topic Re: Forescout Adaptive Response TA - SSL error in All Apps and Add-ons

SSL error: How do I fix this Forescout Adaptive Response TA?

mattmans1 — Mon, 06 Jun 2022 03:02:38 GMT

Hi.

I'm having a nightmare getting this adaptive response TA working. Has anybody got it working? I'm getting the following error.

ta_forescout_response_init.py:45 - CRITICAL - Unexpected error while getting alert actions from CounterACT: HTTPSConnectionPool(host='forescout.mattlab.local', port=443): Max retries exceeded with url: /splunk/actions_info?auth=CounterACT%20A6885132-A0EE-4AED-A2A3-8C01AF148957 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))

The guide I've followed is here. Specifically page 15:

https://www.forescout.com/resources/app-and-add-on-for-splunk-how-to-guide-2-9-1/

********************************************************************************************

To enable HTTPS communication using Forescout eyeExtend for Splunk:

1. Operators must not use the default self-signed web-portal certificate; instead,
they need to procure their own certificate. See Appendix 😧 System
Certificate for Web Portal.

2. Once the certificates are installed on the CounterACT Appliance, the Forescout
platform Public Key Certificate must be appended to the cacert.pem file at the
following location:

$SPLUNK_HOME/lib/python2.7/site-packages/requests/cacert.pem

****************************************************************************

I have created a server certificate for forescout and copied the CA cert over to request directory below

root@splunklinux:/opt/splunk/lib/python3.7/site-packages/requests# ls -al
total 228
drwxrwxrwx 3 10777 10777 4096 May 15 21:56 .
drwxrwxrwx 73 10777 10777 4096 May 2 12:56 ..
-rwxrwxrwx 1 10777 10777 21344 Feb 1 00:57 adapters.py
-rwxrwxrwx 1 10777 10777 6271 Feb 1 00:57 api.py
-rwxrwxrwx 1 10777 10777 10206 Feb 1 00:57 auth.py
-rw-r--r-- 1 root root 2110 May 15 19:26 cacert.pem
-rwxrwxrwx 1 10777 10777 453 Feb 1 00:57 certs.py
-rwxrwxrwx 1 10777 10777 1678 Feb 1 00:57 compat.py
-rwxrwxrwx 1 10777 10777 18430 Feb 1 00:57 cookies.py
-rwxrwxrwx 1 10777 10777 3185 Feb 1 00:57 exceptions.py
-rwxrwxrwx 1 10777 10777 3515 Feb 1 00:57 help.py
-rwxrwxrwx 1 10777 10777 757 Feb 1 00:57 hooks.py
-rwxrwxrwx 1 10777 10777 3921 Feb 1 00:57 __init__.py
-rwxrwxrwx 1 10777 10777 1096 Feb 1 00:57 _internal_utils.py
-rwxrwxrwx 1 10777 10777 34210 Feb 1 00:57 models.py
-rwxrwxrwx 1 10777 10777 542 Feb 1 00:57 packages.py
drwxrwxrwx 2 root root 4096 May 15 21:59 __pycache__
-rwxrwxrwx 1 10777 10777 29332 May 15 21:56 sessions.py
-rwxrwxrwx 1 10777 10777 4129 Feb 1 00:57 status_codes.py
-rwxrwxrwx 1 10777 10777 2981 Feb 1 00:57 structures.py
-rwxrwxrwx 1 10777 10777 30049 Feb 1 00:57 utils.py
-rwxrwxrwx 1 10777 10777 436 Feb 1 00:57 __version__.py

there was no cacert.pem file in this location - what does it mean append the public key to the cacert.pem file? i just copied the ca cert from my forescout signed CA over to this location and called it cacert.pem as it didn't exist?

Re: Forescout Adaptive Response TA - SSL error

PickleRick — Mon, 16 May 2022 06:21:50 GMT

The general approach seems to be good but.

Which version of splunk are you using? This version of app is meant for Splunk 7 which is EOL. Splunk 8 uses Python 3, not 2. (This should have no connection with the error itself; just mentioning this as a general advice). There is a 3.0.3 version available on Splunkbase.

Try connecting to the web portal using openssl s_client and see the certificate chain.

Did you indeed apply a certificate from an external CA or did you simply copy out the default self-signed certificate from the server? (The docs say it won't work this way).

Re: Forescout Adaptive Response TA - SSL error

mattmans1 — Mon, 16 May 2022 08:35:10 GMT

Hi PickleRick,

thankyou for the reply. I'm using the latest which is 8.2.6 with the latest version of forescout 8.4. I did notice it used the python 3 libraries rather than 2. I have a windows CA so i signed the CSR from Forescout with a CA a created using openssl - copied the CA part to the splunk directory after.

I will try using the openssl client you specified to see the certificate chain - im suspecting its not presenting the CACERT.PEM certificate so i agree i need to figure out of that's actually what's not happening.

thanks for the advice i will update later when i try again.

Re: Forescout Adaptive Response TA - SSL error

alexstanley85 — Sun, 05 Jun 2022 23:51:52 GMT

The permission of cacert.pem looks root:root. Will that work ?
Also the path /app/analytics/splunk/lib/python3.7/site-packages/certifi/cacert.pem has a certificate which seems interesting to me. Forescout document mentioned a different path.