
Level of encryption for SSL self-signed password between forwarder and indexer

ben_leung
Builder

http://answers.splunk.com/answers/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certifica...

What kind of algorithm is the password using? MD5? Is there a way to hash this password with SHA512?

Indexer inputs.conf:

[splunktcp-ssl:9997]
compressed = true

[SSL]
password = $1$4KHF/Y1YxT9H
requireClientCert = false
rootCA = $SPLUNK_HOME/etc/certs/cacert.pem
serverCert = $SPLUNK_HOME/etc/certs/indexer.pem

Forwarder outputs.conf:

[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
server = XX.XXX.XX.XXX:9997
compressed = true

[tcpout-server://XX.XXX.XX.XXX:9997]
altCommonNameToCheck = benjamin
sslCertPath = $SPLUNK_HOME/etc/certs/forwarder.pem
sslCommonNameToCheck = benjamin
sslPassword = $1$XFx5StYf4eTRsA==
sslRootCAPath = $SPLUNK_HOME/etc/certs/cacert.pem
sslVerifyServerCert = true

gkanapathy
Splunk Employee

This is not a hash. It is a reversible encryption, encrypted and decrypted using a key that is in $SPLUNK_HOME/etc/auth/splunk.secret. It is not possible to use a one-way hash on this password, since the purpose of it is to be accessible to the Splunk process to use. I believe the encryption used is Blowfish or AES, for what it's worth.

You should treat this config just as you would treat the SSL private key, and make sure it is not readable by unauthorized users. The encryption here is suitable only for preventing casual inspection. Anyone with access to the Splunk server would be able to get this password, the decryption key, and the secret key.


samlll42
Explorer

Could someone please document how the Splunk passwords are encrypted (in inputs.conf and outputs.conf) so that we can set up our configuration management tools (Chef, Puppet etc.) to properly encrypt the passwords in the conf files without provisioning clear-text passwords and restarting Splunk at each Chef run?

Just a shell, Perl, Python or other example using the etc/auth/splunk.secret would help a LOT.

We figured out how dbconnect does it (we even had to fix a bug when passwords contain a "="), but can't find any details on the $1$xxxxxxxxxx passwords used in inputs.conf and outputs.conf.

Thanks!!
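Added example, not from this thread and not Splunk's own code: a stand-alone Python implementation of the kind of reversible, splunk.secret-keyed encoding gkanapathy describes, which is what the Chef/Puppet use case above needs. It assumes the `$1$` layout as documented by the open-source splunksecrets utility: RC4 keyed with the first 16 bytes of splunk.secret, applied to the password after a repeating "DEFAULTSA" XOR mask and a trailing NUL byte. The accepted answer itself only says "Blowfish or AES", so verify a round trip against a throwaway install before relying on this for configuration management; newer Splunk releases write a different `$7$` format that this code does not handle. The secret and passwords in the block are constructed sample data, and readable_by_others() is a helper added here to make the "treat it like the private key" point concrete.

```python
"""Splunk-style "$1$..." reversible password encoding keyed on splunk.secret (added example)."""
import base64
import itertools
import stat

# Repeating XOR mask applied before the stream cipher. ASSUMPTION: taken from the
# splunksecrets project's description of the $1$ format, not from this thread.
MASK = b"DEFAULTSA"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _mask(data: bytes) -> bytes:
    """XOR each byte with the cycling MASK. A byte equal to its mask byte is left
    as-is so the result never contains 0x00, which is reserved for the terminator.
    For NUL-free input the operation is its own inverse."""
    return bytes(b if b == m else b ^ m for b, m in zip(data, itertools.cycle(MASK)))


def load_secret(path: str) -> bytes:
    """Read $SPLUNK_HOME/etc/auth/splunk.secret; the trailing newline is not key material."""
    with open(path, "rb") as fh:
        return fh.read().strip()


def encrypt(secret: bytes, plaintext: str) -> str:
    """Produce the $1$<base64> form used for sslPassword / password in the conf files."""
    body = _mask(plaintext.encode()) + b"\x00"  # mask, NUL-terminate, then cipher
    return "$1$" + base64.b64encode(rc4(secret[:16], body)).decode()


def decrypt(secret: bytes, token: str) -> str:
    """Invert encrypt(); raises ValueError if the token is not $1$ or the key is wrong."""
    if not token.startswith("$1$"):
        raise ValueError("not a $1$ token")
    body = rc4(secret[:16], base64.b64decode(token[3:]))
    if not body.endswith(b"\x00"):
        raise ValueError("wrong splunk.secret: terminator missing")
    return _mask(body[:-1]).decode()


def readable_by_others(mode: int) -> bool:
    """True when an st_mode for splunk.secret or a conf file grants group/other read.
    That is the exposure the accepted answer warns about: the file is the whole key."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    # Constructed sample secret; a real splunk.secret is a long random string.
    secret = b"constructed-sample-secret-not-a-real-splunk-secret"
    token = encrypt(secret, "hunter2")
    print(token)
    print(decrypt(secret, token))  # anyone who can read the secret gets this back
    print("mode 0644 exposes the key:", readable_by_others(0o644))
```

For a Chef or Puppet run, call load_secret() on the target host's splunk.secret and write encrypt()'s output into the template; the token only decrypts on hosts that share that secret, which is also why the secret file and the conf files containing tokens should be owner-readable only.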

troyready
New Member

I've been wondering the same thing -- did you ever find an answer to this?



gkanapathy
Splunk Employee

Actually, in the latest release of Splunk I believe the scripts create certs that are good for nearly 10 years (3650 days, actually).


gkanapathy
Splunk Employee

That is the case if you just run the default Splunk cert generation scripts. If you want, you can either copy/edit the default scripts (in $SPLUNK_HOME/bin/gen*.sh) or manually run openssl to pick different dates for your own certificates, or you could generate certificates using other means and use those.

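Added example of the "run openssl yourself" route gkanapathy mentions; it is not Splunk's gen*.sh and not part of this thread. It builds a self-signed root CA and a CA-signed forwarder certificate with whatever lifetimes you pass (3650 and 365 days by default, to match the 10-year figure above and a shorter leaf), then reports the remaining validity so you can schedule rotation before expiry. It wraps the openssl command line, which must be on PATH. Assumptions: the subject "Example Root CA" is made up, the CN "benjamin" is reused from the outputs.conf posted in the question, and the cert + key + CA ordering in forwarder.pem follows the layout Splunk's certificate documentation describes; check it against your version.

```python
"""Self-signed root CA plus CA-signed forwarder cert with chosen lifetimes (added example).
Wraps the openssl CLI, which must be on PATH; files are written to the directory you pass."""
import os
import subprocess
import tempfile
from datetime import datetime, timezone


def _openssl(*args: str) -> str:
    """Run one openssl subcommand and return its stdout; raises on non-zero exit."""
    return subprocess.run(["openssl", *args], check=True, capture_output=True, text=True).stdout


def make_chain(outdir: str, ca_days: int = 3650, leaf_days: int = 365, cn: str = "benjamin") -> dict:
    """Create cacert.pem (root CA) and forwarder.pem (cert + key + CA in one file).
    ca_days / leaf_days replace the fixed lifetime baked into Splunk's gen*.sh scripts."""
    def p(name: str) -> str:
        return os.path.join(outdir, name)

    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256",
             "-keyout", p("ca.key"), "-out", p("cacert.pem"),
             "-days", str(ca_days), "-subj", "/CN=Example Root CA")
    _openssl("req", "-newkey", "rsa:2048", "-nodes", "-sha256",
             "-keyout", p("forwarder.key"), "-out", p("forwarder.csr"), "-subj", f"/CN={cn}")
    _openssl("x509", "-req", "-sha256", "-in", p("forwarder.csr"),
             "-CA", p("cacert.pem"), "-CAkey", p("ca.key"), "-CAcreateserial",
             "-out", p("forwarder.crt"), "-days", str(leaf_days))
    # ASSUMPTION: certificate, then private key, then CA certificate, as Splunk's cert docs describe.
    with open(p("forwarder.pem"), "w") as bundle:
        for part in ("forwarder.crt", "forwarder.key", "cacert.pem"):
            with open(p(part)) as fh:
                bundle.write(fh.read())
    os.chmod(p("forwarder.pem"), 0o600)  # contains the private key: owner-only, like the secret
    return {"cacert": p("cacert.pem"), "forwarder": p("forwarder.pem")}


def days_remaining(cert_path: str) -> int:
    """Days until notAfter of the first certificate found in cert_path."""
    line = _openssl("x509", "-in", cert_path, "-noout", "-enddate").strip()
    # e.g. "notAfter=Mar  2 10:00:00 2035 GMT": drop the prefix and the zone, squeeze padding
    fields = line.split("=", 1)[1].split()[:-1]
    not_after = datetime.strptime(" ".join(fields), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return (not_after - datetime.now(timezone.utc)).days


def expires_within(cert_path: str, seconds: int) -> bool:
    """openssl's own check: exit status 1 when the certificate expires within `seconds`."""
    rc = subprocess.run(["openssl", "x509", "-in", cert_path, "-noout", "-checkend", str(seconds)],
                        capture_output=True).returncode
    return rc != 0


def demo(ca_days: int = 3650, leaf_days: int = 365) -> dict:
    """Build a chain in a temporary directory and report lifetimes (the example's entry point)."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = make_chain(tmp, ca_days, leaf_days)
        return {
            "ca_days": days_remaining(paths["cacert"]),
            "forwarder_days": days_remaining(paths["forwarder"]),
            "forwarder_expiring_in_30d": expires_within(paths["forwarder"], 30 * 86400),
        }


if __name__ == "__main__":
    print(demo())
```

Point rootCA / sslRootCAPath at cacert.pem and serverCert / sslCertPath at the bundled PEM, as in the stanzas posted in the question; the expires_within() check is the one to put in a cron job or monitoring check so a short-lived leaf cert is reissued before forwarders stop connecting.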

ben_leung
Builder

Thanks for the clarification, gkanapathy. Quick question: so the default certs expire after 3 years, so I assume when creating your own self-signed certs, they have an expiration of 3 years as well? And so before they expire, you would just have to create another root cert and then a self-signed cert for the forwarders, correct?
