Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Re: Phantom APPs can not be set.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to link Phantom and Splunk, but if I enter rest API and save it an error will be output.
The content of the error is
"Could not communicate with Phantom server "https://10.13.255.27": [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)".
Could you give me some advice?
I'm sorry in my poor English, thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
you can try the following steps , it is mentioned in the README file of phantom app.
You can disable the certificate validation entirely by POSTing to the Splunk REST API
https://splunk-server:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs
with the following as the request body:
value=0
For example, via CURL:
curl -ku 'username:password' https://splunk:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=json -d value=0
To re-enable certificate validation, you can post to the same endpoint but change "value" to 1.
Phantom recommends using certificates, and only disabling certificate verification in development
or test environments only. Never disable certificate verification for a production system.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you install the certificate though?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
you can try the following steps , it is mentioned in the README file of phantom app.
You can disable the certificate validation entirely by POSTing to the Splunk REST API
https://splunk-server:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs
with the following as the request body:
value=0
For example, via CURL:
curl -ku 'username:password' https://splunk:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=json -d value=0
To re-enable certificate validation, you can post to the same endpoint but change "value" to 1.
Phantom recommends using certificates, and only disabling certificate verification in development
or test environments only. Never disable certificate verification for a production system.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI,kvswathi
Thank you for your answer.
I succeed to change the setting by editing "value" to "false" from "true" of "verify_certs" in $SPLUNK_HOME/etc/apps/phantom/local/phantom.conf and restarting Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, this worked for me.
Had to add stanza, as it was not in default\phantom.conf
[verify_certs]
value = false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @shozawa, it is quick fix me during development process.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks kvswathi - I had the same problem. my curl wouldn't work - your edit suggestion did.
And debug refresh works too (w/o restart)
Thanks for the Memories! Splunk University, .conf25, and our Community
Data Persistence in the OpenTelemetry Collector
Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever
