How to configure a bidirectional secure connection between Talend Studio and Talend Administration Center
- Generate the keystore in JKS format, which includes the public key and the private key. Make sure the passwords are the same for the keypass and storepass parameters:
keytool -genkey -alias <serverAlias> -keystore <SSLFolderPath>/serverKeystore.jks -keypass <privateKeyPassword> -storepass <keystorePassword> -keyalg RSA -keysize <keySize> -validity <valDays> -v -dname <Distinguished Name>
For example:
keytool -genkey -alias server -keystore E:/ssl/serverKeystore.jks -keypass 123456 -storepass 123456 -keyalg RSA -keysize 512 -validity 365 -v -dname "CN=127.0.0.1,O=Talend Soft,L=ChaoYang,ST=Beijing,OU=Talend Technology"
- Export the server's certificate from the server keystore:
keytool -export -alias <serverAlias> -keystore <SSLFolderPath>/serverKeystore.jks -storepass <keystorePassword> -file <SSLFolderPath>/server.cer
- Import the server.cer file into the trust list of clientTruststore.jks:
keytool -import -alias <trustServerAlias> -file <SSLFolderPath>/server.cer -keystore <SSLFolderPath>/clientTruststore.jks -storepass <keystorePassword>
- Generate the keystore in .jks format as described previously, but for the client:
keytool -genkey -alias <clientAlias> -keystore <SSLFolderPath>/clientKeystore.jks -keypass <privateKeyPassword> -storepass <keystorePassword> -keyalg RSA -keysize <keySize> -validity <valDays> -v -dname <Distinguished Name>
- Generate the keystore in .p12 format for the client web browser:
keytool -validity <valDays> -genkeypair -v -alias <clientAlias> -keyalg RSA -storetype PKCS12 -keystore <SSLFolderPath>/client.p12 -storepass <keystorePassword> -keypass <privateKeyPassword> -dname <Distinguished Name>
- Export the client's certificate from the client keystore:
keytool -export -alias <clientAlias> -keystore <SSLFolderPath>/clientKeystore.jks -storepass <keystorePassword> -file <SSLFolderPath>/client.cer
- Export the web browser's certificate from the client .p12 file:
keytool -export -v -alias <clientAlias> -keystore <SSLFolderPath>/client.p12 -storetype PKCS12 -storepass <keystorePassword> -rfc -file <SSLFolderPath>/browser.cer
- Import the client.cer file into the trust list of the serverTruststore.jks file:
keytool -import -alias <trustClientAlias> -file <SSLFolderPath>/client.cer -keystore <SSLFolderPath>/serverTruststore.jks -storepass <keystorePassword>
- Import the browser.cer file into the trust list of the serverTruststore.jks file:
keytool -import -alias <trustBrowserClientAlias> -file <SSLFolderPath>/browser.cer -keystore <SSLFolderPath>/serverTruststore.jks -storepass <keystorePassword>
You should get the following files in your <SSLFolder> (on your local machine):
Tomcat side: serverKeystore.jks | serverTruststore.jks | server.cer
Studio side: clientKeystore.jks | clientTruststore.jks | client.cer
Browser side: client.p12 | browser.cer
If you want to access Talend Administration Center from a web browser using an SSL protocol, double-click the client.p12 file to install it to your certificate directory for your web browser.
Configure Tomcat
- Open the <TomcatPath>/conf/server.xml file, uncomment the SSL Connector and edit it as follows (attribute values, including the passwords, must be quoted for the XML to be well-formed):
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS" keystoreFile="<SSLFolderPath>/serverKeystore.jks" keystorePass="<keystorePassword>" truststoreFile="<SSLFolderPath>/serverTruststore.jks" truststorePass="<trustStorePassword>" />
- Add the following arguments to:
  - the Studio executable of your VM if you are working in a DEV environment
  - the Studio .ini file if you are working in a build environment
-Dtac.net.ssl.ClientKeyStore="<SSLFolderPath>/clientKeystore.jks" -Dtac.net.ssl.ClientTrustStore="<SSLFolderPath>/clientTruststore.jks" -Dtac.net.ssl.KeyStorePass=<keystorePassword> -Dtac.net.ssl.TrustStorePass=<truststorePassword>
Note that if you are using a secured connection and did not configure these arguments, a dialog will pop up at Studio start-up to let you enter them.
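To check the Tomcat and Studio settings from the two steps above before starting anything, here is an added checker that is not part of the original article or of Talend's tooling: it parses the SSL Connector in server.xml (flagging a missing clientAuth="true", which is what makes the connection bidirectional, and unquoted attribute values) and lists any -Dtac.net.ssl.* property missing from the Studio arguments. The embedded sample inputs are constructed, and their paths and passwords are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Connector attributes that make the Tomcat side enforce client certificates.
# clientAuth="false" or "want" would leave the connection one-way TLS.
REQUIRED_CONNECTOR = {"SSLEnabled": "true", "scheme": "https",
                      "secure": "true", "clientAuth": "true"}
REQUIRED_STORES = ("keystoreFile", "keystorePass", "truststoreFile", "truststorePass")
# JVM properties the Studio .ini (or VM arguments) must define.
STUDIO_PROPS = ("tac.net.ssl.ClientKeyStore", "tac.net.ssl.ClientTrustStore",
                "tac.net.ssl.KeyStorePass", "tac.net.ssl.TrustStorePass")

# Constructed sample inputs; paths and passwords are placeholders, not real values.
GOOD_SERVER_XML = """<Server><Service><Connector port="8443" protocol="HTTP/1.1"
  SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="true"
  sslProtocol="TLS" keystoreFile="/ssl/serverKeystore.jks" keystorePass="changeit"
  truststoreFile="/ssl/serverTruststore.jks" truststorePass="changeit"/></Service></Server>"""
ONE_WAY_SERVER_XML = GOOD_SERVER_XML.replace('clientAuth="true"', 'clientAuth="false"')
PARTIAL_STUDIO_INI = ('-Dtac.net.ssl.ClientKeyStore="/ssl/clientKeystore.jks" '
                      '-Dtac.net.ssl.KeyStorePass=changeit')


def check_connector(server_xml: str) -> list:
    """Return findings for every SSL-enabled Connector in a server.xml document.
    An empty list means each one enforces client authentication and names both stores."""
    try:
        root = ET.fromstring(server_xml)
    except ET.ParseError as exc:
        # An unquoted value such as keystorePass=secret is not well-formed XML.
        return [f"server.xml is not well-formed XML: {exc}"]
    connectors = [c for c in root.iter("Connector")
                  if c.get("SSLEnabled", "").lower() == "true"]
    if not connectors:
        return ['no Connector with SSLEnabled="true" found']
    findings = []
    for c in connectors:
        port = c.get("port", "?")
        for attr, expected in REQUIRED_CONNECTOR.items():
            if c.get(attr, "").lower() != expected:
                findings.append(f'port {port}: {attr} should be "{expected}", got {c.get(attr)!r}')
        for attr in REQUIRED_STORES:
            if not c.get(attr):
                findings.append(f"port {port}: {attr} is missing")
    return findings


def missing_studio_props(ini_text: str) -> list:
    """Return the -Dtac.net.ssl.* properties absent from Studio .ini or VM-argument text."""
    defined = set(re.findall(r"-D(tac\.net\.ssl\.\w+)=", ini_text))
    return [p for p in STUDIO_PROPS if p not in defined]
```

Run check_connector on the text of your server.xml and missing_studio_props on the contents of the Studio .ini; both return an empty list when the configuration matches the steps above.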
Check the connection
- Start Tomcat (make sure there is no error in the log; if there is, check your server.xml file).
- Launch Talend Studio, create a remote connection with the URL https://localhost:8443/org.talend.administrator and check that it succeeds.
- Open the web browser and check that you can access the https://localhost:8443/org.talend.administrator URL.
See also: How to configure a secure connection for Kibana.