Security

Help To recover Pass4SymmKey

Prakash493
Communicator

Hi, I have an indexer cluster of 3 indexers, and 2 search heads are in a cluster, and they have the pass4SymmKey, which authenticates the connections between slaves and masters. Now my task is to add more indexers to the cluster, so I need the pass4SymmKey in order to do that. Currently I don't have the password stored anywhere. How can I change the pass4SymmKey value? How can I recover the password?

0 Karma
1 Solution

ashwinm
Explorer

Copy the splunk.secret file from $SPLUNK_HOME/etc/auth/ on your cluster master node and place it in the same location on your Monitoring Console node.
Once copied, start your instance.
Take the hashed Pass4SymmKey value from the existing cluster master.
Create a Splunk app ci1_unhash_app with a passwords.conf file containing a credential stanza with your reclaimed Pass4SymmKey.
Add the following to $SPLUNK_HOME/etc/apps/ci1_unhash_app/local/passwords.conf, for example:
[credential::test:]
password = $pass4symmkeyvalue

Use the following command to retrieve your credentials.
$SPLUNK_HOME/bin/splunk _internal call /storage/passwords/test
You can now use that value to join your new Monitoring console node to your cluster.
The command above may not work in its current form. Make sure you check your app permissions or adjust the command to match the namespace of your app.

Once successfully joined to the cluster with a fully configured Monitoring Console, make sure that you delete the ci1_unhash_app.
Configure the Monitoring Console

0 Karma
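
The staging and cleanup steps from the answer above, as an added example (not the poster's or Splunk's own tooling). It assumes the cluster key sits under [clustering] in the server.conf you point it at; the function names are hypothetical, and it writes the temporary passwords.conf owner-only so the key is not left world-readable while the app exists.

```shell
#!/bin/sh
# Added example: stage and remove the throwaway app described in the answer.
# Function names are hypothetical; file locations are passed in as arguments.

# True when both nodes hold a byte-identical splunk.secret (step 1).
same_secret() { cmp -s "$1" "$2"; }

# Print pass4SymmKey from the [clustering] stanza of the given server.conf
# (assumed location of the cluster key).
get_cluster_key() {
    awk '
        /^\[/ { in_stanza = ($0 == "[clustering]"); next }
        in_stanza && /^[ \t]*pass4SymmKey[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Classify a stored value: "$<digit>$..." is an encrypted form like the
# $7$ value on this page; anything else is treated as plain text.
key_format() {
    case "$1" in
        '')             echo missing ;;
        '$'[0-9]'$'*)   echo encrypted ;;
        *)              echo plaintext ;;
    esac
}

# Write <apps_dir>/ci1_unhash_app/local/passwords.conf, owner-only (0600),
# and print the app directory. Fails if no encrypted key is found.
stage_unhash_app() {   # $1 = server.conf, $2 = apps directory
    sua_key=$(get_cluster_key "$1")
    if [ "$(key_format "$sua_key")" != encrypted ]; then
        echo "no encrypted pass4SymmKey under [clustering] in $1" >&2
        return 1
    fi
    sua_app="$2/ci1_unhash_app"
    ( umask 077
      mkdir -p "$sua_app/local"
      printf '[credential::test:]\npassword = %s\n' "$sua_key" \
          > "$sua_app/local/passwords.conf" )
    echo "$sua_app"
}

# Delete the app after the key has been read back; succeed only if it is gone.
remove_unhash_app() {
    rm -rf -- "$1/ci1_unhash_app"
    [ ! -e "$1/ci1_unhash_app" ]
}
```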


Mirza_Jaffar1
Explorer

Can you please validate the below? What could be the issues as per the config?

splunk@mc1:/opt/splunk/etc/apps/ci1_unhash_app/local$ /opt/splunk/bin/splunk _internal call /storage/passwords/test


QUERYING: 'https://127.0.0.1:8089/services/storage/passwords/test'
WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.


Your session is invalid. Please login.
Splunk username: admin
Password:
FAILED: 'HTTP/1.1 404 Not Found'
Content:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Could not find object id=:test:</msg>
</messages>
</response>

splunk@mc1:/opt/splunk/etc/apps/ci1_unhash_app/local$ ll
total 16
drwxrwxr-x 2 splunk splunk 4096 Dec 8 18:53 ./
drwxrwxr-x 4 splunk splunk 4096 Dec 8 18:36 ../
-rw-rw-r-- 1 splunk splunk 110 Dec 8 18:19 app.conf
-rw-rw-r-- 1 splunk splunk 91 Dec 8 18:53 passwords.conf
splunk@ci1-persn000000001356580-mc1:/opt/splunk/etc/apps/ci1_unhash_app/local$ cat passwords.conf
[credential::test:]
password = $7$N/ZmtDftfjp7/ij6VGZeXh1l3UU2T6Ve+Hem3JCNna6upxmTvMDjSi==
splunk@mc1:/opt/splunk/etc/apps/ci1_unhash_app/local$

0 Karma

Prakash493
Communicator

But my indexer cluster master node and Monitoring Console node are on the same server. Do I still need to copy the splunk.secret file?

0 Karma

Prakash493
Communicator

What's this following command, SPLUNK_HOME/bin/splunk _internal call /storage/passwords/test? Will you please tell me in the format like ./ which I need to execute in bin?

0 Karma