How to configure Talend Services to use SSL

The following Talend services can be configured to use SSL:

  1. Talend ESB
  2. Job server
  3. Nexus
  4. TAC

 

Talend ESB/Karaf runtime

Talend Runtime supports HTTP and HTTPS by default through the Pax Web component. HTTP/HTTPS configuration for Talend Runtime is done in the org.ops4j.pax.web.cfg configuration file, located at TalendRuntimePath/container/etc/org.ops4j.pax.web.cfg.

 

To encrypt communication and secure the identification of a server, you can use the HTTPS protocol. HTTPS is based on SSL, which supports the encryption of messages sent via HTTP. To secure communication, HTTPS uses key pairs containing one public key and one private key. Data is encrypted with one key and can only be decrypted with the other key of the key pair. This establishes trust and privacy in message transfers.

 

For more information about the How-to steps, refer to SSL configuration.

 

Job Server

The execution servers allow you to execute the Jobs (processes) developed with Talend Studio from the TAC Web application. The JobServer application provided by Talend allows you to choose a different JVM than the one used by default to launch your Jobs. Talend offers a Job server secured via SSL.

 

Generate a keystore, then point the Job server configuration at the location of the new keystore. For more information about the How-to steps, refer to Installing and configuring JobServers.

 

Nexus

Nexus is installed outside the Talend Runtime container and can be configured to serve via SSL. Providing access to the Nexus user interface and content via HTTPS only is a recommended best practice for any deployment.

 

The recommended approach to implementation is to proxy Nexus behind a server that is configured to serve content via SSL and leave Nexus configured for http. The advantage of this approach is that Nexus can easily be upgraded and there is no need to work with the JVM truststore. In addition, you can use the expertise of your system administrators and the preferred server for achieving the proxying, which in most cases will already be in place for other systems.

 

Alternatively, if you would like to avoid the extra work of putting a web server like Apache httpd in front of Nexus, the Jetty instance that is part of the default Nexus install can be configured to serve SSL content directly. To configure Nexus to serve SSL directly to clients, perform the following steps:

  1. Add the file jetty-https.xml to the Jetty startup configuration in wrapper.conf.
  2. Define the port you want to use for the HTTPS connection by setting the application-port-ssl property in nexus.properties, for example application-port-ssl=8443.

For more details, refer to http://books.sonatype.com/nexus-book/reference/ssl-sect-ssl-direct.html

 

Kibana and TAC

Talend Administration Center and Kibana are Web applications. Kibana and TAC are installed outside the Talend Runtime container. They can be deployed on any Web server such as Tomcat or JBoss. First, the Web server needs to be SSL enabled. Then the deployed applications (Kibana and TAC) can also be accessed over SSL. To install and configure SSL support on Tomcat, you need to install the SSL keystore file and configure Tomcat.

 

Install SSL keystore file

  1. Generate a self-signed keystore file.

    Sample keytool command to create a 2048-bit RSA key pair under the alias "talend" in a keystore file named "talendKey", for the domain "talend.com":

    keytool -genkey -alias talend -keyalg RSA -keysize 2048 -keystore talendKey

    keytool then prompts for the keystore password and the key information (the distinguished name, with the domain name as the CN) and generates the key pair.

  2. Generate and install a browser certificate file.

    To import the above certificate into the client browser (IE and Chrome), first export the .cer file from the keystore created above:

    keytool -export -keystore talendKey -alias talend -file c:\tmp\talend.cer
    Enter keystore password:
    Certificate stored in file c:\tmp\talend.cer

  3. To avoid further warnings in the browser (IE and/or Chrome), install the above certificate onto the client machine as follows:
    1. Open the Internet Options dialog in IE.
    2. Select the Content tab.
    3. Click the Certificates button.

    Import the .cer file created above into the Trusted Root Certification Authorities section.

 

Tomcat Configuration

  1. Shut down Tomcat.
  2. Navigate to the Tomcat conf sub-folder.
  3. Edit the server.xml file.
  4. Locate and uncomment the SSL-enabled HTTP connector (it is commented out by default).
  5. Modify the connector configuration as follows (keystorePass is the keystore password entered during key generation):
    <Connector port="8080" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="full path to keystore file from above"
               keystorePass="talend"/>
  6. Remove or disable the tcnative-1.dll DLL in the Tomcat bin folder (move it to an archive directory, or rename it if you are unsure, e.g. to tcnative-1.dll.DISABLED). With the native (APR) library present, Tomcat's SSL connector is driven by OpenSSL and expects PEM certificate files rather than the keystoreFile/keystorePass attributes above.
  7. Restart Tomcat, and check that the https protocol is supported by navigating to the base Tomcat landing page over HTTPS.
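Two checks for the keystore export (step 2 above) and the Tomcat connector procedure (steps 5 to 7), as an added example that is not part of the original article or of Talend's own tooling: audit_connector() parses a server.xml fragment and reports attributes that are missing or risky on the SSL-enabled connector, and served_cert_matches_export() confirms that the certificate Tomcat actually presents is the .cer file exported with keytool, so the certificate trusted in the browser is the one in use. The keystore path in the embedded sample is a placeholder and the sample itself is constructed.

```python
import hashlib
import ssl
import xml.etree.ElementTree as ET

# Constructed sample: the HTTPS connector from the procedure above, as it would
# appear in server.xml once uncommented. The keystore path is a placeholder.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="/path/to/talendKey" keystorePass="talend"/>
</Service></Server>"""

# Attribute values the procedure requires on the SSL-enabled connector.
REQUIRED = {"SSLEnabled": "true", "scheme": "https", "secure": "true"}

def audit_connector(server_xml):
    """Return findings for every SSL-enabled <Connector>; an empty list means clean."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        attrs = conn.attrib
        if attrs.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, out of scope
        port = attrs.get("port", "?")
        for key, want in REQUIRED.items():
            if attrs.get(key, "").lower() != want:
                findings.append(f'port {port}: {key} must be "{want}"')
        if not attrs.get("keystoreFile"):
            findings.append(f"port {port}: keystoreFile is not set")
        if attrs.get("keystorePass"):
            findings.append(f"port {port}: keystorePass is in clear text, restrict read access to server.xml")
        if attrs.get("sslProtocol", "").upper() == "TLS" and "sslEnabledProtocols" not in attrs:
            findings.append(f"port {port}: sslProtocol=TLS leaves protocol choice to the JVM, set sslEnabledProtocols")
    return findings

def fingerprints_match(exported_der, served_pem):
    """True if the DER .cer from `keytool -export` is the certificate the server presented (PEM)."""
    served_der = ssl.PEM_cert_to_DER_cert(served_pem)
    return hashlib.sha256(exported_der).digest() == hashlib.sha256(served_der).digest()

def served_cert_matches_export(cer_path, host, port):
    """Step 7 check: compare what Tomcat serves on host:port with the .cer file from step 2."""
    with open(cer_path, "rb") as fh:
        exported_der = fh.read()
    served_pem = ssl.get_server_certificate((host, port))  # fetches the peer certificate, no trust decision
    return fingerprints_match(exported_der, served_pem)
```

Run served_cert_matches_export("c:\\tmp\\talend.cer", "localhost", 8080) after the restart in step 7; a False result means Tomcat is serving a different certificate than the one installed on the clients.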

 

Known Limitations

    • Logserver: Logserver cannot currently be configured to use SSL, but it may be possible to enable SSL via a proxy server.

 

Bookshelf references

http://team.ops4j.org/wiki/display/paxweb/Documentation

http://books.sonatype.com/nexus-book/reference/ssl-sect-ssl-direct.html

Version history
Revision #: 16 of 16
Last update: 05-17-2017 01:09 AM

Comments
AdrienAustralia
Regarding the known limitations of Logserv,
I would say Logserv can be served with SSL natively with a specific license (from ELK). Otherwise, a reverse proxy is the best free option.