topic Re: CWPP SSL Certificate, self-signed or chain in Prisma Cloud Discussions

CWPP SSL Certificate, self-signed or chain

TommyHunt — Wed, 14 Dec 2022 15:13:31 GMT

Given that I am programming a custom https client

When I invoke CWPP APIs over https

Then I encounter SSLErrors

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain

Where can I get a .pem or .crt file containing the CWPP certificates that I should trust?

Although I found this resource in the documentation, https://prisma.pan.dev/api/cloud/cwpp/defenders/#operation/get-defenders-install-bundle

When I invoke that API, I get this json...

$ curl -k \
>   -H "Authorization: Bearer $token" \
>   -H 'Content-Type: application/json' \
>   -X GET "${PRISMA_CLOUD_COMPUTE_CONSOLE_API_ADDR}/api/v1/defenders/install-bundle?consoleaddr=${PRISMA_CLOUD_COMPUTE_SVC_ADDR}"
{"wsAddress":"wss://us-east1.cloud.twistlock.com:443","installBundle":"eyJzZWNyZXRzIjp7fSwiZ2xvYmFsUHJveHlPcHQiOnsiaHR0cFByb3h5IjoiIiwibm9Qcm94eSI6IiIsImNhIjoiIiwidXNlciI6IiIsInBhc3N3b3JkIjp7ImVuY3J5cHRlZCI6IiJ9fSwiY3VzdG9tZXJJRCI6InVzLTEtMTExNTc0MzIzIiwiYXBpS2V5IjoiV09FcHBSWjlPZHk0UTgxeTNkNG5nUDdIbzJ6U2xVeWpqSy95VThJM2FwTVNhTXRDaXIrTnFXVkk5L2NsQUp5d0dFVThrTGNkQ1U1d1MvQnlUZUxXVXc9PSIsIm1pY3Jvc2VnQ29tcGF0aWJsZSI6ZmFsc2V9"}

What is that? How is that "installBundle" intended to be used?

Re: CWPP SSL Certificate, self-signed or chain

AHamilton-Sutherland — Thu, 15 Dec 2022 01:17:20 GMT

Is your CWP Console self hosted or a SaaS tenant?

Is the machine attempting to make API calls using a VPN?

Are you able to generate a JWT Token successfully with the API? Or is the only operation that is failing the defender call you have included an example of?

"

Given that I am programming a custom https client

When I invoke CWPP APIs over https

Then I encounter SSLErrors
"

Can you include any API endpoints that you have attempted to call that result in you getting an SSL Error?

Re: CWPP SSL Certificate, self-signed or chain

TommyHunt — Thu, 15 Dec 2022 19:31:31 GMT

Saas Tenant
Yes, my workstation connects via VPN.
I can generate a token from bash via curl command; that error is from python.requests package invoking https://api.prismacloud.io/login

IMO, its a python configuration problem.

Re: CWPP SSL Certificate, self-signed or chain

TommyHunt — Thu, 15 Dec 2022 19:35:57 GMT

Ultimately, I want to tell python's requests package where to find the certificate chain file for this host.

I added the verify parameter to my python statement / function-call.
resp = requests.post(url, json=payload, headers=headers, verify='/Users/TAHV/Downloads/cloud-twistlock-com-chain.pem')
Then... where do I get the certificate chain in a pem file format for prisma domain?
Navigate my browser to the endpoint's URL, for example https://us-east1.cloud.twistlock.com/us-1-111574323/api/v1/defenders/install-bundle?consoleaddr=us-east1.cloud.twistlock.com
Then, save the certificate to a pem file.

In Safari:

Click the padlock icon in the URL bar
Click the Show Certificate button in the dialog that appears
Click on the certificate icon, and drag it to a Finder window (or the Desktop)

In Google Chrome:

Click the padlock icon in the URL bar
If the dialog that appears has a "Connection is secure" line, click on that
Click the "Certificate is valid" or "Certificate (Valid)" area in the dialog
Click on the certificate icon, and drag it to a Finder window (or the Desktop)

In Firefox:

Click the padlock icon in the URL bar
Click the "Show connection details" (right-arrow) button to the right of "Connection secure" in the dialog that appears
Click the "More information" area
Under the Security tab, click the "View Certificate" button
A "about:certificate?cert=..." browser tab will open; scroll down to the Miscellaneous section
In the "Download" line, click "PEM (cert)" to save the site's leaf certificate to your Downloads folder, or "PEM (chain)" to save the entire trust chain

Re: CWPP SSL Certificate, self-signed or chain

AHamilton-Sutherland — Thu, 15 Dec 2022 20:01:03 GMT

Your answer is correct.

Based on your statement "programming a custom https client". I recommend you check out these 2 Github repos that provide Pythons libraries for handling Authentication and Sessions with Prisma Cloud.
https://github.com/PaloAltoNetworks/pc-python-integration

https://github.com/PaloAltoNetworks/prismacloud-api-python

They may be of use to you. They are very similar in feature set. The first link, PCPI, is a lightweight implementation with only Authentication and Session management features while the second link, Prisma Cloud API for Python has lots of bre-baked API calls to help speed up your development.

Both of these libraries have support to handle the SSL Issue you were encountering since they both implement the "verify" option in Python Requests. They also both include the same script that can generate Prisma Cloud Certificates for you instead of pulling them out of your browser.

Re: CWPP SSL Certificate, self-signed or chain

AHamilton-Sutherland — Thu, 15 Dec 2022 20:03:56 GMT

*Moved Reply to accepted answer for visibility*

Your answer is correct.

Based on your statement "programming a custom https client". I recommend you check out these 2 Github repos that provide Pythons libraries for handling Authentication and Sessions with Prisma Cloud.
https://github.com/PaloAltoNetworks/pc-python-integration

https://github.com/PaloAltoNetworks/prismacloud-api-python

They may be of use to you. They are very similar in feature set and the configuration files are cross-compatible. They are both updated regularly. I am partial to PCPI as I created it. The first link, PCPI, is a lightweight implementation with only Authentication and Session management features while the second link, Prisma Cloud API for Python has lots of bre-baked API calls to help speed up your development.

Both of these libraries have support to handle the SSL Issue you were encountering since they both implement the "verify" option in Python Requests. They also both include the same script that can generate Prisma Cloud Certificates for you instead of pulling them out of your browser.