Certificate Authority Bundle Management in Looker 5.18+

(Carter Moar) #1

In Looker 5.18 we are moving away from having a hardcoded bundle of Certificate Authority (CA) root certificates used for outbound SSL certificate verification. Instead, we will be using the Java maintained and supplied CA certificate bundle going forward.

What is a Certificate Authority bundle and why does it matter?

SSL and TLS are used for end to end encryption over a public channel and to verify that you are talking to who you think you’re talking to.

The mechanism that these protocols use to verify the authenticity of the host they are talking to is by certificate signing and verification.

A certificate authority is a trusted third party that issues certificates to entities verifying that that entity is who they say they are. By examining an entity’s certificate, you can see which CA signed that certificate and if was signed by one of the CAs that you trust, you can verify that you’re talking to who you think you are.

Determining which CAs you trust is done by keeping around a file of trusted certificate authorities and the “root certificates” that they use for signing other entity’s certificates. For example, your operating system has a list of these root certificates, and so do common web browsers. These “list of root certificates” is called a CA bundle.

When does Looker need to use a CA bundle?

Looker needs to verify the authenticity of the hosts it communicates with when making outbound requests from the Looker server and uses a CA bundle to do so. This includes things like making requests to outbound webhooks, S3 backups, various forms of authentication, and the license-verification server.

How have we done this historically?

Historically we have included a list of root certificates in the JAR file to verify certificates for this purpose. This CA bundle was pulled from Firefox in 2012 and has not been modified since.

Why don’t we want to do that anymore?

Managing a list of trusted CAs can be cumbersome. You need to need to decide when to revoke certain certificates if their root certificate gets compromised and when to add new certificates. This is something that is already well managed by various entities, including operating systems, web browsers, and Java.

How does it work in Looker 5.18?

Looker uses the CA bundle that resides on disk and is provided by Java. This allows for customization and puts the management of CA certs on Java. If you host your own Looker instance, your system administrators will have greater control of certificates and can now add or remove things from your bundle.

1 Like