Generating key pairs for Signing and Encryption with ESB - 8.0

Talend ESB Infrastructure Services Configuration Guide

Version: 8.0
Language: English
Product: Talend Data Fabric, Talend Data Services Platform, Talend ESB, Talend MDM Platform, Talend Real-Time Big Data Platform
Module: Talend ESB, Talend Runtime
Content: Design and Development, Installation and Upgrade
Last publication date: 2024-03-13

Procedure

  1. Generate a key pair for the client:
    keytool -genkey -keystore myclientstore.jks -alias myclientalias -dname "CN=client" -keyalg RSA -validity 3650 -storepass myclientstorepass -keypass myclientkeypass
    keytool -export -keystore myclientstore.jks -alias myclientalias -file myclientcertificate.cer -storepass myclientstorepass
  2. Generate a key pair for the service:
    keytool -genkey -keystore myservicestore.jks -alias myservicealias -dname "CN={http://services.talend.org/ReservationService}ReservationServiceProvider" -keyalg RSA -validity 3650 -storepass myservicestorepass -keypass myservicekeypass
    keytool -export -keystore myservicestore.jks -alias myservicealias -file myservicecertificate.cer -storepass myservicestorepass
  3. Register the public certificates in the XKMS repository:
    For encryption and signing, the public certificates of the client and of the service must be locatable and validatable by the XKMS service. To enable this, copy the .cer files exported above to <TalendRuntimePath>/container/esbrepo/xkms/certificates/trusted_cas.
  4. Configure the Service consumer and providers for signing and encryption.
    • For the Service consumer configuration:

      1. Edit the etc/org.talend.esb.job.client.cfg configuration file:

        security.signature.properties = file:${tesb.home}/etc/keystores/clientKeystore.properties
        security.signature.username = myclientkey    (the alias of your key in the keystore, e.g. myclientalias from step 1)
        security.signature.password = ckpass    (the password of your key in the keystore, e.g. myclientkeypass from step 1)
      2. Edit the properties file that the security.signature.properties parameter of etc/org.talend.esb.job.client.cfg points to (file:${tesb.home}/etc/keystores/clientKeystore.properties) as follows:

        org.apache.wss4j.crypto.merlin.keystore.type=jks
        org.apache.wss4j.crypto.merlin.keystore.password=cspass    (the keystore password, e.g. myclientstorepass from step 1)
        org.apache.wss4j.crypto.merlin.keystore.alias=myclientalias    (the key alias, e.g. myclientalias from step 1)
        org.apache.wss4j.crypto.merlin.keystore.file=./etc/keystores/mykeystore.jks    (the location of the myclientstore.jks file)
    • For the Service provider configuration:

      1. Edit the etc/org.talend.esb.job.service.cfg configuration file:

        security.signature.properties = file:${tesb.home}/etc/keystores/serviceKeystore.properties    (the properties file describing myservicestore.jks from step 2)
        security.signature.username = myservicekey    (the alias of your key in the keystore, e.g. myservicealias from step 2)
        security.signature.password = skpass    (the password of your key in the keystore, e.g. myservicekeypass from step 2)
      2. Edit the properties file that the security.signature.properties parameter of etc/org.talend.esb.job.service.cfg points to (file:${tesb.home}/etc/keystores/serviceKeystore.properties) as follows:

        org.apache.wss4j.crypto.merlin.keystore.type=jks
        org.apache.wss4j.crypto.merlin.keystore.password=sspass    (the keystore password, e.g. myservicestorepass from step 2)
        org.apache.wss4j.crypto.merlin.keystore.alias=myservicekey    (the key alias, e.g. myservicealias from step 2)
        org.apache.wss4j.crypto.merlin.keystore.file=./etc/keystores/servicestore.jks    (the location of the myservicestore.jks file)
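The most common mistake in step 4 is that security.signature.username in the .cfg file does not match org.apache.wss4j.crypto.merlin.keystore.alias in the properties file (or the alias actually stored in the .jks), so signing fails at runtime. The script below is an added consistency check, not part of the Talend guide; it assumes an environment variable TESB_HOME that stands in for ${tesb.home}, and uses keytool (already used in steps 1 and 2) only in the optional verify_key_alias function.

```shell
#!/bin/sh
# Added example, not from the Talend guide. Cross-checks that a consumer/provider
# .cfg file and the Merlin properties file it points at agree on the signing key:
# security.signature.username must equal merlin.keystore.alias, and the files
# referenced must exist. TESB_HOME (assumed) stands in for ${tesb.home}.

# prop <file> <key>: value of a "key = value" line (spaces around "=" optional).
prop() {
  grep "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 \
    | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# resolve_path <value>: turn "file:${tesb.home}/x" or "./x" into a path under TESB_HOME.
resolve_path() {
  p=$(printf '%s' "$1" | sed -e 's#^file:##' -e "s#\${tesb\.home}#${TESB_HOME:-.}#")
  case $p in /*) printf '%s\n' "$p" ;; *) printf '%s\n' "${TESB_HOME:-.}/$p" ;; esac
}

# check_signature_config <etc/org.talend.esb.job.client.cfg or .service.cfg>
# Exit status: 0 consistent, 1 alias mismatch, 2 a referenced file is missing.
check_signature_config() {
  props=$(resolve_path "$(prop "$1" security.signature.properties)")
  user=$(prop "$1" security.signature.username)
  if [ ! -f "$props" ]; then
    echo "ERROR: $1 references missing properties file $props"; return 2
  fi
  alias=$(prop "$props" org.apache.wss4j.crypto.merlin.keystore.alias)
  if [ "$user" != "$alias" ]; then
    echo "ERROR: security.signature.username=$user but merlin.keystore.alias=$alias"; return 1
  fi
  ks=$(resolve_path "$(prop "$props" org.apache.wss4j.crypto.merlin.keystore.file)")
  if [ ! -f "$ks" ]; then
    echo "ERROR: $props references missing keystore $ks"; return 2
  fi
  echo "OK: $1 signs with alias '$alias' from $ks"
}

# verify_key_alias <properties file>: confirm the alias really exists in the keystore
# (needs keytool on PATH; the store password is read from the properties file).
verify_key_alias() {
  ks=$(resolve_path "$(prop "$1" org.apache.wss4j.crypto.merlin.keystore.file)")
  keytool -list -keystore "$ks" \
    -alias "$(prop "$1" org.apache.wss4j.crypto.merlin.keystore.alias)" \
    -storepass "$(prop "$1" org.apache.wss4j.crypto.merlin.keystore.password)" >/dev/null
}

# Usage: TESB_HOME=/path/to/container sh check_signature_config.sh etc/org.talend.esb.job.client.cfg
[ "$#" -eq 0 ] || check_signature_config "$1"
```

Run it once for the consumer .cfg and once for the provider .cfg; a non-zero exit status pinpoints which of the two files disagrees.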