TLS configuration for agent management versioned app retrieval

Configure TLS for the agent management versioned app retrieval add-on so that it verifies server authenticity when downloading artifacts over HTTPS.

The agent management versioned app retrieval add-on downloads artifacts using HTTPS connections. Configure a TLS connection and verify server authenticity to secure artifact downloads from external repositories.

Prerequisites

Before configuring TLS, ensure you have:

  • Administrator access to the Splunk instance
  • Root CA certificate file in PEM format
  • Write permissions to the $SPLUNK_HOME/etc/apps directory
  • External repository server certificate information

Configure TLS

Note: You only need to configure TLS for self-signed certificates.

Append your root CA certificate to the $SPLUNK_HOME/etc/apps/agent_management_versioned_app_retrieval/lib/certifi/cacert.pem file to enable the add-on to verify your external repository server.

The certificate must be in PEM format and include the BEGIN CERTIFICATE and END CERTIFICATE markers.

Example: Add a CA certificate

Note: You only need to add a CA certificate for self-signed certificates.

To add your CA certificate, append it to the cacert.pem file:

CODE
cat /path/to/your/ca-certificate.pem >> "$SPLUNK_HOME/etc/apps/agent_management_versioned_app_retrieval/lib/certifi/cacert.pem"

On Windows systems:

CODE
type C:\path\to\your\ca-certificate.pem >> "%SPLUNK_HOME%\etc\apps\agent_management_versioned_app_retrieval\lib\certifi\cacert.pem"

Verify the TLS configuration

After adding your CA certificate, verify the TLS connection:

  1. Check the add-on logs at $SPLUNK_HOME/var/log/splunk/agent_management_versioned_app_retrieval.log for SSL errors.
  2. Confirm that artifact downloads complete successfully without certificate warnings.
  3. Review the log entries for successful TLS handshake messages.

Troubleshooting

If you encounter SSL certificate verification errors:

  • Verify that the CA certificate is in PEM format
  • Ensure the certificate includes the complete certificate chain
  • Check that the certificate is not expired
  • Verify that the certificate was appended correctly to cacert.pem
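
The append step and the troubleshooting checks above can be combined into one guarded script. This is an added example, not code shipped with the add-on: the helper names pem_ok and append_ca are hypothetical, pem_ok assumes the openssl command-line tool is installed, and the duplicate check is a heuristic.

```sh
#!/bin/sh
# Added example (not Splunk code). pem_ok and append_ca are hypothetical names.

# pem_ok CA_FILE: succeed only if the file parses as a PEM certificate that
# has not expired. Assumes the openssl CLI is installed.
pem_ok() {
    openssl x509 -in "$1" -noout -subject -enddate || {
        echo "not a readable PEM certificate: $1" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || {
        echo "certificate has expired: $1" >&2; return 1; }
}

# append_ca CA_FILE BUNDLE: append CA_FILE to BUNDLE once, keeping a backup.
append_ca() {
    ca=$1
    bundle=$2
    # Both PEM markers must be present in the file being added.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca" ||
       ! grep -q -e '-----END CERTIFICATE-----' "$ca"; then
        echo "missing BEGIN/END CERTIFICATE markers: $ca" >&2
        return 1
    fi
    # Heuristic duplicate check: the first base64 line of the certificate
    # (it usually covers the serial number) already appears in the bundle.
    first=$(sed -n '/-----BEGIN CERTIFICATE-----/{n;p;q;}' "$ca")
    if [ -n "$first" ] && grep -qxF -e "$first" "$bundle"; then
        echo "already present in $bundle, nothing appended" >&2
        return 0
    fi
    cp -p "$bundle" "$bundle.bak" || return 1
    # If the bundle lacks a final newline, a plain >> would fuse its last END
    # marker with the new BEGIN marker and corrupt both entries.
    if [ -n "$(tail -c 1 "$bundle")" ]; then
        printf '\n' >> "$bundle"
    fi
    cat "$ca" >> "$bundle"
}

# Usage: sh add_ca.sh /path/to/your/ca-certificate.pem /path/to/cacert.pem
if [ "$#" -eq 2 ]; then
    pem_ok "$1" && append_ca "$1" "$2"
fi
```

The backup is written next to the bundle as cacert.pem.bak, so a failed verification can be rolled back by copying it over the modified file.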