I am deploying Indexer Cluster settings in an app to multiple Universal Forwarders via the Deployment Server. The issue I have is that they require the Indexer Cluster password to be sent in the /local/outputs.conf
file.
App deployment works fine and a new outputs.conf is created on the Universal Forwarder under $SPLUNK_HOME/etc/system/local
with the required stanza and encrypted password.
The issue is that the password exists in clear text in 2 places;
Deployment Server - $SPLUNK_HOME/etc/deployment_apps/app_name/local/outputs.conf
Universal Forwarder - $SPLUNK_HOME/etc/apps/app_name/local/outputs.conf
Is there a way for the password to be encrypted at all locations?
This problem seems to be known. Read this section on the docs and it mentions this specifically. It also gives a sort of workaround, too:
Warning: If you configure inputs.conf or outputs.conf in an app directory, the password is NOT encrypted and the clear-text value remains in the file. For this reason, you may prefer to create different certificates (signed by the same root CA) to use when configuring SSL in app directories.
By adding this answer the question will pop up to the top of the stack, so maybe someone else will have a better answer.
My current solution is a script which pushes the pass4SymmKey password out to Universal Forwarders, then I deploy an empty app from the Deployment Server called 'restart' with the restart services flag checked which restarts the UF service on all of the UFs, which hashes the password.