Splunk Enterprise

How do I get Tenable add-on to connect to Splunk?

sudderthc
Loves-to-Learn Lots

Hello all,

I was reaching out to see if anyone has come across issues connecting the Tenable.sc add-on to Splunk. I downloaded the Tenable application and add-on, and I was able to upload them to Splunk. My issue is getting Tenable to connect to Splunk. When I try with credentials, I receive the following error: "Please enter valid address, username and password, or configure valid proxy settings or verify SSL certificate." When trying with API keys, I receive the following error: "Please enter valid address, access key, secret key, or configure valid proxy settings." I have verified credentials and API keys multiple times. Can anyone help with this? Thank you.

0 Karma

flakshack
Path Finder

Sorry to resurrect this old thread, but I ran across this post in my search to solve my problem and thought I'd share the solution.  Here's the error in the log:

/opt/splunk/var/log/splunk/ta_tenable_tenable_securitycenter.log

requests.exceptions.SSLError: HTTPSConnectionPool(host='mytenableserver.mycompany.local', port=443): Max retries exceeded with url: /rest/system (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1161)')))



There used to be a UI option in the Addon to disable certificate verification, but apparently this functionality was removed by Splunk, so to fix it there are 2 options described below in case the Tenable KB article changes in the future.  Note that any update to the Addon would overwrite these changes, so you'll have to do them each time you update it.

Best Option:  Append your custom CA cert to the one in the certifi folder.  Change the script to reference your CA certificate chain file (text file with all the certificates BASE64 encoded).

Command to append our CA to the certifi cacert.pem file

su splunk
cp /opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/certifi/cacert.pem /opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/certifi/cacert.pem.original
cat /opt/splunk/etc/auth/mycerts/mycustom-ca-chain.pem >> /opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/certifi/cacert.pem


Next option:  Disable SSL certificate verification (less secure).

/opt/splunk/etc/apps/TA-tenable/bin/tenable_consts.py

verify_ssl_for_sc_api_key = False



Source:
https://docs.tenable.com/integrations/Splunk/Content/Splunk2/ConfigureTenablescCertificatesS2.htm

0 Karma
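
The first option in the post above has to be repeated after every add-on update, so it helps to script it so that it can be re-run safely. This is an added example, not part of the original post or the add-on's code; the helper name `add_ca_to_bundle` and its return codes are assumptions, and the paths in the usage comment are the ones quoted in the post.

```bash
#!/usr/bin/env bash
# Added example, not add-on code: idempotently append a private CA chain to the
# certifi bundle. Run as the splunk user so file ownership is unchanged.

# add_ca_to_bundle BUNDLE CHAIN (hypothetical helper)
# returns 0 = appended, 1 = already present, 2 = input rejected
add_ca_to_bundle() {
    local bundle=$1 chain=$2
    if [ ! -f "$bundle" ] || [ ! -s "$chain" ]; then
        echo "bundle or chain file missing" >&2; return 2
    fi
    # Accept PEM certificates only, and never copy key material into the bundle.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$chain"; then
        echo "chain is not PEM text" >&2; return 2
    fi
    if grep -q -e 'PRIVATE KEY-----' "$chain"; then
        echo "chain contains a private key" >&2; return 2
    fi
    # Already applied? True when every line of the chain is already in the bundle.
    if ! grep -q -v -x -F -f "$bundle" "$chain"; then
        return 1
    fi
    # Keep one pristine copy; an existing .original is never overwritten.
    [ -e "$bundle.original" ] || cp -p "$bundle" "$bundle.original"
    { printf '\n# private CA chain appended from %s\n' "$chain"; cat "$chain"; } >> "$bundle"
}

# Usage, with the paths from the post:
#   ./add_ca.sh /opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/certifi/cacert.pem \
#               /opt/splunk/etc/auth/mycerts/mycustom-ca-chain.pem
if [ "$#" -eq 2 ]; then add_ca_to_bundle "$1" "$2"; fi
```

A return code of 1 after an add-on update means the bundle was not overwritten; 0 means the chain had to be re-applied.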

esalesapns2
Communicator

The curl command works from the command line only if I specify "-k" (ignore SSL cert).
How do I get Splunk to accept the cert?

0 Karma

Tom_Lundie
Contributor

Hi @sudderthc,

First and foremost, this add-on is supported by Tenable so I would raise a case with them if you can't get this going.

Looking at tenable_account_validation.py that error is unfortunately just as vague as it looks. Funnily enough, the ConnectionError exception that's raised to trigger that exception is decently verbose but for some reason the TA Devs have decided to mask it with that generic error you're seeing.

If you're comfortable with it, you could temporarily modify the TA to include the verbose exception details. I've also included some more generic troubleshooting steps to help if you'd rather not touch the code.

Making the TA Validation More Verbose:

Modify tenable_account_validation.py lines 221-223
From:

 

                except Exception:
                    msg = "Please enter valid Address, Username and Password or configure valid proxy settings or verify SSL certificate."
                    raise Exception(msg)

 

To:

 

                except Exception as e:
                    msg = "Please enter valid Address, Username and Password or configure valid proxy settings or verify SSL certificate. Verbose Details: " + repr(e)
                    raise Exception(msg)

 

Then try to add your account again. It should now include the verbose details about what went wrong.

High-Level Troubleshooting:

If I were troubleshooting this on the Splunk host, I would step through the following:

1. Establish basic connectivity:

 

curl -k https://tenablesc_host:tenablesc_port/rest/system

 

If you're behind a proxy you can use the --proxy curl switch.
Do you get a response? If not then you'll need to facilitate this connectivity first.

2. Validate SSL Settings:

(This is only applicable if you're using verify_ssl=true, if not then skip to 3.)

 

curl https://tenablesc_host:tenablesc_port/rest/system

 

Does the same command work with SSL Verification (no -k)? If not, then you're probably using a self-signed certificate for your Tenable SC instance. Tenable does not support self-signed certificates on their SDK, but you could modify the TA slightly to support it. A quick look through the code shows that it leverages the restfly library so you could update the APISessions base class to support your self-signed certificate. Do this at your own risk, it will be a trade-off between SSL verification and upstream support.

3. Validate Credentials

If you've managed to establish connectivity then I would test if your credentials are working properly.

 

curl https://tenablesc_host:tenablesc_port/rest/system -H "X-APIKey: accessKey=123; secretKey=123;"

 

(Replace 123 with the appropriate keys.) Does this return the same content as the previous commands? If not and you receive a login denied message instead, validate that your credentials are correct and API key login is enabled on the SC instance.

Good Luck, let me know how you get on!

0 Karma
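
Steps 1 and 2 of the post above can be run in order with the first failing step reported, as in this added example (not part of the original post or the add-on's code). Step 2 here verifies against the add-on's certifi bundle, at the path quoted earlier in this thread, instead of the OS trust store that plain curl uses, because the two can disagree. The function names and verdict words are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not add-on code: steps 1 and 2 from the post above, with step 2
# run against the CA bundle the add-on loads rather than the OS trust store.

# Bundle path as quoted earlier in this thread; override via ADDON_BUNDLE.
ADDON_BUNDLE=${ADDON_BUNDLE:-/opt/splunk/etc/apps/TA-tenable/bin/ta_tenable/certifi/cacert.pem}

# probe [curl options] URL: print the HTTP status, return curl's exit code.
probe() {
    curl --silent --output /dev/null --max-time 15 --write-out '%{http_code}' "$@"
}

# check_sc HOST PORT (hypothetical helper): print one verdict word.
check_sc() {
    local url="https://$1:$2/rest/system" code rc=0
    # Step 1: reachability only, certificate checks off (-k).
    probe -k "$url" >/dev/null || rc=$?
    case $rc in
        0)  ;;
        6)  echo dns_failure; return 1 ;;
        7)  echo connection_refused; return 1 ;;
        28) echo timeout; return 1 ;;
        *)  echo "unreachable_curl_exit_$rc"; return 1 ;;
    esac
    # Step 2: same request, verified against the add-on's certifi bundle.
    rc=0
    code=$(probe --cacert "$ADDON_BUNDLE" "$url") || rc=$?
    case $rc in
        0)  echo "ok_http_$code"; return 0 ;;
        60) echo untrusted_certificate; return 1 ;;  # issuing CA not in the bundle
        77) echo bundle_unreadable; return 1 ;;      # CA file missing or unreadable
        *)  echo "tls_error_curl_exit_$rc"; return 1 ;;
    esac
}

# Usage: ./check_sc.sh tenablesc_host tenablesc_port
if [ "$#" -eq 2 ]; then check_sc "$1" "$2"; fi
```

If a proxy is in the path, curl picks it up from the `https_proxy` environment variable, which has the same effect as the `--proxy` switch mentioned in the post.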

x_R4Z0R_x
New Member

For Tenable SC with Custom Server SSL Certificate:
After identifying the source issue, if it's SSL-related, modify the following file to disable SSL Verification: /opt/splunk/etc/apps/TA-tenable/bin/tenable_consts.py
verify_ssl_for_sc_api_key = False

It worked for me.

 

0 Karma