Splunk SOAR

Phantom on-prem Install

ada64
Engager

I tried to install unprivileged Phantom SOAR on CentOS 7, but I receive the same mistake every time. Can somebody help, please? The error:

 

Initializing Splunk SOAR settings

Failed Splunk SOAR initialization
Traceback (most recent call last):
File "/home/phantom/soar/splunk-soar/install/console.py", line 207, in run
proc = subprocess.run(normalized_cmd, **cmd_args) # noqa: PHANTOM112
File "/home/phantom/soar/splunk-soar/usr/python39/lib/python3.9/subprocess.py", line 528, in run
raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['/home/phantom/soar/bin/phenv', 'python', '/home/phantom/soar/bin/initialize.py', '--first-initialize']' returned non-zero exit status 2.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/home/phantom/soar/splunk-soar/./soar-install", line 72, in main
deployment.run()
File "/home/phantom/soar/splunk-soar/install/deployments/deployment.py", line 132, in run
self.run_deploy()
File "/home/phantom/soar/splunk-soar/usr/python39/lib/python3.9/contextlib.py", line 79, in inner
return func(*args, **kwds)
File "/home/phantom/soar/splunk-soar/install/deployments/deployment.py", line 193, in run_deploy
operation.run()
File "/home/phantom/soar/splunk-soar/install/operations/deployment_operation.py", line 135, in run
self.install()
File "/home/phantom/soar/splunk-soar/install/operations/tasks/initialize_phantom.py", line 62, in install
self.initialize_py("--first-initialize")
File "/home/phantom/soar/splunk-soar/install/operations/tasks/initialize_phantom.py", line 33, in initialize_py
return self.shell.phenv(cmd, **kwargs)
File "/home/phantom/soar/splunk-soar/install/console.py", line 275, in phenv
return self.run([phenv] + cmd, **kwargs)
File "/home/phantom/soar/splunk-soar/install/console.py", line 224, in run
raise InstallError(
install.install_common.InstallError: Failed Splunk SOAR initialization
install failed.

0 Karma

QuentinM
Loves-to-Learn

Hi, 

I had the same output on a centos7.
I added the option -v to get more verbosity and I was able to see that the installer cannot generate the certificate.

Creating HTTPS cert...
Aborting https cert create. File already exists
Shell command: openssl x509 -in /opt/phantom/etc/ssl/certs/httpd_cert.crt -pubkey -noout
Initialization function create_https_cert failed!
Traceback (most recent call last):
  File "/opt/phantom/bin/initialize.py", line 965, in initialize
    func()
  File "/opt/phantom/bin/initialize.py", line 334, in create_https_cert
    cert_tools.create_https_cert(group=group, force=force)
  File "pycommon3/phantom_common/cert_tools.py/cert_tools.py", line 123, in create_https_cert
  File "pycommon3/phantom_common/phproc.py/phproc.py", line 269, in run
  File "pycommon3/phantom_common/phproc.py/phproc.py", line 379, in __init__
  File "/opt/phantom/usr/python39/lib/python3.9/subprocess.py", line 951, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "/opt/phantom/usr/python39/lib/python3.9/subprocess.py", line 1821, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: 'openssl'
Done.


I installed openssl and I was able to complete the installation.

0 Karma

satyen_usda
Loves-to-Learn

I encountered multiple certificate errors running the upgrade script for SOAR from 7.0.0 to 8.5.0.

1) Running the upgrade with the -v option was essential to get detailed error info ( /opt/soar/splunk-soar/soar-install --splunk-soar-home /opt/soar --upgrade --with-apps -v)

2) Encountered "Failed Splunk SOAR initialization" error.  The cause was a combination of an old DER certificate in /opt/soar/etc/certs/ (fixed by executing:  openssl x509 -inform der -in ./dercert.crt -out ./dercert.crt)   It only worked when I reformatted the script AFTER the error throws, then resuming upgrade.  If I reformatted before the error throws, the script would bomb on cp errors.

3) Also, a nonprintable character was in /opt/soar/etc/cacerts.pem (fixed by: LC_ALL=C tr -cd '\0-\177' < input.txt > output.txt)

4) Also, a missing CA cert for Sectigo E46 was needed in /opt/soar/etc/cacerts.com to validate https://github.com.

0 Karma
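The two replies above report three causes of "Failed Splunk SOAR initialization": `openssl` missing from PATH, a DER-encoded certificate in the certs directory, and non-ASCII bytes in the CA bundle. The read-only pre-flight check below looks for all three; it is an added example, not part of the thread or of the Splunk installer. The function names are made up for illustration, and the DER test is a byte-signature heuristic rather than a full parse.

```shell
#!/bin/sh
# Added example: read-only pre-flight checks. Nothing here modifies any file.

# Succeeds if a tool the installer shells out to (e.g. openssl) is on PATH.
have_tool() { command -v "$1" >/dev/null 2>&1; }

# Classify a certificate file without needing openssl:
#   pem     - contains a PEM certificate header
#   der     - starts with an ASN.1 SEQUENCE using a 2-byte length (30 82),
#             which is how a DER X.509 certificate of normal size begins
#   unknown - neither
cert_encoding() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -tx1 -N2 "$1" 2>/dev/null | tr -d ' \n')" = "3082" ]; then
        echo der
    else
        echo unknown
    fi
}

# Count the bytes that `LC_ALL=C tr -cd '\0-\177'` would strip (bytes > 0x7F).
non_ascii_bytes() {
    LC_ALL=C tr -d '\0-\177' < "$1" | wc -c | tr -d ' '
}

# Check one certs directory and one CA bundle; returns the number of findings.
preflight() {
    certdir=$1 bundle=$2 findings=0
    have_tool openssl || { echo "MISSING: openssl not on PATH"; findings=$((findings+1)); }
    for f in "$certdir"/*.crt; do
        [ -f "$f" ] || continue
        enc=$(cert_encoding "$f")
        [ "$enc" = pem ] || { echo "NOT-PEM ($enc): $f"; findings=$((findings+1)); }
    done
    if [ -f "$bundle" ]; then
        n=$(non_ascii_bytes "$bundle")
        [ "$n" -eq 0 ] || { echo "NON-ASCII ($n bytes): $bundle"; findings=$((findings+1)); }
    fi
    return "$findings"
}

# Usage, with the paths given in the thread:
#   preflight /opt/soar/etc/certs /opt/soar/etc/cacerts.pem
```

Run it before starting the installer or upgrade; a non-zero exit status means at least one of the reported conditions is present.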

damianpadden
Loves-to-Learn

Did you resolve this? I am trying 6.1.1 on RHEL 7.9 and, using the RHEL 7 install, getting the same issue.

0 Karma

phanTom
SplunkTrust

@ada64 

Can you confirm you have downloaded the centos7 version of the installer?

Have you also disabled any SELinux capabilities on the server?

Other than that the error isn't too clear. Can you try the centos8 version on a centos8 box?

0 Karma

ada64
Engager

I installed SOAR on a RHEL 8 OS on a Google Cloud machine. But how will I reach the SOAR web interface?

0 Karma

phanTom
SplunkTrust

@ada64 if you have console access to the VM then you need to find the IP address it's using and just go there via HTTPS.

https://<your_phantom_ip_or_hostname> 

Once there you can log in as soar_local_admin / password. 

https://docs.splunk.com/Documentation/SOARonprem/6.0.2/Install/Login 

0 Karma