Splunk® Enterprise Security

Administer Splunk Enterprise Security

Manage credentials in Splunk Enterprise Security

Create and manage credentials and certificates for scripted or modular inputs. Your role must have the appropriate capabilities to add, modify, and view credentials and certificates.

Input configurations reference these stored credentials, such as usernames and passwords, or certificates, to authenticate with third-party systems. Do not use the Credentials page to manage certificates that are used to encrypt server-to-server communications.

Credentials are stored in the following location: etc/apps/SplunkEnterpriseSecuritySuite/local/passwords.conf.

Add a new credential for an input configuration

Follow these steps to add a new input credential:

  1. In the Splunk Enterprise Security app, select Configure.
  2. Select General settings, and then select Credentials.
  3. On the Credential and certificate management page, select New credential to add a new user credential.
  4. Enter a Username without including / or spaces.
  5. (Optional) Enter a Realm field to differentiate between multiple credentials that have the same username.
  6. Enter the Password for the credential, and enter it again in Confirm password.
  7. Select the app context for the credential in the App field. For example, Enterprise Security.
  8. Select Save.

Add a new credential for UBA input

Splunk Enterprise Security authenticates with a specific local UBA username and password to integrate with Splunk User Behavior Analytics (UBA).

Follow these steps to add a new input credential for UBA:

  1. In the Splunk Enterprise Security app, select Configure.
  2. Select General settings, and then select Credentials.
  3. On the Credential and certificate management page, select New credential to add a new user credential.
  4. Enter a Username of ubaesuser.
  5. Enter a Realm of uba.
  6. Enter the same Password for the credential that is used in UBA for this user, and enter it again in Confirm password.
  7. Select the app context for the credential in the App field. For example, SA-UEBA.
  8. Select Save.

For the integration to work correctly, this user needs to exist in both UBA and Splunk Enterprise Security. If you must change the password for this user, you must keep it the same in both places.
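The following check is an added example, not part of the Splunk documentation. It audits the text of a passwords.conf file against the rules above: no `/` or spaces in a username, and the `ubaesuser` credential present in the `uba` realm. The stanza layout `[credential:<realm>:<username>:]`, the `$1$`/`$7$` prefixes on encrypted values, and the function names are assumptions of this example.

```python
import re
# Assumed stanza layout: [credential:<realm>:<username>:] then "password = <value>".
STANZA = re.compile(r"^\[credential:(?P<realm>[^:]*):(?P<user>[^:]*):\]$")
# Assumption: values Splunk has encrypted at rest begin with $1$ or $7$.
ENCRYPTED_PREFIXES = ("$1$", "$7$")

def parse_passwords_conf(text):
    """Return one {realm, user, password} dict per credential stanza."""
    creds, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            m = STANZA.match(line)
            current = {"realm": m["realm"], "user": m["user"], "password": ""} if m else None
            if current:
                creds.append(current)
        elif current is not None:
            key, sep, value = line.partition("=")
            if sep and key.strip() == "password":
                current["password"] = value.strip()
    return creds

def audit(text, required=(("uba", "ubaesuser"),)):
    """Return a list of findings; an empty list means every check passed."""
    creds = parse_passwords_conf(text)
    findings = []
    for c in creds:
        name = f"{c['realm']}:{c['user']}"
        if "/" in c["user"] or " " in c["user"]:
            findings.append(f"{name}: username contains '/' or a space")
        if not c["password"].startswith(ENCRYPTED_PREFIXES):
            findings.append(f"{name}: password value is not in encrypted form")
    present = {(c["realm"], c["user"]) for c in creds}
    for realm, user in required:
        if (realm, user) not in present:
            findings.append(f"{realm}:{user}: required credential is missing")
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
[credential:threatfeed:svc feed:]
password = $7$Q29uc3RydWN0ZWQ=
[credential::proxyuser:]
password = hunter2
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Pass `required=()` when auditing a file that is not expected to hold the UBA credential.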

Edit an existing input credential

Follow these steps to edit passwords of existing input credentials:

  1. In the Splunk Enterprise Security app, select Configure.
  2. Select General settings, and then select Credentials.
  3. On the Credential and certificate management page, go to a credential and select Edit in the Action column for the credential.
  4. Enter a new Password for the credential, and enter it again in Confirm password.
  5. Select Save.

Add a new certificate

You can't add a new certificate using the Credential and certificate management page on a search head cluster (SHC). To add a new certificate to Splunk Enterprise Security on a SHC, add the certificate to $SPLUNK_HOME/etc/shcluster/apps/<app_name>/auth on the deployer and deploy the certificate to the SHC members.

Follow these steps to add a new certificate:

  1. In the Splunk Enterprise Security app, select Configure.
  2. Select General settings, and then select Credentials.
  3. On the Credential and certificate management page, select New certificate to add a new certificate.
  4. Enter a File name for the certificate. This is the file name that the certificate is saved as in the $SPLUNK_HOME/etc/apps/<app_name>/auth directory.
  5. Add Certificate text for the certificate. Paste the contents of an existing certificate file here to add the certificate to Splunk Enterprise Security.
  6. Select an App to save the certificate in.
  7. Select Save.

Edit an existing certificate

You can edit the certificate text of existing certificates using the Credential and certificate management page. You can't edit certificates on a search head cluster.

Follow these steps to edit an existing certificate:

  1. In the Splunk Enterprise Security app, select Configure.
  2. Select General settings, and then select Credentials.
  3. On the Credential and certificate management page, select Edit in the Action column for a certificate.
  4. Enter a new Certificate text for the certificate.
  5. Select Save.

Delete an existing input credential or certificate

You can't delete certificates on a search head cluster.

Follow these steps to delete a credential or certificate:

  1. In the Splunk Enterprise Security app, select Configure.
  2. Select General settings, and then select Credentials.
  3. On the Credential and certificate management page, select Delete in the Action column of a credential or certificate.
  4. Select OK to confirm.

Manage permissions in Splunk Enterprise Security

Follow these steps to assign Splunk Enterprise Security capabilities to non-admin roles.

  1. On the Splunk Enterprise Security menu bar, select Configure.
  2. Select General settings and then select Roles and capabilities.
  3. Select the checkbox for the role and permissions for that role.
  4. Select Save.

Manage permissions for custom roles in Splunk Enterprise Security

If you create a custom role for Enterprise Security and you want to manage it in the general permissions along with the default Splunk Enterprise components, follow these steps:

  1. On the Splunk Enterprise menu bar, select Settings.
  2. Select Data and then select Data inputs.
  3. Select App permissions manager.
  4. Select enforce_es_permissions.
  5. Add your custom role to the comma-separated list of roles to be managed.
  6. Select Save.
  7. Now you can manage the role in the general permissions.


See also

For more information on how to configure user roles and configuration files in Splunk Enterprise Security, see the product documentation:

Last modified on 23 August, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0

