All Apps and Add-ons

Is it possible to check out a password from CyberArk's password vault for use in the Cisco ACI app?

jlstanley
Path Finder

I want to avoid having to save the password to password.conf and instead check out the password from Cyberark's password vault since it would be changed regularly. Is it possible to integrate Cyberark AIM or some variation to check out the password from the vault to then be used by Cisco ACI?

0 Karma

nilaysh
Explorer

The password is stored in local/passwords.conf directory of the app. The collector script collect.py takes this password information and uses it for authentication.

Two ways I can think of how you can integrate CyberArk is:
1.
a. To create an automated script polled on regular interval to look into the vault and updates the passwords.conf file OR
b. Make CyberArk update passwords.conf in the Splunk app if the APIC password is updated in the vault.

2.Modify the collect.py script to use APIs to get password information instead of looking into passwords.conf

0 Karma

jlstanley
Path Finder

thank you. I like the idea of updating the collect.py script to check out the password rather than use the password.conf file. Now on to learning enough python to do it. 🙂

0 Karma

nickhills
Ultra Champion

That’s not quite right. Passwords.conf is accessed via the password storage mechanism within Splunk’s rest api. The conf file contains only the encrypted password, the key for which is contained within Splunk and as not accessible. (In theory). The collect .py is not reading password.conf.

With that said, Splunk is pretty good at finding clear text passwords at boot and encrypting them when it starts. Your solution 1 could work if you write the clear text password into password.conf but I am not sure if you can trigger a rest call to encrypt while Splunk is running, and restarting Splunk every time the password changes is clearly not workable. Add to this, that that’s not really how cyberark works. Passwords can be changed at different intervals, or after each use, so I think option 1 is out of the question.

Option 2 is the way to go , and why I decided to write my own script, as it’s less effort that reengineering existing methods based on the Splunk auth mechanism.

HiweverI haven’t finished mine yet, so I could still be eating my hat 🙂

If my comment helps, please give it a thumbs up!
0 Karma

jlstanley
Path Finder

Thanks Nick, if you have a snippet of code that you use to pull the password and use it in python it would nice to see. I'm new to python so every shortcut helps. thanks for the info.

0 Karma

nickhills
Ultra Champion

Yes, it totally (probably) is possible.
I am implementing something similar for triggering vulnerability scans.

I have not looked at Cisco ACI but, i decided to start from scratch and roll my own.

If my comment helps, please give it a thumbs up!
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...