Client SSL configuration for Talend JobServer - 8.0

Configure SSL transport and authentication for JobServer

Version: 8.0
Language: English
Product: Talend Big Data, Talend Big Data Platform, Talend Data Fabric, Talend Data Integration, Talend Data Management Platform, Talend Data Services Platform, Talend ESB, Talend MDM Platform, Talend Real-Time Big Data Platform
Module: Talend JobServer
Content: Security
Last publication date: 2024-02-06

Both Talend JobServer clients (Talend Administration Center and Talend Studio) support new system properties that specify the client keystore and truststore.

For Talend Studio, it is recommended to specify these system properties in studio/Talend-Studio-linux-gtk-x86_64.ini or studio/Talend-Studio-gtk-aarch64.ini:

-Dorg.talend.remote.client.ssl.keyStore=<path_to_jobserver_client_keystore>
-Dorg.talend.remote.client.ssl.keyStorePassword=<jobserver_client_keystore_password>
-Dorg.talend.remote.client.ssl.trustStore=<path_to_jobserver_client_truststore>
-Dorg.talend.remote.client.ssl.trustStorePassword=<jobserver_client_truststore_password>
-Dorg.talend.remote.client.ssl.enabled.protocols=TLSv1.2,TLSv1.3
-Dorg.talend.remote.client.ssl.disablePeerTrust=false
Note: From version 7.2.x, peer trust is enabled by default through the -Dorg.talend.remote.client.ssl.disablePeerTrust=false property. To disable peer trust, set this property to true.

For Talend Administration Center, you can use tac/apache-tomcat/bin/setenv.sh to extend the JAVA_OPTS specification:

export JAVA_OPTS="$JAVA_OPTS -Xmx2048m -Dfile.encoding=UTF-8 -Dorg.talend.remote.client.ssl.keyStore=..."

The client keystore is used for certificate-based client authorization and must correspond to the truststore configured on the server side.

However, if org.talend.remote.server.ssl.authenticate=false is set in jobserver/agent/conf/TalendJobServer.properties, certificate-based client authorization is switched off and the client keystore has no effect.

The client truststore must correspond to the keystore configured on the server side. If no truststore is specified on the client side, the client trusts every server.
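The following script is an added example, not Talend code: it audits a Studio .ini file or a Talend Administration Center setenv.sh for the client properties above and reports the settings that weaken server verification (no truststore, peer trust disabled). The function names, the sample line and the rule that only TLSv1.2 and TLSv1.3 are acceptable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Talend code): audit a Studio .ini file or a TAC setenv.sh
# for the org.talend.remote.client.ssl.* properties described on this page.

# Print the value of -Dorg.talend.remote.client.ssl.<name>= in file $1
# (last occurrence in the file), or nothing when the property is absent.
get_prop() {
    grep -o -e "-Dorg\.talend\.remote\.client\.ssl\.$2=[^[:space:]\"]*" "$1" |
        tail -n 1 | cut -d= -f2-
}

# Print one finding per line for file $1; return 1 if any WARN was raised.
audit_client_ssl() {
    warn=0
    if [ -z "$(get_prop "$1" trustStore)" ]; then
        echo "WARN no trustStore: the client trusts every server"; warn=1
    fi
    if [ "$(get_prop "$1" disablePeerTrust)" = "true" ]; then
        echo "WARN disablePeerTrust=true: peer trust is disabled"; warn=1
    fi
    # Assumption: anything outside the page's TLSv1.2,TLSv1.3 list is unwanted.
    for proto in $(get_prop "$1" enabled.protocols | tr ',' ' '); do
        case $proto in
            TLSv1.2|TLSv1.3) ;;
            *) echo "WARN protocol $proto is enabled"; warn=1 ;;
        esac
    done
    if [ -z "$(get_prop "$1" keyStore)" ]; then
        echo "INFO no keyStore: certificate-based client authorization is not possible"
    fi
    return "$warn"
}

# Constructed sample: a setenv.sh line with no truststore and peer trust disabled.
demo() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
export JAVA_OPTS="$JAVA_OPTS -Xmx2048m -Dorg.talend.remote.client.ssl.enabled.protocols=TLSv1.1,TLSv1.2 -Dorg.talend.remote.client.ssl.disablePeerTrust=true"
EOF
    audit_client_ssl "$sample" || true
    rm -f "$sample"
}
demo
```

The INFO line only matters when the server has certificate-based client authorization switched on, since the client keystore has no effect otherwise.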