How to set up Talend IAM for authenticating calls to Data Services

Problem Description

The default Karaf authentication mechanism does not manage users through an external Identity and Access Management (IAM) system.


Root Cause

Default authentication in Karaf is backed by properties files: every user, group, and role must be defined in the file, and passwords are stored there in clear text unless Karaf password encryption has been enabled.



Integrate Karaf authentication with the Talend Identity and Access Management (IAM) module, which is based on Apache Syncope.


By default, Karaf handles authentication for the ESB services itself. Delegating it to Syncope separates the two concerns: Syncope manages users and authentication, and the ESB services stay in the ESB layer.


Below is a short summary of the process to enable Syncope authentication:



Talend IAM must be installed and running; check your TAC configuration before continuing.



Syncope Configuration

  1. Connect to the URL http://iam_host:9080/syncope-console and log in with the default administrator credentials (admin/password). Change this default password on any installation that is not a throwaway test.



  2. Once connected, the Dashboard view appears:



  3. Select Realms:



    In this view, you create the users and groups that replace the default Karaf authentication.


  4. Before you create users and groups, double-check the default Karaf authentication. The default authentication file under %container_folder%/etc contains the list of users, groups, and roles, for example:

    karaf = karaf,_g_:admingroup
    _g_\:admingroup = group,admin,manager,viewer,systembundles

    The file format follows these rules (the colon in a group definition key is escaped as \:, and the literal word group marks the entry as a group rather than a user):

    username = password,role1,_g_:groupname,…
    _g_\:groupname = group,role1,role2,…
  5. Translate the contents of this file into a Syncope configuration using the rules below and by performing the next steps in Syncope:

    • User in file > User in Syncope

    • Role in file > Group in Syncope

    • Group in file > No corresponding type in Syncope
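Step 5 is a mechanical translation of the Karaf file into Syncope objects, and it is easy to get a membership wrong by hand. The script below is added here as an example (it is not Talend or Karaf code): it parses a file in the users.properties format, prints the Syncope groups to create and the group memberships of each user, expanding Karaf group references (_g_:name) through their role lists because a Karaf group has no Syncope counterpart, and flags users whose password is stored unencrypted (Karaf wraps encrypted passwords in {CRYPT}...{CRYPT}), which is the clear-text problem named under Root Cause. The sample file content is constructed for the example; its sl_admin/sl_maintain assignments are illustrative, not Talend's shipped defaults. Note that the literal word group in a _g_\: entry is Karaf's type marker rather than a role, so the script does not turn it into a Syncope group; creating one as in step 6 does no harm.

```python
# Added example, not Talend or Karaf code: translate a Karaf users.properties
# file into the Syncope users/groups/memberships described in step 5.

GROUP_PREFIX = "_g_:"
CRYPT_MARK = "{CRYPT}"

# Constructed sample in the Karaf users.properties format. The sl_* role
# assignments are illustrative, not Talend's shipped defaults.
SAMPLE = """\
# default Karaf/Talend Runtime users (constructed sample)
karaf = karaf,_g_:admingroup
tesb = tesb,_g_:admingroup,sl_maintain
tadmin = tadmin,_g_:admingroup,sl_admin
test = test
_g_\\:admingroup = group,admin,manager,viewer,systembundles
"""


def parse_users_properties(text):
    """Parse Karaf's users.properties.

    Returns (users, groups): users maps name -> (password, [roles or _g_:group refs]);
    groups maps group name -> [roles]. Group keys are stored with the colon
    escaped (_g_\\:name), which a Java Properties reader unescapes.
    """
    users, groups = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key = key.strip().replace("\\:", ":")
        fields = [f.strip() for f in value.split(",") if f.strip()]
        if key.startswith(GROUP_PREFIX):
            # "_g_\:name = group,role1,role2": the first field is the literal
            # type marker "group", not a role.
            if not fields or fields[0] != "group":
                raise ValueError(f"malformed group definition: {raw!r}")
            groups[key[len(GROUP_PREFIX):]] = fields[1:]
        else:
            if not fields:
                raise ValueError(f"user without password: {raw!r}")
            users[key] = (fields[0], fields[1:])
    return users, groups


def to_syncope_plan(users, groups):
    """Apply the mapping rules: Karaf user -> Syncope user, Karaf role -> Syncope
    group, Karaf group -> nothing (its roles are flattened onto each member).

    Returns (sorted list of Syncope groups to create, {user: sorted memberships}).
    """
    syncope_groups = set()
    memberships = {}
    for name, (_password, refs) in users.items():
        roles = set()
        for ref in refs:
            if ref.startswith(GROUP_PREFIX):
                gname = ref[len(GROUP_PREFIX):]
                if gname not in groups:
                    raise ValueError(f"user {name!r} references undefined group {gname!r}")
                roles.update(groups[gname])
            else:
                roles.add(ref)
        memberships[name] = sorted(roles)
        syncope_groups.update(roles)
    return sorted(syncope_groups), memberships


def clear_text_passwords(users):
    """Users whose password is not wrapped in {CRYPT}...{CRYPT}, i.e. stored in clear."""
    return sorted(
        name for name, (pw, _refs) in users.items()
        if not (pw.startswith(CRYPT_MARK) and pw.endswith(CRYPT_MARK))
    )


if __name__ == "__main__":
    users, groups = parse_users_properties(SAMPLE)
    to_create, memberships = to_syncope_plan(users, groups)
    print("Syncope groups to create:", ", ".join(to_create))
    for user, member_of in memberships.items():
        print(f"user {user}: {', '.join(member_of) or 'no group'}")
    print("users with clear-text passwords (set new ones in Syncope):",
          ", ".join(clear_text_passwords(users)))
```

Run it against a copy of your own container's file instead of SAMPLE to get the exact group list for step 6 and the membership of each user for step 8. Passwords are deliberately not carried over: each user gets a new password in Syncope, which is the point of the migration.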

  6. On the GROUP tab, create the following groups:

    • admin
    • group
    • manager
    • sl_admin
    • sl_maintain
    • systembundles
    • viewer



  7. On the User tab, create the following users:

    • karaf
    • tadmin
    • tesb
    • test (additional user for test purpose)



  8. Every user must have a password. In the default Karaf configuration each password equals the user name; if you choose different passwords, also update the tadmin password in TAC (Runtime Server Password), because TAC uses the tadmin user for deployment. The user-to-group assignments are:

    • all groups listed except sl_maintain and sl_admin

    • all groups listed except sl_admin

    • all groups listed except sl_maintain

    • no group

Karaf Configuration


  1. Copy the Blueprint descriptor (syncopeLoginModule.xml) into the %container%/deploy folder of your runtime container. The descriptor is shown below; the address, version and admin.* options must match your Talend IAM installation (the values shown assume Syncope 2.x reachable on iam_host:9080 and the default administrator credentials):

    <?xml version="1.0" encoding="UTF-8"?>
    <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0" xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.1.0">
        <jaas:config name="karaf" rank="2">
            <jaas:module className="org.apache.karaf.jaas.modules.syncope.SyncopeLoginModule" flags="required">
                address=http://iam_host:9080/syncope/rest
                admin.user=admin
                admin.password=password
                version=2
            </jaas:module>
        </jaas:config>
        <service interface="org.apache.karaf.jaas.modules.BackingEngineFactory">
            <bean class="org.apache.karaf.jaas.modules.syncope.SyncopeBackingEngineFactory"/>
        </service>
    </blueprint>

    This file registers the Syncope login module in the Karaf container. Because the realm is named karaf and has rank="2", it takes precedence over the built-in properties-file realm of lower rank for every Karaf login (SSH, web console, and the ESB services), and with flags="required" a wrong Syncope address makes all logins fail until the file is removed from deploy again. The deploy folder is loaded dynamically, so no container restart is required. The descriptor holds the Syncope administrator credentials in clear text; restrict its file permissions to the account that runs the container.


  2. To verify the configuration, connect in SSH to the container:

    • ssh karaf@runtime_server -p runtime_port

    • Password: the one configured in Syncope for the Karaf user

    • Run jaas:realm-list to verify the login module used



ESB Service Configuration


  1. From Studio, create an ESB service (REST or SOAP) and, in the cREST/cSOAP component, enable the Use Authentication setting with the value HTTP BASIC. This option turns on authentication; in this example Syncope performs it. HTTP Basic sends the credentials base64-encoded (not encrypted) with every request, so publish the endpoint over HTTPS.

  2. Publish the ESB Service:


    Note: The same configuration works with a Job, or a Data Service using a tRestRequest component.


  3. Deploy the ESB service to the ESB Runtime and call it, for example by opening its URL in a browser. The browser prompts for credentials. Any user created in the Syncope console can log in; the user does not need to belong to a specific Syncope group.


For more information about Syncope, see the Apache Syncope Documentation page.

Version history
Revision #: 12 of 12
Last update: 04-13-2019 12:35 PM