Security

Level of encryption for ssl self signed password between forwarder and indexer

Builder

http://answers.splunk.com/answers/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certifica...

What kind of algorithm is the password using? MD5? Is there a way to hash this password with SHA512?

Indexer inputs.conf:

[splunktcp-ssl:9997]
compressed = true

[SSL]
password = $1$4KHF/Y1YxT9H
requireClientCert = false
rootCA = $SPLUNK_HOME/etc/certs/cacert.pem
serverCert = $SPLUNK_HOME/etc/certs/indexer.pem

Forwarder outputs.conf:

[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
server = XX.XXX.XX.XXX:9997
compressed = true

[tcpout-server://XX.XXX.XX.XXX:9997]
altCommonNameToCheck = benjamin
sslCertPath = $SPLUNK_HOME/etc/certs/forwarder.pem
sslCommonNameToCheck = benjamin
sslPassword = $1$XFx5StYf4eTRsA==
sslRootCAPath = $SPLUNK_HOME/etc/certs/cacert.pem
sslVerifyServerCert = true

Splunk Employee

This is not a hash. It is a reversible encryption, encrypted and decrypted using a key that is in $SPLUNK_HOME/etc/auth/splunk.secret. It is not possible to use a one-way hash on this password, since the purpose of it is to be accessible to the Splunk process to use. I believe the encryption used is Blowfish or AES, for what it's worth.

You should treat this config just as you would treat the SSL private key, and make sure it is not readable by unauthorized users. The encryption here is suitable only for preventing casual inspection. Anyone with access to the Splunk server would be able to get this password, the decryption key, and the secret key.


Explorer

Could someone please document how the Splunk passwords are encrypted (in inputs.conf and outputs.conf) so that we can set up our configuration management tools (Chef, Puppet etc.) to properly encrypt the passwords in the conf files without provisioning a clear-text password and restarting Splunk at each Chef run?

Just a shell, perl, python or other example using etc/auth/splunk.secret would help a LOT.

We figured out how dbconnect does it (even had to fix a bug when passwords contain a "=") - can't find any details on the $1$xxxxxxxxxx passwords used in inputs.conf and outputs.conf.

Thanks!!
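The accepted answer above makes one point that is easy to miss: the value after $1$ has to be reversible, because splunkd itself needs the PEM passphrase back at start-up, so whatever protects it is only as strong as the read permissions on splunk.secret. The following is an added illustration of that point, written for this page; it is not Splunk's code, not the real $1$ format, and not an answer to the request for the exact algorithm. The secret file path, the "$X$" marker and the cipher (an HMAC-SHA256 keystream with an HMAC tag, chosen so the example needs only the standard library) are all assumptions made here.

```python
"""Added illustration, not Splunk's scheme: a config-file password that the
owning process can decrypt, keyed from a secret file, beside a one-way hash
that could never serve that purpose.

Hypothetical choices made here: the "$X$" prefix (deliberately not "$1$"),
the HMAC-SHA256 counter-mode keystream plus HMAC tag, and a temporary file
standing in for $SPLUNK_HOME/etc/auth/splunk.secret.
"""
import base64
import hashlib
import hmac
import os
import tempfile

MARKER = "$X$"      # made-up prefix for this example only
NONCE_LEN = 12
TAG_LEN = 16


def load_secret(path):
    """Read the key material exactly as the decrypting process would."""
    with open(path, "rb") as fh:
        return fh.read().strip()


def derive_keys(secret):
    """Split the file contents into an encryption key and a MAC key."""
    enc_key = hashlib.sha256(b"enc:" + secret).digest()
    mac_key = hashlib.sha256(b"mac:" + secret).digest()
    return enc_key, mac_key


def keystream(enc_key, nonce, length):
    """PRF in counter mode: concatenated HMAC(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_password(secret, password, nonce=None):
    """Reversible: whoever holds `secret` gets `password` back."""
    enc_key, mac_key = derive_keys(secret)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    pt = password.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return MARKER + base64.b64encode(nonce + ct + tag).decode("ascii")


def decrypt_password(secret, token):
    """Verify the tag first, then strip the keystream off the ciphertext."""
    if not token.startswith(MARKER):
        raise ValueError("not an encrypted token")
    blob = base64.b64decode(token[len(MARKER):])
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(secret)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong secret or tampered token")
    pt = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))
    return pt.decode("utf-8")


def hash_password(password, salt):
    """One-way, for contrast: good for checking a login, useless for a PEM
    passphrase, because nothing can turn the digest back into the password."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, 100_000).hex()


def demo():
    """Round trip through a secret file; shows that reading the file is enough."""
    with tempfile.TemporaryDirectory() as d:
        secret_path = os.path.join(d, "splunk.secret")   # stand-in path
        with open(secret_path, "wb") as fh:
            fh.write(base64.b64encode(os.urandom(64)) + b"\n")
        token = encrypt_password(load_secret(secret_path), "hunter2")  # constructed sample
        # Anyone who can read the secret file recovers the passphrase:
        recovered = decrypt_password(load_secret(secret_path), token)
        # A different secret file does not get past the tag check:
        try:
            decrypt_password(b"some-other-secret", token)
            wrong_secret_works = True
        except ValueError:
            wrong_secret_works = False
        return {"token": token, "recovered": recovered,
                "wrong_secret_works": wrong_secret_works}


if __name__ == "__main__":
    print(demo())
```

Running the script prints the token, the recovered passphrase and `wrong_secret_works: False`. The practical consequence for configuration management is the same whatever cipher is really in use: pre-encrypting on the Chef or Puppet side only works if the tool also holds the target host's secret file, at which point the secret file, not the conf file, is the thing to lock down.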

New Member

I've been wondering the same thing -- did you ever find an answer to this?



Splunk Employee

Actually in the latest release of Splunk I believe the scripts create certs that are good for nearly 10 years (3650 days actually)


Splunk Employee

That is the case if you just run the default Splunk cert generation scripts. If you want, you can either copy/edit the default scripts (in $SPLUNK_HOME/bin/gen*.sh) or manually run openssl to pick different dates for your own certificates, or you could generate certificates using other means and use those.


Builder

Thanks for the clarification gkanapathy. Quick question: so the default certs expire after 3 years, so I assume when creating your own self-signed certs they have an expiration of 3 years as well? And so before they expire you would just have to create another root cert and then a self-signed cert for the forwarders, correct?
