Splunk SOAR

Phantom App for Splunk: Error loading Phantom Server Configurations & Error HTTP certification verification?

test_qweqwe
Builder

Hi.
I don't understand how to fix it.

App: Phantom -> Phantom Server Configuration:
Error loading Phantom Server Configurations: You must have phantom_read, phantom_write and admin_all_objects permissions.

1 Solution

test_qweqwe
Builder

@sebeling3
Hi, I fixed it already.
If you have a problem like mine,
try this in Splunk via the GUI:

Settings > Access controls > Roles > Admin > Capabilities

And move phantom_read, phantom_write from Available capabilities to Selected capabilities

If you have a problem with HTTPS certificate verification,
try:
%splunk_home%/etc/apps/phantom/local/phantom

 [verify_certs]
 # default is true; set to false to skip HTTPS certificate verification
 value = false

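The capability fix above expressed as configuration rather than clicks, as an added example that is not from this thread or from the Phantom app's own files: the authorize.conf stanza that is equivalent to the Roles page edit, plus a dedicated-role variant for people who only manage the SOAR integration. It assumes the capabilities are the ones named in the error message (phantom_read, phantom_write, admin_all_objects) and that you can add a role; the role name soar_integrator is made up for the illustration.

```ini
# Added example: $SPLUNK_HOME/etc/system/local/authorize.conf
# Equivalent of Settings > Access controls > Roles > Admin > Capabilities.
# Restart splunkd afterwards so the stanza is picked up.

# Option 1: what the accepted answer does in the GUI. The admin role already
# has admin_all_objects, so only the two app capabilities are missing.
[role_admin]
phantom_read = enabled
phantom_write = enabled

# Option 2 (assumed role name): a dedicated role carrying only the three
# capabilities the app asks for, instead of handing the SOAR integration to
# full admins. Note that admin_all_objects is itself broad (read/write of all
# knowledge objects), so give this role to as few accounts as possible.
[role_soar_integrator]
importRoles = user
admin_all_objects = enabled
phantom_read = enabled
phantom_write = enabled
```

The phantom_read and phantom_write capabilities are declared by the Phantom app's own default authorize.conf; this fragment only assigns them, so if the app is not installed the stanza will reference capabilities Splunk does not know.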

bob_miron
Engager

Hi,

Thanks for documenting this, I was miles away and looking at the Capabilities on the Phantom side rather than Splunk's.

If I can participate, note that you can enable HTTPS with these steps:
from your browser (or any other method you like), export the certificate of the Phantom machine as an X.509 Certificate (PEM).
For instance, with Firefox: click the padlock icon on the left of the URL > click the arrow next to the IP address (if you're using the IP as I am) > More information (at the bottom) > Security tab > View Certificate > in the window that opens > Details > Export.

Copy this to your Splunk machine as $SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem

Now return to Splunk's Web UI and save your "Phantom Server Configuration" again. This should be accepted. No restart required.
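The export-and-trust approach above, as an added example that is not part of this thread or of the Phantom app: a POSIX shell script that pulls the SOAR server's certificate with the OpenSSL CLI instead of a browser, and checks offline that a cert_bundle.pem would actually validate that certificate for the IP the Splunk app is pointed at. It assumes the OpenSSL CLI is installed and that the app's HTTPS client uses cert_bundle.pem as its trust store and verifies the host or IP it connects to (as Python requests does by default). The two certificates it creates in a temp directory are constructed stand-ins for the SOAR server's certificate and an unrelated one, not anything from this thread.

```sh
#!/bin/sh
# Added example: build and sanity-check cert_bundle.pem for the Phantom App
# for Splunk instead of setting verify_certs to false.
set -eu

# Real-world step (needs the SOAR server reachable; not run in the demo below).
# Pulls the first certificate the server presents, i.e. its own, as PEM.
# Usage: fetch_server_cert 10.0.0.5 443 > $SPLUNK_HOME/etc/apps/phantom/local/cert_bundle.pem
# If the SOAR certificate was issued by your own CA, put that CA's certificate
# in the bundle instead of the leaf, so a renewed server cert still verifies.
fetch_server_cert() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Returns 0 when the bundle is enough to validate the server certificate for
# the given IP: the chain must anchor in the bundle and the SAN must cover the
# IP, the same two things the app's client checks. For a hostname use
# openssl verify -verify_hostname instead of -verify_ip.
bundle_trusts_cert() {
    bundle="$1"; cert="$2"; ip="$3"
    openssl verify -CAfile "$bundle" -verify_ip "$ip" "$cert" >/dev/null 2>&1
}

# Offline demo data: constructed self-signed certificates, one standing in for
# the SOAR server (SAN covers 10.0.0.5) and one unrelated.
make_selfsigned() {
    out="$1"; cn="$2"; ip="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$out.key" -out "$out" \
        -subj "/CN=$cn" -addext "subjectAltName=IP:$ip" >/dev/null 2>&1
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
make_selfsigned "$WORK/phantom.pem" phantom.example 10.0.0.5
make_selfsigned "$WORK/other.pem"   other.example   10.0.0.9

report() {
    if bundle_trusts_cert "$1" "$2" "$3"; then
        echo "OK   bundle=$(basename "$1") server-cert=$(basename "$2") ip=$3"
    else
        echo "FAIL bundle=$(basename "$1") server-cert=$(basename "$2") ip=$3"
    fi
}

report "$WORK/phantom.pem" "$WORK/phantom.pem" 10.0.0.5   # OK: bundle holds the server cert and its SAN covers the IP
report "$WORK/other.pem"   "$WORK/phantom.pem" 10.0.0.5   # FAIL: wrong certificate in the bundle
report "$WORK/phantom.pem" "$WORK/phantom.pem" 10.0.0.9   # FAIL: certificate does not cover this IP
```

The third case is the one that bites when the Splunk app is configured with an IP address, as in this thread: a bundle that contains the right certificate still fails if that certificate's subjectAltName does not list the IP, and the fix is to reissue the SOAR certificate with the IP (or use the hostname it does cover), not to turn verification off.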

vasdell
Engager

One other thing that tripped me up: add your Splunk server IPs to the Allowed IPs list of the Phantom user you copied the token from.



DEAD_BEEF
Builder

For clarity, the path is:

%splunk_home%/etc/apps/phantom/local/phantom.conf


oadiaobong
Explorer

I don't have a local folder; all I see is default. I made the change there and I still get the error "AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/phantom/configs/conf-phantom?count=-1&output_mode=json"

Can anyone help?


sebeling3
New Member

I'm seeing the same thing. I am new to Splunk and Phantom and wanted to set up a POC using the free versions. I've installed both Splunk (Windows Server 2016) and Phantom (CentOS 7.4) on Azure on the same subnet.

Connectivity seems to be fine from both servers.

I am simply trying to set this up via the Splunk Enterprise "app" under this screen by following the directions on the Phantom Configuration Page.


Tecumseh
Observer

I'm getting the same error. Did anyone figure out the solution?

Splunk App for SOAR Export, latest version 4.3.13

There was an error adding the server configuration.
On SOAR: Verify server's 'Allowed IPs' and authorization configuration.

Error talking to Splunk: POST /servicesNS/nobody/phantom/storage/passwords: status code 500: b'{"messages":[{"type":"ERROR","text":"\\n In handler \'passwords\': Data could not be written: /nobody/phantom/passwords/credential::78a22ab111a4d706cbb4d830f19ea1b3d752f277:/password: $7$qAjGApYELkDTpOBFCFv+hnwTe6tSbTIAIk2b/s4q6GdFBw0mT6AQYQh85WYOruod9tt4ArrN0rjOHYBbesSJqjOjeOUqIjeYl7efAQ=="}]}'
