So here's what I'm trying to do...
I've stood up an index cluster and am testing some things at the moment. I used the splunk.secret from the cluster master instance and seeded it to all of the indexers before their installations were started so they all share the same encryption salt. I did this per this article: docs.splunk.com/Documentation/Splunk/6.2.8/Security/Deploysecurepasswordsacrossmultipleservers
I would like to distribute SSL certificates signed by my CA to the cluster peers to enable various SSL communications. Here is what happens when I try to do this:
I created config bundle which includes the rootca.pem file and the concatenated clustercert.pem file with all of the pertinent certs. The bundle also includes a server.conf with the following information:
disabled = false
password = "unencrypted password"
serverCert = "/opt/splunk/etc/slave-apps/certbundle/local/clustercert.pem"
rootCA = "/opt/splunk/etc/slave-apps/certbundle/local/rootca.pem"
disabled = true
Notice how I have the password currently unencrypted in the server.conf file, which is not ideal for a number of reasons. Since all of the cluster peers share the same splunk.secret I should be able to put the encrypted password in this server.conf file which would be distributed to the peers. Here is where I get hung up. I don't know if it's possible to manually encrypt a password string with the splunk.secret file. Here's how I've tried to get around this:
Put the above stanzas in the cluster master's server.conf file and restart, but it refuses to encrypt the password (I'm assuming because it's not actually using any cluster replication so it isn't recognizing the need for those stanzas and password?) Otherwise, if it did encrypt the password, I would then use it in the config bundle that would be distributed. (Note: adding these stanzas didn't seem to adversely affect the cluster master, it appeared to flat out ignore them)
Anyone have any ideas? Is there a way to hash passwords manually using the splunk.secret salt file?
I was looking through the IMAPmailbox app on splunkbase. there is a genpass.sh script in there that takes the user's input as well as the splunk.secret to generate an encrypted password.
Lunk to IMAPmailbox app: https://splunkbase.splunk.com/app/1739/
#!/bin/bash #Jimmy J - 07/15/2008 #Modified this script to use the /bin/bash shell as opposed to the /bin/sh shell. The /bin/sh does not interpret the -n flag #correctly on mac i.e. the trailing newline is added to the password #No need of a key file to save the key used for encrypting/decrypting the passwords. #We now use the splunk.secret key that comes with every installation of splunk echo -n "Enter the password you want to encrypt:" stty -echo read pass stty echo echo "" echo -n "Enter it one more time to make sure you typed it in correctly:" stty -echo read pass2 stty echo if [ $pass = $pass2 ]; then echo "" echo "" echo -n $pass | openssl bf -e -a -pass file:$SPLUNK_HOME/etc/auth/splunk.secret echo "" echo "Copy the string on the line above and paste it into" echo "local/imap.conf as the value for xpassword." else echo "" echo "" echo "Exiting" echo "Sorry, your passwords did not match." fi
Essentially it's using the openssl blowfish cipher to encrypt in base64 using the splunk.secret as the password source. One thing to consider is that the splunk.secret will be different between all of your index cluster members, so there is that to consider.
Hopefully this helps you out. It certainly helped me out.