Configuring SSL transport and authentication
This document introduces how to configure SSL transport and authentication for Talend JobServer and Talend Administration Center with the installation of the Talend JobServer and Talend Administration Center patches delivered with TPS-2307.
Backward compatibility: Any old configuration for Talend Administration Center / Talend JobServer should work after the patch. No SSL is used in this case for the JMX monitoring server / client.
Talend JobServer configuration for using SSL for the JMX monitoring server
The JMX based monitoring server is started together with the Talend JobServer using <jobserver_home>/start_rs.sh. Its configuration is in <jobserver_home>/conf/TalendJobServer.properties. To configure SSL for the monitoring server, you need to add the following configuration parameters (the default settings are commented out):
# Set to true to enforce SSL for JMX monitoring server
org.talend.jmxmp.useSSL=true
# Set to true to enforce certificate based client authentication for JMX monitoring server
org.talend.jmxmp.ssl.authenticate=true
org.talend.jmxmp.ssl.keyStore=<path_to_monitoring_server_keystore>
org.talend.jmxmp.ssl.keyStorePassword=<monitoring_server_keystore_password>
#org.talend.jmxmp.ssl.keyStoreType=JKS
org.talend.jmxmp.ssl.trustStore=<path_to_monitoring_server_truststore>
org.talend.jmxmp.ssl.trustStorePassword=<monitoring_server_truststore_password>
#org.talend.jmxmp.ssl.trustStoreType=JKS
#org.talend.jmxmp.ssl.enabled.protocols=TLSv1
#org.talend.jmxmp.ssl.enabled.cipher.suites=SSL_RSA_WITH_NULL_MD5
A list of valid ciphers may be found in Disabling some SSL ciphers (optional). The default value is SSL_RSA_WITH_NULL_MD5. Protocol defaults to TLSv1. Alternatively you may specify TLSv1.1 or TLSv1.2.
Be aware that SSL_RSA_WITH_NULL_MD5 is a NULL-encryption suite: it authenticates the monitoring server and protects message integrity, but the monitoring traffic itself is sent unencrypted, and TLSv1 is a deprecated protocol version. For production, set org.talend.jmxmp.ssl.enabled.protocols=TLSv1.2 explicitly and set org.talend.jmxmp.ssl.enabled.cipher.suites to a non-NULL suite supported by your JRE.
The truststore is only needed for certificate based client authentication for the JMX monitoring server. It must correspond to the keystore specified in the monitoring client. If org.talend.jmxmp.ssl.authenticate=true, the truststore is mandatory. Otherwise the Talend Administration Center client cannot be authenticated.
The keystore defined here is mandatory for SSL and must correspond to the truststore specified in the monitoring client. You may use the same truststore and keystore in the monitoring server and the client, but this is not recommended for production environments.
Note that <jobserver_home>/start_jconsole.sh does not work with SSL, because JConsole cannot remotely connect using SSL via the jmxmp protocol. But you can connect inside JConsole to the local JobServer process which provides the same information / MBeans.
Talend Administration Center configuration for using SSL for the JMX monitoring client
The jmx monitoring client used by Talend Administration Center is configured in <tac_home>/apache-tomcat/webapps/org.talend.administrator/WEB-INF/classes/monitoring_jmx_ssl.properties. This configuration contains the following parameters (the default settings are commented out):
# Set to true to enforce SSL for JMX monitoring client
org.talend.jmxmp.useSSL=true
org.talend.jmxmp.ssl.keyStore=<path_to_monitoring_client_keystore>
org.talend.jmxmp.ssl.keyStorePassword=<monitoring_client_keystore_password>
#org.talend.jmxmp.ssl.keyStoreType=JKS
org.talend.jmxmp.ssl.trustStore=<path_to_monitoring_client_truststore>
org.talend.jmxmp.ssl.trustStorePassword=<monitoring_client_truststore_password>
#org.talend.jmxmp.ssl.trustStoreType=JKS
#org.talend.jmxmp.ssl.enabled.protocols=TLSv1
#org.talend.jmxmp.ssl.enabled.cipher.suites=SSL_RSA_WITH_NULL_MD5
It is very similar to the configuration on the server side. The keystore is only used if certificate based client authentication is configured for the JMX monitoring server. In this case the keystore is mandatory. Otherwise the client cannot be authenticated.
The truststore must correspond to the keystore on the server side and the keystore needs to correspond to the truststore on the server side (if needed). If the truststore is undefined, the client trusts any monitoring server: the server's certificate is not verified, so a host that can intercept the connection can impersonate the JobServer. Leave the truststore undefined only in test setups.
Enabling SSL for Talend JobServer Command Port and File Port
The UI switches in Talend Administration Center / Talend Studio that activate SSL are unchanged.
The properties that activate SSL and restrict cipher suites in jobserver/agent/conf/TalendJobServer.properties are also unchanged, to preserve backward compatibility:
- SSL (Secure Sockets Layer) is used for establishing an encrypted link between the JobServer and its clients.
  org.talend.remote.jobserver.server.TalendJobServer.USE_SSL=true
- SSL cipher suites to disable (Java standard cipher suite names separated by a comma ','). If not set, all the supported ciphers will be enabled.
  org.talend.remote.jobserver.server.TalendJobServer.DISABLED_CIPHER_SUITES=
Server SSL configuration for Talend JobServer
The file jobserver/agent/conf/TalendJobServer.properties now supports additional properties to specify keystore + truststore for JobServer command port and file port.
org.talend.remote.server.ssl.keyStore=path_to_jobserver_keystore
org.talend.remote.server.ssl.keyStorePassword=jobserver_keystore_password
org.talend.remote.server.ssl.trustStore=path_to_jobserver_truststore
org.talend.remote.server.ssl.trustStorePassword=jobserver_truststore_password
org.talend.remote.server.ssl.enabled.protocols=jobserver_enabled_protocols (comma separated list)
org.talend.remote.server.ssl.authenticate=true or false
The keystore must correspond to the client truststore (if one is specified there), and the truststore is used for certificate based client authentication.
If the property org.talend.remote.server.ssl.authenticate in jobserver/agent/conf/TalendJobServer.properties is set to true, the JobServer client (Talend Administration Center / Talend Studio) has to define a keystore corresponding to the JobServer truststore.
Client SSL configuration for Talend JobServer
Both JobServer clients (Talend Administration Center / Talend Studio) support new system properties specifying client keystore + truststore.
For Talend Studio we recommend specifying these system properties in studio/Talend-Studio-linux-gtk-x86_64.ini:
-Dorg.talend.remote.client.ssl.keyStore=path_to_jobserver_client_keystore
-Dorg.talend.remote.client.ssl.keyStorePassword=jobserver_client_keystore_password
-Dorg.talend.remote.client.ssl.trustStore=path_to_jobserver_client_truststore
-Dorg.talend.remote.client.ssl.trustStorePassword=jobserver_client_truststore_password
-Dorg.talend.remote.client.ssl.enabled.protocols=jobserver_client_enabled_protocols (comma separated list)
For Talend Administration Center you can use tac/apache-tomcat/bin/setenv.sh to extend the JAVA_OPTS specification:
export JAVA_OPTS="$JAVA_OPTS -Xmx2048m -Dfile.encoding=UTF-8 -Dorg.talend.remote.client.ssl.keyStore=..."
The client keystore is used for certificate based client authentication and must correspond to the truststore configured at server side.
But if org.talend.remote.server.ssl.authenticate=false in jobserver/agent/conf/TalendJobServer.properties, certificate based client authentication is switched off and the client keystore has no effect.
The client truststore must correspond to the keystore configured at server side. If there is no truststore specified at client side, the client trusts every server, i.e. the JobServer's identity is not verified and the connection can be intercepted by any host the client is pointed at. Outside test setups, always configure a client truststore holding the JobServer certificate.
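The pairing rules on this page (server keystore matched by the client truststore, a server truststore plus a client keystore only when authenticate=true, the documented TLSv1 / SSL_RSA_WITH_NULL_MD5 defaults of the JMX monitoring layer, and the "no truststore means trust any server" behaviour of both clients) can be checked offline before anything is restarted. The script below is an added example and is not part of the TPS-2307 patch or of the Talend product: it parses TalendJobServer.properties, monitoring_jmx_ssl.properties and the -D options of setenv.sh or the Studio .ini, then reports mismatches for the JMX monitoring layer and the command/file port layer. The property names are the ones documented above; the file contents, paths and passwords are constructed samples, and the replacement suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is an assumption whose availability in the JMXMP connector depends on the JRE in use.

```python
"""Offline check of the JobServer/TAC SSL pairing rules stated on this page.
Added example, not Talend code. Inputs are constructed samples; the hardened
cipher suite is an assumption whose availability depends on the JRE."""
import re

NULL_SUITES = {"SSL_RSA_WITH_NULL_MD5", "SSL_RSA_WITH_NULL_SHA"}  # integrity only, no encryption
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_properties(text):
    """Minimal Java .properties reader ('#'/'!' comments, key=value or key:value)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def parse_jvm_options(text):
    """Collect -Dkey=value pairs from a Studio .ini or a setenv.sh JAVA_OPTS line."""
    return {k: v.strip('"') for k, v in re.findall(r"-D([\w.]+)=(\S+)", text)}


def is_true(props, key):
    return props.get(key, "false").strip().lower() == "true"


def check_layer(name, server, client, srv, cli, ssl_key, client_ssl_key, auth_key,
                keystore_required, defaults):
    """Apply the keystore/truststore pairing rules to one server/client pair.
    srv and cli are the property prefixes of keyStore/trustStore/enabled.* on each side."""
    findings = []
    if not is_true(server, ssl_key):
        return findings  # layer runs in plain text, nothing to pair
    if client_ssl_key and not is_true(client, client_ssl_key):
        findings.append(f"{name}: server enforces SSL but client {client_ssl_key} is not true")
    if keystore_required and not server.get(srv + "keyStore"):
        findings.append(f"{name}: {srv}keyStore is mandatory for SSL")
    if not client.get(cli + "trustStore"):
        findings.append(f"{name}: client has no truststore, so it trusts any server (no identity check)")
    if is_true(server, auth_key):  # certificate based client authentication
        if not server.get(srv + "trustStore"):
            findings.append(f"{name}: {auth_key}=true but server has no truststore; clients cannot be authenticated")
        if not client.get(cli + "keyStore"):
            findings.append(f"{name}: {auth_key}=true but client has no keystore to present")
    protocols = server.get(srv + "enabled.protocols") or defaults.get("protocols", "")
    legacy = LEGACY_PROTOCOLS & {p.strip() for p in protocols.split(",")}
    if legacy:
        findings.append(f"{name}: legacy protocol enabled: {', '.join(sorted(legacy))}; use TLSv1.2")
    suites = server.get(srv + "enabled.cipher.suites") or defaults.get("suites", "")
    null = NULL_SUITES & {s.strip() for s in suites.split(",")}
    if null:
        findings.append(f"{name}: NULL cipher suite enabled: {', '.join(sorted(null))}; traffic is not encrypted")
    return findings


def audit(jobserver_props, tac_jmx_props, tac_jvm_opts):
    """JMX monitoring layer (both sides in .properties files) and command/file port
    layer (server .properties, client -D system properties); returns all findings."""
    server = parse_properties(jobserver_props)
    findings = check_layer(
        "JMX monitoring", server, parse_properties(tac_jmx_props),
        "org.talend.jmxmp.ssl.", "org.talend.jmxmp.ssl.",
        "org.talend.jmxmp.useSSL", "org.talend.jmxmp.useSSL", "org.talend.jmxmp.ssl.authenticate",
        True, {"protocols": "TLSv1", "suites": "SSL_RSA_WITH_NULL_MD5"})  # documented defaults
    findings += check_layer(
        "command/file port", server, parse_jvm_options(tac_jvm_opts),
        "org.talend.remote.server.ssl.", "org.talend.remote.client.ssl.",
        "org.talend.remote.jobserver.server.TalendJobServer.USE_SSL", None,
        "org.talend.remote.server.ssl.authenticate", False, {})
    return findings


# Constructed sample of <jobserver_home>/conf/TalendJobServer.properties (passwords omitted):
# jmxmp truststore missing although authenticate=true, protocol and suite left at defaults.
JOBSERVER_PROPERTIES = """\
org.talend.jmxmp.useSSL=true
org.talend.jmxmp.ssl.authenticate=true
org.talend.jmxmp.ssl.keyStore=/opt/talend/jobserver/conf/jmx-server.jks
org.talend.remote.jobserver.server.TalendJobServer.USE_SSL=true
org.talend.remote.server.ssl.keyStore=/opt/talend/jobserver/conf/cmd-server.jks
org.talend.remote.server.ssl.trustStore=/opt/talend/jobserver/conf/cmd-server-trust.jks
org.talend.remote.server.ssl.enabled.protocols=TLSv1.2
org.talend.remote.server.ssl.authenticate=true
"""
# Constructed corrections for the JMX layer (appended: later keys override earlier ones).
JOBSERVER_HARDENING = """\
org.talend.jmxmp.ssl.trustStore=/opt/talend/jobserver/conf/jmx-server-trust.jks
org.talend.jmxmp.ssl.enabled.protocols=TLSv1.2
org.talend.jmxmp.ssl.enabled.cipher.suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""
# Constructed sample of monitoring_jmx_ssl.properties on the TAC side.
TAC_JMX_PROPERTIES = """\
org.talend.jmxmp.useSSL=true
org.talend.jmxmp.ssl.keyStore=/opt/talend/tac/conf/jmx-client.jks
org.talend.jmxmp.ssl.trustStore=/opt/talend/tac/conf/jmx-client-trust.jks
"""
# Constructed sample of the setenv.sh line on the TAC side: client truststore forgotten.
TAC_SETENV = ('export JAVA_OPTS="$JAVA_OPTS -Xmx2048m -Dfile.encoding=UTF-8 '
              '-Dorg.talend.remote.client.ssl.keyStore=/opt/talend/tac/conf/cmd-client.jks '
              '-Dorg.talend.remote.client.ssl.keyStorePassword=changeit"')

if __name__ == "__main__":
    for finding in audit(JOBSERVER_PROPERTIES, TAC_JMX_PROPERTIES, TAC_SETENV):
        print("WARN", finding)
    print("after hardening:", audit(JOBSERVER_PROPERTIES + JOBSERVER_HARDENING, TAC_JMX_PROPERTIES, TAC_SETENV))
```

Run against the samples, the audit reports four problems: the missing jmxmp server truststore, the TLSv1 default, the SSL_RSA_WITH_NULL_MD5 default, and the TAC command-port client that trusts every JobServer. After the hardening lines are appended, only the missing client truststore remains, which is the one a real deployment must still fix by adding -Dorg.talend.remote.client.ssl.trustStore to JAVA_OPTS. The script only reads configuration; it does not confirm that the certificate in a keystore is actually the one in the peer's truststore, which still needs keytool -list on both files.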