Provide a valid SSL certificate for the connection between Splunk SOAR and Splunk Enterprise
By default, the connection between Splunk SOAR (Cloud) or Splunk SOAR (On-Premises) and Splunk Enterprise or Splunk Cloud Platform requires a valid SSL certificate. Splunk SOAR (Cloud) and Splunk SOAR (On-Premises) generate a self-signed certificate when installed. When a web browser requests a connection to Splunk SOAR (Cloud), Splunk SOAR (On-Premises), Splunk Enterprise, or Splunk Cloud Platform, HTTPS validation fails because the self-signed certificate is not issued by a valid Certificate Authority.
Splunk SOAR (Cloud) and Splunk Cloud Platform include compatible certificates. When using this combination, the steps described in this article are not required.
For Splunk SOAR (on-premises) deployments with a custom root certificate, used in combination with Splunk Cloud Platform, contact Splunk Support.
You can manage your HTTPS certificate validation on Splunk Enterprise by using one of the following methods to provide a valid SSL certificate, listed in order of preference:
- Use a valid certificate signed by a Certificate Authority.
- Add a public key to your Splunk Enterprise instance.
- Manage HTTPS certificate validation using the REST API.
- Manage HTTPS certificate validation using configuration files.
Disable certificate verification only in development or test environments. Do not disable certificate verification in a production system. If you are a Splunk Cloud Platform user, contact support with your certificate bundle.
Assign certificates in clustered environments
Each node in a clustered environment requires a certificate. Add the same certificate for each node, using one of the methods described in the following sections.
Use a valid certificate signed by a Certificate Authority
For details, see Replace existing HTTPS certificate with certificate signed by a Certificate Authority in the Add, remove, or replace certificates from the Splunk SOAR (On-premises) certificate store article in the Administer Splunk SOAR (On-premises) documentation.
Add your Splunk SOAR (Cloud) or Splunk SOAR (On-Premises) root CA certificate to your Splunk Enterprise instance
If you want to use the Splunk SOAR (Cloud) or Splunk SOAR (On-Premises) certificate or add your own certificate so that Splunk SOAR (Cloud) or Splunk SOAR (On-Premises) can communicate securely with Splunk Enterprise, you must add the root CA certificate to Splunk Enterprise.
You must add the root certificate to the PEM file used by Splunk App for SOAR Export, usually cert_bundle.pem. If you created a cert_bundle.pem file in the Splunk App for SOAR Export app directory, Splunk App for SOAR Export will only read the local PEM file and will not use the PEM file for Splunk Enterprise or Splunk Cloud Platform.
To add the Splunk SOAR (On-Premises) root CA certificate to your Splunk Enterprise instance, perform the following tasks on Splunk Enterprise:
- If you are installing for the first time, proceed to the next step. If you have an existing certificate from a previous configuration, make a backup copy of the existing $SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem file.
- Create or edit the existing $SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem file and add your PEM formatted certificate to the end of the file. This is the .pem or .crt file from the default Splunk SOAR (Cloud) or Splunk SOAR (On-Premises) certificate, or from your own certificate. See Getting your certificates in the Securing Splunk Enterprise manual for more information about creating your own SSL certificates for Splunk Enterprise.
You can add multiple Splunk SOAR (Cloud) or Splunk SOAR (On-Premises) root CA certificates to $SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem.
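The two steps above (back up the existing bundle, then append the PEM block) as a small POSIX shell script. This is an added example, not Splunk's own tooling: it assumes $SPLUNK_HOME is the Splunk Enterprise install directory and uses the cert_bundle.pem path the documentation gives. It also refuses input that is not a PEM certificate or that carries a private key, since either would break every connection that relies on the bundle, and it guards against an old bundle with no trailing newline fusing its last END line with the new BEGIN line.

```shell
#!/bin/sh
# Added example, not Splunk's own tooling: append a SOAR root CA certificate to the
# cert_bundle.pem that Splunk App for SOAR Export reads, taking a backup first as the
# procedure requires. Assumes $SPLUNK_HOME is the Splunk Enterprise install directory;
# the bundle path below is the one the documentation gives.

# add_soar_ca_to_bundle SPLUNK_HOME CERT_PEM
# Appends CERT_PEM to the bundle and prints the number of certificates the bundle now
# contains. Returns 1 (leaving the bundle untouched) if CERT_PEM is not a PEM-encoded
# certificate or contains a private key.
add_soar_ca_to_bundle() {
    splunk_home=$1
    new_cert=$2
    bundle="$splunk_home/etc/apps/phantom/local/cert_bundle.pem"

    # Only PEM text with certificate markers belongs in the trust bundle; a DER .cer or a
    # key would silently break every TLS connection that relies on it.
    grep -q '^-----BEGIN CERTIFICATE-----' "$new_cert" || return 1
    grep -q '^-----END CERTIFICATE-----' "$new_cert" || return 1
    if grep -q 'PRIVATE KEY' "$new_cert"; then
        return 1
    fi

    mkdir -p "$(dirname "$bundle")"
    if [ -f "$bundle" ]; then
        # Step 1: keep a dated backup of the previous bundle.
        cp "$bundle" "$bundle.bak.$(date +%Y%m%d%H%M%S)"
        # Without a trailing newline the old END line and the new BEGIN line would fuse.
        [ -z "$(tail -c 1 "$bundle")" ] || printf '\n' >> "$bundle"
    fi
    # Step 2: add the PEM block to the end of the file.
    cat "$new_cert" >> "$bundle"

    # Several SOAR root CAs may live in one bundle; report the count for the operator.
    grep -c '^-----BEGIN CERTIFICATE-----' "$bundle"
}

# Demo against a throwaway SPLUNK_HOME with a constructed placeholder certificate body
# (not a real certificate; the checks above look only at the PEM markers).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=' '-----END CERTIFICATE-----' > "$demo_dir/soar_root_ca.pem"
echo "bundle now holds $(add_soar_ca_to_bundle "$demo_dir" "$demo_dir/soar_root_ca.pem") certificate(s)"
rm -rf "$demo_dir"
```

Run it once per node in a clustered deployment with the same certificate file, so every node's bundle ends up identical. The printed count is a quick sanity check that the append landed in the file Splunk App for SOAR Export actually reads.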
Manage HTTPS certificate validation using the REST API
In Splunk Enterprise, you can configure HTTPS certificate validation using the REST API by sending an HTTP POST to the REST endpoint with a curl command.
This method is not allowed in Splunk Cloud Platform environments.
It is best practice to have certificate verification turned on.
The curl command has the following format:
curl -ku <username>:<password> https://<splunk address>:<mgmtHostPort>/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs -d value=<true|false>
See Configuration endpoint descriptions in the Splunk Enterprise REST API Reference Manual for more information.
Manage HTTPS certificate validation using configuration files
You can configure HTTPS certificate validation by editing the verify_certs stanza in phantom.conf, the Splunk App for SOAR configuration file.
This method is not allowed in Splunk Cloud Platform environments.
It is best practice to have certificate verification turned on.
It is a best practice to edit a local version of any configuration file, not the version in the default folder. See How to edit a configuration file in the Splunk Enterprise Admin Manual for more information.
Perform the following tasks as a user with both read and write permissions:
- Set the value to true or 1 to enable HTTPS certificate validation. For example:
  [verify_certs]
  value = true
- Set the value to false or 0 to disable HTTPS certificate validation. For example:
  [verify_certs]
  value = false
Restart Splunk Enterprise for configuration file changes to take effect. To learn more, see When to restart Splunk Enterprise after a configuration file change in the Splunk Enterprise Admin Manual.
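Because the same verify_certs switch is what developers flip off in test environments, it is worth being able to audit it mechanically before a configuration reaches production. The script below is an added example, not part of the Splunk documentation: it reads the [verify_certs] stanza from a phantom.conf, accepts only the spellings the documentation lists (true/1 and false/0), and exposes a pass/fail gate. It assumes the local override lives at $SPLUNK_HOME/etc/apps/phantom/local/phantom.conf (a constructed path patterned on the cert_bundle.pem location above; check it against your deployment). The REST wrapper at the end applies the same setting through the documented endpoint, using --cacert in place of the -k of the documented curl command so that the management-port connection itself is verified; it is defined for reference and not exercised by the demo.

```shell
#!/bin/sh
# Added example, not part of the Splunk documentation: read the verify_certs stanza of a
# phantom.conf and gate deployments on it, so certificate verification turned off for a
# test run cannot reach production unnoticed. Assumes the local override lives at
# $SPLUNK_HOME/etc/apps/phantom/local/phantom.conf (a constructed path, patterned on the
# cert_bundle.pem location the documentation gives; check it against your deployment).

# verify_certs_setting CONF_FILE
# Prints "true" or "false" for the documented spellings (true/1, false/0), "unset" if the
# file does not set value in [verify_certs] (the default layer then applies), or "invalid".
verify_certs_setting() {
    conf=$1
    if [ ! -f "$conf" ]; then echo unset; return 0; fi
    # awk tracks which stanza it is in and takes 'value' only inside [verify_certs].
    raw=$(awk '
        /^[[:space:]]*\[/ { in_stanza = ($0 ~ /^[[:space:]]*\[verify_certs\][[:space:]]*$/); next }
        in_stanza && /^[[:space:]]*value[[:space:]]*=/ {
            sub(/^[[:space:]]*value[[:space:]]*=[[:space:]]*/, ""); sub(/[[:space:]]*$/, ""); print; exit
        }' "$conf")
    case "$raw" in
        "")       echo unset ;;
        true|1)   echo true ;;
        false|0)  echo false ;;
        *)        echo invalid ;;
    esac
}

# Exit status 0 only when verification is explicitly enabled: usable as a pre-deploy gate.
assert_verify_certs_enabled() {
    [ "$(verify_certs_setting "$1")" = true ]
}

# set_verify_certs_rest SPLUNK_ADDRESS MGMT_PORT CA_FILE USERNAME true|false
# REST form of the same setting via the documented endpoint. --cacert replaces the -k of
# the documented command so the management-port TLS connection is verified against your
# Splunk CA file; giving only a username makes curl prompt for the password instead of
# exposing it on the command line. Not exercised by the demo below.
set_verify_certs_rest() {
    curl --fail --silent --show-error --cacert "$3" -u "$4" \
        "https://$1:$2/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs" \
        -d "value=$5"
}

# Demo on a constructed phantom.conf in a throwaway directory.
demo_dir=$(mktemp -d)
printf '%s\n' '[verify_certs]' 'value = false' > "$demo_dir/phantom.conf"
echo "verify_certs in demo conf: $(verify_certs_setting "$demo_dir/phantom.conf")"
assert_verify_certs_enabled "$demo_dir/phantom.conf" || echo "refusing to deploy: certificate verification is disabled"
rm -rf "$demo_dir"
```

A deployment pipeline can call assert_verify_certs_enabled on the local phantom.conf it is about to ship and stop if it fails; an "unset" result means the file does not override the setting and the default-layer value applies, which is worth reviewing rather than assuming.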
This documentation applies to the following versions of Splunk® App for SOAR Export: 4.1.117, 4.1.135, 4.2.3, 4.3.2