End-of-Life (EoL)

Configure Python Docker Integrations to Trust Custom Certificates

Python integrations running in Docker contain a built-in set of CA-signed certificates, to which you can add custom trusted certificates when needed, for example, if you are working with a proxy that performs SSL traffic inspection or using a service that has a self-signed certificate.
Only PEM format certificates are supported.
  1. Configure the custom certificates.
    1. Create a certificates PEM file that includes all of the required custom certificates.
    2. (Optional) If you require the standard set of certificates trusted by browsers, download the PEM certificates file provided by the Certifi Project and add your custom certificates to the file that contains the standard set of certificates.
      This example adds the proxy-ca.pem file (custom certificate) to the cacert.pem file (standard certificates):
      cat proxy-ca.pem >> cacert.pem
    3. Copy the certificates PEM file to the following path.
      /var/lib/demisto/python-ssl-certs.pem
  2. Configure the Cortex XSOAR server settings.
    1. Go to Settings > About > Troubleshooting.
    2. In the Server Configuration section, click Add Server Configuration.
      • Key: python.docker.use_custom_certs
      • Value: true
    3. Save the server configuration.
    4. Restart the Cortex XSOAR server to verify that all existing Docker images are relaunched.
  3. (Optional) Add the certificate files to engines.
    1. Configure each engine to use the /var/lib/demisto/python-ssl-certs.pem file.
    2. Make sure that you have the following directory on the engine host.
      /var/lib/demisto
    3. Set the demisto user as the directory owner with 0700 permissions.
    4. Copy the python-ssl-certs.pem file to the /var/lib/demisto directory.
    5. Add the following configuration to either the engine configuration file (UI) or to the d1.conf file.
      "python.docker.use_custom_certs": true
    6. Restart the engine.
  4. Verify that the configuration was added successfully.
    If you are using an SSL inspection proxy (MiTM) and want to verify that the certificates are properly set, you can run the following command, which fetches from www.google.com using HTTPS and prints the headers of the response:
    !py script="import requests; print(requests.get('https://google.com').headers)"
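A pre-flight check for the bundle built in step 1, before it is copied to /var/lib/demisto/python-ssl-certs.pem. This is an added example, not Cortex XSOAR code; check_bundle and sample_block are hypothetical names. It checks structure only (PEM framing, block type, base64, DER tag), not signatures or expiry, and it catches the case where cat appends to a file with no trailing newline.

```python
import base64
import re

BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def check_bundle(text):
    """Return (certificate_count, problems) for the text of a PEM bundle."""
    problems = []
    # Appending to a file without a trailing newline glues END and BEGIN together.
    text, fused = re.subn(
        r"(-----END [A-Z0-9 ]+-----)(?=-----BEGIN )", r"\1\n", text)
    if fused:
        problems.append("END and BEGIN markers fused on one line")
    count = 0
    for label, body in BLOCK.findall(text):
        if "PRIVATE KEY" in label:
            problems.append("private key present in trust bundle")
            continue
        if label != "CERTIFICATE":
            problems.append("unexpected block type: " + label)
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append("certificate block is not valid base64")
            continue
        # A DER-encoded certificate starts with an ASN.1 SEQUENCE tag (0x30).
        if not der.startswith(b"\x30"):
            problems.append("certificate block does not decode to DER")
            continue
        count += 1
    if count == 0:
        problems.append("no PEM certificates found (DER or empty file?)")
    return count, problems


def sample_block(label="CERTIFICATE", payload=b"\x30\x03\x02\x01\x01"):
    """Constructed placeholder block (not a real certificate) for trying the checker."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


if __name__ == "__main__":
    # Constructed input: second block appended to a file lacking a final newline.
    print(check_bundle(sample_block().rstrip("\n") + sample_block()))
```

To check a real file, pass its contents: check_bundle(open("cacert.pem").read()).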
After you save the server configuration, Docker images that are launched by the Cortex XSOAR server will contain the certificates file mounted in the following path:
/etc/custom-python-ssl/certs.pem
Additionally, the following environment variables will be set with the value of the certificates file path, which enables standard Python HTTP libraries to automatically trust the certificates (without code modifications):
  • REQUESTS_CA_BUNDLE
  • SSL_CERT_FILE
If you are developing your own integration (BYOI) and using non-standard HTTP libraries, you might need to include specific code that will trust the passed certificates file when the environment variable SSL_CERT_FILE is set. In these cases, always use the value in the environment variable as the path for the certificates file, and do not hard code the mounted path specified above. For example:
import os

certs_file = os.environ.get('SSL_CERT_FILE')
if certs_file:
    # perform custom logic to trust certificates...
    pass
The Python SSL library will check the SSL_CERT_FILE environment variable only when using OpenSSL. If you are using a Docker image that uses LibreSSL, the SSL_CERT_FILE environment variable will be ignored.
