(Optional) Encrypting credentials for Talend Runtime access - Cloud

Talend Remote Engine User Guide for Linux

Version: Cloud
Language: English
Operating system: Linux
Product: Talend Cloud
Module: Talend Remote Engine
Content: Design and Development; Installation and Upgrade
Last publication date: 2024-02-23

Encrypt Talend Runtime credentials to strengthen secure access.

To ensure the security of sensitive information, encrypt your credentials as explained in the following procedure.

Before you begin

Before you encrypt your credentials, determine the encryption algorithm to use and define the master password as the encryption secret.
  • Master password.
    1. In Talend Runtime, define the master password as the encryption secret by following the procedure Encrypting clear text parameters and passwords.

      Talend Remote Engine uses this password to read the encrypted password for access to Talend Runtime.

      As explained in Encrypting clear text parameters and passwords, this master password must be set as an environment variable or a Java system property, TESB_ENV_PASSWORD.

      While it is technically not required to add these variables at the OS level, it is still recommended to include them in your OS environment for enhanced security and easy access by Talend Remote Engine when it is installed as a system service.

    2. In <RemoteEngineInstallationDirectory>/etc/org.talend.ipaas.rt.dsrunner.talendruntime.client.cfg, ensure that the properties.encryption.password property reads like this:
      properties.encryption.password=${env:TESB_ENV_PASSWORD:-${TESB_ENV_PASSWORD}}
      This configuration ensures that Talend Remote Engine can correctly read the encryption secret you set with TESB_ENV_PASSWORD on the Talend Runtime side.
  • Encryption algorithm.
    1. To use the default algorithm, open the <RemoteEngineInstallationDirectory>/etc/org.talend.ipaas.rt.dsrunner.talendruntime.client.cfg file and verify that the properties.encryption.algorithm property reads like this:
      properties.encryption.algorithm=${env:TESB_ENV_ALGORITHM:-${TESB_ENV_ALGORITHM:-PBEWITHSHA256AND256BITAES-CBC-BC}}
      The default algorithm is PBEWITHSHA256AND256BITAES-CBC-BC.
    2. If a custom algorithm is required, add the TESB_ENV_ALGORITHM variable with your chosen algorithm to your OS environment variables or Java system properties.

      Do not modify the default expression used by the properties.encryption.algorithm property in the file <RemoteEngineInstallationDirectory>/etc/org.talend.ipaas.rt.dsrunner.talendruntime.client.cfg.

Procedure

  1. In Talend Runtime, follow the same Encrypting clear text parameters and passwords procedure to obtain the encrypted string of the Talend Runtime access password.
    At the end of the procedure, you obtain an encrypted string of the access password, reading like this:
    ENC(encrypted_password_string) 

    You can use the same procedure to encrypt both your username and password. In this example, only the password is encrypted.

  2. Configure Talend Remote Engine to use the encrypted password to replace the plain text password you defined in the previous section: Connecting Talend Remote Engine to Talend Runtime.
    Make the change where you previously put the plain text password:
    • OS environment variables.

      If you have added the RUNTIME_JMX_USERNAME and the RUNTIME_JMX_PASSWORD variables to your OS environment variables, replace the value of RUNTIME_JMX_PASSWORD with the ENC(encrypted_password_string) encrypted string you obtained in the previous steps.

      Do not modify the default expressions used by the talendruntime.jmx.username and the talendruntime.jmx.password properties in org.talend.ipaas.rt.dsrunner.talendruntime.client.cfg. This ensures that the environment variables are correctly used by these two properties.

    • Java system properties.

      If you have set the RUNTIME_JMX_USERNAME and RUNTIME_JMX_PASSWORD Java system properties, replace the value of RUNTIME_JMX_PASSWORD with ENC(encrypted_password_string).

      Do not modify the default expressions used by the talendruntime.jmx.username and the talendruntime.jmx.password properties in org.talend.ipaas.rt.dsrunner.talendruntime.client.cfg. This ensures that the Java system properties are correctly used by talendruntime.jmx.username and talendruntime.jmx.password.
    • Direct configuration.
      If you have directly defined your plain text password for the talendruntime.jmx.password property in <RemoteEngineInstallationDirectory>/etc/org.talend.ipaas.rt.dsrunner.talendruntime.client.cfg, replace it with the encrypted password string. For example:
      talendruntime.jmx.username=<username_you_want_to_use>
      talendruntime.jmx.password=ENC(encrypted_password_string)
  3. Restart Talend Remote Engine and Talend Runtime.
    Follow this procedure to gracefully shut down Talend Remote Engine for a restart.
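
After the procedure, you can check that no plain text password remains before restarting. The following script is an added example, not part of the Talend documentation or product: it checks the two properties.encryption.* expressions shown above and flags a talendruntime.jmx.password or RUNTIME_JMX_PASSWORD value that is neither ENC(...) nor a ${...} expression. The function names are hypothetical, bash and awk are assumed, and Java system properties are not inspected.

```shell
#!/usr/bin/env bash
# Added example: audit a Talend Remote Engine client cfg for plain-text JMX passwords.
# Expected expressions are copied from this page; function names are hypothetical.
EXPECTED_PW='${env:TESB_ENV_PASSWORD:-${TESB_ENV_PASSWORD}}'
EXPECTED_ALG='${env:TESB_ENV_ALGORITHM:-${TESB_ENV_ALGORITHM:-PBEWITHSHA256AND256BITAES-CBC-BC}}'

# prop_value FILE KEY: print the value of the last "KEY=value" line (commented lines never match).
prop_value() {
  awk -v k="$2" '{ i = index($0, "="); if (!i) next
      key = substr($0, 1, i - 1); gsub(/[ \t]/, "", key)
      if (key == k) { v = substr($0, i + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", v) } }
    END { print v }' "$1"
}

# classify_secret VALUE: encrypted = ENC(...), expression = ${...} placeholder,
# empty = unset, plaintext = anything else. Assumption: any ${...} is a valid expression.
classify_secret() {
  case "$1" in
    '')          echo empty ;;
    'ENC('*')')  echo encrypted ;;
    '${'*'}')    echo expression ;;
    *)           echo plaintext ;;
  esac
}

# audit_cfg FILE: print findings (never the secret itself); return 1 if any check fails.
audit_cfg() {
  local cfg="$1" rc=0
  if [ "$(prop_value "$cfg" properties.encryption.password)" != "$EXPECTED_PW" ]; then
    echo "WARN properties.encryption.password differs from the documented expression"; rc=1
  fi
  if [ "$(prop_value "$cfg" properties.encryption.algorithm)" != "$EXPECTED_ALG" ]; then
    echo "WARN properties.encryption.algorithm differs from the documented expression"; rc=1
  fi
  if [ "$(classify_secret "$(prop_value "$cfg" talendruntime.jmx.password)")" = plaintext ]; then
    echo "FAIL talendruntime.jmx.password is stored in plain text in $cfg"; rc=1
  fi
  if [ "$(classify_secret "${RUNTIME_JMX_PASSWORD:-}")" = plaintext ]; then
    echo "FAIL RUNTIME_JMX_PASSWORD environment variable holds plain text"; rc=1
  fi
  return "$rc"
}

# Usage: pass the path of org.talend.ipaas.rt.dsrunner.talendruntime.client.cfg as the first argument.
if [ "$#" -gt 0 ]; then audit_cfg "$1"; fi
```

Run it as the same OS user that runs the Talend Remote Engine service so that the environment it inspects matches the one the engine sees.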