Configure SSL transport and authentication for JobServer - 7.1

EnrichVersion
7.1
EnrichProdName
Talend Big Data
Talend Big Data Platform
Talend Data Fabric
Talend Data Integration
Talend Data Management Platform
Talend Data Services Platform
Talend ESB
Talend MDM Platform
Talend Real-Time Big Data Platform
EnrichPlatform
Talend JobServer
task
Administration and Monitoring > Monitoring services

Configuring SSL transport and authentication

Subscription

This document introduces how to configure SSL transport and authentication for Talend JobServer and Talend Administration Center with the installation of the Talend JobServer and Talend Administration Center patches delivered with TPS-2307.

Backward compatibility: Any old configuration for Talend Administration Center / Talend JobServer should work after the patch. No SSL is used in this case for the JMX monitoring server / client.

Talend JobServer configuration for using SSL for the JMX monitoring server

The JMX based monitoring server is started together with the Talend JobServer using <jobserver_home>/start_rs.sh. Its configuration is in <jobserver_home>/conf/TalendJobServer.properties. To configure SSL for the monitoring server, you need to add the following configuration parameters (the default settings are commented out): 

# Set to true to enforce SSL for JMX monitoring server
org.talend.jmxmp.useSSL=true
# Set to true to enforce certificate based client authentication for JMX monitoring server
org.talend.jmxmp.ssl.authenticate=true

org.talend.jmxmp.ssl.keyStore=<path_to_monitoring_server_keystore>
org.talend.jmxmp.ssl.keyStorePassword=<monitoring_server_keystore_password>
#org.talend.jmxmp.ssl.keyStoreType=JKS
    
org.talend.jmxmp.ssl.trustStore=<path_to_monitoring_server_truststore>
org.talend.jmxmp.ssl.trustStorePassword=<monitoring_server_truststore_password>
#org.talend.jmxmp.ssl.trustStoreType=JKS

#org.talend.jmxmp.ssl.enabled.protocols=TLSv1
#org.talend.jmxmp.ssl.enabled.cipher.suites=SSL_RSA_WITH_NULL_MD5

A list of valid ciphers may be found in Disabling some SSL ciphers (optional). The default value is SSL_RSA_WITH_NULL_MD5.

Protocol defaults to TLSv1. Alternatively you may specify TLSv1.1 or TLSv1.2.

The truststore is only needed for certificate based client authentication for the JMX monitoring server. It must correspond to the keystore specified in the monitoring client. If org.talend.jmxmp.ssl.authenticate=true, the truststore is mandatory. Otherwise the Talend Administration Center client cannot be authenticated.

The keystore defined here is mandatory for SSL and must correspond to the truststore specified in the monitoring client. You may use the same truststore and keystore in the monitoring server and the client, but this is not recommended for production environments.

Note:

Note that <jobserver_home>/start_jconsole.sh does not work with SSL, because Jconsole cannot remotely connect using SSL via the jmxmp protocol. But you can connect inside JConsole to the local JobServer process which provides the same information / MBeans.

Talend Administration Center configuration for using SSL for the JMX monitoring client

The jmx monitoring client used by Talend Administration Center is configured in <tac_home>/apache-tomcat/webapps/org.talend.administrator/WEB-INF/classes/monitoring_jmx_ssl.properties. This configuration contains the following parameters (the default settings are commented out): 

# Set to true to enforce SSL for JMX monitoring client
org.talend.jmxmp.useSSL=true

org.talend.jmxmp.ssl.keyStore=<path_to_monitoring_client_keystore>
org.talend.jmxmp.ssl.keyStorePassword=<monitoring_client_keystore_password>
#org.talend.jmxmp.ssl.keyStoreType=JKS
    
org.talend.jmxmp.ssl.trustStore=<path_to_monitoring_client_truststore>
org.talend.jmxmp.ssl.trustStorePassword=<monitoring_client_truststore_password>
#org.talend.jmxmp.ssl.trustStoreType=JKS

#org.talend.jmxmp.ssl.enabled.protocols=TLSv1
#org.talend.jmxmp.ssl.enabled.cipher.suites=SSL_RSA_WITH_NULL_MD5

It is very similar to the configuration on the server side. The keystore is only used if certificate based client authentication is configured for the JMX monitoring server. In this case the keystore is mandatory. Otherwise the client cannot be authenticated.

The truststore must correspond to the keystore on the server side and the keystore needs to correspond to the truststore on the server side (if needed). If the truststore is undefined, the client trusts any monitoring server.

Enabling SSL for Talend JobServer Command Port and File Port

Note: Backward compatibility: Any old SSL configurations for Talend Administration Center, Talend Studio and Talend JobServer still works.

The UI-Switches in Talend Administration Center/Talend Studio to activate SSL are the same.

The activation of SSL and restriction of cipher suites in jobserver/agent/conf/TalendJobServer.properties are not changed to preserve backward compatibility:

  • SSL (Secure Sockets Layer) is used for establishing an encrypted link between the JobServer and its clients.
    org.talend.remote.jobserver.server.TalendJobServer.USE_SSL=true
  • SSL cipher suites (Java standard cipher suite names separated by a comma ',') are disabled. If not set, all the supported ciphers will be enabled.
    org.talend.remote.jobserver.server.TalendJobServer.DISABLED_CIPHER_SUITES=

Server SSL configuration for Talend JobServer

The file jobserver/agent/conf/TalendJobServer.properties now supports additional properties to specify keystore + truststore for JobServer command port and file port. 

org.talend.remote.server.ssl.keyStore=path_to_jobserver_keystore
org.talend.remote.server.ssl.keyStorePassword=jobserver_keystore_password
org.talend.remote.server.ssl.trustStore=path_to_jobserver_truststore
org.talend.remote.server.ssl.trustStorePassword=jobserver_truststore_password
org.talend.remote.server.ssl.enabled.protocols=jobserver_enabled_protocols (comma separated list)
org.talend.remote.server.ssl.authenticate=true or false

Keystore must correspond to client truststore (if specified there), and truststore is for certificate based client authorization.

If the property org.talend.remote.server.ssl.authenticate in jobserver/agent/conf/TalendJobServer.properties is set to true, the JobServer client (Talend Administration Center / Talend Studio) has to define a keystore corresponding to the JobServer truststore.

Client SSL configuration for Talend JobServer

Both JobServer clients (Talend Administration Center / Talend Studio) support new system properties specifying client keystore + truststore.

For Talend Studio we recommend specifying these system properties in studio/Talend-Studio-linux-gtk-x86_64.ini:

-Dorg.talend.remote.client.ssl.keyStore=path_to_jobserver_client_keystore
-Dorg.talend.remote.client.ssl.keyStorePassword=jobserver_client_keystore_password
-Dorg.talend.remote.client.ssl.trustStore=path_to_jobserver_client_truststore
-Dorg.talend.remote.client.ssl.trustStorePassword=jobserver_client_truststore_password
-Dorg.talend.remote.client.ssl.enabled.protocols=jobserver_client_enabled_protocols (comma separated list)

For Talend Administration Center you can use tac/apache-tomcat/bin/setenv.sh to extend the JAVA_OPTS specification:

export JAVA_OPTS="$JAVA_OPTS -Xmx2048m -Dfile.encoding=UTF-8 -Dorg.talend.remote.client.ssl.keyStore=..."

The client keystore is used for certificate based client authorization and must correspond to the truststore configured at server side.

But if org.talend.remote.server.ssl.authenticate=false in jobserver/agent/conf/TalendJobServer.properties, certificate based client authorization is switched off and the client keystore has no effect.

The client truststore must correspond to the keystore configured at server side. If there is no truststore specified at client side, the client trusts every server.