In order to connect to the Resilient platform, if the platform does not have a trusted TLS certificate, you must provide the server’s certificate in a file (such as “cacerts.pem”). The quickest way to do this is to use either openssl or the Java keytool command line utilities.
To create the cacerts.pem file with openssl (on Linux or Mac OS):
In a production setting, you should take care to get the certificate from a trusted source and confirm its fingerprint.
When connecting to a Resilient platform with the Python libraries, the hostname you specify must match exactly the name in the server certificate. If there is a mismatch, the permanent solution is to either change your DNS server or change the server certificate so it matches. It is also possible to modify your hosts file temporarily, but that is not a permanent solution.
Configuration File Settings
When using the Resilient Python API modules, your configuration file (app.config) typically contains this section:
# If your Resilient server uses a self-signed TLS certificate, or some
# other certificate that is not automatically trusted by your machine,
# you need to explicitly tell the Python scripts that it should be trusted.
# To explicitly trust a site, download its certificate to a file, e.g:
# mkdir -p ~/resilient/
# openssl s_client -connect resilient.example.com:443 -showcerts < /dev/null 2> /dev/null | openssl x509 -outform PEM > ~/resilient/cert.cer
# then specify the file (remove the '#' from the line below):
Set the value of ‘cafile’ to the full path to your certificate file. For example:
Sometimes you want to completely disable certificate verification. This is possible by setting:
Disabling certificate verification is insecure because it would allow a man-in-the-middle attack between your integration and the Resilient platform.
If the server has a CA-issued certificate, the server might not send the intermediate certificate at all. This can cause the connection from Python to fail, because Python requests does not automatically resolve the full certificate chain.
The cert-chain-resolver.py Python script here can often fetch these intermediate certificates, using the AIA (Authority Information Access) information that is embedded within the certs.
$ openssl s_client -connect google.com:443 -showcerts -tls1 < /dev/null | openssl x509 > SERVER.pem
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
$ python cert-chain-resolver.py -i SERVER.pem -o INTERMEDIATE.pem
1: Google Internet Authority G2
1 certificate(s) found.
$ openssl x509 -text < INTERMEDIATE.pem
Version: 3 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
Not Before: May 22 11:32:37 2017 GMT
Not After : Dec 31 23:59:59 2018 GMT
Subject: C=US, O=Google Inc, CN=Google Internet Authority G2
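The following script is an added example, not part of the Resilient documentation or of its Python modules. It ties together the three checks described above in openssl terms: fetching the server certificate and confirming its fingerprint before trusting it, checking that the certificate chains to the bundle named by `cafile` and matches the hostname the integration will use, and reading the AIA "CA Issuers" URI that cert-chain-resolver.py follows to locate a missing intermediate. So that it runs offline, it builds a constructed self-signed certificate for the hypothetical host resilient.example.com with a placeholder AIA URI (http://ca.example.invalid/intermediate.cer, not a real CA); the two fetch helpers are the only parts that need network access and are not exercised by the demo. It assumes openssl 1.1.1 or newer (for `-addext`) and curl.

```sh
#!/bin/sh
# Added example (not from the Resilient docs). Everything below runs against a
# locally constructed certificate; only the fetch_* helpers touch the network.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed demo server certificate for the hypothetical host
# resilient.example.com, carrying an AIA extension with a placeholder
# CA Issuers URI so the extraction below has something to find.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=resilient.example.com" \
        -addext "subjectAltName=DNS:resilient.example.com" \
        -addext "authorityInfoAccess=caIssuers;URI:http://ca.example.invalid/intermediate.cer" \
        -keyout "$WORK/key.pem" -out "$WORK/SERVER.pem" 2>/dev/null
    printf '%s\n' "$WORK/SERVER.pem"
}

# Fetch a server's leaf certificate as PEM (the pipeline from the docs).
fetch_server_cert() {   # usage: fetch_server_cert host:port out.pem
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# SHA-256 fingerprint of a PEM certificate: upper-case hex, no colons.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g'
}

# Compare a certificate with the fingerprint you obtained out of band from the
# platform administrator. Colons and letter case in the expected value are
# ignored. Returns 0 on match, 1 on mismatch: only trust the file on a match.
pin_matches() {         # usage: pin_matches cert.pem EXPECTED_FINGERPRINT
    expected="$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')"
    [ "$(fingerprint "$1")" = "$expected" ]
}

# Does the certificate chain to the CA bundle (what 'cafile' points at) and
# match the hostname the integration connects with? A failure here is the
# "hostname must match exactly" problem described in the docs.
hostname_ok() {         # usage: hostname_ok cacerts.pem cert.pem hostname
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# CA Issuers URI(s) from the AIA extension, one per line; empty when absent.
# This is the field cert-chain-resolver.py follows to find the intermediate.
aia_ca_issuers() {
    openssl x509 -in "$1" -noout -text \
        | grep -o 'CA Issuers - URI:[^[:space:]]*' \
        | sed 's/^CA Issuers - URI://'
}

# Download the intermediate named by an AIA URI and normalise it to PEM
# (CA Issuers files are usually DER). Verify the result against your bundle
# afterwards: openssl verify -CAfile cacerts.pem -untrusted out.pem SERVER.pem
fetch_intermediate() {  # usage: fetch_intermediate URI out.pem
    curl -fsSL "$1" -o "$2.der"
    openssl x509 -inform DER -in "$2.der" -out "$2" 2>/dev/null \
        || openssl x509 -inform PEM -in "$2.der" -out "$2"
}

demo() {
    cert="$(make_demo_cert)"
    fp="$(fingerprint "$cert")"
    echo "fingerprint: $fp"
    pin_matches "$cert" "$fp" && echo "pin ok"
    hostname_ok "$cert" "$cert" resilient.example.com && echo "hostname ok"
    hostname_ok "$cert" "$cert" other.example.com || echo "hostname mismatch detected"
    echo "intermediate at: $(aia_ca_issuers "$cert")"
}

demo
```

Against a real platform you would run `fetch_server_cert resilient.example.com:443 cacerts.pem`, confirm `pin_matches cacerts.pem <fingerprint from the administrator>` before pointing `cafile` at the file, and, if `aia_ca_issuers` reports a URI for a CA-issued certificate, append the fetched intermediate to the bundle so that Python requests can complete the chain.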