Provide a valid SSL certificate for the connection between Splunk Phantom and Splunk Enterprise
By default, the connection between Splunk Phantom and Splunk Enterprise or Splunk Cloud requires a valid SSL certificate. Splunk Phantom generates a self-signed certificate when it is installed. When a web browser requests a connection to Splunk Phantom, Splunk Enterprise, or Splunk Cloud, HTTPS validation fails because the self-signed certificate is not issued by a valid Certificate Authority.
You can manage your HTTPS certificate validation on Splunk Enterprise by using one of the following methods to provide a valid SSL certificate, in order of preference:
- Use a valid certificate signed by a Certificate Authority.
- Add a public key to your Splunk Enterprise instance.
- Manage HTTPS certificate validation using configuration files.
- Manage HTTPS certificate validation using the REST API.
Disable certificate verification only in development or test environments. Do not disable certificate verification in a production system. If you are a Splunk Cloud user, contact support with your certificate bundle.
Use a valid certificate signed by a Certificate Authority
Perform the following tasks to replace the default self-signed certificate in Splunk Phantom with a valid certificate signed by a Certificate Authority.
- Back up the existing self-signed certificate files in the following locations:
/opt/phantom/etc/ssl/certs/httpd_cert.crt /opt/phantom/etc/ssl/private/httpd_cert.key
- Replace the existing certificate files with your new files, in the same location. If you choose to use a different location, edit the
/etc/nginx/conf.d/default.conf
file to point to the appropriate location.If you modify the Nginx configuration, it may be overwritten when Splunk Phantom is upgraded.
- If you are using a commercial certificate authority, you will be given one or intermediate certificates to go along with your server certificate. You must add the intermediates into the
httpd_cert.crt
file. To do so, append the lines from the intermediate certificates to the server certificate file. Once the intermediate certificates have been added, yourhttpd_cert.crt
will look something like this:[root@localhost certs]# pwd /opt/phantom/etc/ssl/certs [root@localhost certs]# cat httpd_cert.crt -----BEGIN CERTIFICATE----- MIIGBzCCA++gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZAxCzAJBgNVBAYTAlVT MRMwEQYDVQQIDApDYWxpZm9ybmlhMSIwIAYDVQQKDBlQaGFudG9tIEN5YmVyIENv cnBvcmF0aW9uMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEyMDAGA1UEAwwpUGhhbnRv bSBDeWJlciBDb3Jwb3JhdGlvbiBJbnRlcm1lZGlhdGUgQ0EwHhcNMTYwNjAyMDI0 MzI2WhcNMjEwNjAxMDI0MzI2WjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh bGlmb3JuaWExEjAQBgNVBAcMCVBhbG8gQWx0bzEiMCAGA1UECgwZUGhhbnRvbSBD eWJlciBDb3Jwb3JhdGlvbjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMM FG15cGhhbnRvbS5waGFudG9tLnVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB CgKCAQEAyFBqOJqtJrRM/kmOOVGmRm9DtaGlxfNCsmOMhpyR//ju025ibaoYiQRr BqbNhsmDZuzSAIqxkO1fwYw3LBLmsrFqtc3wwO5PDXl8fKGN49iYWzG5N5RtU0Nv 9r/iCsGDM0tjnUxQaGpl3CNTil6qKKO+Xb2KeNKBM4xP9bwRzkQ9bBK9aIMd1f/y DquWNvgxkcofhS6Dicp3fySOym96Eb2GdBH9C3cYuPmBeqvOgj/OUidItLwL12oV 0AaXKWC5HLYODqLGvfXtaw6c29mz/RM5UnI+/U+EErngypFhQD9a9ZbEAChCCZFo vUxF/ufk1C2RHvw32xjU69j52YQKnwIDAQABo4IBaDCCAWQwCQYDVR0TBAIwADAR BglghkgBhvhCAQEEBAMCBkAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2VuZXJh dGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUJ4hpYjyWbPPoUoa6pe2A vAUz5ScwgcoGA1UdIwSBwjCBv4AU46v2CJIQGDXu1FB6M9lKbsoUDRKhgaKkgZ8w gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlQ YWxvIEFsdG8xIjAgBgNVBAoMGVBoYW50b20gQ3liZXIgQ29ycG9yYXRpb24xFDAS BgNVBAsMC0VuZ2luZWVyaW5nMSowKAYDVQQDDCFQaGFudG9tIEN5YmVyIENvcnBv cmF0aW9uIFJvb3QgQ0GCAhAAMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr BgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEA5kdSwVQMHjCIQvyjOQsflPOcj2zS t0IWVp4OmDipJ+MYm4+bHvsw3OxBb3fWx4W7S249dbTNoTPqPlCoLLlv8mshTwF4 nZJksLz5D40rtqrtYT1g3d1rDURz8rANP9MqHUpkXKETg9ufNwprWAdFYfd/IQw8 e547k0Wy60NRb1rowI7hIOc/egqRU6WjQ5ygmCblHmoL9AK6Jh03tXS6maPrbSRt 9Nkf/iPbkz8m7kOR1OUbq9/YXaNI6LECOYsI+ML8iy1ddPIGg+eNce3Lg47Q/rpY 3Y+w1KHoticeetKvJn+mzxLiGXVEUik/Mm5eniJGMCa5bMO31xH5TXcouOE554u6 gcACjeaTz/KYQ8TnMTAaJIG9GIvclao4xYA705LPMHHeEF5fQXRnJqSZ9i1tqWZQ EOFJ5RhJSJuf0j4P+4fpZOxV3wZJlvE6Ts3s2m2Iws+WLZSYAHlpVLUKuk2vxvrO v44syOGi80f/zPWAy4u0NrNSBMCCIv9VElJ+9azCjOW349murPZeymOWGM/A9HbU DH00pogNlUHHiZB+X9tKktFGAI2qZXHE13fRlmNbblAKepQdCNEo/Cji5sDXKacG 7HaBZlQZiX9u2pOYtLZHSyCgfThtKv3DzmOFtER1BMDeiRffUcjGvMKErjU1SLeE FqZLl+YJqmQ7sZM= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIGEDCCA/igAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZwxCzAJBgNVBAYTAlVT MRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlQYWxvIEFsdG8xIjAgBgNV BAoMGVBoYW50b20gQ3liZXIgQ29ycG9yYXRpb24xFDASBgNVBAsMC0VuZ2luZWVy aW5nMSowKAYDVQQDDCFQaGFudG9tIEN5YmVyIENvcnBvcmF0aW9uIFJvb3QgQ0Ew HhcNMTYwNjAxMjM0ODA4WhcNMjYwNTMwMjM0ODA4WjCBkDELMAkGA1UEBhMCVVMx EzARBgNVBAgMCkNhbGlmb3JuaWExIjAgBgNVBAoMGVBoYW50b20gQ3liZXIgQ29y cG9yYXRpb24xFDASBgNVBAsMC0VuZ2luZWVyaW5nMTIwMAYDVQQDDClQaGFudG9t IEN5YmVyIENvcnBvcmF0aW9uIEludGVybWVkaWF0ZSBDQTCCAiIwDQYJKoZIhvcN AQEBBQADggIPADCCAgoCggIBAPJEEEDFnoPwu70writqR/s2njLR6FqVNYcXGnot U9SU0mlOse3ZKa1tNKE84WBO0IYxFTXO+B1F7DK2aGmvC2pAdMH34zOdfk3j2FwA Zed4NUzkmn2cFcTa7Ldroj+8DLWPnB03FAlPfcXOx1yYhV1vxTdT1uw+nzyxbUGf kMVu0i+NpXjar9hzkw7YxyShnUYrlBX/kA8arWoe9v+b/1t8mnySb+v0DdW5i2pS 6Jnu2C6tnYzPbqyQANsar1MFWHV0c3L24f8B8je33vdqdzmKlGbvCBBMS0LCQm7L B1xDY3yJrkjc+x6R6cBytxwW9+h/eZp6wpu2vtX15EOF6acJOCHtvXM9CbpVRHkW Hy5+c5cuEh4HA/0BGZa0okhy8aguD+YCVVFkeZ+UM0Arxs+mVrlbNQjeogaP1Kxm k7+GooB0z1PXL95dZarovawuJ+k3IPT+trTO8CtINqOZqauo56n6KSWtpN0OP+nE 6xb92DR9LP8GvdKEnVH7AxBLinNrwtUqXgmqJFjcqNE6RdxmBxr2s35WJzaqBkzp mX4HVyxIFDXSRIY54RjyNcx+5glcCrDilekm6sSTtNcV3vCxSMlj64UjtaI8j0ph 3xNFLfJBa9sDyljmwo+1SFQw/VIfDoasPJtxkgW/ry47XLs4wPvljNm/8bG/wtbf QmMfAgMBAAGjZjBkMB0GA1UdDgQWBBTjq/YIkhAYNe7UUHoz2UpuyhQNEjAfBgNV HSMEGDAWgBQtWQnie48FM86cNmhnlUEI9o0OQjASBgNVHRMBAf8ECDAGAQH/AgEA MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEATriE0O4xdpHojl5H l7xdTi5sBe5KdZ+zgs6BBJSbDKKPoADZzx0CUB5vzqx1By3z4aS0fWId+eG1rQ70 JA2if+JqLR/NK0M9n/D9e4/wwz+GgDdtFARljrdvPiau4Rk1ybNGgdvKHBjF9lCG 7uo1XVJ/IszFJGG37q3L+0aJjQnKxmgd0Fh1z50OtMjiO6EKzeAIJagr+zceobUt c5c3E67fITGI1Dr74em+g4Wo2th0zt7OYwfVTbFM7delGnCS/+J2JlGOX6A4KVd5 2dN79y7Asf5ULngDOg77N+coHaEhHSS5gLYQ2vsi6mIRBmJaxkYwQErAg3ObHXiV 94KIGlmDq3C9f1olUHdEbOw0njYG7R0zciKGe78FVQqtmjK1gbI8x9bo9+kzyVH6 1Ru7ZnoitT8UqJxtMml4pUSHSM9u4HCjXkSYzEWmZzn+6weqH1qLwBCiqx5hgKUI IHq8Hu/RPwFQsEqTSZAgcA0QvbMxT7yqt5HYxLNvj6sbieQNRxjeUshCFt6/o42e buAkABxg0cY1kRdSKDjRL6NSw7t6GLs0xkW8Z98WbMmE7LueXqKTk/FZVRL4u9Nx eeheRnVf5vPVd6OSsLxpCQtzOCb9zG+LvIg16qJfacXtsDHbcRM6cKaDKlTT2CmA +xULbgPvxpR3cOc2l+bxhf0EExM= -----END CERTIFICATE-----
- Restart the nginix service:
phsvc restart nginx
If Nginx fails to restart, SELinux may have a conflict with the changed security context of the SSL files. The issue can be resolved by resetting the security context of the replaced SSL files. The Nginx error log location is
/var/log/nginx/error.log
. Run the following commands to reset the security context and restart Nginx:restorecon /opt/phantom/etc/ssl/certs/httpd_cert.crt restorecon /opt/phantom/etc/ssl/private/httpd_cert.key phsvc restart nginx
Add a public key to your Splunk Enterprise instance
If you want to use the default Splunk Phantom certificate or create your own self-signed certificate so that Splunk Phantom can communicate securely with Splunk Enterprise, you must add your public key to Splunk Enterprise. To do so, perform the following tasks on Splunk Enterprise:
- Make a backup copy of the existing
$SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem
file. - Edit the existing
$SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem
file and add your PEM formatted certificate to the end of the file. This is the.pem
or.crt
file from the default Splunk Phantom certificate or your own self-signed certificate. See Getting your certificates in the Securing Splunk Enterprise manual for more information about creating your own SSL certificates for Splunk Enterprise.
Manage HTTPS certificate validation using configuration files
You can configure HTTPS certificate validation by editing the verify_certs
stanza in the phantom.conf
Splunk Phantom App for Splunk configuration file.
Perform the following tasks:
- Set the
value
totrue
or1
to enable HTTPS certificate validation. For example:[verify_certs] value = true
- Set the
value
tofalse
or0
to disable HTTPS certificate validation. For example:[verify_certs] value = false
It is a best practice to edit a local version of any configuration file, not the version in the default
folder. See How to edit a configuration file in the Splunk Enterprise Admin Manual for more information.
Restart Splunk Enterprise to have configuration file changes take affect. To learn more, see When to restart Splunk Enterprise after a configuration file change in the Splunk Enterprise Admin Manual.
Manage HTTPS certificate validation using the REST API
In Splunk Enterprise, you can configure HTTPS certificate validation using the REST API by sending an HTTP POST to the REST endpoint with a curl
command. The curl
command has the following format:
curl -ku <username>:<password> https://<hostname>:<mgmtHostPort>/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs -d value=<true|false>
See Configuration endpoint descriptions in the Splunk Enterprise REST API Reference Manual for more information.
This method is not allowed in Splunk Cloud environments.
Enable Splunk platform users to use the Splunk Phantom App for Splunk | Connect the Splunk Phantom App for Splunk and the Splunk Platform to a Splunk Phantom server or Splunk SOAR |
This documentation applies to the following versions of Splunk® Phantom App for Splunk: 4.1.3
Feedback submitted, thanks!