
Cert issue with TA-Illumio

gregorytd
New Member

When configuring the Illumio TA it is failing to communicate to my Illumio server and errors about the certificate on the Illumio server. The Illumio product is installed with a valid Thawte certificate but Splunk is complaining about it when trying to configure the TA. Any thoughts as to why Splunk does not see the certificate as valid? I have tried loading the Thawte root cert and intermediate on the Splunk host OS, but it is still not working.
The Splunk setup is 6.6.4, running on Windows Server 2012.

Errors below:

2018-05-10 13:40:52,444 - Illumio_Get_Data - ERROR - Error Trace for failed workload request: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)
Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\TA-Illumio\bin\get_data.py", line 97, in get_workload
    r = requests.get(url +resource.get("orgs", "")+str(rest_help[4])+ resource.get("workload", ""), headers=headers, verify=cert_path)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\requests\api.py", line 55, in get
    return request('get', url, **kwargs)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\requests\api.py", line 44, in request
    return session.request(method=method, url=url, **kwargs)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\requests\sessions.py", line 456, in request
    resp = self.send(prep, **send_kwargs)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\requests\sessions.py", line 559, in send
    r = adapter.send(request, **kwargs)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\requests\adapters.py", line 382, in send
    raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)
2018-05-10 13:40:52,444 - Illumio_MODINPUT - INFO - Completed execution of threads.

Thanks

0 Karma

54638
Explorer

We finally have this working in our environment on TA-Illumio 2.1.0. It was not working on 2.0.1, so I imagine it may not have earlier either.

We had to use the double backslash in the "Custom (self-signed) certificate path":

C:\\Program Files\\Splunk\\etc\\apps\\TA-Illumio\\pce.crt
0 Karma

jforrest1234
New Member

Hi, thanks for the quick response. What syntax is needed for the directory path? I use Windows. C:......\filename.pem or something else?

0 Karma

sajjadlateef
Explorer

I do not know, but you can try the double backslash in the Windows path that someone else posted earlier.

C:\PATH\TO\cert.pem

0 Karma

mstjohn_splunk
Splunk Employee

Hi @jforrest1234,

Which user were you trying to ask this question to? There are two answers above from different users...

Thanks.

0 Karma

sajjadlateef
Explorer

If you use Firefox to access your Illumio server, you should be able to download the root certificate chain directly:
a. Click on the padlock in the URL bar
b. Examine the "Secure Connection" and then click "More Information"
c. A dialog box pops open (at least, on Mac OS-X) and there is a "View Certificate" button
d. Click on View Certificate, click on Details. You will see the certificate chain.

Now, highlight the root cert (at the very top), and then click the "Export" button. This will download the entire root certificate chain in PEM format.

Upload this certificate to your Splunk server in a location that is accessible. Provide the full path to this certificate in the Data Input and save the data input.

This should resolve the issue.

0 Karma
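
An added example, not part of any post in this thread and not the TA's own code: a Python 3 pre-flight check for the certificate path that the traceback above shows being passed to requests as verify=cert_path. The function names, messages and the constructed sample bundle are assumptions made for illustration.

```python
import base64
import os
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)
# A tab/newline/etc. inside a path means "\t", "\n", ... in a Windows path was
# interpreted as an escape sequence instead of a literal backslash.
CONTROL = re.compile(r"[\x00-\x1f]")

# Constructed sample: two PEM-armoured placeholders, not real certificates.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed placeholder, not a real cert").decode()
    + "\n-----END CERTIFICATE-----\n"
) * 2


def count_pem_certs(text):
    """Count PEM CERTIFICATE blocks whose body is valid base64."""
    count = 0
    for body in PEM_BLOCK.findall(text):
        try:
            base64.b64decode("".join(body.split()), validate=True)
            count += 1
        except ValueError:
            pass  # armour present but body is not base64: not a usable cert
    return count


def check_verify_path(raw):
    """Return a list of problems with a path meant for requests' verify=."""
    problems = []
    if CONTROL.search(raw):
        problems.append("control character in path: a backslash escape was interpreted")
    if not os.path.exists(raw):
        return problems + ["path does not exist as seen by this process"]
    if os.path.isdir(raw):
        return problems + ["directory given: requests expects c_rehash-processed contents"]
    with open(raw, "rb") as fh:
        text = fh.read().decode("latin-1")  # latin-1 never fails on binary input
    if count_pem_certs(text) == 0:
        problems.append("no PEM certificate blocks found (DER or empty export?)")
    return problems


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else __file__
    for line in check_verify_path(target) or ["looks usable as a CA bundle"]:
        print(line)
```

Run it under the same account the Splunk service uses, so the existence and read checks reflect what the TA itself sees.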

xpac
SplunkTrust

Did you try to upload the Root CA certificate somewhere where Splunk has read permissions and then set this parameter in the input config?

Certificate Path
When a self-signed SSL certificate is used with the PCE, its SSL Certificate needs to be uploaded onto Splunk Server and the full path to directory containing the certificate should be provided here.
0 Karma

gregorytd
New Member

I uploaded the Root CA cert to the Splunk server and believe read permissions were set. On Windows Server, what permissions do I need to give the file so Splunk can have read access? The Splunk processes run as Local System, so I assumed Local System was the rights the file needed, or am I missing something?

Thanks

0 Karma

xpac
SplunkTrust

Yeah, that is basically local admin, and should be fine, unless you did something really weird.
Did you set the path to those files in the input settings? Maybe on Windows you need to do something strange, like doubling the \s, or replacing \ with / - nothing I can actually point you to, but all of those have happened to me in the past, so it's worth giving them a try.

0 Karma

jforrest1234
New Member

Was anyone able to resolve this issue?

0 Karma