Splunk® Automation Broker

Set Up and Manage the Splunk SOAR Automation Broker


Add a Certificate Authority to the Splunk SOAR Automation Broker

If your network uses a TLS-intercepting proxy that replaces or modifies the TLS certificate sent from Splunk SOAR Cloud to the Automation Broker, you might need to add one or more Certificate Authority (CA) certificates associated with that proxy to the list of CAs that the Splunk SOAR Automation Broker trusts.

Adding an enterprise certificate authority certificate

For secure communication between your Splunk SOAR Automation Broker and your on-premises internal system, you can add a new TLS or SSL CA to each broker host.

  1. Stop your Splunk SOAR Automation Broker. Alternatively, you can complete these steps before starting the Splunk SOAR Automation Broker for the first time.
  2. Create a directory inside splunk_data called ca-certs: mkdir /splunk_data/ca-certs
  3. Add the CA certificates to the splunk_data/ca-certs directory in PEM format.
  4. Restart your Splunk SOAR Automation Broker.

Make sure only valid PEM-formatted certificates exist in this directory. If your proxy or other use case needs a chain of certificates, you might need to add multiple certificates to this directory.

Example:

Be sure to use the correct broker image for your version of Splunk SOAR (Cloud) or Splunk SOAR (On-premises). You can see the available releases of the Splunk SOAR Automation Broker on Docker Hub at https://hub.docker.com/r/phantomsaas/automation_broker/tags.

> BROKER_IMAGE=phantomsaas/automation_broker:6.0.0.114895
> PHANTOM_BASE_URL=https://psaas-51835-25854.stg.soar.splunkcloud.com
> SPLUNK_DATA=/path/to/splunk_data

> # copy 1 or more certificates to the splunk_data cert folder
> mkdir $SPLUNK_DATA/ca-certs
> cp my_ca_bundle.pem $SPLUNK_DATA/ca-certs
>
> # start the automation broker. It should report that the certificate has been merged.
> docker run -it -v $SPLUNK_DATA:/splunk_data -e PHANTOM_BASE_URL=$PHANTOM_BASE_URL $BROKER_IMAGE

Post Initialization Environment:
 ...
 PHANTOM_BASE_URL:https://psaas-51835-25854.stg.soar.splunkcloud.com
 PHANTOM_HTTPS_STRICT_TLS:1
 PHANTOM_HTTPS_STRICT_TLS_AUTODETECT:1
 ...
 broker_tool: CheckUpdateCaBundle
 broker_tool: Merging /etc/pki/tls/cert.pem of size 199356 bytes.
 broker_tool: Merging certificate /splunk_data/ca-certs/my_ca_bundle.pem
 ...
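
The requirement above that only valid PEM-formatted certificates exist in the ca-certs directory can be checked before the broker is restarted. The following is an added example, not part of the Splunk documentation or the broker image; it assumes the openssl command-line tool is installed on the broker host, and check_ca_dir is a hypothetical helper name.

```shell
# Added example: pre-flight check for the broker's ca-certs directory.
# check_ca_dir is a hypothetical helper, not part of the broker image.
# Returns 0 only if every regular file holds parseable, unexpired PEM
# certificates; files with no certificate block (DER, key-only, stray
# files) are rejected.
check_ca_dir() {
    dir=$1
    bad=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Number of PEM certificate blocks the file claims to contain.
        n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null || true)
        if [ "${n:-0}" -eq 0 ]; then
            echo "INVALID $f: no PEM certificate block" >&2
            bad=1
            continue
        fi
        i=1
        while [ "$i" -le "$n" ]; do
            # Extract the i-th block so every certificate in a bundle is checked.
            pem=$(awk -v want="$i" '
                /-----BEGIN CERTIFICATE-----/ { k++; on = (k == want) }
                on { print }
                /-----END CERTIFICATE-----/ { on = 0 }' "$f")
            if ! printf '%s\n' "$pem" | openssl x509 -noout >/dev/null 2>&1; then
                echo "INVALID $f: certificate #$i does not parse" >&2
                bad=1
            elif ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
                echo "EXPIRED $f: certificate #$i" >&2
                bad=1
            else
                # Print what is about to be trusted so it can be reviewed.
                printf '%s\n' "$pem" |
                    openssl x509 -noout -subject -enddate -fingerprint -sha256
            fi
            i=$((i + 1))
        done
    done
    return "$bad"
}
```

Run it as check_ca_dir "$SPLUNK_DATA/ca-certs" and compare the printed subject and SHA-256 fingerprint of each certificate with the values published for your proxy's CA before starting the broker.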


Last modified on 28 March, 2024

This documentation applies to the following versions of Splunk® Automation Broker: current

