I want to link Phantom and Splunk, but if I enter rest API and save it an error will be output.
The content of the error is
"Could not communicate with Phantom server "https://10.13.255.27": [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)".
Could you give me some advice?
I'm sorry in my poor English, thank you.
Hi,
you can try the following steps , it is mentioned in the README file of phantom app.
You can disable the certificate validation entirely by POSTing to the Splunk REST API
https://splunk-server:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs
with the following as the request body:
value=0
For example, via CURL:
curl -ku 'username:password' https://splunk:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=json -d value=0
To re-enable certificate validation, you can post to the same endpoint but change "value" to 1.
Phantom recommends using certificates, and only disabling certificate verification in development
or test environments only. Never disable certificate verification for a production system.
How do you install the certificate though?
Hi,
you can try the following steps , it is mentioned in the README file of phantom app.
You can disable the certificate validation entirely by POSTing to the Splunk REST API
https://splunk-server:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs
with the following as the request body:
value=0
For example, via CURL:
curl -ku 'username:password' https://splunk:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=json -d value=0
To re-enable certificate validation, you can post to the same endpoint but change "value" to 1.
Phantom recommends using certificates, and only disabling certificate verification in development
or test environments only. Never disable certificate verification for a production system.
HI,kvswathi
Thank you for your answer.
I succeed to change the setting by editing "value" to "false" from "true" of "verify_certs" in $SPLUNK_HOME/etc/apps/phantom/local/phantom.conf and restarting Splunk.
Thanks, this worked for me.
Had to add stanza, as it was not in default\phantom.conf
[verify_certs]
value = false
Thanks @shozawa, it is quick fix me during development process.
Thanks kvswathi - I had the same problem. my curl wouldn't work - your edit suggestion did.
And debug refresh works too (w/o restart)