Learned By Doing: How to Configure Talend MDM for SSL + LDAPS authentication

Overview

When connecting to MDM, you may want to configure it to use SSL to encrypt and secure the traffic going back and forth from the MDM Webserver. Likewise, if you are using LDAP as authentication for your users, you may want to use the LDAPS protocol to ensure that connection is secured as well.

Environment

This article is based on the following environment:

  • One Virtual Machine containing Windows Server 2012 R2
  • ApacheDS 2.x and Apache Directory Studio installed for our LDAP with an Administrator user added
  • Java Development Kit 1.8 installed
  • Talend MDM Server installed

Securing Talend MDM Web Server

  1. Generate your keystore for use with MDM Web Server by running the following command:

    keytool -genkey -alias user -keyalg RSA -keystore c:\talend\mdmkeystore

    Enter the certificate details and the keystore password when prompted.

    Note: Ensure the Java/bin folder has been added to your path, or execute these commands from the $JAVA_HOME/bin/ directory. Also be aware that the Java/bin folder sometimes does not have permissions that allow LDAP or MDM to access it, so consider moving the generated keystore files to a different directory or making sure the permissions on that directory are correct.

  2. Add the keystore to the Apache Tomcat connection configurations in MDM_HOME/apache-tomcat/conf/server.xml.

    <!-- ... -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="c:\talend\mdmkeystore"
               keystorePass="123123" />
    <!-- ... -->
  3. Save the file and start (or restart) the MDM Server.

Testing SSL on MDM Web Server

Navigate to the MDM URL using the SSL port to verify you have an SSL connection.

[Screenshot: https.png]

Configuring LDAP Authentication

Configure authentication of your user through the standard LDAP first, to ensure there are no issues before configuring SSL through LDAPS. This article assumes you have added a user like the one below to your Directory Server.

[Screenshot: ldapuser.PNG]

  1. Make a backup copy of the $INSTALLDIR\conf\jaas_ldap.conf file, where INSTALLDIR indicates your Talend MDM installation directory.
  2. Open the file, then make the changes required for the LDAP authentication.

    MDM {  
      com.amalto.core.server.security.jaas.LDAPLoginModule required
      java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
      java.naming.security.authentication="simple"
      java.naming.provider.url="ldap://localhost:10389"
      LdapDirect=true
      principalDNPrefix="uid="
      principalDNSuffix=",ou=Users,dc=example,dc=com";
    };
    
    TDSC {
      com.amalto.core.server.security.jaas.LDAPLoginModule sufficient
      useFirstPass=false
      java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
      java.naming.security.authentication="simple"
      java.naming.provider.url="ldap://localhost:10389"
      LdapDirect=false
      LdapAdminDN="uid=admin,ou=system"
      LdapAdminPassword=secret
      searchBase="ou=Users,dc=example,dc=com"
      searchFilter="(&(objectClass=*)(cn={0}))";
    };
  3. After the configuration is done, save the jaas_ldap.conf file and rename it to jaas.conf.
  4. Restart the Talend MDM Server for the configuration to take effect.
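The searchFilter line in the TDSC block above substitutes the login name for {0}. This added example (mine, not Talend's or the LDAPLoginModule's code) checks a filter template against the RFC 4515 grammar, so a stray & or an unbalanced parenthesis is caught before the module ever sends it, and escapes the substituted login name so characters such as ) or * cannot alter the filter's structure. It assumes the login module inserts the name as a literal string, which the page does not state.

```python
import re

# Added example, not Talend's code: checks a jaas.conf searchFilter template and
# escapes the login name put in for {0}; assumes the module inserts it literally.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}  # RFC 4515 s.3
_SIMPLE_ITEM = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*(?:~=|>=|<=|=)[^()]*")  # attr op value

def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of the filter it is placed in."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def is_well_formed_filter(flt: str) -> bool:
    """Recursive-descent check of the RFC 4515 grammar: and, or, not and simple items."""
    pos = 0
    def item() -> bool:
        nonlocal pos
        if pos >= len(flt) or flt[pos] != "(":
            return False
        pos += 1
        if pos < len(flt) and flt[pos] in "&|":  # (&...) / (|...): one or more nested items
            pos += 1
            count = 0
            while pos < len(flt) and flt[pos] == "(":
                if not item():
                    return False
                count += 1
            if count == 0:
                return False
        elif pos < len(flt) and flt[pos] == "!":  # (!...): exactly one nested item
            pos += 1
            if not item():
                return False
        else:
            m = _SIMPLE_ITEM.match(flt, pos)
            if not m:
                return False
            pos = m.end()
        if pos < len(flt) and flt[pos] == ")":
            pos += 1
            return True
        return False  # stray '&', unescaped ')' in a value, or unbalanced parentheses
    return item() and pos == len(flt)

def build_search_filter(template: str, login_name: str) -> str:
    """Fill the {0} placeholder with an escaped login name; reject a malformed template."""
    if not is_well_formed_filter(template):
        raise ValueError("malformed searchFilter template: " + template)
    return template.replace("{0}", escape_filter_value(login_name))

# Constructed samples: a template with a stray '&' beside the correct one.
BAD_FILTER = "(&(objectClass=*)&(cn={0}))"
GOOD_FILTER = "(&(objectClass=*)(cn={0}))"
```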

Testing LDAP Authentication

Log in using the password of your administrator user. Make sure that password differs from the MDM default, so that a successful login proves the authentication went through LDAP.

Configuring LDAPS Authentication

  1. For LDAPS, go back to your jaas.conf file and change the protocol and port:

    MDM {  
      com.amalto.core.server.security.jaas.LDAPLoginModule required
      java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
      java.naming.security.authentication="simple"
      java.naming.provider.url="ldaps://localhost:10636"
      LdapDirect=true
      principalDNPrefix="uid="
      principalDNSuffix=",ou=Users,dc=example,dc=com";
    };
    
    TDSC {
      com.amalto.core.server.security.jaas.LDAPLoginModule sufficient
      useFirstPass=false
      java.naming.factory.initial="com.sun.jndi.ldap.LdapCtxFactory"
      java.naming.security.authentication="simple"
      java.naming.provider.url="ldap://localhost:10389"
      LdapDirect=false
      LdapAdminDN="uid=admin,ou=system"
      LdapAdminPassword=secret
      searchBase="ou=Users,dc=example,dc=com"
      searchFilter="(&(objectClass=*)(cn={0}))";
    };

  2. Generate your LDAP keystore, LDAP cert, and MDM keystore.

    Note: Ensure the Java/bin folder has been added to your path, or execute these commands from the $JAVA_HOME/bin/ directory. Also be aware that the Java/bin folder sometimes does not have permissions that allow LDAP or MDM to access it, so consider moving the generated keystore files to a different directory or making sure the permissions on that directory are correct.

    keytool -genkey -keyalg RSA -alias ldap_cert -dname "cn=administrator" -keystore ldap_server.jks
    keytool -export -keystore ldap_server.jks -alias ldap_cert -file ldap_server.cert
    keytool -import -file ldap_server.cert -alias ldap_cert -keystore mdm_trusted.jks -storepass 123123
    keytool -genkey -keyalg RSA -alias mdm_cert -dname "cn=administrator" -keystore mdm_server.jks
  3. Edit MDM_HOME/apache-tomcat/bin/setenv.bat (the Windows batch file shown below; on Linux the equivalent file is setenv.sh) so the JVM uses the generated keystore and truststore.

    @echo off
    set "CATALINA_OPTS=%CATALINA_OPTS% -Xms512m -Xmx1024m -XX:MaxPermSize=256m -Djavax.net.ssl.trustStore=C:/talend/mdm_trusted.jks -Djavax.net.ssl.trustStorePassword=123123 -Djavax.net.ssl.keyStore=C:/talend/mdm_server.jks -Djavax.net.ssl.keyStorePassword=123123"
  4. Configure the Directory Server to use the generated keystore.

    [Screenshot: apacheds.PNG]

Testing LDAPS Authentication

Restart the MDM Webserver and your Directory Server, and try logging in with the administrator user. If the configurations are successful, you should now be logged in through SSL+LDAPS.

[Screenshot: loggedin.PNG]

Configuring Studio to use SSL authentication

Depending on your version of Talend, there are two ways to configure Studio to use SSL.

Talend 6.3 and higher

In recent versions of Talend, there is an SSL configuration in the Studio preferences from which you can select your keystore and truststore:

[Screenshot: LBD2.PNG]

Talend 6.2 and lower

You can pass the parameters to the JVM through the Studio .ini file (for example, $Studio_Directory/Talend-Studio-linux-gtk-x86_64.ini):

-Djavax.net.ssl.trustStore=/opt/Talend/611/mdm/mdm_server.jks
-Djavax.net.ssl.trustStorePassword=changeit
-Djavax.net.ssl.keyStore=/opt/Talend/611/mdm/mdm_server.jks
-Djavax.net.ssl.keyStorePassword=changeit

Testing Studio SSL Authentication

Once you have restarted Studio, go to the MDM perspective and on the server browser, edit your MDM Server to use the proper port, and change HTTP to HTTPS. Then check your connection to make sure it can communicate.

[Screenshot: LBD.PNG]

What if it doesn't work?

If there are connection issues, you can add this JVM parameter to CATALINA_OPTS in your setenv.sh (setenv.bat on Windows); it turns on verbose logging specifically for the SSL classes:

-Djavax.net.debug=ssl

If you feel the issue is not with SSL, you can use this parameter to see everything:

-Djavax.net.debug=all

Version history: revision 11 of 11, last updated 11-14-2017 02:56 PM.