Splunk® Phantom App for Splunk

Use the Splunk Phantom App for Splunk to Forward Events

Splunk Phantom App for Splunk has been replaced by Splunk App for SOAR Export.

Provide a valid SSL certificate for the connection between Splunk Phantom and Splunk Enterprise

By default, the connection between Splunk Phantom and Splunk Enterprise or Splunk Cloud Platform requires a valid SSL certificate. Splunk Phantom generates a self-signed certificate when it is installed. When a web browser requests a connection to Splunk Phantom, Splunk Enterprise, or Splunk Cloud Platform, HTTPS validation fails because the self-signed certificate is not issued by a valid Certificate Authority.

You can manage your HTTPS certificate validation on Splunk Enterprise by using one of the following methods to provide a valid SSL certificate, in order of preference:

  1. Use a valid certificate signed by a Certificate Authority.
  2. Add a public key to your Splunk Enterprise instance.
  3. Manage HTTPS certificate validation using configuration files.
  4. Manage HTTPS certificate validation using the REST API.

Disable certificate verification only in development or test environments. Do not disable certificate verification in a production system. If you are a Splunk Cloud Platform user, contact support with your certificate bundle.

Use a valid certificate signed by a Certificate Authority

Perform the following tasks to replace the default self-signed certificate in Splunk Phantom with a valid certificate signed by a Certificate Authority.

  1. Back up the existing self-signed certificate files in the following locations:
    /opt/phantom/etc/ssl/certs/httpd_cert.crt
    /opt/phantom/etc/ssl/private/httpd_cert.key
    
  2. Replace the existing certificate files with your new files, in the same location. If you choose to use a different location, edit the /etc/nginx/conf.d/default.conf file (or the <PHANTOM_HOME>/usr/nginx/conf/conf.d/phantom-nginx-server.conf file, for unprivileged installations) to point to the appropriate location.

    If you modify the Nginx configuration, it may be overwritten when Splunk Phantom is upgraded.

  3. If you are using a commercial certificate authority, you will be given one or more intermediate certificates to go along with your server certificate. You must add the intermediates to the httpd_cert.crt file. To do so, append the lines from the intermediate certificates to the server certificate file, after the server certificate. Once the intermediate certificates have been added, your httpd_cert.crt will look something like this:
    [root@localhost certs]# pwd
    /opt/phantom/etc/ssl/certs
    [root@localhost certs]# cat httpd_cert.crt 
    -----BEGIN CERTIFICATE-----
    MIIGBzCCA++gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZAxCzAJBgNVBAYTAlVT
    MRMwEQYDVQQIDApDYWxpZm9ybmlhMSIwIAYDVQQKDBlQaGFudG9tIEN5YmVyIENv
    cnBvcmF0aW9uMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEyMDAGA1UEAwwpUGhhbnRv
    bSBDeWJlciBDb3Jwb3JhdGlvbiBJbnRlcm1lZGlhdGUgQ0EwHhcNMTYwNjAyMDI0
    MzI2WhcNMjEwNjAxMDI0MzI2WjCBjzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNh
    bGlmb3JuaWExEjAQBgNVBAcMCVBhbG8gQWx0bzEiMCAGA1UECgwZUGhhbnRvbSBD
    eWJlciBDb3Jwb3JhdGlvbjEUMBIGA1UECwwLRW5naW5lZXJpbmcxHTAbBgNVBAMM
    FG15cGhhbnRvbS5waGFudG9tLnVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
    CgKCAQEAyFBqOJqtJrRM/kmOOVGmRm9DtaGlxfNCsmOMhpyR//ju025ibaoYiQRr
    BqbNhsmDZuzSAIqxkO1fwYw3LBLmsrFqtc3wwO5PDXl8fKGN49iYWzG5N5RtU0Nv
    9r/iCsGDM0tjnUxQaGpl3CNTil6qKKO+Xb2KeNKBM4xP9bwRzkQ9bBK9aIMd1f/y
    DquWNvgxkcofhS6Dicp3fySOym96Eb2GdBH9C3cYuPmBeqvOgj/OUidItLwL12oV
    0AaXKWC5HLYODqLGvfXtaw6c29mz/RM5UnI+/U+EErngypFhQD9a9ZbEAChCCZFo
    vUxF/ufk1C2RHvw32xjU69j52YQKnwIDAQABo4IBaDCCAWQwCQYDVR0TBAIwADAR
    BglghkgBhvhCAQEEBAMCBkAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2VuZXJh
    dGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUJ4hpYjyWbPPoUoa6pe2A
    vAUz5ScwgcoGA1UdIwSBwjCBv4AU46v2CJIQGDXu1FB6M9lKbsoUDRKhgaKkgZ8w
    gZwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlQ
    YWxvIEFsdG8xIjAgBgNVBAoMGVBoYW50b20gQ3liZXIgQ29ycG9yYXRpb24xFDAS
    BgNVBAsMC0VuZ2luZWVyaW5nMSowKAYDVQQDDCFQaGFudG9tIEN5YmVyIENvcnBv
    cmF0aW9uIFJvb3QgQ0GCAhAAMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr
    BgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEA5kdSwVQMHjCIQvyjOQsflPOcj2zS
    t0IWVp4OmDipJ+MYm4+bHvsw3OxBb3fWx4W7S249dbTNoTPqPlCoLLlv8mshTwF4
    nZJksLz5D40rtqrtYT1g3d1rDURz8rANP9MqHUpkXKETg9ufNwprWAdFYfd/IQw8
    e547k0Wy60NRb1rowI7hIOc/egqRU6WjQ5ygmCblHmoL9AK6Jh03tXS6maPrbSRt
    9Nkf/iPbkz8m7kOR1OUbq9/YXaNI6LECOYsI+ML8iy1ddPIGg+eNce3Lg47Q/rpY
    3Y+w1KHoticeetKvJn+mzxLiGXVEUik/Mm5eniJGMCa5bMO31xH5TXcouOE554u6
    gcACjeaTz/KYQ8TnMTAaJIG9GIvclao4xYA705LPMHHeEF5fQXRnJqSZ9i1tqWZQ
    EOFJ5RhJSJuf0j4P+4fpZOxV3wZJlvE6Ts3s2m2Iws+WLZSYAHlpVLUKuk2vxvrO
    v44syOGi80f/zPWAy4u0NrNSBMCCIv9VElJ+9azCjOW349murPZeymOWGM/A9HbU
    DH00pogNlUHHiZB+X9tKktFGAI2qZXHE13fRlmNbblAKepQdCNEo/Cji5sDXKacG
    7HaBZlQZiX9u2pOYtLZHSyCgfThtKv3DzmOFtER1BMDeiRffUcjGvMKErjU1SLeE
    FqZLl+YJqmQ7sZM=
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIGEDCCA/igAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZwxCzAJBgNVBAYTAlVT
    MRMwEQYDVQQIDApDYWxpZm9ybmlhMRIwEAYDVQQHDAlQYWxvIEFsdG8xIjAgBgNV
    BAoMGVBoYW50b20gQ3liZXIgQ29ycG9yYXRpb24xFDASBgNVBAsMC0VuZ2luZWVy
    aW5nMSowKAYDVQQDDCFQaGFudG9tIEN5YmVyIENvcnBvcmF0aW9uIFJvb3QgQ0Ew
    HhcNMTYwNjAxMjM0ODA4WhcNMjYwNTMwMjM0ODA4WjCBkDELMAkGA1UEBhMCVVMx
    EzARBgNVBAgMCkNhbGlmb3JuaWExIjAgBgNVBAoMGVBoYW50b20gQ3liZXIgQ29y
    cG9yYXRpb24xFDASBgNVBAsMC0VuZ2luZWVyaW5nMTIwMAYDVQQDDClQaGFudG9t
    IEN5YmVyIENvcnBvcmF0aW9uIEludGVybWVkaWF0ZSBDQTCCAiIwDQYJKoZIhvcN
    AQEBBQADggIPADCCAgoCggIBAPJEEEDFnoPwu70writqR/s2njLR6FqVNYcXGnot
    U9SU0mlOse3ZKa1tNKE84WBO0IYxFTXO+B1F7DK2aGmvC2pAdMH34zOdfk3j2FwA
    Zed4NUzkmn2cFcTa7Ldroj+8DLWPnB03FAlPfcXOx1yYhV1vxTdT1uw+nzyxbUGf
    kMVu0i+NpXjar9hzkw7YxyShnUYrlBX/kA8arWoe9v+b/1t8mnySb+v0DdW5i2pS
    6Jnu2C6tnYzPbqyQANsar1MFWHV0c3L24f8B8je33vdqdzmKlGbvCBBMS0LCQm7L
    B1xDY3yJrkjc+x6R6cBytxwW9+h/eZp6wpu2vtX15EOF6acJOCHtvXM9CbpVRHkW
    Hy5+c5cuEh4HA/0BGZa0okhy8aguD+YCVVFkeZ+UM0Arxs+mVrlbNQjeogaP1Kxm
    k7+GooB0z1PXL95dZarovawuJ+k3IPT+trTO8CtINqOZqauo56n6KSWtpN0OP+nE
    6xb92DR9LP8GvdKEnVH7AxBLinNrwtUqXgmqJFjcqNE6RdxmBxr2s35WJzaqBkzp
    mX4HVyxIFDXSRIY54RjyNcx+5glcCrDilekm6sSTtNcV3vCxSMlj64UjtaI8j0ph
    3xNFLfJBa9sDyljmwo+1SFQw/VIfDoasPJtxkgW/ry47XLs4wPvljNm/8bG/wtbf
    QmMfAgMBAAGjZjBkMB0GA1UdDgQWBBTjq/YIkhAYNe7UUHoz2UpuyhQNEjAfBgNV
    HSMEGDAWgBQtWQnie48FM86cNmhnlUEI9o0OQjASBgNVHRMBAf8ECDAGAQH/AgEA
    MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEATriE0O4xdpHojl5H
    l7xdTi5sBe5KdZ+zgs6BBJSbDKKPoADZzx0CUB5vzqx1By3z4aS0fWId+eG1rQ70
    JA2if+JqLR/NK0M9n/D9e4/wwz+GgDdtFARljrdvPiau4Rk1ybNGgdvKHBjF9lCG
    7uo1XVJ/IszFJGG37q3L+0aJjQnKxmgd0Fh1z50OtMjiO6EKzeAIJagr+zceobUt
    c5c3E67fITGI1Dr74em+g4Wo2th0zt7OYwfVTbFM7delGnCS/+J2JlGOX6A4KVd5
    2dN79y7Asf5ULngDOg77N+coHaEhHSS5gLYQ2vsi6mIRBmJaxkYwQErAg3ObHXiV
    94KIGlmDq3C9f1olUHdEbOw0njYG7R0zciKGe78FVQqtmjK1gbI8x9bo9+kzyVH6
    1Ru7ZnoitT8UqJxtMml4pUSHSM9u4HCjXkSYzEWmZzn+6weqH1qLwBCiqx5hgKUI
    IHq8Hu/RPwFQsEqTSZAgcA0QvbMxT7yqt5HYxLNvj6sbieQNRxjeUshCFt6/o42e
    buAkABxg0cY1kRdSKDjRL6NSw7t6GLs0xkW8Z98WbMmE7LueXqKTk/FZVRL4u9Nx
    eeheRnVf5vPVd6OSsLxpCQtzOCb9zG+LvIg16qJfacXtsDHbcRM6cKaDKlTT2CmA
    +xULbgPvxpR3cOc2l+bxhf0EExM=
    -----END CERTIFICATE-----
    
  4. Restart (reload) the nginx service:
    service nginx reload

    If Nginx fails to restart, SELinux may have a conflict with the changed security context of the SSL files. The issue can be resolved by resetting the security context of the replaced SSL files. The Nginx error log location is /var/log/nginx/error.log (or <PHANTOM_HOME>/var/log/nginx/error.log for unprivileged installations). Run the following commands to reset the security context and restart Nginx:

    restorecon /opt/phantom/etc/ssl/certs/httpd_cert.crt
    restorecon /opt/phantom/etc/ssl/private/httpd_cert.key
    service nginx reload
    

Add your Splunk Phantom or Splunk SOAR root CA certificate to your Splunk Enterprise instance

If you want to use the default Splunk SOAR or Splunk Phantom certificate or create your own self-signed certificate so that Splunk SOAR or Splunk Phantom can communicate securely with Splunk Enterprise, you must add your root CA certificate to Splunk Enterprise. To do so, perform the following tasks on Splunk Enterprise:

  1. (Optional) If you have an existing certificate from a previous configuration, make a backup copy of the existing $SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem file. First-time installations of Splunk Phantom will not have an existing certificate, so you must perform this step.
  2. Create or edit the existing $SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem file and add your PEM formatted certificate to the end of the file. This is the .pem or .crt file from the default Splunk Phantom certificate or your own self-signed certificate. See Getting your certificates in the Securing Splunk Enterprise manual for more information about creating your own SSL certificates for Splunk Enterprise.

Multiple Splunk SOAR or Splunk Phantom root CA certificates can be added to $SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem.
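The two file-editing procedures above (building httpd_cert.crt from the server certificate plus intermediates, and appending root CA certificates to cert_bundle.pem) share the same risky step: concatenating PEM files by hand. The following added example, which is not Splunk's code, does that with a backup and a sanity check on the inputs; the pem_count, bundle_pem, append_pem and demo function names and the .bak naming are this example's own choices, and the demo runs on constructed placeholder blocks rather than real certificates.

```shell
#!/bin/sh
# Added example, not Splunk's code: builds a PEM bundle as the procedures above
# describe, backing up any existing file first. Paths are parameters, so it
# serves both httpd_cert.crt (server cert, then intermediates) and cert_bundle.pem.

# Print the number of certificate blocks in a PEM file. Returns 1 when the
# file is missing, has no block, or has unbalanced BEGIN/END markers.
pem_count() {
    if [ ! -f "$1" ]; then echo 0; return 1; fi
    b=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    e=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    echo "$b"
    if [ "$b" -eq "$e" ] && [ "$b" -gt 0 ]; then return 0; else return 1; fi
}

# bundle_pem OUT PEM...: refuse malformed inputs, back up OUT to
# OUT.bak.<timestamp> if it exists, then write the inputs to OUT in order.
bundle_pem() {
    out=$1; shift
    for f in "$@"; do
        pem_count "$f" >/dev/null || { echo "bad PEM input: $f" >&2; return 1; }
    done
    [ -f "$out" ] && cp -p "$out" "$out.bak.$(date +%Y%m%d%H%M%S)"
    tmp=$(mktemp "$out.XXXXXX") || return 1
    for f in "$@"; do
        cat "$f" >> "$tmp"
        # add a newline if the input lacks one, so blocks never run together
        [ -n "$(tail -c 1 "$f")" ] && echo >> "$tmp"
    done
    chmod 644 "$tmp" && mv "$tmp" "$out"
}
# append_pem BUNDLE CERT: add one certificate (such as the Phantom root CA)
# to cert_bundle.pem, keeping whatever the bundle already holds.
append_pem() {
    if [ -f "$1" ]; then bundle_pem "$1" "$1" "$2"; else bundle_pem "$1" "$2"; fi
}
# Demo on constructed placeholder blocks (not real certificates): chain a
# server certificate with one intermediate, then add two root CAs to a bundle.
demo() {
    d=$(mktemp -d) || return 1
    for n in server intermediate rootca1 rootca2; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "$n-PLACEHOLDER" \
            '-----END CERTIFICATE-----' > "$d/$n.pem"
    done
    bundle_pem "$d/httpd_cert.crt" "$d/server.pem" "$d/intermediate.pem" || return 1
    append_pem "$d/cert_bundle.pem" "$d/rootca1.pem" || return 1
    append_pem "$d/cert_bundle.pem" "$d/rootca2.pem" || return 1
    echo "$(pem_count "$d/httpd_cert.crt") $(pem_count "$d/cert_bundle.pem")"
}
```

After running bundle_pem on the real httpd_cert.crt, the SELinux restorecon step and the nginx reload from the procedure above still apply.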

Manage HTTPS certificate validation using configuration files

You can configure HTTPS certificate validation by editing the verify_certs stanza in the phantom.conf Splunk Phantom App for Splunk configuration file.

Perform the following tasks:

  • Set the value to true or 1 to enable HTTPS certificate validation. For example:
    [verify_certs]
    value = true
    
  • Set the value to false or 0 to disable HTTPS certificate validation. For example:
    [verify_certs]
    value = false
    

It is a best practice to edit a local version of any configuration file, not the version in the default folder. See How to edit a configuration file in the Splunk Enterprise Admin Manual for more information.

Restart Splunk Enterprise to have configuration file changes take effect. To learn more, see When to restart Splunk Enterprise after a configuration file change in the Splunk Enterprise Admin Manual.

Manage HTTPS certificate validation using the REST API

In Splunk Enterprise, you can configure HTTPS certificate validation using the REST API by sending an HTTP POST to the REST endpoint with a curl command. The curl command has the following format:

curl -ku <username>:<password> https://<hostname>:<mgmtHostPort>/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs -d value=<true|false>

See Configuration endpoint descriptions in the Splunk Enterprise REST API Reference Manual for more information.

This method is not allowed in Splunk Cloud Platform environments.

Last modified on 26 January, 2024

This documentation applies to the following versions of Splunk® Phantom App for Splunk: 4.1.73
