Splunk Enterprise

How to Securely Deploy API Token in Passwords.conf for Scripted Inputs on HF Managed by Deployment Server

koshyk
Super Champion

Hi all,

We’re deploying a custom Splunk app (e.g., my_app) that includes a scripted input to pull data from an internal API (in-house application). This API requires an API token, and we want to store that token securely using Splunk's passwords.conf mechanism — i.e., the native storage/passwords feature that encrypts the credential on disk.

This app needs to be deployed on a Splunk Heavy Forwarder (HF) which is:

  • Managed entirely via Deployment Server

  • Does not have a UI or user access for entering credentials manually

  • But we can get temporary shell access if absolutely needed (e.g., during bootstrap)

 

What We Know and Have Tried (in dev system without Deployment server)

  • Adding the credential securely via the REST API works fine:

curl -k -u admin:changeme \
  https://localhost:8089/servicesNS/nobody/search/storage/passwords \
  -d name=my_realm:my_api_key \
  -d password=actual_api_token
​
and this then stores password encrypted in 'search' app
[credential::my_realm:my_api_key:]
password = $1$encrypted_string_here
  • However, if we try to deploy a plain-text password via my_app/local/passwords.conf like this:
[credential::my_realm:my_api_key:]
password = plaintext_token

# Splunk does not encrypt if I add it via shell and restart Splunk — and the token remains in clear text on disk, which is not acceptable for production.
    • We also know that encrypting the token on another instance and copying the encrypted config doesn’t work, because encryption depends on the local splunk.secret, which is unique per instance. (Though got a worse case workaround of getting the splunk.secret and run a docker instance, create passwords.conf and copy it back. Quite a long winded option)

    •  

What is the best practice to securely bootstrap the credential?

Specifically:

    1. Should we:

      • Add the credential once via REST API during the shell access window

      • Then copy the resulting passwords.conf into my_app/local/ for persistence?

    2. How does other Splunk app that run in Heavy Forwarders (HF) which requires passwords store credentials?

    3. Are there any community-recommended patterns (scripts, startup hooks, init-time credential registration, etc.) for this kind of controlled environment?

Labels (1)
Tags (1)
0 Karma
1 Solution

livehybrid
SplunkTrust
SplunkTrust

Hi @koshyk 

are you only needing to deploy to a single HF? If so then using a method to get the encrypted password out of the DS to then manage it as a normal app but with the passwords.conf and other appropriate confs for the app in its “deployed state”. 
If you know the exact realm that will be created then using the api call you suggested would work well. If you are unsure then you could do a “dummy run” using the same app on a local instance and inspect the conf file to see what realm was used. This is probably what I would do for a single HF. You’re ensuring the credentials/sensitive detail are still protected as you’re only putting the encrypted value on the DS.

If you do need to distribute to multiple HF then the problem becomes more complicated! You could do the above approach however would need to have the same splunk.secret on each HF. This could impact existing configurations if changed after the HF has been commissioned and in use.
The alternative is something I’ve actually had to do before, it’s not particularly pretty but involves creating a custom app with a modular input that runs against each HF it’s deployed to which programmatically creates the inputs and/or encrypted passwords. 

 

🌟 Did this answer help you? If so, please consider:

    • Adding karma to show it was useful
    • Marking it as the solution if it resolved your issue
    • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.

0 Karma

koshyk
Super Champion

The issue is we don't want to store cleartext password in the deployment server too. your workaround is very similar to the docker workaround we do currently with slight change.

I was checking if there is any other option to inject it directly into the API of the HF without logging into each of them and without an admin login 

surely, this would be an issue in lot of integrations from HF? wanted to see how Splunk handles this internally for other apps

0 Karma

cklunck
Path Finder

If you're sending passwords via deployment apps, they generally need to be stored in plaintext on the Deployment Server. If this isn't acceptable in your environment, you'll probably end up with a work-around.

Use the REST API Remotely

Are you able to access the HF remotely over port 8089 after the HF has been deployed? If so, the REST API method could still work. Instead of using 'localhost' as your hostname:

curl -k -u admin:changeme \
  https://hf.mydomain.com:8089/servicesNS/nobody/search/storage/passwords \
  -d name=my_realm:my_api_key \
  -d password=actual_api_token

 

Pre-Encrypt the Secret

Instead of copying the splunk.secret to a Docker container, encrypt the secret locally on the HF. If you have shell access, you can run something like:

read creds && $SPLUNK_HOME/bin/splunk show-encrypted --value "${creds}"

 

This will generate an encrypted version of $creds that is decryptable by that server's splunk.secret file. Put the string in the appropriate place in passwords.conf.

Alternately, after obtaining the encrypted string, you could insert it into the deployment app on the DS, and leave it there in encrypted form (assuming, as mentioned above, you only need the credential on this one HF). Then the DS can push the entire app, encrypted password included, to the HF.

koshyk
Super Champion

thanks for that (API's challenge is we need Splunk application login which has been redacted for users to reduce footprint)

 

show-encrypted

 is something I haven't tried, but seems promising. Will test and get back

0 Karma

isoutamo
SplunkTrust
SplunkTrust

koshyk
Super Champion

thanks for that. Exactly i was looking for

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...