After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
Convert a privileged deployment to an unprivileged deployment
From release 5.3.3 and higher of , you can convert an privileged deployment of Splunk SOAR (On-premises) to an unprivileged deployment.
Converting a privileged Splunk SOAR (On-premises) deployment to an unprivileged deployment cannot be undone. Make sure you are ready to convert before running the running the conversion tool.
Before you begin
There are a few steps to perform before you begin the conversion.
- Make a full backup of your Splunk SOAR (On-premises) deployment. See Splunk SOAR (On-premises) backup and restore overview in Administer Splunk SOAR (On-premises.
- Disable any warm standby. See Disable warm standby for Splunk SOAR (On-premises) in Administer Splunk SOAR (On-premises).
- Disable any cron jobs or other automated processes that might try to make changes to your Splunk SOAR (On-premises) deployment during the conversion process.
Changes to a privileged deployment when converting to an unprivileged deployment
Unprivileged instances of run as a user other than the root user.
- New OVA or AMI deployments run under the user account phantom.
- Privileged deployments converted to unprivileged deployments run under the user account phantom.
- Manually installed unprivileged deployments run under the user account specified during installation.
These changes are made to a deployment which is converted from privileged to unprivileged.
- RPM dependencies that are replaced with unprivileged versions are uninstalled.
- pgbouncer
- nginx
- postgresql
- git
- Splunk SOAR (On-premises) RPM files are removed from the RPM database. Existing files are not removed, only the RPM database entries. This largely impacts deployments which were upgraded from Splunk Phantom.
- Change the owner of everything in the <PHANTOM_HOME> directory to the owner phantom:phantom.
- Disable SElinux
- Install the unprivileged versions of dependency items.
- pgbouncer
- nginx
- postgresql
- git
- Reconfigures auto-boot.
- Modifies logging config setting for all the Splunk SOAR daemons in the phantom database.
- Remove rsyslog configuration.
- Updates the necessary configuration files, mostly for updating logging paths.
- Moves Splunk SOAR (On-premises) logs from /var/log/phantom to <PHANTOM_HOME>/var/log/phantom.
- Ensures that the phantom user has a gecos/full name attribute set.
- Configure a firewall port forward from the custom unprivileged HTTPS port (default is 9999) to HTTPS port 443. This item requires firewalld to be running.
Manually converting a privileged deployment to an unprivileged deployment
After you have upgraded to the 5.3.3 or higher release of Splunk SOAR (On-premises), you can convert your privileged deployment to unprivileged one at any time. The tool works for single instances or clusters.
Converting a privileged Splunk SOAR (On-premises) deployment to an unprivileged deployment cannot be undone. Make sure you are ready to convert before running the running the conversion tool.
If you want to manually convert a privileged deployment of Splunk SOAR (On-premises) to an unprivileged one, do the following:
- Make sure that firewalld is active and running. The migration script requires firewalld to be active so it can be configured.
If firewalld is not running, the migration script can fail, and leave your deployment in an unusable state.
If your deployment cannot use firewalld, see If you cannot use firewalld in your deployment.- Check the status of firewalld. Example output from an active firewalld:
sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2022-07-13 19:00:17 GMT; 1 weeks 1 days ago - (Conditional) If firewalld is not active, enable it, then activate it.
sudo systemctl enable firewalld
sudo systemctl start firewalld
- Check the status of firewalld.
- Change directory to /opt/phantom.
cd /opt/phantom
- Run the migration tool, and follow the prompts.
phenv python migration/migrate.py
The migrate.py tool supports two arguments:
- Use
--no-prompt
or-y
to run the tool without prompting the user for input. - Use
--https-port
or-p
to specify your custom HTTPS port. If you do not specify port, 9999 is used.
- Use
- (Optional) If you are converting a privileged Splunk SOAR (On-premises) cluster, stop Splunk SOAR on all nodes, then repeat the preceding steps for each cluster node.
If you are converting a privileged cluster to an unprivileged one, you will need to configure your load balancer to listen for your custom HTTPS port. If you did not specify a port during the migration, the port 9999 is set for you.
If the script fails to complete the migration, an error message is displayed on stdout that will contain the error encountered and the log file to consult for further troubleshooting.
If you cannot use firewalld in your deployment
Some deployments cannot use firewalld. If this is the case for your organization, do these additional tasks to make Splunk SOAR (On-premises) available on port 8443:
- Download an alternate version of the migrate.py script. File: alternate_5.3.5_migrate_py.zip
- Extract the file, replacing the original migrate.py in /opt/phantom/migration/
- Manually convert your Splunk SOAR (On-premises) release 5.3.5 deployment from privileged to unprivileged. As the root user:
cd /opt/phantom
/opt/phantom/bin/phenv python3 migration/migrate.py --no-prompt --https-port 8443
When you migrate this way, you must manually update all assets configured to use port 443 to use port 8443.
upgrade overview and prerequisites | Upgrade a single privileged instance |
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.5
Feedback submitted, thanks!