SSL Certificates in truststores #185

Open
jkozlowski opened this issue May 12, 2022 · 3 comments

@jkozlowski
Contributor

I am looking for guidance around SSL certificates for talking to Splunk for an app (data input) implemented using your Java SDK. Currently, the Script gets access to "server_host", "session_key" which are great because they allow the app to know how to talk to Splunk and be authorized to do things, EXCEPT there's no truststore that could be used to make sure this communication can be done securely.

It might be that I'm misunderstanding something, so I would appreciate some context around this:

  1. Is server_host ALWAYS guaranteed to be "localhost" or loopback address?
  2. If not, how is my application supposed to figure out which certificate to trust? If I want to deploy to splunk marketplace, I cannot really ship a trust store, because wherever my app is installed is going to have a different certificate to trust.
  3. As I understand it, the current sdk implementation would probably load the truststore using the standard "javax.net.ssl.trustStore" property; who is supposed to set that? Should I tell my users to extract the certificate from their splunk server and add it to my truststore somehow? This feels like an unnecessary extra step. Can I somehow find out the location of the certificate on disk and load it from there?

My gut feeling is that along with "server_host" etc. variables, the app should be given the certificate it should trust, but I'm not sure if that fits your deployment model.

Any help would be appreciated, I couldn't find any guidance in available documentation.

@jkozlowski jkozlowski changed the title SSL Certificates SSL Certificates in truststores May 12, 2022
@ashah-splunk
Contributor

Hi @jkozlowski, we are looking at a couple of approaches for SSL security through the SDK using self-signed or Splunk-generated SSL certificates. We would like to hear from you as well, if you have any suggestions for the same.

@jkozlowski
Contributor Author

Hey @ashah-splunk, thanks for coming back to me.

The way I would solve this is how I already outlined it: your splunk server is responsible for deploying applications and is therefore a trusted piece of infrastructure. It should provide a path to a truststore file with a certificate that should be trusted when talking back to it, same way you provide the session key and host information.

Technically this information is already in the Splunk config, I was looking through the APIs you provide for reading config, but I think it’s per app? My preference is still for the server to provide all this config to the app, but whatever you come up with here is obviously not going to be backwards compatible, is there a way right now for me to read the Splunk config somehow? Other than assuming I’m running on the same host and trying to find it on local disk?

I think this is a pretty important problem to solve for a security product, so would appreciate some guidance and a way forward.

@jkozlowski
Contributor Author

Another question: the value of server_uri passed to a modular input from my observation (from deploying a splunk docker container locally) is always something like https://127.0.0.1:<port>; whereas server_host contains the actual hostname, that I presume the certificate presented by splunkd will be signed for. I think that means I should splice the hostname into the uri to make sure that certificate checking works?
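
The two ideas raised in this thread (trusting a CA certificate read from a file path, and connecting by `server_host` rather than the loopback address in `server_uri`), sketched as an added example using only JDK classes; it is not code from the Splunk SDK or from the participants. The class name, method names, the PEM file path argument and the sample host values are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper class, not part of any SDK.
public final class SplunkdTrust {

    /** Builds an SSLContext that trusts only the CA certificates in the given PEM file. */
    static SSLContext contextFromPem(Path caPem) throws IOException, GeneralSecurityException {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null); // empty in-memory store: the JVM default CAs are not included
        try (InputStream in = Files.newInputStream(caPem)) {
            int i = 0;
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                trust.setCertificateEntry("splunkd-ca-" + i++, c);
            }
        }
        // Fail closed instead of ending up with a context that trusts nothing or everything.
        if (trust.size() == 0) throw new GeneralSecurityException("no certificates in " + caPem);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Keeps scheme, port and path from server_uri but replaces the host with server_host. */
    static URI withHost(String serverUri, String serverHost) throws URISyntaxException {
        URI u = new URI(serverUri);
        return new URI(u.getScheme(), null, serverHost, u.getPort(), u.getPath(), null, null);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values in the shape described in the thread.
        URI target = withHost("https://127.0.0.1:8089", "splunk01.example.com");
        System.out.println("would connect to " + target);
        if (args.length == 1) { // optional: path to a PEM file supplied by the administrator
            SSLContext ctx = contextFromPem(Path.of(args[0]));
            System.out.println("trust context ready: " + ctx.getProtocol());
        }
    }
}
```

`HttpsURLConnection` checks the certificate against the URL's host by default, so the rewritten URI only validates if the certificate covers `server_host` and that name resolves to the splunkd instance.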
