All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is it possible to check out a password from CyberArk's password vault for use in the Cisco ACI app?

jlstanley
Path Finder
‎01-12-2018 11:06 AM

I want to avoid having to save the password to password.conf and instead check out the password from Cyberark's password vault since it would be changed regularly. Is it possible to integrate Cyberark AIM or some variation to check out the password from the vault to then be used by Cisco ACI?

0 Karma
Reply

nilaysh
Explorer
‎01-12-2018 03:23 PM

The password is stored in local/passwords.conf directory of the app. The collector script collect.py takes this password information and uses it for authentication.

Two ways I can think of how you can integrate CyberArk is:
1.
a. To create an automated script polled on regular interval to look into the vault and updates the passwords.conf file OR
b. Make CyberArk update passwords.conf in the Splunk app if the APIC password is updated in the vault.

2.Modify the collect.py script to use APIs to get password information instead of looking into passwords.conf

0 Karma
Reply

jlstanley
Path Finder
‎01-15-2018 04:49 AM

thank you. I like the idea of updating the collect.py script to check out the password rather than use the password.conf file. Now on to learning enough python to do it. 🙂

0 Karma
Reply

nickhills
Ultra Champion
‎01-12-2018 04:40 PM

That’s not quite right. Passwords.conf is accessed via the password storage mechanism within Splunk’s rest api. The conf file contains only the encrypted password, the key for which is contained within Splunk and as not accessible. (In theory). The collect .py is not reading password.conf.

With that said, Splunk is pretty good at finding clear text passwords at boot and encrypting them when it starts. Your solution 1 could work if you write the clear text password into password.conf but I am not sure if you can trigger a rest call to encrypt while Splunk is running, and restarting Splunk every time the password changes is clearly not workable. Add to this, that that’s not really how cyberark works. Passwords can be changed at different intervals, or after each use, so I think option 1 is out of the question.

Option 2 is the way to go , and why I decided to write my own script, as it’s less effort that reengineering existing methods based on the Splunk auth mechanism.

HiweverI haven’t finished mine yet, so I could still be eating my hat 🙂

If my comment helps, please give it a thumbs up!
0 Karma
Reply

jlstanley
Path Finder
‎01-15-2018 04:48 AM

Thanks Nick, if you have a snippet of code that you use to pull the password and use it in python it would nice to see. I'm new to python so every shortcut helps. thanks for the info.

0 Karma
Reply

nickhills
Ultra Champion
‎01-12-2018 11:39 AM

Yes, it totally (probably) is possible.
I am implementing something similar for triggering vulnerability scans.

I have not looked at Cisco ACI but, i decided to start from scratch and roll my own.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...