Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there an updated best practice guide for storing encrypted credentials when developing an app?

cschmidt_hurric
Path Finder
‎12-12-2016 08:42 AM

In an effort to meet the requirements needed for Splunk Cloud app vetting, I have been migrating my apps over to storing their credentials using Splunk's password storage endpoint. When looking at Splunk-developed apps that use encrypted credentials, I can't help but notice many if not all of them don't use a simple setup.xml page and instead have something on top doing intermediary work (usually Javascript or a custom endpoint). I know the guide I followed is fairly dated (close to 6 years old now!), so my question is: is there a more modern best practice for storing credentials?

Reply
1 Solution
Solved! Jump to solution
Solution

Simon
Contributor
‎12-15-2016 04:57 AM

From my point of view, the "Storage Passwords" endpoint and passwords.conf is still the state of the art to store credentials encrypted. Even the JS stack has been updated to provide APIs to work with. Even if it's quite old, it works quite well. By the way, there is no requirement to use setup.xml to manage the credentials as the API provides enough tools to manipulate the entries. Also, I think setup.xml isn't allowed anymore to get certified. A good resource to build custom setup pages is the Addon Builder app (https://splunkbase.splunk.com/app/2962/). Overall, the Dev Page has a lot information too regarding credential management: http://dev.splunk.com/view/javascript-sdk/SP-CAAAEJ8 (Section "Storage passwords").

HTH.

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-15-2016 06:56 AM

Check out the latest Palo Alto app (v5 I think). It uses a new credential encryption approach and has been cloud certified.

0 Karma
Reply
Solved! Jump to solution
Solution

Simon
Contributor
‎12-15-2016 04:57 AM

From my point of view, the "Storage Passwords" endpoint and passwords.conf is still the state of the art to store credentials encrypted. Even the JS stack has been updated to provide APIs to work with. Even if it's quite old, it works quite well. By the way, there is no requirement to use setup.xml to manage the credentials as the API provides enough tools to manipulate the entries. Also, I think setup.xml isn't allowed anymore to get certified. A good resource to build custom setup pages is the Addon Builder app (https://splunkbase.splunk.com/app/2962/). Overall, the Dev Page has a lot information too regarding credential management: http://dev.splunk.com/view/javascript-sdk/SP-CAAAEJ8 (Section "Storage passwords").

HTH.

Reply
Solved! Jump to solution

cschmidt_hurric
Path Finder
‎12-15-2016 06:09 AM

Thanks. This helped a lot.

0 Karma
Reply
Solved! Jump to solution

mrgibbon
Contributor
‎12-12-2016 02:35 PM

Im looking into this myself, and I stumbled upon this, it might give you another avenue to stroll down:
https://www.vaultproject.io/

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...