Deploy secure passwords across multiple servers
When you install Splunk Enterprise, it creates a file called splunk.secret in the $SPLUNK_HOME/etc/auth directory. This file contains a key that Splunk Enterprise uses to encrypt some of your authentication information in its configuration files.
The following files can have authentication information encrypted within them. Passwords and encryption methods that each file uses are not necessarily interchangeable.
Configuration file | Purpose | What can be encrypted |
---|---|---|
authentication.conf | Authentication | Any Lightweight Directory Access Protocol (LDAP) passwords (bindDNPassword, attributeQuerySoapPassword settings) |
inputs.conf | Splunk platform data inputs | TLS/SSL passwords (sslPassword setting) for splunktcp-ssl inputs, for data distribution |
outputs.conf | Splunk platform data forwarding configurations | TLS/SSL passwords (sslPassword setting) for when you need to configure splunktcp-ssl outputs for receiving data from TLS inputs that you configure in the inputs.conf file |
passwords.conf | Credential information for apps | Passwords for a specific app (password setting) |
server.conf | Splunk Enterprise server configurations | Any pass4SymmKey values that you use to secure connections between Splunk Enterprise components. For more information on this setting, see Secure Splunk Enterprise services with pass4SymmKey. |
web.conf | Splunk Web and associated services | TLS/SSL passwords (sslPassword setting) for each instance |
When Splunk Enterprise starts, it checks all its configuration files for clear-text passwords. If it detects a clear-text password for one of the previously-specified settings, it creates or overwrites the value for that setting with the encrypted password value.
In a search head cluster, the search head cluster captain replicates its splunk.secret file to all other cluster members during initial deployment of the cluster. You do not need to copy the file manually. As part of its normal operation, the cluster also automatically replicates any credentials that are stored by apps for their own use.
If you specify a password value for either the pass4SymmKey or sslPassword settings in clear text within the default directory of an app, Splunk Enterprise obfuscates the values in the local configuration directory for the app when you restart it. The value for the setting still appears in clear text within the app default configuration directory. If you display the contents of the file using REST, the password prints in encrypted format.
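To find secrets that remain in clear text, such as values left in an app's default directory, the following Python script audits the files and settings listed in the table above. It is an added example, not Splunk code: the function names and the sample content are constructed, and it assumes that an encrypted value starts with `$`, digits, and `$` (for example `$1$` or `$7$`).

```python
import re
from pathlib import Path

# Files and settings from the table on this page.
SECRET_SETTINGS = {
    "authentication.conf": {"bindDNPassword", "attributeQuerySoapPassword"},
    "inputs.conf": {"sslPassword"},
    "outputs.conf": {"sslPassword"},
    "passwords.conf": {"password"},
    "server.conf": {"pass4SymmKey"},
    "web.conf": {"sslPassword"},
}
# Assumption: an already-encrypted value starts with "$<digits>$" (e.g. $1$, $7$).
ENCRYPTED = re.compile(r"^\$\d+\$")
KEY_VALUE = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")

# Constructed sample: one encrypted and one clear-text value.
SAMPLE_SERVER_CONF = """\
[general]
pass4SymmKey = $7$Q29uc3RydWN0ZWRTYW1wbGU=
[clustering]
pass4SymmKey = constructed-cleartext-key
"""

def find_cleartext(conf_name, text):
    """Return (stanza, setting, line_no) for each clear-text secret; never the value."""
    wanted = SECRET_SETTINGS.get(conf_name, set())
    stanza, hits = "default", []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        match = KEY_VALUE.match(line)  # comment and blank lines do not match a wanted key
        if not match or match.group(1) not in wanted:
            continue
        value = match.group(2).strip()
        if value and not ENCRYPTED.match(value):
            hits.append((stanza, match.group(1), line_no))
    return hits

def audit(splunk_home):
    """Scan every default/ and local/ directory under $SPLUNK_HOME/etc."""
    findings = []
    for path in sorted(Path(splunk_home, "etc").rglob("*.conf")):
        if path.parent.name in ("default", "local"):
            text = path.read_text(errors="replace")
            findings += [(str(path), *hit) for hit in find_cleartext(path.name, text)]
    return findings

if __name__ == "__main__":
    print(find_cleartext("server.conf", SAMPLE_SERVER_CONF))
```

A finding in an app's default directory persists across restarts, because Splunk Enterprise writes the obfuscated value only to the app's local directory.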
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2, 9.3.0