Splunk® SOAR (On-premises)

Install and Upgrade Splunk SOAR (On-premises)


Convert a privileged deployment to an unprivileged deployment

Release 5.3.6 of Splunk SOAR (On-premises) includes tools to convert a privileged deployment to an unprivileged deployment.

Because support for privileged deployments has been removed in release 5.4.0 and higher, you must convert a privileged deployment to an unprivileged one before you can upgrade beyond release 5.3.6.

Converting a privileged Splunk SOAR (On-premises) deployment to an unprivileged deployment cannot be undone. Make sure you are ready to convert before running the conversion tool.

Before you begin

There are a few steps to perform before you begin the conversion.

  1. Make a full backup of your Splunk SOAR (On-premises) deployment. See Splunk SOAR (On-premises) backup and restore overview in Administer Splunk SOAR (On-premises).
  2. Disable any warm standby. See Disable warm standby for Splunk SOAR (On-premises) in Administer Splunk SOAR (On-premises).
  3. Disable any cron jobs or other automated processes that might try to make changes to your Splunk SOAR (On-premises) deployment during the conversion process.

Changes to a privileged deployment when converting to an unprivileged deployment

Unprivileged instances of Splunk SOAR (On-premises) run as a user other than the root user.

  • New OVA or AMI deployments run under the user account phantom.
  • Privileged deployments converted to unprivileged deployments run under the user account phantom.
  • Manually installed unprivileged deployments run under the user account specified during installation.

The following changes are made to a deployment that is converted from privileged to unprivileged.

  • RPM dependencies that are replaced with unprivileged versions are uninstalled:
    • pgbouncer
    • nginx
    • postgresql
    • git
  • Splunk SOAR (On-premises) RPM entries are removed from the RPM database. Existing files are not removed, only the RPM database entries. This mostly affects deployments that were upgraded from Splunk Phantom.
  • Ownership of everything in the <$PHANTOM_HOME> directory is changed to phantom:phantom.
  • SELinux is disabled.
  • The unprivileged versions of the dependencies are installed:
    • pgbouncer
    • nginx
    • postgresql
    • git
  • Auto-boot is reconfigured.
  • The logging configuration setting for all of the Splunk SOAR daemons is modified in the phantom database.
  • The rsyslog configuration is removed.
  • The necessary configuration files are updated, mostly to update logging paths.
  • The phantom user is checked to ensure it has a gecos/full name attribute set.
  • A firewall port forward is configured from your custom unprivileged HTTPS port to HTTPS port 443. Firewalld must be running.
    For some releases, the custom HTTPS port is 9999, while on others it is 8443. See Splunk SOAR (On-premises) ports and endpoints for more information.

Manually converting a privileged deployment to an unprivileged deployment

After you have upgraded to the 5.3.6 release of Splunk SOAR (On-premises), you can convert your privileged deployment to an unprivileged one at any time. The tool works for single instances or clusters.

Converting a privileged Splunk SOAR (On-premises) deployment to an unprivileged deployment cannot be undone. Make sure you are ready to convert before running the conversion tool.

If you want to manually convert a privileged deployment of Splunk SOAR (On-premises) to an unprivileged one, do the following:

  1. Make sure that firewalld is active and running. The migration script requires firewalld to be active so that the script can configure it.

    If firewalld is not running, redirects from your custom HTTPS port to port 443 are not automatically configured, and SOAR is only available on your custom HTTPS port.

    If your deployment cannot use firewalld, see If you cannot use firewalld in your deployment.

    1. Check the status of firewalld.
      sudo systemctl status firewalld
      Example output from an active firewalld:
      ● firewalld.service - firewalld - dynamic firewall daemon
         Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
         Active: active (running) since Wed 2022-07-13 19:00:17 GMT; 1 weeks 1 days ago
    2. (Conditional) If firewalld is not active, enable it, then start it.
      sudo systemctl enable firewalld
      sudo systemctl start firewalld
  2. Change directory to /opt/phantom.
    cd /opt/phantom
  3. Run the migration tool, and follow the prompts.
    phenv python migration/migrate.py

    The migrate.py tool supports two arguments:

    • Use --no-prompt or -y to run the tool without prompting the user for input.
    • Use --https-port or -p to specify your custom HTTPS port. If you do not specify a port, 8443 is used.
  4. (Optional) If you are converting a privileged Splunk SOAR (On-premises) cluster, stop Splunk SOAR on all nodes, then repeat the preceding steps for each cluster node.

    If you are converting a privileged cluster to an unprivileged one, you must configure your load balancer to listen on your custom HTTPS port. If you did not specify a port during the migration, port 8443 is set for you.

If the script fails to complete the migration, an error message on stdout describes the error encountered and names the log file to consult for further troubleshooting.

If you cannot use firewalld in your deployment

Some deployments cannot use firewalld. If this is the case for your organization, manually convert your Splunk SOAR (On-premises) release 5.3.6 deployment from privileged to unprivileged.

As the root user:

cd /opt/phantom
/opt/phantom/bin/phenv python3 migration/migrate.py --no-prompt --https-port 8443

When you migrate this way, you must manually update all of your assets that are configured to use port 443 to use port 8443.
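The list of changes under "Changes to a privileged deployment when converting to an unprivileged deployment" doubles as a checklist for confirming that the conversion (with or without firewalld) actually took effect. The following script is an added example written for this page; it is not part of the Splunk SOAR documentation or product. It verifies the directory ownership, SELinux state, firewalld forward rule, service-account process ownership and custom port. Each check is a small function over command output so it can be exercised away from a SOAR host; run_live_checks wires the functions to the real commands. It assumes PHANTOM_HOME is /opt/phantom, the service account is phantom, the custom HTTPS port is 8443 (all overridable through the environment), that getenforce, firewall-cmd and procps ps -C exist on the host, and that nginx, pgbouncer and postgres are the process names of the replaced dependencies.

```shell
#!/bin/sh
# soar_unpriv_check.sh: post-conversion checks for an unprivileged Splunk SOAR
# (On-premises) deployment. Added example; not part of the Splunk documentation
# or product. Assumptions (override through the environment):
#   PHANTOM_HOME  install directory              (assumed /opt/phantom)
#   SOAR_USER     unprivileged service account   (assumed phantom)
#   HTTPS_PORT    custom unprivileged HTTPS port (assumed 8443)

PHANTOM_HOME="${PHANTOM_HOME:-/opt/phantom}"
SOAR_USER="${SOAR_USER:-phantom}"
HTTPS_PORT="${HTTPS_PORT:-8443}"

# An unprivileged process cannot bind a port below 1024, so the custom HTTPS
# port must be numeric and within 1024-65535 (443 itself is rejected).
custom_port_ok() {  # $1 = port
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Count paths under $1 not owned by user:group $2. The conversion chowns
# everything under PHANTOM_HOME to phantom:phantom, so the count should be 0.
count_foreign_owners() {  # $1 = directory, $2 = user:group
  find "$1" \( ! -user "${2%%:*}" -o ! -group "${2##*:}" \) -print 2>/dev/null \
    | wc -l | tr -d ' '
}

# The conversion disables SELinux; $1 is the output of `getenforce`.
selinux_ok() {  # $1 = getenforce output
  [ "$1" = "Disabled" ]
}

# The conversion adds a firewalld forward from 443/tcp to the custom port.
# $1 is the output of `firewall-cmd --list-forward-ports`, one rule per line
# in firewalld's "port=443:proto=tcp:toport=8443:toaddr=" form.
forward_rule_present() {  # $1 = rule list, $2 = custom port
  printf '%s\n' "$1" | grep -qE "^port=443:proto=tcp:toport=$2(:|\$)"
}

# After conversion the SOAR services run as the service account, never root.
# $1 is a newline-separated list of process owners; an empty list fails too,
# because it means no service process was found at all.
no_root_daemons() {  # $1 = process owner list
  [ -n "$1" ] && ! printf '%s\n' "$1" | grep -qx 'root'
}

# Run check command $2... and print its result beside description $1.
check() {
  desc=$1; shift
  if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; rc=1; fi
}

run_live_checks() {
  rc=0
  check "custom HTTPS port $HTTPS_PORT is bindable by an unprivileged user" \
    custom_port_ok "$HTTPS_PORT"
  check "everything under $PHANTOM_HOME is owned by $SOAR_USER:$SOAR_USER" \
    test "$(count_foreign_owners "$PHANTOM_HOME" "$SOAR_USER:$SOAR_USER")" -eq 0
  check "SELinux is disabled" \
    selinux_ok "$(getenforce 2>/dev/null)"
  check "firewalld forwards 443/tcp to port $HTTPS_PORT" \
    forward_rule_present "$(firewall-cmd --list-forward-ports 2>/dev/null)" "$HTTPS_PORT"
  # procps `ps -C` selects by command name; the replaced dependencies are
  # assumed to run as nginx, pgbouncer and postgres.
  check "no SOAR service process runs as root" \
    no_root_daemons "$(ps -o user= -C nginx,pgbouncer,postgres 2>/dev/null)"
  return "$rc"
}

# Live checks run only when SOAR_CHECK_LIVE=1, so the file can also be sourced
# for its functions on a machine that is not a SOAR host.
if [ "${SOAR_CHECK_LIVE:-0}" = 1 ]; then
  run_live_checks
fi
```

Run it on the converted host as root with SOAR_CHECK_LIVE=1 sh soar_unpriv_check.sh; a deployment converted without firewalld is expected to fail only the forward-rule check, which matches the note above that assets must then be pointed at port 8443 directly.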

Last modified on 20 September, 2023

This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.3.6

