splunk · ashah-splunk · Jan 18, 2023 · Jan 19, 2023 · l00py · Sep 13, 2023
diff --git a/README.md b/README.md
@@ -109,9 +109,21 @@ To build the documentation for the SDK, it is being automatically generated with
     cd splunk
     mvn javadoc:javadoc
 
+###SSL Certificate Verification
+SSL Certificate validation is turned ON by default in Splunk Java SDK. Set SSL Certificate as shown below.
+```java
+    HttpService.setSSLCert(<byte[] sslCert>);
+```
+Note:- For local/Non-production/any other use cases SSL Certificate validation can be disabled as shown below.
+```java
+    HttpService.setValidateCertificates(false).
+```
+
+
 ### Usage
 #### Login using username and password
 ```java
+import com.splunk.HttpService;
 import com.splunk.Service;
 import com.splunk.ServiceArgs;
 
@@ -129,6 +141,9 @@ public class SplunkLogin {
         loginArgs.setUsername("USERNAME"); // Use your username
         loginArgs.setPassword("PASSWORD"); // Use your password
 
+        //set SSL Certificate for verification
+        byte[] sslCert = <read Certificate file into byte array>
+        HttpService.setSSLCert(sslCert);
         // Initialize the SDK client
         service = Service.connect(loginArgs);
     }
@@ -137,6 +152,7 @@ public class SplunkLogin {
 
 #### Login using Session Token
 ```java
+import com.splunk.HttpService;
 import com.splunk.Service;
 import com.splunk.ServiceArgs;
 
@@ -159,6 +175,9 @@ public class SplunkLogin {
         loginArgs.setScheme("https");
         loginArgs.setToken(String.format("Splunk %s", token));
 
+        //set SSL Certificate for verification
+        byte[] sslCert = <read Certificate file into byte array>
+        HttpService.setSSLCert(sslCert);
         // Initialize the SDK client
         service = Service.connect(loginArgs);
     }
@@ -173,6 +192,7 @@ public class SplunkLogin {
 
 #### Login using Authentication Token (RECOMMENDED)
 ```java
+import com.splunk.HttpService;
 import com.splunk.Service;
 import com.splunk.ServiceArgs;
 
@@ -195,6 +215,9 @@ public class SplunkLogin {
         loginArgs.setScheme("https");
         loginArgs.setToken(String.format("Bearer %s", token));
 
+        //set SSL Certificate for verification
+        byte[] sslCert = <read Certificate file into byte array>
+        HttpService.setSSLCert(sslCert);
         // Initialize the SDK client
         service = Service.connect(loginArgs);
     }
@@ -206,6 +229,7 @@ public class SplunkLogin {
 import com.splunk.Job;
 import com.splunk.ResultsReader;
 import com.splunk.ResultsReaderXml;
+import com.splunk.HttpService;
 import com.splunk.Service;
 import com.splunk.ServiceArgs;
 
@@ -233,6 +257,9 @@ public class SearchExample {
         loginArgs.setScheme("https");
         loginArgs.setToken(String.format("Bearer %s", token));
 
+        //set SSL Certificate for verification
+        byte[] sslCert = <read Certificate file into byte array>
+        HttpService.setSSLCert(sslCert);
         // Initialize the SDK client
         service = Service.connect(loginArgs);
 

diff --git a/splunk/src/main/java/com/splunk/HttpService.java b/splunk/src/main/java/com/splunk/HttpService.java
@@ -17,11 +17,10 @@
 package com.splunk;
 
 import javax.net.ssl.*;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.io.OutputStreamWriter;
+import java.io.*;
 import java.net.*;
+import java.security.KeyStore;
+import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.HashMap;
 import java.util.List;
@@ -46,6 +45,7 @@ public class HttpService {
      * Default Value: TRUE
      */
     protected static boolean validateCertificates = true;
+    protected static byte[] sslCert = null;
 
     private static SSLSocketFactory sslSocketFactory = createSSLFactory();
     private static String HTTPS_SCHEME = "https";
@@ -436,6 +436,11 @@ Socket open() throws IOException {
      * @return The HTTP response.
      */
     public ResponseMessage send(String path, RequestMessage request) {
+
+        if(HttpService.validateCertificates && HttpService.sslCert == null){
+            throw new RuntimeException("Set missing SSL Certificate for verification or Disable SSL verification and try again");
+        }
+
         // Construct a full URL to the resource
         URL url = getUrl(path);
         // Create and initialize the connection object
@@ -566,6 +571,12 @@ public static void setValidateCertificates(boolean validateCertificate) {
         }
     }
 
+    public static void setSSLCert(byte[] sslCertificate) {
+        // update the SSL_SOCKET_FACTORY when sslCert is set
+        sslCert = sslCertificate;
+        sslSocketFactory = createSSLFactory();
+    }
+
     public static SSLSocketFactory createSSLFactory() {
 
         try {
@@ -578,12 +589,23 @@ public static SSLSocketFactory createSSLFactory() {
             } else {
                 context = SSLContext.getDefault();
             }
-
             if (validateCertificates) {
-                context.init(null, null, null);
-                // For now this check is set as null.
-                // TODO: Implementation logic for validating client certificate.
-            } else {
+                if(sslCert == null){
+                    // On initialising before ssCert is set, TM and KM set to null
+                    context.init(null, null, null);
+                }else{
+                    InputStream is = new ByteArrayInputStream(sslCert);
+                    CertificateFactory cf = CertificateFactory.getInstance("X.509");
+                    X509Certificate cert = (X509Certificate)cf.generateCertificate(is);
+                    TrustManagerFactory tmf = TrustManagerFactory
+                            .getInstance(TrustManagerFactory.getDefaultAlgorithm());
+                    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+                    ks.load(null); // You don't need the KeyStore instance to come from a file.
+                    ks.setCertificateEntry("cert", cert);
+                    tmf.init(ks);
+                    context.init(null, tmf.getTrustManagers(), null);
+                }
+            } else{
                 TrustManager[] trustAll = new TrustManager[]{
                         new X509TrustManager() {
                             public X509Certificate[] getAcceptedIssuers() {

diff --git a/splunk/src/test/java/com/splunk/SDKTestCase.java b/splunk/src/test/java/com/splunk/SDKTestCase.java
@@ -92,9 +92,23 @@ public static Integer getJavaVersion() {
     }
 
     @BeforeClass
-    public static void preClassLoadActions() {
-        // Bypass the certification validation here.
+    public static void preClassLoadActions() throws IOException {
+        // To Bypass the certification validation.
         HttpService.setValidateCertificates(false);
+
+        // To Set SSL Certificate use below code block
+        /*
+        InputStream sslCertificate = ResourceRoot.class.getResourceAsStream("/Certificate.pem");
+        ByteArrayOutputStream os = new ByteArrayOutputStream();
+        byte[] buffer = new byte[1024];
+        int len;
+        // read bytes from the input stream and store them in the buffer
+        while ((len = sslCertificate.read(buffer)) != -1)
+        {
+            os.write(buffer, 0, len);
+        }
+        HttpService.setSSLCert(os.toByteArray());
+        */
     }
 
     @Before