All Apps and Add-ons

SSL error: How do I fix this Forescout Adaptive Response TA?

mattmans1
New Member

Hi.

I'm having a nightmare getting this adaptive response TA working.  Has anybody got it working? I'm getting the following error.

ta_forescout_response_init.py:45 - CRITICAL - Unexpected error while getting alert actions from CounterACT: HTTPSConnectionPool(host='forescout.mattlab.local', port=443): Max retries exceeded with url: /splunk/actions_info?auth=CounterACT%20A6885132-A0EE-4AED-A2A3-8C01AF148957 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1106)')))

The guide I've followed is here.  Specifically page 15:

https://www.forescout.com/resources/app-and-add-on-for-splunk-how-to-guide-2-9-1/

********************************************************************************************

To enable HTTPS communication using Forescout eyeExtend for Splunk:

1. Operators must not use the default self-signed web-portal certificate; instead,
they need to procure their own certificate. See Appendix 😧 System
Certificate for Web Portal.


2. Once the certificates are installed on the CounterACT Appliance, the Forescout
platform Public Key Certificate must be appended to the cacert.pem file at the
following location:


$SPLUNK_HOME/lib/python2.7/site-packages/requests/cacert.pem

****************************************************************************

I have created a server certificate for forescout and copied the CA cert over to request directory below

root@splunklinux:/opt/splunk/lib/python3.7/site-packages/requests# ls -al
total 228
drwxrwxrwx 3 10777 10777 4096 May 15 21:56 .
drwxrwxrwx 73 10777 10777 4096 May 2 12:56 ..
-rwxrwxrwx 1 10777 10777 21344 Feb 1 00:57 adapters.py
-rwxrwxrwx 1 10777 10777 6271 Feb 1 00:57 api.py
-rwxrwxrwx 1 10777 10777 10206 Feb 1 00:57 auth.py
-rw-r--r-- 1 root root 2110 May 15 19:26 cacert.pem
-rwxrwxrwx 1 10777 10777 453 Feb 1 00:57 certs.py
-rwxrwxrwx 1 10777 10777 1678 Feb 1 00:57 compat.py
-rwxrwxrwx 1 10777 10777 18430 Feb 1 00:57 cookies.py
-rwxrwxrwx 1 10777 10777 3185 Feb 1 00:57 exceptions.py
-rwxrwxrwx 1 10777 10777 3515 Feb 1 00:57 help.py
-rwxrwxrwx 1 10777 10777 757 Feb 1 00:57 hooks.py
-rwxrwxrwx 1 10777 10777 3921 Feb 1 00:57 __init__.py
-rwxrwxrwx 1 10777 10777 1096 Feb 1 00:57 _internal_utils.py
-rwxrwxrwx 1 10777 10777 34210 Feb 1 00:57 models.py
-rwxrwxrwx 1 10777 10777 542 Feb 1 00:57 packages.py
drwxrwxrwx 2 root root 4096 May 15 21:59 __pycache__
-rwxrwxrwx 1 10777 10777 29332 May 15 21:56 sessions.py
-rwxrwxrwx 1 10777 10777 4129 Feb 1 00:57 status_codes.py
-rwxrwxrwx 1 10777 10777 2981 Feb 1 00:57 structures.py
-rwxrwxrwx 1 10777 10777 30049 Feb 1 00:57 utils.py
-rwxrwxrwx 1 10777 10777 436 Feb 1 00:57 __version__.py

there was no cacert.pem file in this location - what does it mean append the public key to the cacert.pem file?  i just copied the ca cert from my forescout signed CA over to this location and called it cacert.pem as it didn't exist?

 

Labels (1)
Tags (4)
0 Karma

PickleRick
Ultra Champion

The general approach seems to be good but.

Which version of splunk are you using? This version of app is meant for Splunk 7 which is EOL. Splunk 8 uses Python 3, not 2. (This should have no connection with the error itself; just mentioning this as a general advice). There is a 3.0.3 version available on Splunkbase.

Try connecting to the web portal using openssl s_client and see the certificate chain.

Did you indeed apply a certificate from an external CA or did you simply copy out the default self-signed certificate from the server? (The docs say it won't work this way).

0 Karma

mattmans1
New Member

Hi PickleRick,

 

thankyou for the reply.  I'm using the latest which is 8.2.6 with the latest version of forescout 8.4.  I did notice it used the python 3 libraries rather than 2.  I have a windows CA so i signed the CSR from Forescout with a CA a created using openssl - copied the CA part to the splunk directory after.

I will try using the openssl client you specified to see the certificate chain - im suspecting its not presenting the CACERT.PEM certificate so i agree i need to figure out of that's actually what's not happening.

thanks for the advice i will update later when i try again.

 

0 Karma

alexstanley85
New Member

The permission of cacert.pem looks root:root. Will that work ?
Also the path /app/analytics/splunk/lib/python3.7/site-packages/certifi/cacert.pem has a certificate which seems interesting to me. Forescout document mentioned a different path.

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...