How to configure SSL-enabled Git or SVN with TAC and Studio

Introduction

There are two ways to configure SSL-enabled Git or SVN with TAC and Studio: import the custom certificate into the Java cacerts file, or create (or reuse) a dedicated keystore file and point Java at it.


Talend Administrator Console

Using a custom certificate

  1. Import the custom certificate into the cacerts file in $JAVA_HOME/jre/lib/security using the following command (run it from that directory, since -keystore cacerts is a relative path):

    keytool -import -trustcacerts -alias mycert -file mycompany.crt -keystore cacerts
  2. Start Talend Administrator Console and configure SVN/Git.


Creating a new keystore file

  1. Create the new keystore file using the following command; keytool prompts you for the required key information:

    keytool -genkey -alias mydomain -keyalg RSA -keystore KeyStore.jks -keysize 2048
  2. Import the certificate to that keystore using the following command:

    keytool -import -trustcacerts -alias mydomain -file mycompany.crt -keystore KeyStore.jks
  3. Edit the TAC_home/bin/setenv.sh file (setenv.bat on Windows) and add the following Java flags to the JAVA_OPTS variable:

    -Djavax.net.ssl.trustStore=complete path to truststore file
    -Djavax.net.ssl.trustStorePassword=password
  4. Start Talend Administrator Console and configure SVN/Git.


Studio

Using a custom certificate

  1. Import the custom certificate into the cacerts file in $JAVA_HOME/jre/lib/security of the Studio Java installation using the following command (run it from that directory):

    keytool -import -trustcacerts -alias mycert -file mycompany.crt -keystore cacerts
  2. Alternatively, copy the cacerts file from the TAC server and replace the one in the Studio Java directory with it.


Using the newly-created keystore file

  1. Copy the keystore file from the TAC server and paste it into any directory of the Studio machine.
  2. Edit the Studio_home/Talend-Studio-win-x86_64.ini file and add the following Java flags:

    -Djavax.net.ssl.trustStore=complete path to truststore file
    -Djavax.net.ssl.trustStorePassword=password

Note:

  • If the server certificate is part of a certificate chain, the whole chain (the root CA certificate, every intermediate CA certificate and the server certificate) should be imported into the truststore file.
  • If the certificate changes often, it's not feasible to follow these steps in Studio, as there will be multiple developers doing the same actions. In that case, keep the keystore file in a shared directory (which should be accessible from all Studio machines) and set the preceding Java flags. If the certificate changes, an administrator must copy the keystore file to the shared location, and individual copies of Studio must be restarted (assuming there were no changes in the keystore file name and password).
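The chain requirement in the note above, as an added example that is not from the original article: a POSIX shell script that splits a PEM bundle (a constructed one here, with placeholder bodies) into single certificates and imports each one under its own alias into the truststore referenced by the Java flags; the keytool invocation, the file paths and the alias prefix are assumptions.

```shell
# Added example, not part of the original article: import a whole certificate
# chain (root, intermediate, server) into the truststore named by the
# -Djavax.net.ssl.trustStore flag. keytool -import stores only the first
# certificate of a multi-certificate PEM file, so the bundle is split first.

# split_chain BUNDLE OUTDIR: writes OUTDIR/cert-1.pem, cert-2.pem, ... and
# prints how many certificates the bundle contained.
split_chain() {
    bundle="$1"; outdir="$2"; n=0; out=""
    mkdir -p "$outdir"
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$line" = "-----BEGIN CERTIFICATE-----" ]; then
            n=$((n + 1)); out="$outdir/cert-$n.pem"; : > "$out"
        fi
        [ -n "$out" ] && printf '%s\n' "$line" >> "$out"
        [ "$line" = "-----END CERTIFICATE-----" ] && out=""
    done < "$bundle"
    echo "$n"
}

# import_chain BUNDLE TRUSTSTORE PASSWORD [ALIAS_PREFIX]: imports every
# certificate under its own alias (PREFIX-1, PREFIX-2, ...) and lists them.
# Assumes the JDK keytool is on PATH; the demo below does not call it.
import_chain() {
    bundle="$1"; store="$2"; pass="$3"; prefix="${4:-mycompany}"
    work=$(mktemp -d)
    count=$(split_chain "$bundle" "$work"); i=1
    while [ "$i" -le "$count" ]; do
        keytool -import -noprompt -trustcacerts -alias "$prefix-$i" \
            -file "$work/cert-$i.pem" -keystore "$store" -storepass "$pass" || return 1
        i=$((i + 1))
    done
    rm -rf "$work"
    keytool -list -keystore "$store" -storepass "$pass" | grep "$prefix-"
}
# Demo on a constructed bundle (placeholder bodies, not real certificates).
DEMO=$(mktemp -d)
cat > "$DEMO/chain.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
CONSTRUCTED-ROOT-CA-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-INTERMEDIATE-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-SERVER-PLACEHOLDER
-----END CERTIFICATE-----
EOF
echo "certificates found: $(split_chain "$DEMO/chain.pem" "$DEMO/split")"
```

With a real bundle, `import_chain chain.pem KeyStore.jks password` adds the three entries that the -Djavax.net.ssl.trustStore flag then makes available to TAC or Studio.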
Version history
Revision #: 4 of 4
Last update: 04-11-2018 12:43 AM
Comments
psmith

I think when we mention 'custom certificate' here, we are really saying 'any certificate that is not trusted by a public certificate authority (CA)'.


To be trusted by a public CA, the server that wants to be trusted has to be reachable by the CA -- that is, the server has to be public.


So, private/corporate servers cannot, in general, use 'trusted certificates' -- the kind that browsers and Studio and TAC/servers and other tools automatically connect to without warning or error (because these tools can properly 'certify' the certificates associated with these servers).


If using Github.com or Bitbucket.com or Gitlab.com, for instance, these are public servers, so they are trusted by a well-known public Certificate Authority. You can see the certificate, export it, etc., by clicking the lock icon in your browser's 'Location' bar. When Studio or TAC or any program connects to these servers, they can 'certify' the SSL certificate attached to these servers without problem.


So when we say 'custom certificate' above, we are talking about the probably-self-signed SSL certificate that was generated for and is being used by your Git server (e.g. https://mycompany.github.com, https://bitbucket.mycorp.com, etc.). These certificates are not trusted by a public well-known CA, so we have to do one of two things to allow your TAC/Studio to connect to your git server:

  1. Download the self-signed certificate and import it (and any/all intermediate certificates) into your Java truststore (described above), or
  2. Turn off the git 'http.sslVerify' flag

To get your git server's certificate, you can ask the sysadmin-type person who set it up, or export it using openssl (the method might look slightly different for Windows).