Splunk® App for SOAR Export

Use the Splunk App for SOAR Export to Forward Events

This documentation does not apply to the most recent version of Splunk® App for SOAR Export. For documentation on the most recent version, go to the latest release.

Provide a valid SSL certificate for the connection between Splunk SOAR and Splunk Enterprise

By default, the connection between Splunk SOAR (Cloud) or Splunk SOAR (On-Premises) and Splunk Enterprise or Splunk Cloud Platform requires a valid SSL certificate. Splunk SOAR (Cloud) and Splunk SOAR (On-Premises) generate a self-signed certificate when installed. When a web browser requests a connection to Splunk SOAR (Cloud), Splunk SOAR (On-Premises), Splunk Enterprise, or Splunk Cloud Platform, HTTPS validation fails because the self-signed certificate is not issued by a trusted Certificate Authority.

Splunk SOAR (Cloud) and Splunk Cloud Platform include compatible certificates. When using this combination, the steps described in this article are not required.

For Splunk SOAR (on-premises) deployments with a custom root certificate, used in combination with Splunk Cloud Platform, contact Splunk Support.

You can manage your HTTPS certificate validation on Splunk Enterprise by using one of the methods described in the following sections to provide a valid SSL certificate. The methods are listed in order of preference.

Disable certificate verification only in development or test environments. Do not disable certificate verification in a production system. If you are a Splunk Cloud Platform user, contact support with your certificate bundle.

Assign certificates in clustered environments

Each node in a clustered environment requires a certificate. Add the same certificate for each node, using one of the methods described in the following sections.

Use a valid certificate signed by a Certificate Authority

For details, see Replace existing HTTPS certificate with certificate signed by a Certificate Authority in the Add, remove, or replace certificates from the Splunk SOAR (On-premises) certificate store article in the Administer Splunk SOAR (On-premises) documentation.

Add your Splunk SOAR (Cloud) or Splunk SOAR (On-Premises) root CA certificate to your Splunk Enterprise instance

If you want to use the Splunk SOAR (Cloud) or Splunk SOAR (On-Premises) certificate or add your own certificate so that Splunk SOAR (Cloud) or Splunk SOAR (On-Premises) can communicate securely with Splunk Enterprise, you must add the root CA certificate to Splunk Enterprise.

You must add the root certificate to the PEM file used by Splunk App for SOAR Export, usually cert_bundle.pem. If you created a cert_bundle.pem file in the Splunk App for SOAR Export app directory, Splunk App for SOAR Export will only read the local PEM file and will not use the PEM file for Splunk Enterprise or Splunk Cloud Platform.

To add the Splunk SOAR (On-Premises) root CA certificate to your Splunk Enterprise instance, perform the following tasks on Splunk Enterprise:

  1. If you are installing for the first time, proceed to the next step.
    If you have an existing certificate from a previous configuration, make a backup copy of the existing $SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem file.
  2. Create or edit the existing $SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem file and add your PEM formatted certificate to the end of the file. This is the .pem or .crt file from the default Splunk SOAR (Cloud), Splunk SOAR (On-Premises) certificate, or your own certificate. See Getting your certificates in the Securing Splunk Enterprise manual for more information about creating your own SSL certificates for Splunk Enterprise.
    You can add multiple Splunk SOAR (Cloud) or Splunk SOAR (On-Premises) root CA certificates to $SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem.
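The two steps above as a shell helper, added here as an example and not part of the Splunk documentation. It assumes a Linux Splunk Enterprise host with SPLUNK_HOME at /opt/splunk (override the variable for your install) and needs only sed, awk and grep, so it works where openssl is not on the path.

```shell
# Added example (not from the Splunk documentation): back up the Splunk App for
# SOAR Export PEM bundle, then append a root CA certificate to it (steps 1 and 2).
# SPLUNK_HOME defaults to /opt/splunk, an assumption; override it for your install.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
BUNDLE="${BUNDLE:-$SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem}"

# pem_is_valid FILE: true if FILE holds at least one PEM certificate block with
# balanced BEGIN/END markers (a cheap sanity check that needs no openssl).
pem_is_valid() {
    [ -s "$1" ] || return 1
    b=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    e=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# bundle_cert_count FILE: number of certificates in the bundle (0 if it is missing).
bundle_cert_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# cert_body FILE: the base64 body of the (single) certificate in FILE as one line.
cert_body() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/{/-----/d;p;}' "$1" | tr -d ' \r\n'
}

# bundle_bodies FILE: one line per certificate in the bundle, same normalisation.
bundle_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { body = ""; inblock = 1; next }
         /-----END CERTIFICATE-----/   { print body; inblock = 0; next }
         inblock { gsub(/[ \r]/, ""); body = body $0 }' "$1"
}

# add_root_ca CERT [BUNDLE]: step 1 (backup) then step 2 (append). Re-running with
# a certificate that is already in the bundle is a no-op, so the bundle never
# accumulates duplicate copies of the same root CA.
add_root_ca() {
    cert="$1"; bundle="${2:-$BUNDLE}"
    pem_is_valid "$cert" || { echo "not a PEM certificate: $cert" >&2; return 1; }
    if [ -f "$bundle" ]; then
        if bundle_bodies "$bundle" | grep -qxF -- "$(cert_body "$cert")"; then
            echo "already in bundle: $cert"; return 0
        fi
        cp -p "$bundle" "$bundle.bak.$(date +%Y%m%d%H%M%S)"   # step 1: backup
        [ -z "$(tail -c1 "$bundle")" ] || echo >> "$bundle"   # keep PEM blocks separated
    else
        mkdir -p "$(dirname "$bundle")"
    fi
    cat "$cert" >> "$bundle"                                   # step 2: append
    [ -z "$(tail -c1 "$bundle")" ] || echo >> "$bundle"
}
```

Call it as `add_root_ca /path/to/soar_root_ca.pem` for each Splunk SOAR instance whose root CA the app must trust.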

Manage HTTPS certificate validation using the REST API

In Splunk Enterprise, you can configure HTTPS certificate validation using the REST API by sending an HTTP POST to the REST endpoint with a curl command.

This method is not allowed in Splunk Cloud Platform environments.

It is best practice to have certificate verification turned on.

The curl command has the following format:

curl -ku <username>:<password> https://<splunk address>:<mgmtHostPort>/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs -d value=<true|false>

See Configuration endpoint descriptions in the Splunk Enterprise REST API Reference Manual for more information.


Manage HTTPS certificate validation using configuration files

You can configure HTTPS certificate validation by editing the verify_certs stanza in phantom.conf, the Splunk App for SOAR Export configuration file.

This method is not allowed in Splunk Cloud Platform environments.

It is best practice to have certificate verification turned on.

It is a best practice to edit a local version of any configuration file, not the version in the default folder. See How to edit a configuration file in the Splunk Enterprise Admin Manual for more information.

Perform the following tasks as a user with both read and write permissions:

  • Set the value to true or 1 to enable HTTPS certificate validation. For example:
    [verify_certs]
    value = true

  • Set the value to false or 0 to disable HTTPS certificate validation. For example:
    [verify_certs]
    value = false


Restart Splunk Enterprise to have configuration file changes take effect. To learn more, see When to restart Splunk Enterprise after a configuration file change in the Splunk Enterprise Admin Manual.
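An audit helper for the setting described above, added here as an example and not part of the Splunk documentation: it reads verify_certs from phantom.conf with local/ taking precedence over default/, accepts the true/1 and false/0 spellings, and flags a system where verification is off. SPLUNK_HOME at /opt/splunk is an assumption; the Splunk default layering is what the page describes, but nothing here claims what the app's shipped default value is.

```shell
# Added example (not from the Splunk documentation): audit the verify_certs
# setting in phantom.conf, resolving local/ over default/ as Splunk does.
# SPLUNK_HOME defaults to /opt/splunk, an assumption; override it for your install.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
APP_DIR="${APP_DIR:-$SPLUNK_HOME/etc/apps/phantom}"

# conf_get FILE STANZA KEY: print the value of KEY inside [STANZA] of a Splunk
# .conf file, or nothing if the file, stanza or key is absent. '#' lines are skipped.
conf_get() {
    [ -f "$1" ] || return 0
    awk -v stanza="$2" -v key="$3" '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); inst = (s == stanza); next }
        inst && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# verify_certs_setting [APP_DIR]: effective value as "true" or "false"
# (true/1 and false/0 accepted), or "unset" when neither layer sets it.
verify_certs_setting() {
    dir="${1:-$APP_DIR}"
    v=$(conf_get "$dir/local/phantom.conf" verify_certs value)
    [ -n "$v" ] || v=$(conf_get "$dir/default/phantom.conf" verify_certs value)
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        true|1)  echo true ;;
        false|0) echo false ;;
        "")      echo unset ;;
        *)       echo "unrecognised verify_certs value: $v" >&2; return 1 ;;
    esac
}

# audit_verify_certs [APP_DIR]: exit 0 when certificate verification is on,
# 1 when it is off (the state to flag outside development and test), 2 if unset.
audit_verify_certs() {
    case "$(verify_certs_setting "$1")" in
        true)  echo "verify_certs: enabled"; return 0 ;;
        false) echo "verify_certs: DISABLED in ${1:-$APP_DIR}" >&2; return 1 ;;
        *)     echo "verify_certs: not set in phantom.conf"; return 2 ;;
    esac
}
```

Run `audit_verify_certs` from a cron job or a configuration check on each Splunk Enterprise node so a value left at false after testing is noticed.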

Last modified on 12 December, 2024

This documentation applies to the following versions of Splunk® App for SOAR Export: 4.1.117, 4.1.135, 4.2.3, 4.3.2
