Running into errors while disabling the legacy ciphers in splunk 7.2

Splunk Employee

I am trying to follow the document to disable the legacy ciphers in Splunk 7.2, and I notice that the cluster master has been disconnected from the indexers and the web interface of the cluster master is also down. Below is the error I found in the splunkd logs:

ERROR ConfigEncryptor - Legacy encryption disabled! Will not decrypt. If you want to allow decryption for configs encrypted with legacy ciphers please set server.conf/[general]/legacyCiphers to 'decryptOnly

Document :

0 Karma

Splunk Employee

To disable the legacy cipher suites in Splunk 7.2 and higher, you need to follow the process below.

  1. First, you need to perform it on the indexers: add the [node_auth] in server.conf and restart the splunkd services.
  2. You need to add "legacyCiphers = disabled" below the general stanza and restart the services.
  3. You need to comment out the pass4SymmKey in the clustering stanza and add another pass4SymmKey on the indexers.
  4. You need to do the same steps on all the indexers, and then you need to perform the same steps on the cluster master.
  5. You need to run the command $SPLUNK_HOME/bin/splunk rotate splunk-secret on the cluster master, and the secret key will be distributed to all the indexers.

You can follow the same process on the SH as well, and for search head, you need to run the Secret key on the SH Captain.

Let me know if you face any difficulties.

0 Karma

Super Champion

By disabling the legacy ciphers, Splunk won't be able to read all encrypted passwords, pass4SymmKey, ssh keys, which means no more https for your Splunk Web, no more pass4SymmKey to connect to the indexers...

So make sure you follow this documentation :

And let me know if you need any help.


0 Karma
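
A pre-flight check for the failure discussed in this thread, as an added example that is not part of any post or of Splunk's own tooling: it scans the text of a .conf file for settings still encrypted with the legacy cipher before legacyCiphers is set to disabled. It assumes legacy-encrypted values start with `$1$` and values written by 7.2 and later start with `$7$`; the function names and the sample config are constructed for illustration.

```python
# Assumption (not stated in the thread): legacy-encrypted values start with
# "$1$"; values re-encrypted by Splunk 7.2+ start with "$7$".
LEGACY_PREFIX = "$1$"


def audit_conf(text):
    """Return (legacy_mode, findings) for the text of one .conf file.

    legacy_mode is the [general]/legacyCiphers value, or None if unset.
    findings lists (stanza, key) pairs whose value is legacy-encrypted.
    """
    stanza, legacy_mode, findings = "default", None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out setting
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key = value line
        key, value = key.strip(), value.strip()
        if stanza == "general" and key == "legacyCiphers":
            legacy_mode = value
        if value.startswith(LEGACY_PREFIX):
            findings.append((stanza, key))
    return legacy_mode, findings


def safe_to_disable(text):
    """True only when no setting still depends on the legacy cipher."""
    return not audit_conf(text)[1]


# Constructed sample server.conf; the encrypted values are placeholders.
SAMPLE = """\
[general]
legacyCiphers = disabled
pass4SymmKey = $7$PLACEHOLDERnewformat==
[sslConfig]
sslPassword = $1$PLACEHOLDERlegacy
[clustering]
# pass4SymmKey = $1$PLACEHOLDERcommentedout
pass4SymmKey = $1$PLACEHOLDERlegacy2
"""

if __name__ == "__main__":
    mode, hits = audit_conf(SAMPLE)
    print("legacyCiphers =", mode)
    for stanza, key in hits:
        print(f"still legacy-encrypted: [{stanza}] {key}")
```

Any finding reported while legacyCiphers is disabled is a setting splunkd will refuse to decrypt, which matches the ConfigEncryptor error quoted in the question; run the check over every .conf file on each indexer, the cluster master and the search heads.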