Configure Python Docker Integrations to Trust Custom Certificates
Python integrations running in Docker contain a built-in set of CA-signed certificates, to which you can add custom trusted certificates when needed, for example, when you work with a proxy that performs SSL traffic inspection or use a service that has a self-signed certificate.
Only PEM format certificates are supported.
Configure the custom certificates.
Create a certificates PEM file that includes all of the required custom certificates.
If you require the standard set of certificates trusted by browsers, download the PEM certificates file provided by the Certifi Project and add your custom certificates to the file that contains the standard set of certificates.
This example appends proxy-ca.pem (custom certificate) to cacert.pem:
cat proxy-ca.pem >> cacert.pem
Copy the certificates PEM file to the following path.
Configure the Cortex XSOAR server settings.
Save the server configuration.
Restart the Cortex XSOAR server to verify that all existing Docker images are relaunched.
Add the certificate files to engines.
Configure each engine to use the
Make sure that you have the following directory on the engine host.
Set the demisto user as the directory owner with 0700 permissions.
Add the following configuration to either the engine
configuration file (UI) or to the
Restart the engine.
Verify that the configuration was added successfully.
If you are using an SSL inspection proxy (MiTM) and want to verify that the certificates are properly set, you can run the following command, which will fetch from www.google.com using HTTPS, and print the headers of the response:
After you save the server configuration, Docker images that are launched by the Cortex XSOAR server will contain the certificates file mounted in the following path:
The following environment variables will be set with the value of the certificates file path, which enables standard Python HTTP libraries to automatically trust the certificates (without code modifications):
If you are developing your own integration (BYOI) and using non-standard HTTP libraries, you might need to include specific code that will trust the passed certificates file when the environment variable SSL_CERT_FILE is set. In these cases, always use the value in the environment variable as the path for the certificates file, and do not hard code the mounted path specified above. For example:
import os

certs_file = os.environ.get('SSL_CERT_FILE')
# perform custom logic to trust certificates...
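One way to fill in that custom logic for a client that accepts an ssl.SSLContext, shown as an added example that is not part of the Cortex XSOAR documentation. The function names are hypothetical; the only input taken from the page is the SSL_CERT_FILE environment variable and the PEM-only requirement.

```python
import os
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def count_pem_certs(path):
    """Return how many complete PEM certificate blocks the file holds (0 for DER or junk)."""
    with open(path, "rb") as fh:
        text = fh.read().decode("ascii", errors="replace")
    count = 0
    pos = text.find(PEM_BEGIN)
    while pos != -1:
        end = text.find(PEM_END, pos)
        if end == -1:
            break  # truncated block: do not count it
        count += 1
        pos = text.find(PEM_BEGIN, end)
    return count


def resolve_ca_bundle(environ=os.environ):
    """Return the path in SSL_CERT_FILE, or None when the variable is unset."""
    path = environ.get("SSL_CERT_FILE")
    if not path:
        return None
    if not os.path.isfile(path):
        raise FileNotFoundError(f"SSL_CERT_FILE points to a missing file: {path}")
    if count_pem_certs(path) == 0:
        raise ValueError(f"{path} holds no PEM certificates (only PEM is supported)")
    return path


def build_tls_context(environ=os.environ):
    """Build a verifying TLS context that trusts the passed bundle when one is set."""
    cafile = resolve_ca_bundle(environ)
    # cafile=None makes Python fall back to the system default trust store.
    # Verification and hostname checking stay enabled in both cases.
    return ssl.create_default_context(cafile=cafile)
```

A context built with an explicit cafile trusts only the certificates in that file, which is why the bundle should contain the standard set plus the custom certificates when both are needed.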