Add a Certificate Authority to the Splunk SOAR Automation Broker
If your network uses a TLS-intercepting proxy that replaces or modifies the TLS certificate sent from Splunk SOAR Cloud to the Automation Broker, you might need to add one or more Certificate Authority (CA) certificates associated with that proxy to the list of CAs that the Splunk SOAR Automation Broker trusts.
Adding an enterprise certificate authority certificate
For secure communication between your Splunk SOAR Automation Broker and your on-premises internal system, you can add a new TLS or SSL CA to each broker host.
- Stop your Splunk SOAR Automation Broker. Alternatively, you can do this before starting the Splunk SOAR Automation Broker for the first time.
- Create a directory inside splunk_data called ca-certs:

    mkdir /splunk_data/ca-certs

- Add the CA certificates to the splunk_data/ca-certs directory in PEM format.
- Restart your Splunk SOAR Automation Broker.
Make sure only valid PEM-formatted certificates exist in this directory. If your proxy or other use case needs a chain of certificates, you might need to add multiple certificates to this directory.
Example:
Be sure to use the correct broker image for your version of Splunk SOAR (Cloud) or Splunk SOAR (On-premises). You can see the available releases of the Splunk SOAR Automation Broker on Docker Hub at https://hub.docker.com/r/phantomsaas/automation_broker/tags.
    > BROKER_IMAGE=phantomsaas/automation_broker:6.0.0.114895
    > PHANTOM_BASE_URL=https://psaas-51835-25854.stg.soar.splunkcloud.com
    > SPLUNK_DATA=/path/to/splunk_data
    > # copy 1 or more certificates to the splunk_data cert folder
    > mkdir $SPLUNK_DATA/ca-certs
    > cp my_ca_bundle.pem $SPLUNK_DATA/ca-certs
    >
    > # start the automation broker. It should report that the certificate has been merged.
    > docker run -it -v $SPLUNK_DATA:/splunk_data -e PHANTOM_BASE_URL=$PHANTOM_BASE_URL $BROKER_IMAGE
    Post Initialization Environment:
    ...
    PHANTOM_BASE_URL:https://psaas-51835-25854.stg.soar.splunkcloud.com
    PHANTOM_HTTPS_STRICT_TLS:1
    PHANTOM_HTTPS_STRICT_TLS_AUTODETECT:1
    ...
    broker_tool: CheckUpdateCaBundle
    broker_tool: Merging /etc/pki/tls/cert.pem of size 199356 bytes.
    broker_tool: Merging certificate /splunk_data/ca-certs/my_ca_bundle.pem
    ...
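The requirement that only valid PEM-formatted certificates exist in ca-certs can be checked before the broker is restarted. The following pre-flight check is an added example, not part of the Splunk documentation or the broker's own tooling; the function names are hypothetical. It checks PEM framing, base64 and the outer DER structure only, and does not parse the X.509 fields.

```python
import base64
import re
from pathlib import Path

# One PEM block: matching BEGIN/END labels around a base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def der_is_single_sequence(der):
    """True if der is exactly one DER SEQUENCE (tag 0x30) of consistent length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                     # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                     # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem_file(path):
    """Return the problems found in one file; an empty list means well-framed PEM."""
    try:
        text = Path(path).read_bytes().decode("ascii")
    except UnicodeDecodeError:
        return ["not ASCII text (DER-encoded file?)"]
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return ["no PEM block found"]
    problems = []
    for i, (label, body) in enumerate(blocks, 1):
        if label != "CERTIFICATE":        # e.g. a private key copied in by mistake
            problems.append(f"block {i}: unexpected PEM type {label!r}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"block {i}: invalid base64")
            continue
        if not der_is_single_sequence(der):
            problems.append(f"block {i}: payload is not a single DER SEQUENCE")
    if "-----BEGIN" in PEM_BLOCK.sub("", text):
        problems.append("unterminated or mismatched PEM block")
    return problems

def check_ca_dir(directory):
    """Map each file name in the directory to its list of problems."""
    return {p.name: check_pem_file(p)
            for p in sorted(Path(directory).iterdir()) if p.is_file()}
```

Call `check_ca_dir("/path/to/splunk_data/ca-certs")` and resolve every non-empty entry before starting the broker. For a full parse of the first certificate in a file, `openssl x509 -in FILE -noout -subject -enddate` is a further check.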
This documentation applies to the following versions of Splunk® Automation Broker: current