Splunk® SOAR (On-premises)

Administer Splunk SOAR (On-premises)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify them.
For details, see:

Update or renew SSL certificates for Nginx, RabbitMQ, or Consul

Secure Sockets Layer (SSL) certificates are automatically updated when you upgrade to a new release. In some cases, you may need to manually update the certificates for Nginx, RabbitMQ, or Consul on your Splunk SOAR (On-premises) deployment.

Clustered deployments of Splunk SOAR (On-premises) require RabbitMQ and Consul for internode coordination. Single-instance deployments do not.

The management command update_certificates checks the status of, and manually updates, the SSL certificates for Nginx, RabbitMQ, and Consul.

The following instructions refer to the self-signed SSL certificates shipped with Splunk SOAR (On-premises). If you want to use custom certificates, see Add, remove, or replace certificates from the Splunk SOAR (On-premises) certificate store for more information.

Updating the SSL certificates

To update the SSL certificates for your deployment, follow these steps:

  1. Connect to your deployment using SSH.
  2. Change directory to <PHANTOM_HOME>/bin.
  3. Check the status of your SSL certificates.
    phenv update_certificates status
  4. Stop services. In a clustered deployment, do this on each cluster node.
    ./stop_phantom.sh
  5. Start pgbouncer. In a clustered deployment, do this on each cluster node.
    ./phsvc start pgbouncer
  6. Update the desired certificates. In a clustered deployment, do this on the primary cluster node.
    phenv update_certificates refresh --scope <scope> --verbosity 3
  7. (Conditional) In a clustered deployment, update the certificates on each other node.
    phenv update_certificates refresh --scope <scope> --skip-ca
  8. Start services. In a clustered deployment, do this on each cluster node, one at a time.
    ./start_phantom.sh

This process applies only to the default Splunk SOAR (On-premises) self-signed certificates.

When updating the certificates used by Consul and RabbitMQ, stop all cluster nodes before refreshing the certificates, and refresh the certificates on every node before starting any node. Start first the node that you shut down last, and use the --skip-ca option on every node except that first one.

update_certificates tool options and examples

This table lists the arguments for the management command update_certificates.

The arguments should be placed anywhere after phenv update_certificates. For example, phenv update_certificates --no-color status.

Argument Description
-h, --help Show the help text, then exit.
--scope {nginx, glusterfs, all, consul_and_rabbitmq} Set the scope of the certificates that this command will affect. If no scope is specified, the default is all.
  • all
  • nginx
  • consul_and_rabbitmq

glusterfs is not currently supported.

--no-prompt Set the tool to run without prompting the user for input.
--skip-ca Set the tool to run without getting certificate authority information.
-v {0,1,2,3}, --verbosity {0,1,2,3} Verbosity level:
  • 0 for minimal output
  • 1 for normal output
  • 2 for verbose output
  • 3 for very verbose output
--no-color Don't colorize the command output. This changes the output to also include the log levels DEBUG, INFO, WARNING, or ERROR.
--skip-checks Skip system checks.
Positional Argument Description
refresh Refresh the expiration dates of the specified scope of SSL certificates.
status Output the status of the specified scope of SSL certificates.

Check the status of certificates

You can check the status of your SSL certificates.

phenv update_certificates status

For a standalone system, the output looks similar to the following:

Fetching certificate status for nginx

Nginx ssl certificate:
  Subject: CN=phantom
  Valid until: May 20 2025 at 08:50 AM

For a clustered deployment, the output looks similar to the following:

Fetching certificate status for nginx, consul_and_rabbitmq, and glusterfs

Nginx ssl certificate:
  Subject: CN=phantom
  Valid until: Mar 10 2025 at 07:32 PM

Consul & RabbitMQ ca certificate:
  Subject: CN=PhantomRabbitCA
  Valid until: Dec 04 2032 at 07:58 PM

Consul & RabbitMQ server certificate:
  Subject: O=server,CN=10.1.19.113
  Valid until: Dec 04 2032 at 07:58 PM

Consul & RabbitMQ client certificate:
  Subject: O=client,CN=10.1.19.113
  Valid until: Dec 04 2032 at 07:58 PM

Consul on port 8501 (LIVE):
  Subject: CN = 10.1.19.113, O = server
  Valid until: Dec  4 19:58:23 2032 GMT

RabbitMQ on port 5671 (LIVE):
  Subject: CN = 10.1.19.113, O = server
  Valid until: Dec  4 19:58:23 2032 GMT

GlusterFS ca/server certificate:
  Subject: OU=Gluster,O=Phantom,ST=CA,CN=US
  Valid until: Dec 04 2032 at 07:52 PM
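To turn the status output above into an expiry check that can be scheduled or fed to monitoring, the following added example (not part of Splunk's tooling) parses both date layouts the command prints and lists certificates that fall within a renewal window. The sample output is constructed from the cluster output shown in this topic, and the 30-day threshold and reference date are assumptions:

```python
# Added example (not Splunk code): parse `phenv update_certificates status`
# output and flag certificates that expire within a chosen number of days.
from datetime import datetime, timedelta

# Two date layouts appear: the tool's summary format and openssl's notAfter
# format used for the live Consul/RabbitMQ listeners.
_DATE_FORMATS = ("%b %d %Y at %I:%M %p", "%b %d %H:%M:%S %Y GMT")

def _parse_date(text):
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised date: {text!r}")

def parse_status(output):
    """Return {certificate name: expiry datetime} from the status output."""
    certs, name = {}, None
    for line in output.splitlines():
        if line and not line.startswith(" ") and line.endswith(":"):
            name = line[:-1]  # section header, e.g. "Nginx ssl certificate"
        elif name and line.strip().startswith("Valid until:"):
            certs[name] = _parse_date(line.split("Valid until:", 1)[1])
    return certs

def expiring_within(certs, days, now):
    """Names of certificates whose expiry is within `days` of `now`."""
    cutoff = now + timedelta(days=days)
    return sorted(n for n, exp in certs.items() if exp <= cutoff)

# Constructed sample, trimmed from the cluster output shown in this topic.
SAMPLE = """\
Nginx ssl certificate:
  Subject: CN=phantom
  Valid until: Mar 10 2025 at 07:32 PM

Consul & RabbitMQ ca certificate:
  Subject: CN=PhantomRabbitCA
  Valid until: Dec 04 2032 at 07:58 PM

Consul on port 8501 (LIVE):
  Subject: CN = 10.1.19.113, O = server
  Valid until: Dec  4 19:58:23 2032 GMT
"""

if __name__ == "__main__":
    certs = parse_status(SAMPLE)
    for name in expiring_within(certs, 30, datetime(2025, 2, 20)):
        print(f"refresh needed: {name} (expires {certs[name]:%Y-%m-%d})")
```

In practice, pipe the real command output into parse_status instead of SAMPLE and run the check from a cron job so a refresh is scheduled before the Nginx certificate lapses.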

Update the expiration date of certificates

This example updates the expiration date of the nginx SSL certificate on a single-instance deployment of Splunk SOAR (On-premises).

phenv update_certificates --skip-ca -v 2 refresh
Refreshing the following certificates: nginx
Shell command: openssl x509 -in /opt/phantom/etc/ssl/certs/httpd_cert.crt -pubkey -noout
b'-----BEGIN PUBLIC KEY-----'
KEY SIGNATURE APPEARS HERE
b'-----END PUBLIC KEY-----'
Command: /opt/phantom/bin/phsvc restart nginx
Shell command: /opt/phantom/bin/phsvc restart nginx
Stopping NGINX: [  OK  ]
Starting NGINX: [  OK  ]

Nginx certificate refreshed:
Loading cert from /opt/phantom/etc/ssl/certs/httpd_cert.crt

Nginx ssl certificate:
  Subject: CN=phantom
  Valid until: Apr 14 2025 at 07:11 PM

All done!
Last modified on 04 October, 2024

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 6.3.1