Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I get Tenable add-on to connect to Splunk?

sudderthc
Loves-to-Learn Lots
‎03-28-2023 09:01 AM

Hello all,

I was reaching out to see if anyone has come across issues connecting Tenable.sc add-on to Splunk.  I downloaded the Tenable application and add-on, and I was able upload to Splunk.  My issue is getting Tenable to connect to Splunk.  When I try with credentials, I receive the following error, "Please enter valid address, username and password, or configure valid proxy settings or verify  SSL certificate."  When trying with API keys, I receive the following error, "Please enter valid address, access key, secret key, or configure valid proxy settings.  I have verified credentials and API keys multiple times.  Can anyone help with this?  Thank you. 

Labels (2)
Labels
Tags (1)
0 Karma
Reply

flakshack
Path Finder
‎04-24-2025 02:24 PM

Sorry to resurrect this old thread, but I ran across this post in my search to solve my problem and thought I'd share the solution.  Here's the error in the log:

/opt/splunk/var/log/splunk/ta_tenable_tenable_securitycenter.log

requests.exceptions.SSLError: HTTPSConnectionPool(host='mytenableserver.mycompany.local', port=443): Max retries exceeded with url: /rest/system (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1161)')))



There used to be a UI option in the Addon to disable certificate verification, but apparently this functionality was removed by Splunk, so to fix it there are 2 options described below in case the Tenable KB article changes in the future.  Note that any update to the Addon would overwrite these changes, so you'll have to do them each time you update it.

Best Option:  Append your custom CA cert to the one in the certifi folder.  Change the script to reference your CA certificate chain file (text file with all the certificates BASE64 encoded).

Command to append our CA to the certifi cacert.pem file

su splunk
cp /opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/certifi/cacert.pem /opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/certifi/cacert.pem.original
cat /opt/splunk/etc/auth/mycerts/mycustom-ca-chain.pem >> /opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/certifi/cacert.pem


Next option:  Disable SSL certificate verification (less secure).

/opt/splunk/etc/apps/TA-tenable/bin/tenable_consts.py

verify_ssl_for_sc_api_key = False



Source:
https://docs.tenable.com/integrations/Splunk/Content/Splunk2/ConfigureTenablescCertificatesS2.htm

0 Karma
Reply

esalesapns2
Communicator
‎09-26-2024 01:34 PM

the curl command works from the command line only if I specify "-k" (ignore SSL cert)
how do I get Splunk to accept the cert?

0 Karma
Reply

Tom_Lundie
Contributor
‎03-28-2023 06:39 PM

Hi @sudderthc,

First and foremost, this add-on is supported by Tenable so I would raise a case with them if you can't get this going.

Looking at tenable_account_validation.py that error is unfortunately just as vague as it looks. Funnily enough, the ConnectionError exception that's raised to trigger that exception is decently verbose but for some reason the TA Devs have decided to mask it with that generic error you're seeing.

If you're comfortable with it, you could temporarily modify the TA to include the verbose exception details. I've also included some more generic troubleshooting steps to help if you'd rather not touch the code.

Making the TA Validation More Verbose:

Modify tenable_account_validation.py lines 221-223
From:

 

                except Exception:
                    msg = "Please enter valid Address, Username and Password or configure valid proxy settings or verify SSL certificate."
                    raise Exception(msg)

 

To:

 

                except Exception as e:
                    msg = "Please enter valid Address, Username and Password or configure valid proxy settings or verify SSL certificate. Verbose Details: " + repr(e)
                    raise Exception(msg)

 

Then try to add your account again. It should now include the verbose details about what went wrong.

High-Level Troubleshooting:

If I were troubleshooting this on the Splunk host, I would step-through the following:

1. Establish basic connectivity:

 

curl -k https://tenablesc_host:tenablesc_port/rest/system

 

If you're behind a proxy you can use the --proxy curl switch.
Do you get a response? If not then you'll need to facilitate this connectivity first.

2. Validate SSL Settings:

(This is only applicable if you're using verify_ssl=true, if not then skip to 3.)

 

curl https://tenablesc_host:tenablesc_port/rest/system

 

Does the same command work with SSL Verification (no -k)? If not, then you're probably using a self-signed certificate for your Tenable SC instance. Tenable does not support self-signed certificates on their SDK, but you could modify the TA slightly to support it. A quick look through the code shows that it leverages the restfly library so you could update the APISessions base class to support your self-signed certificate. Do this as your own risk, it will be a trade-off between SSL verification and upstream support.

3. Validate Credentials

If you've managed to establish connectivity then I would test if your credentials are working properly.

 

curl https://tenablesc_host:tenablesc_port/rest/system -H "X-APIKey: accessKey=123; secretKey=123;"

 

(Replacing 123 with the appropriate keys) does this return the same content as the previous commands? If not and you receive a login denied message instead, validate that your credentials are correct and API key login is enabled on the SC instance.

Good Luck, let me know how you get on!

0 Karma
Reply

x_R4Z0R_x
New Member
‎02-06-2025 04:44 AM

For Tenable SC with Custom Server SSL Certificate:
After identifying the source issue, if its SSL-related, Modify the following file to disable SSL Verification: /opt/splunk/etc/apps/TA-tenable/bin/tenable_consts.py
verify_ssl_for_sc_api_key = False

It worked for me.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
li.common.scroll-to.top