, truly appreciate your support in these efforts. I think the options we are discussing here are mostly properties of the REST API or of public/private keys (or a cryptographic/simple hash function) rather than properties of SPLUNK itself. We should be able to use those options to encrypt our keys/passcode. Yes, I agree with you that there might not be any magic or built-in option within SPLUNK that can hide the key/password in question. Please share your thoughts....Thank you so much.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

A REST API on its own has nothing to do with authentication.

There are several ways to authenticate a client with REST, but most of them either use plain-text authentication data (usually sent over an encrypted HTTPS channel), like HTTP Basic Auth, or use a token generated after a call to some form of authenticating REST endpoint. But still, the authentication data for this call is usually more or less in plain form.

Theoretically, you could authenticate and authorize a user calling a REST endpoint (or any other HTTP request) by client HTTPS certificate. And there are many uses where people do that. I'm not sure that in your case:

1) your client can authenticate based on a certificate

2) your software used to connect to the client (is it something Splunk-related or are we talking completely off-topic? :-)) can use a client certificate to connect to the server.

0 Karma

SplunkDash
Motivator

@PickleRick ,

Thank you so much again. Actually, the REST API in question..... I meant the endpoint you mentioned....... the other part, REST API endpoint data encryption with public key/private key, I think is beyond the scope of this discussion. But I understood what you meant. Thank you so much again, appreciated.

0 Karma