I am getting a 403 error when adding a new server configuration to the Phantom app in Splunk.
"There was an error adding the server configuration. Verify server's 'Allowed IPs' and authorization configuration.
I have made sure that the Allowed IPs are set to 'any', and have regenerated the Authorization Configuration multiple times. Any idea what is going on? Anyone have a similar experience?
I'm having the exact same issue. I can confirm that traffic TCP port 443 traffic is allowed between the Splunk server and the Phantom server.
Two things to verify. First, is your account associated with the phantom role? If you are using local accounts, simply add your account in Settings/Access Control/Roles. If you are using LDAP users, then map the groups using Authentication/Authentication Method/LDAP Settings/Map Groups.
Next login CLI to your Phantom server and run the following command:
curl -ku 'username:password' https://SplunkEnterpriseServer.domain.com:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify... -d value=0
Finally clean up history
run the history command from the cli prompt
find the line number with your password in plain text
Run the command: history -d %linenumber%
run the history command again to verify you deleted the password.
I'm not sure if "any" will work, but if not, enter the IP of the ES server you are connecting from.
Go back the phantom app configuration and try to create the server again.
This is the history of the Linux operating system. from the shell command line, type the command "history". This shows the most recent commands typed into the shell. If you put a password on the command line as a parameter, it will show in history. you can either clear all the history, or just that one line. To clear just the one line, find the line number with your password in plain text. Then Run the command: history -d "linenumber" - (no quotes, just the line number you found running the history command.
I use the history in Linux to save time by pressing either the up or down arrow on the keyboard. So I only delete the one line with the password in it. The rest I leave alone.
You can also omit the the password and curl will prompt, thus eliminating the need to clear up the history.
Hi aridday, is that the full error message or is there more text below the "Text: Forbidden" part?
This is a step-by-step walk through of the configuration and some troubleshooting steps. Hopefully this will help with people seeing these types of messages.
The starting point is having a Phantom OVA configured and a Splunk instances without the Phantom App for Splunk installed.
1) Let's start by installing the Phantom App for Splunk:
2) Let's go ahead and add a user to the Phantom Role in Splunk:
(assuming 'admin' will be creating doing the configuration)
(Don't forget to click 'Save' after adding the Phantom role!)
Next, let's look our App:
Let's go to the Phantom Server Configuration:
We can see in the next screenshot that HTTPS Certificate verification is enabled. For this post, being in a lab environment and without the requisite certificate work going into place, I am going to disable this. If you're just building Phantom with default certs or in a lab, you should follow this next step too.
NOTE: If you are using Splunk Cloud, you cannot disable SSL verification. Instead you will need to get a valid cert issued from a public CA.
Let's disable this verification. We can see in the README.md of the Phantom app in Splunk how to do this. To quote the document directly:
curl -ku 'username:password' https://splunk:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\=json -d value=0
So, I am going to type the following:
curl -ku admin https://192.168.54.22:8089/servicesNS/nobody/phantom/configs/conf-phantom/verify_certs\?output_mode\... -d value=0
Note that I changed "splunk" -> "192.168.54.22" and I removed the ":password" from the first parameter. I like to be prompted for the password and thus not have the password go into bash_history.
Now, if I refresh the Phantom Server Configuration page, I can see that HTTPS certification verification is disabled.
Okay... let's pop over to Phantom to get that side configured....
First, we'll create a new automation user:
NOTE: In the next screenshot I have configured an IP for my lab. My configuration looks like this:
Therefore, Phantom (.72) has to allow Splunk (.22).
NOTE:your IP configs will almost certainly be different
After clicking 'Create', we'll need to click the newly created account to get our API key.
Copy the entire API key to your clipboard and head back over to the Phantom Server Configuration in Splunk. Then click 'Create Server'. Paste the JSON there:
When you click 'Save' it should validate the settings.
I've see the 403 errors be caused by the wrong IP address in the 'allowed ips' dialog box in Phantom. I've seen 403 because the Phantom role was not assigned to the user.
Hope this helps!