All Apps and Add-ons

Phantom APPs can not be set.

shozawa
Explorer

I want to link Phantom and Splunk, but if I enter rest API and save it an error will be output.
The content of the error is

"Could not communicate with Phantom server "https://10.13.255.27": [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)".

Could you give me some advice?

I'm sorry in my poor English, thank you.

0 Karma
1 Solution

kvswathi
Path Finder

Hi,

you can try the following steps , it is mentioned in the README file of phantom app.

You can disable the certificate validation entirely by POSTing to the Splunk REST API
https://splunk-server:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs
with the following as the request body:
value=0

For example, via CURL:
curl -ku 'username:password' https://splunk:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=json -d value=0

To re-enable certificate validation, you can post to the same endpoint but change "value" to 1.

Phantom recommends using certificates, and only disabling certificate verification in development
or test environments only. Never disable certificate verification for a production system.

View solution in original post

AdamDDewey11
New Member

How do you install the certificate though?

0 Karma

kvswathi
Path Finder

Hi,

you can try the following steps , it is mentioned in the README file of phantom app.

You can disable the certificate validation entirely by POSTing to the Splunk REST API
https://splunk-server:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs
with the following as the request body:
value=0

For example, via CURL:
curl -ku 'username:password' https://splunk:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=json -d value=0

To re-enable certificate validation, you can post to the same endpoint but change "value" to 1.

Phantom recommends using certificates, and only disabling certificate verification in development
or test environments only. Never disable certificate verification for a production system.

shozawa
Explorer

HI,kvswathi

Thank you for your answer.

I succeed to change the setting by editing "value" to "false" from "true" of "verify_certs" in $SPLUNK_HOME/etc/apps/phantom/local/phantom.conf and restarting Splunk.

CSmoke
Path Finder

Thanks, this worked for me.

 

Had to add stanza, as it was not in default\phantom.conf

 

[verify_certs]

value = false

0 Karma

louismai
Path Finder

Thanks @shozawa, it is quick fix me during development process.

0 Karma

AzJimbo
Path Finder

Thanks kvswathi - I had the same problem. my curl wouldn't work - your edit suggestion did.

And debug refresh works too (w/o restart)

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...