Manage credentials in Splunk Enterprise Security

Use the Credential Management page to store credentials for scripted or modular inputs. Input configurations that reference credentials use the credentials stored in Credential Management. You can store credentials such as usernames and passwords, or certificates used for authentication with third-party systems. Do not use this page to manage certificates used to encrypt server-to-server communications.

Your role must have the appropriate capabilities to add, modify, and view credentials and certificates. See Configure users and roles in the Installation and Upgrade Manual.

Add a new credential for an input

1. On the Enterprise Security menu bar, select Configure > General > Credential Management.
2. Click New Credential to add a new user credential.
3. Type a Username.
4. (Optional) Type a Realm field to differentiate between multiple credentials that have the same username.
5. Type the Password for the credential, and type it again in Confirm password.
6. Select the App for the credential.
7. Click Save.

Add a new credential for UBA input

Splunk ES uses a specific local UBA username and password authentication to integrate with Splunk User Behavior Analytics.

1. On the Enterprise Security menu bar, select Configure > General > Credential Management.
2. Click New Credential to add a new user credential.
3. Type a Username of ubaesuser.
4. Type a Realm of uba.
5. Type the same Password for the credential that is used in UBA for this user, and type it again in Confirm password.
6. Select the App of SA-UEBA for the credential.
7. Click Save.

For the integration to work correctly, this user needs to exist in both UBA and Splunk ES. If the password for this user needs to be changed, it needs to be the same in both places.

Edit an existing input credential

You can edit passwords of existing input credentials.

1. On the Enterprise Security menu bar, select Configure > General > Credential Management.
2. In the Action column of a credential, click Edit.
3. Type a new Password for the credential, and type it again in Confirm password.
4. Click Save.

Add a new certificate

You cannot add a new certificate using Credential Management on a search head cluster (SHC). To add a new certificate to Splunk Enterprise Security on a SHC, add the certificate to $SPLUNK_HOME/etc/shcluster/apps/<app_name>/auth on the deployer and deploy the certificate to the SHC members.

1. On the Enterprise Security menu bar, select Configure > General > Credential Management.
2. Click New Certificate to add a new certificate.
3. Type a File name for the certificate. This is the file name that the certificate is saved as in the $SPLUNK_HOME/etc/apps/<app_name>/auth directory.
4. Add Certificate text for the certificate. Paste the contents of an existing certificate file here to add the certificate to Splunk Enterprise Security.
5. Select an App to save the certificate in.
6. Click Save.

Edit an existing certificate

You can edit the certificate text of existing certificates in Credential Management. You cannot edit certificates on a search head cluster.

1. On the Enterprise Security menu bar, select Configure > General > Credential Management.
2. In the Action column of a certificate, click Edit.
3. Type a new Certificate text for the certificate.
4. Click Save.

Delete an existing input credential or certificate

You cannot delete certificates on a search head cluster.

1. On the Enterprise Security menu bar, select Configure > General > Credential Management.
2. In the Action column of a credential or certificate, click Delete.
3. Click OK to confirm.