Splunk SOAR

Phantom App for Splunk: Error loading Phantom Server Configurations & Error HTTP certification verification?

test_qweqwe
Builder

Hi.
I don't understand how to fix it.

App: Phantom -> Phantom Server Configuration:
Error loading Phantom Server Configurations: You must have phantom_read, phantom_write and admin_all_objects permissions.

Labels (2)
1 Solution

test_qweqwe
Builder

@sebeling3
Hi, I fixed it already.
If you have problem like my.
Try in Splunk via GUI:

Settings > Access controls > Roles > Admin > Capabilities

And move phantom_read, phantom_write from Available capabilities to Selected capabilities

If you will have problem with HTTPS certificate verification.
Try:
%splunk_home%/etc/apps/phantom/local/phantom

 [verify_certs]
 value = true (change to false)

View solution in original post

bob_miron
Engager

Hi,

Thanks for documenting this, I was miles away and looking at the Capabilities on the Phantom side rather than Splunk's.

If I can participate, note that you can enable HTTPS with these steps:
from your browser (or any other method you like), export the certificate of the phantom. machine as X.509 Certificate (PEM).
For instance, with Firefox: Click the padlock icon on the left of the URL > Click the arrow next to the IP address (if you're using the IP as I am) > More information (at the bottom) > Security tab > View Certificate > in the next open that opens > Details > Export

Copy this to your Splunk ,machine in $SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem

Now return to Splunk's Web UI and save your "Phantom Server Configuration" again. This should be accepted. No restart required.

vasdell
Engager

One other thing that tripped me up: add your Splunk server IPs to the Allowed IPs list of the Phantom user you copied the token from.

0 Karma

test_qweqwe
Builder

@sebeling3
Hi, I fixed it already.
If you have problem like my.
Try in Splunk via GUI:

Settings > Access controls > Roles > Admin > Capabilities

And move phantom_read, phantom_write from Available capabilities to Selected capabilities

If you will have problem with HTTPS certificate verification.
Try:
%splunk_home%/etc/apps/phantom/local/phantom

 [verify_certs]
 value = true (change to false)

DEAD_BEEF
Builder

for clarity, the path is:

%splunk_home%/etc/apps/phantom/local/phantom.conf

0 Karma

oadiaobong
New Member

i don have local folder all i see is default and i made the change there and i still get the error "AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/phantom/configs/conf-phantom?count=-1&output_mode=json"

can anyone help

0 Karma

sebeling3
New Member

I'm seeing the same thing. I am new to Splunk and Phantom and wanted to setup a POC using the free versions. I've installed both Splunk (win 2016) and Phantom on Centos 7.4 on Azure on the same subnet.

Connectivity seems to be fine from both servers.

I am simply trying to setup via the Splunk Enterprise "app" under this screen by following the directions on the Phantom Configuration Page.

0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...