I want to link Phantom and Splunk, but if I enter rest API and save it an error will be output.
The content of the error is
"Could not communicate with Phantom server "https://10.13.255.27": [SSL: CERTIFICATEVERIFYFAILED] certificate verify failed (_ssl.c:676)".
Could you give me some advice?
I'm sorry in my poor English, thank you.
you can try the following steps , it is mentioned in the README file of phantom app.
You can disable the certificate validation entirely by POSTing to the Splunk REST API
with the following as the request body:
For example, via CURL:
curl -ku 'username:password' https://splunk:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=json -d value=0
To re-enable certificate validation, you can post to the same endpoint but change "value" to 1.
Phantom recommends using certificates, and only disabling certificate verification in development
or test environments only. Never disable certificate verification for a production system.
Thank you for your answer.
I succeed to change the setting by editing "value" to "false" from "true" of "verifycerts" in $SPLUNKHOME/etc/apps/phantom/local/phantom.conf and restarting Splunk.
Thanks kvswathi - I had the same problem. my curl wouldn't work - your edit suggestion did.
And debug refresh works too (w/o restart)