To secure connections between Talend Data Stewardship, the MongoDB server, and Apache Kafka, you need to edit the data-stewardship.properties file.

Important: In the following procedure, the MongoDB server module, the Apache Kafka module, and the other Talend Data Stewardship modules must all use the same truststore.

Note: If you select the embedded MongoDB instance during the installation process, securing the MongoDB connection is not possible. To secure connections with MongoDB using SSL, MongoDB Enterprise Server has to be manually installed on your machine. For more information, see https://docs.mongodb.com/v3.2/security/.
Procedure
- Open the <Data_Stewardship_Path>/apache-tomcat/conf/data-stewardship.properties file.
- To trust the server certificate used by Talend Data Stewardship, add the following properties with the appropriate values:
http.ssl.truststore.location=<path_to_truststore>
http.ssl.truststore.password=<truststore_password>
Note: To be able to work with Talend Data Stewardship, make sure you use only one truststore.
- By default, Talend Data Stewardship does not verify that the hostname matches the certificate common name. To enable this verification, add the following property and set the value to true:
http.ssl.verify.hostname=true
- To allow Talend Data Stewardship to use private key authentication, add the following properties with the appropriate values:
http.ssl.keystore.location=<path_to_keystore>
http.ssl.keystore.password=<keystore_password>
http.ssl.key.password=<key_password>
- To secure connections with MongoDB, add the following properties with the appropriate values:
spring.data.mongodb.ssl=true
spring.data.mongodb.ssl.trust-store=<path_to_truststore>
spring.data.mongodb.ssl.trust-store-password=<truststore_password>
- To secure connections with Kafka using communication encryption only, add the following properties with the appropriate values:
kafka.security.protocol=SSL
kafka.ssl.truststore.location=<path_to_truststore>
kafka.ssl.truststore.password=<truststore_password>
- To secure connections with Kafka using authentication, add the following properties with the appropriate values:
kafka.ssl.keystore.location=<path_to_keystore>
kafka.ssl.keystore.password=<keystore_password>
kafka.ssl.key.password=<key_password>
Note that the communication encryption parameters must also be defined to use authentication.
- To secure connections with the message broker, add the following properties with the appropriate values:
spring.cloud.stream.kafka.binder.configuration.security.protocol=SSL
spring.cloud.stream.kafka.binder.configuration.ssl.truststore.location=<path_to_truststore>
spring.cloud.stream.kafka.binder.configuration.ssl.truststore.password=<truststore_password>
spring.cloud.stream.kafka.binder.configuration.ssl.keystore.location=<path_to_keystore>
spring.cloud.stream.kafka.binder.configuration.ssl.keystore.password=<keystore_password>
spring.cloud.stream.kafka.binder.configuration.ssl.key.password=<key_password>
spring.cloud.stream.kafka.binder.configuration.ssl.endpoint.identification.algorithm=<ssl_algorithm>
spring.kafka.properties.security.protocol=SSL
spring.kafka.properties.ssl.truststore.location=<path_to_truststore>
spring.kafka.properties.ssl.truststore.password=<truststore_password>
spring.kafka.properties.ssl.keystore.location=<path_to_keystore>
spring.kafka.properties.ssl.keystore.password=<keystore_password>
spring.kafka.properties.ssl.key.password=<key_password>
- Change the services URLs from http to https:
tds.history.service.url=https://${public.ip}:${server.port}/data-history-service
schema.service.url=https://${public.ip}:${server.port}/schemaservice
- Change the gateway URLs from http to https:
frontend.url=https://<datastewardship_server:port>/internal/frontend
backend.url=https://<datastewardship_server:port>/internal/data-stewardship
schemaservice.url=https://<datastewardship_server:port>/internal/schemaservice
historyservice.url=https://<datastewardship_server:port>/internal/data-history-service
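As an added check (example code, not part of the Talend documentation or product), the following Python script reads a data-stewardship.properties file and flags settings that break the rules of this procedure: more than one truststore across the HTTP, MongoDB and Kafka properties, hostname verification left off, a Kafka keystore configured without the encryption settings it depends on, and service or gateway URLs still using http. The file paths in the embedded sample are constructed.

```python
# Added example (not Talend code): lint data-stewardship.properties against this procedure's rules; sample values are constructed.

# Every module must point at the one truststore the procedure requires.
TRUSTSTORE_KEYS = (
    "http.ssl.truststore.location",
    "spring.data.mongodb.ssl.trust-store",
    "kafka.ssl.truststore.location",
    "spring.cloud.stream.kafka.binder.configuration.ssl.truststore.location",
    "spring.kafka.properties.ssl.truststore.location",
)
# Service and gateway URLs that the procedure switches from http to https.
URL_KEYS = ("tds.history.service.url", "schema.service.url", "frontend.url",
            "backend.url", "schemaservice.url", "historyservice.url")

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_properties(props):
    """Return a list of findings; an empty list means the rules are satisfied."""
    findings = []
    stores = sorted({props[k] for k in TRUSTSTORE_KEYS if k in props})
    if len(stores) > 1:
        findings.append("more than one truststore configured: " + ", ".join(stores))
    if props.get("http.ssl.verify.hostname", "").lower() != "true":
        findings.append("http.ssl.verify.hostname is not true: hostname check disabled")
    # Kafka authentication (keystore) only works on top of the encryption settings.
    enc_ok = props.get("kafka.security.protocol") == "SSL" and "kafka.ssl.truststore.location" in props
    if "kafka.ssl.keystore.location" in props and not enc_ok:
        findings.append("Kafka keystore set without kafka.security.protocol=SSL and a truststore")
    for key in URL_KEYS:
        if key in props and not props[key].startswith("https://"):
            findings.append(key + " does not use https")
    return findings

SAMPLE = """# constructed sample: two truststores, no hostname check, one http URL
http.ssl.truststore.location=/opt/tds/tls/truststore.jks
spring.data.mongodb.ssl.trust-store=/opt/tds/tls/truststore.jks
kafka.security.protocol=SSL
kafka.ssl.truststore.location=/opt/tds/tls/kafka-trust.jks
kafka.ssl.keystore.location=/opt/tds/tls/keystore.jks
tds.history.service.url=http://${public.ip}:${server.port}/data-history-service
"""
```

Running `check_properties(parse_properties(SAMPLE))` returns three findings for the sample; an empty list means the file follows every rule on this page.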