Setting up a root Certificate Authority chain - 8.0

Talend Real-Time Big Data Platform Installation Guide for Linux

Version
8.0
Language
English (United States)

A secure HTTPS connection between the Talend Administration Center web server and its client applications (Studio, Nexus/Artifactory, Git, etc.) can be achieved through a certificate chain that provides a common, long-term (more than 10 years) certification.

Procedure

  1. Generate a certificate .cer file following various sub-steps:
    1. Prepare the following values according to your configuration:
      • server IP: serverIP
      • SAN IP: serverIP, plus additional domain names (if available)
      • Keystore password: changeit
      • Server pretty name: serverPrettyName
    2. In PowerShell, generate the private key (as a key pair stored in talendKey.jks) with the appropriate values:
      keytool -genkey -alias serverIP -keyalg RSA -keysize 4096 -keystore talendKey.jks -dname "CN=serverIP, OU=name of the organizational unit/department, O=name of the company/organization, ST=name of the region or state, C=name of the country" -keypass changeit -storepass changeit -ext SAN=ip:serverIP,dns:serverPrettyName
    3. Generate the Certificate Signing Request with the appropriate values to obtain a .csr file:
      keytool -certreq -file serverIP.csr -keystore talendKey.jks -storepass changeit -alias serverIP -ext SAN=ip:serverIP,dns:serverPrettyName
    4. Have the .csr file countersigned by a Certificate Authority.
    5. Download the approved certificate in OpenSSL format.
    6. Using a text editor, extract the first certificate from the downloaded file and paste it into a file named serverIP.cer.
    7. On a first installation, or whenever the certificate chain changes, the chain needs to be added to the truststore.
      Extract the first server-related entry from the serverIP.cer file and paste it into the chain.cer file. The chain should include the root and intermediate signatures. Then import it:
      keytool -import -file /opt/talend/talend-version/truststore/Talend_certificate/chain.cer -keystore /opt/talend/talend-version/truststore/BitTalend -alias chain
      Note: If you have set up self-signed certificates instead of a certificate issued by a common Certificate Authority, you can use the certificate chain to initialize the Java keystore by importing all certificates. For more information, see the corresponding section Configuring SSL for Talend Administration Center.
  2. Merge the downloaded serverIP.cer file with the private key currently held in the JKS store:
    1. Convert the JKS store to PKCS12 format using keytool:
      keytool -importkeystore -srckeystore talendKey.jks -destkeystore talendKey.p12 -deststoretype PKCS12
    2. Extract the private key from the PKCS12 store into a separate key file:
      openssl pkcs12 -in talendKey.p12 -nodes -nocerts -out talendKey.key
  3. Combine the certificate, the key file and the certificate chain into a new p12 file:
    openssl pkcs12 -export -in serverIP.cer -inkey talendKey.key -out certificate.p12 -chain -CAfile chain.cer -name serverIP
  4. Convert the p12 file to the keystore using the Java keytool:
    Nexus: keytool -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -destkeystore keystore

    Talend Administration Center: keytool -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -destkeystore /opt/talend/talend-version/truststore/BitTalend

  5. If you are using Nexus, store the generated keystore (and truststore) in the <nexus-install>/etc/ssl subfolder. To apply the changes, stop Nexus and restart it.
  6. Make sure that the key names and passwords are correct in the etc/jetty/jetty-https.xml file.
  7. To configure the SSL connection:
    • If the certificate is set on the Tomcat web server, point the connector at the keystore with attributes of the form: keystoreFile="/opt/talend/talend-version/truststore/Talend_SSL/Talend_TAC_QA" keystorePass="keystore pass".
      Then configure Tomcat: open the <TomcatPath>/conf/server.xml file, uncomment the SSL part and edit it as follows:
      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                 maxThreads="150" scheme="https" secure="true"
                 clientAuth="true" sslProtocol="TLS"
                 keystoreFile="<SSLFolderPath>/serverKeystore.jks"
                 keystorePass="<keystorePassword>"
                 truststoreFile="<SSLFolderPath>/serverTruststore.jks"
                 truststorePass="<trustStorePassword>" />
    • If the certificate is only set on the web application itself, see the section https://help.talend.com/r/en-US/7.3/installation-guide-big-data-linux/defining-ssl-connection and enter the following command:
      keytool -delete -alias tomcat -keystore /opt/talend/talend-version/truststore/BitTalend -storepass changeit
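The whole sequence above (key pair and CSR in a JKS, CA countersignature, chain assembly, JKS to PKCS12, key extraction, rebuilt p12 and final keystore), as an added example that is not part of Talend's documentation or product. It assumes a constructed local root plus intermediate CA standing in for the real Certificate Authority of step 1.4, sample values for serverIP and serverPrettyName, and a 2048-bit key for speed; the two check functions at the end confirm that the full three-certificate chain and the SAN actually made it into the keystore before the service is restarted.

```shell
#!/bin/sh
# Added example, not Talend's own script: the page's keytool/openssl sequence run end to end
# in a scratch directory. A constructed root + intermediate CA stands in for the real
# Certificate Authority of step 1.4; the IP, host name and subject values are sample values.
set -eu
export LC_ALL=C                                    # keep keytool output in English for parsing
SERVER_IP="10.0.0.5"; PRETTY="tac.example.internal"; PASS="changeit"
require_tools() { command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; }

make_test_ca() {  # assumption: a local two-tier CA (root signs intermediate) replaces the real CA
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
  openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Test Root" 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -out root.cer -days 3650 -extfile ca.ext 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj "/CN=Test Intermediate" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.cer -CAkey root.key -CAcreateserial -out int.cer \
    -days 1825 -extfile ca.ext 2>/dev/null
}

build_server_keystore() {
  rm -f talendKey.jks keystore                     # keytool refuses to overwrite an existing alias
  # Steps 1.2 and 1.3: key pair and CSR in the JKS, SAN carrying both the IP and the pretty name
  keytool -genkeypair -alias "$SERVER_IP" -keyalg RSA -keysize 2048 -keystore talendKey.jks \
    -dname "CN=$SERVER_IP, OU=IT, O=Example, ST=Region, C=US" -keypass "$PASS" -storepass "$PASS" \
    -ext "SAN=ip:$SERVER_IP,dns:$PRETTY" 2>/dev/null
  keytool -certreq -file server.csr -keystore talendKey.jks -storepass "$PASS" -alias "$SERVER_IP" \
    -ext "SAN=ip:$SERVER_IP,dns:$PRETTY" 2>/dev/null
  # Step 1.4: the CA countersigns; the SAN must be restated at signing or the issued cert lacks it
  printf 'subjectAltName=IP:%s,DNS:%s\n' "$SERVER_IP" "$PRETTY" > server.ext
  openssl x509 -req -in server.csr -CA int.cer -CAkey int.key -CAcreateserial -out server.cer \
    -days 825 -extfile server.ext 2>/dev/null
  cat int.cer root.cer > chain.cer                 # step 1.7: intermediate then root
  # Steps 2 and 3: JKS -> PKCS12, pull the private key out, rebuild a p12 with leaf + chain
  keytool -importkeystore -srckeystore talendKey.jks -srcstorepass "$PASS" -destkeystore talendKey.p12 \
    -deststoretype PKCS12 -deststorepass "$PASS" 2>/dev/null
  openssl pkcs12 -in talendKey.p12 -passin "pass:$PASS" -nodes -nocerts -out talendKey.key 2>/dev/null
  openssl pkcs12 -export -in server.cer -inkey talendKey.key -out certificate.p12 -chain -CAfile chain.cer \
    -name "$SERVER_IP" -passout "pass:$PASS" 2>/dev/null
  # Step 4: the p12 becomes the keystore that Tomcat or Nexus will read
  keytool -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -srcstorepass "$PASS" \
    -destkeystore keystore -deststorepass "$PASS" 2>/dev/null
}

# Checks worth running before restarting the service: full chain stored, SAN present on the leaf
chain_length() { keytool -list -v -keystore keystore -storepass "$PASS" -alias "$SERVER_IP" 2>/dev/null \
  | sed -n 's/^Certificate chain length: *//p'; }
san_has_names() { openssl x509 -in server.cer -noout -text | grep -c "IP Address:$SERVER_IP, DNS:$PRETTY"; }

require_tools || { echo "keytool and openssl are required; nothing was run" >&2; exit 0; }
cd "$(mktemp -d)"; make_test_ca; build_server_keystore
echo "certificates stored under alias $SERVER_IP: $(chain_length)"
```

A chain length of 2 here means the root or intermediate was missing from chain.cer when certificate.p12 was built, which is the usual reason a browser still shows an untrusted chain after the restart.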

Results

Restart Talend Administration Center service.

Enter the Talend Administration Center URL, https://localhost:8080/org.talend.administrator, in a browser. The application is now displayed together with a green padlock icon.