Talend Administration Center advanced configuration

Talend ESB Installation Guide for Solaris

Version: 6.3
Product: Talend ESB
Task: Installation and Upgrade

Most of the configuration parameters are stored in the Talend Administration Center database, like backup-related settings, port information, timeout duration, security settings, login delay and so on.

Some parameters can be updated, activated or deactivated from the Configuration page of the Web application or directly in the configuration.properties file, but you might need to edit some of them manually in the configuration table of the Talend Administration Center database. To access and edit this database, open its web console, which is accessible from the Database node of the Configuration page of Talend Administration Center.

The following pages detail advanced configuration procedures for Talend Administration Center:

Setting up Talend Administration Center Single Sign-On (SSO)

You have the possibility to implement a unified sign-on and authentication to access Talend Administration Center through different Identity provider systems (IdP) and to manage the roles and project types of the application users:

  1. You need first to enable SSO for Talend Administration Center during installation, either via Talend Installer or from a configuration file, see Enabling Single-Sign On for Talend Administration Center.

  2. Then set up SSO, user roles and project types from your Identity Provider system (Okta or SiteMinder), as described in the corresponding sections below.

  3. (Optional) You can create an "emergency user" in Talend Administration Center in case your Identity Provider is temporarily unavailable, see Defining an emergency user for Talend Administration Center.

Setting up SSO in your Identity Provider system allows users to access all their applications, including Talend Administration Center, by signing in one time for all services. If a user tries to sign in to Talend Administration Center when SSO is set up, he or she is redirected to the SSO sign-in page.

Enabling Single-Sign On for Talend Administration Center

To activate SSO for Talend Administration Center during installation, you can:

  • activate SSO by editing a configuration file

Note that, if you do not activate SSO during installation, you still have the possibility to do so on the Configuration page once you are logged in the web application. For more information, see the Talend Administration Center User Guide.

In the configuration file:

You also have the possibility to enable SSO directly from a configuration file.

  1. Open the following file to edit it:

    <tomcat_path>WEB-INF\classes\configuration.properties

  2. Set the sso.field.useSSOLogin parameter value to true and save your changes.

    SSO is activated: the first time the administrator logs in to Talend Administration Center, he or she can configure the link between the application and the Identity Provider system directly from the Talend Administration Center Database Configuration page.

    For more information, see Talend Administration Center User Guide.

Setting up a Talend Administration Center SSO from Okta

Prerequisite: You have an administrator Okta account in your organization.

Add the Talend Administration Center application in Okta

  1. Log in to your Okta organization.

  2. Click the Admin button.

  3. Click Add Applications, then click the Create New App button.

  4. Select SAML 2.0, then click Create.

  5. In the General Settings step, enter a name and description for your application, for example Talend Administration Center, then click Next.

  6. Fill in the SAML Settings:

    Field                         Value
    Single sign on URL            http://<host>:<port>/<application_name>/ssologin
                                  Ex: http://localhost:8080/org.talend.administrator/ssologin
    Audience URI (SP Entity ID)   /ssologin
    Name ID format                Select Email Address in the list.
    Application username          Select Email in the list.

  7. Once you have created your application, download the Identity Provider metadata from the Sign On tab of your application.

  8. Click Next and Finish.

Define the user attributes of your application

Single Sign-On is only available for Talend Administration Center, but the user information of the related applications can be centralized in Okta: Talend lets you manage application user roles and user project types, including the roles of Talend Administration Center, Talend Data Preparation and Talend Data Stewardship users, from Okta rather than from Talend Administration Center.

Note that once Single Sign-On is enabled, you can no longer manage, from Talend Administration Center, the user settings handled by the Identity Provider, such as user passwords, the project types users are assigned to, or user roles.

  1. Select Directory > Profile Editor from the top menu.

  2. Open the user Profile corresponding to the Talend Administration Center application you have just created in Okta.

  3. In the Custom tab, click Add Attribute.

  4. Create the role attribute: in the Add Attribute window, enter a display name (TACRole for example) and a variable name (tacRole for example), select string array in the Data type list, then click Add Attribute.

  5. Create the project type attribute: in the Add Attribute window, enter a display name (TACProjectType for example) and a variable name (tacProject for example), select string in the Data type list, define a field length (between 1 and 10 characters for example), then click Add Attribute.

Add the user attributes to your application

  1. Select your existing application and click Edit in the SAML Settings of the General tab.

  2. In the Attribute Statements area, add four attributes, tac.role, tac.projectType, firstName and lastName:

    • Talend Administration Center Role attribute
      SAML attribute name (Okta): tac.role
      Value: user.tacRole
      Attribute value in user profile: any string of your choice; it must match the value entered in the Talend Administration Center SSO configuration. Examples: tac_admin (for a Talend Administration Center Administrator user), tac_om (for a Talend Administration Center Operation Manager user), dp_dm (for a Talend Data Preparation Dataset Manager user).

    • Talend Administration Center Project attribute
      SAML attribute name (Okta): tac.projectType
      Value: user.tacProject
      Attribute value in user profile: either DI (Data Integration), DQ (Data Quality), MDM (Master Data Management) or NPA (No Project Access).

    • First Name (optional; if not set, the email address login is used)
      SAML attribute name (Okta): firstName
      Value: user.firstName
      Attribute value in user profile: the user's first name.

    • Last Name (optional; if not set, the email address login is used)
      SAML attribute name (Okta): lastName
      Value: user.lastName
      Attribute value in user profile: the user's last name.

Define the user information and assign the user to the application

  1. Select Directory > People from the top menu.

  2. Select the user you want to edit then go to the Profile tab to edit this user.

  3. Set the desired role values (the same role and project type values must be used in the Talend Administration Center SSO configuration), and click Add Another to add several roles to the user.

    Do the same for the project type value (either DI (Data Integration), DQ (Data Quality), MDM (Master Data Management) or NPA (No Project Access)).

  4. Open the People tab in a new browser tab and click Assign to People.

  5. Enter the username(s) and email address(es) of the person(/people) you want to assign to the application.

Once your application and users are set in Okta, you need to link the Identity Provider to Talend Administration Center in order to retrieve the user information you have defined.

In Talend Administration Center:

  1. From the configuration page, expand the SSO node.

  2. If SSO has not been enabled yet, select true in the Use SSO Login field.

  3. Click Launch Upload in the IDP metadata field and upload the Identity Provider metadata file you have previously downloaded from the Identity Provider system.

  4. In the Service Provider Entity ID field, enter the Entity ID of your Service Provider (available in the configuration of the IdP), ssologin for example.

  5. Select your Identity Provider System in the corresponding list.

    • If your provider is Okta: enter the Okta administrator Organization URL, as well as the Okta App Embed Link, the link used to sign in to Talend Administration Center from a portal outside Okta (both can be found in the Okta configuration).

    • If your provider is SiteMinder: enter the SiteMinder SSO Service URL, for example http://<host>/affwebservices/public/saml2sso?SPID=<SPEntityName>.

  6. In the Use Role Mapping field, map the application user roles with the roles defined in the Identity Provider system.

    Once you have defined roles at the Identity Provider side, you will not be able to edit the user roles from Talend Administration Center.

    Fill in the role fields with the corresponding SAML role attributes previously set in the Identity Provider system.

    Ex: Talend Administration Center Roles > Administrator = tac_admin; Operation Manager = tac_om

    Ex: Talend Data Preparation Roles > Administrator = dp_admin; Data Preparator = dp_dp

    Ex: Talend Data Stewardship Roles > Data Steward = tds_ds

    The roles set in the Identity Provider will override the roles set in Talend Administration Center.

Setting up a Talend Administration Center SSO from SiteMinder

Prerequisite: You have a SiteMinder administrator account and have installed and configured Web Agent and Web Agent OptionPack.

See below the main configuration steps to set up Single-Sign On for Talend Administration Center in SiteMinder.

For more detailed information, see the article about SiteMinder configuration on Talend Help Center.

Configure the SAML2 Identity Provider in SiteMinder

  1. Create a User Directory from the SiteMinder Administrative UI.

    In the LDAP Settings area, set the email address attribute as user search in the LDAP user DN lookup setting.

  2. Protect the authentication URL to establish the user sessions as described in the SiteMinder documentation:

    • Select your Web agent (create and configure it as described in the SiteMinder documentation)

    • Select the User Directory created previously.

    • Select a Basic Authentication Scheme (see the SiteMinder documentation for more information)

    • Clear the Persistent check box in the Session section in order not to store session information.

  3. Create a Signing certificate by importing a key/certificate pair (Infrastructure > X509 Certificate Management > Trusted Certificates and Private Keys)

  4. Create a local Identity Provider Entity (Federation > Partnership Federation > Entities):

    • Select Local and SAML2 IDP in the Entity Type step.

    • Select the Unspecified and Email Address check boxes in the Entity configuration step.

  5. Create a Partnership (Federation > Partnership Federation > Partnerships):

    • Select SAML2 IDP and tac in the Configure Partnership step.

    • Select All Users in Directory in the Federation Users step.

    • In the Assertion Configuration step, enter the required information and add the tac.role and tac.projectType assertion attributes, mapped to the custom LDAP user attributes (tacRole and projectType in this example). The values of these attributes are retrieved later, when configuring SSO in Talend Administration Center.

    • In the SSO and SLO step, enter the URL of the web service to redirect.jsp in Authentication URL, select urn:oasis:names:tc:SAML:2.0:classes:Password in Authentication Class, select the HTTP-Redirect and HTTP-POST bindings, and enter the URL of the Talend Administration Center SSO servlet (http://<TACapplicationURL>/<TACapplicationName>/ssologin) in the Remote Assertion Consumer Service URLs area. Then leave the other parameters as they are and finish the creation process.

  6. Activate the Partnership you created and export its metadata. You will need to upload the metadata later on the Talend Administration Center SSO configuration page.

  7. On your LDAP server, test the SSO login to the Talend Administration Center application:

    • Create an LDAP user with the custom role and project type attributes you want (tacRole=tac_admin,tac_viewer and projectType=DI for example) and check that a bind with the user credentials succeeds.

      Note that:

      • project type values can only be: DI (Data Integration), DQ (Data Quality), MDM (Master Data Management) or NPA (No Project Access).

      • if you want to add several roles for a user, roles should be separated with a comma.

    • Go to the Authentication URL previously defined (http://<host>/affwebservices/public/saml2sso?SPID=<SPEntityName>) and enter the uid/userPassword values to log in to Talend Administration Center.

Once your application and users are set in SiteMinder and LDAP, you need to link the Identity Provider to Talend Administration Center in order to retrieve the user information you have defined.

Note that Single Sign-On is only available for Talend Administration Center, but the user information of the related applications can be centralized in SiteMinder: Talend lets you manage application user roles and user project types, including the roles of Talend Administration Center, Talend Data Preparation and Talend Data Stewardship users, from the Identity Provider rather than from Talend Administration Center.

In Talend Administration Center:

  1. From the configuration page, expand the SSO node.

  2. If SSO has not been enabled yet, select true in the Use SSO Login field.

  3. Click Launch Upload in the IDP metadata field and upload the Identity Provider metadata file you have previously downloaded from the Identity Provider system.

  4. In the Service Provider Entity ID field, enter the Entity ID of your Service Provider (available in the configuration of the IdP), ssologin for example.

  5. Select your Identity Provider System in the corresponding list.

    • If your provider is Okta: enter the Okta administrator Organization URL, as well as the Okta App Embed Link, the link used to sign in to Talend Administration Center from a portal outside Okta (both can be found in the Okta configuration).

    • If your provider is SiteMinder: enter the SiteMinder SSO Service URL, for example http://<host>/affwebservices/public/saml2sso?SPID=<SPEntityName>.

  6. In the Use Role Mapping field, map the application user roles with the roles defined in the Identity Provider system.

    Once you have defined roles at the Identity Provider side, you will not be able to edit the user roles from Talend Administration Center.

    Fill in the role fields with the corresponding SAML role attributes previously set in the Identity Provider system.

    Ex: Talend Administration Center Roles > Administrator = tac_admin; Operation Manager = tac_om

    Ex: Talend Data Preparation Roles > Administrator = dp_admin; Data Preparator = dp_dp

    Ex: Talend Data Stewardship Roles > Data Steward = tds_ds

    The roles set in the Identity Provider will override the roles set in Talend Administration Center.
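The following Python script is an added example, not part of the Talend documentation or product: it shows how the SAML attributes configured above (tac.role and tac.projectType in Okta or SiteMinder) can be checked and mapped before an account is granted. It reads a constructed assertion, accepts role values both as Okta sends them (one value per array element) and as a SiteMinder LDAP attribute stores them (comma-separated), enforces the four allowed project type values, and maps role strings through a table built from this page's examples; the assertion content, the email address and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Role strings as entered on the "Use Role Mapping" page, taken from the
# examples in this guide; the mapped value is (application, role).
ROLE_MAPPING = {
    "tac_admin": ("Talend Administration Center", "Administrator"),
    "tac_om": ("Talend Administration Center", "Operation Manager"),
    "dp_admin": ("Talend Data Preparation", "Administrator"),
    "dp_dp": ("Talend Data Preparation", "Data Preparator"),
    "tds_ds": ("Talend Data Stewardship", "Data Steward"),
}
PROJECT_TYPES = {"DI", "DQ", "MDM", "NPA"}  # the only accepted project types

# Constructed sample assertion (not captured from a real IdP). tac.role
# carries one value per AttributeValue, as Okta sends a string array, plus
# one comma-separated value, as a SiteMinder LDAP attribute is stored.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="tac.role">
      <saml:AttributeValue>tac_admin</saml:AttributeValue>
      <saml:AttributeValue>dp_dp, tds_ds</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="tac.projectType">
      <saml:AttributeValue>DI</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def attribute_values(root, name):
    """All values of one SAML attribute; comma-separated entries are split so
    Okta arrays and SiteMinder strings yield the same list."""
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != name:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            values += [p.strip() for p in (value.text or "").split(",") if p.strip()]
    return values


def resolve_user(assertion_xml, role_mapping=ROLE_MAPPING):
    """Return the account the assertion grants. Roles that are not in the
    mapping are reported under "unknown_roles", never silently granted."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no NameID (expected the user email)")

    # Exactly one project type, and only one of the four accepted values.
    project_types = attribute_values(root, "tac.projectType")
    if len(project_types) != 1 or project_types[0] not in PROJECT_TYPES:
        raise ValueError("tac.projectType must be one of %s, got %r"
                         % (sorted(PROJECT_TYPES), project_types))

    roles, unknown = [], []
    for value in attribute_values(root, "tac.role"):
        if value in role_mapping:
            roles.append(role_mapping[value])
        else:
            unknown.append(value)
    return {"email": name_id.text.strip(), "project_type": project_types[0],
            "roles": roles, "unknown_roles": unknown}
```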

Defining an emergency user for Talend Administration Center

In case your Identity Provider is temporarily unavailable and you need to connect to Talend Administration Center, you have the possibility to create a temporary emergency user.

  1. Open the following file to edit it:

    <tomcat_path>WEB-INF\classes\configuration.properties

  2. Uncomment the parameters sso.emergency.username and sso.emergency.password, edit the credentials of the emergency user if needed then save your changes.

  3. Restart Tomcat.

  4. Log in to Talend Administration Center using the credentials you defined. When you log out of that session, the emergency user account is removed.

Migrating database X to database Y

If you want to migrate from one database to another, for example from H2 to MySQL, you need to use the MetaServlet command called migrateDatabase.

The MetaServlet application is located in <TomcatPath>/webapps/<TalendAdministrationCenter>/WEB-INF/classes folder.

To display the help of this command, with its parameters, run the following from the MetaServlet application folder:

./MetaServletCaller.sh --tac-url=<yourApplicationURL> -h migrateDatabase

For more information on the MetaServlet application, see the Talend Administration Center User Guide.

See below an example of migration between H2 and MySQL databases.

Note that the command must be entered on a single line.

./MetaServletCaller.sh --tac-url http://localhost:8080/org.talend.administrator --json-params='{"actionName":"migrateDatabase","dbConfigPassword":"admin","mode":"synchronous","sourcePasswd":"tisadmin","sourceUrl":"jdbc:h2:/home/Talend/6.3.2/tac/apache-tomcat-8.0.20/webapps/org.talend.administrator/WEB-INF/database/talend_administrator","sourceUser":"tisadmin","targetPasswd":"root","targetUrl":"jdbc:mysql://localhost:3306/base","targetUser":"root"}'

Disabling SSL3 in Tomcat

To avoid the POODLE vulnerability, which lets an attacker force a downgrade of the SSL/TLS protocol to SSL v3 and then break its encryption, you might want to disable SSL v3 on the Tomcat server. For more information on how to do this, read the procedure on the Apache website.

Managing the database parameters

The configuration parameters are stored in the database, except for the parameters related to the Talend Administration Center database that are stored in the following file:

<ApplicationPath>/WEB-INF/classes/configuration.properties

The database-related passwords are encrypted at start up, when this file is parsed and loaded in the database.

Change the encrypted default account password

  1. Open the configuration.properties file to edit it.

  2. Locate the encrypted password of the default account; it is followed by ",Encrypt".

    Remove everything after the = sign, including ",Encrypt", and type in the new password of the default account.

  3. Save your changes and close the file. At next startup, the password will be encrypted in the database and the file will be updated with this encrypted password.

Change the default password used to configure the database

After the first connection, for security reasons it is strongly recommended not to keep using the default user account to access the application. You can either change the default credentials of this account (admin@company.com/admin) or create another administrator user and remove the default account.

If you want to change the admin default password that allows you to change the database configuration, do the following:

  1. Scroll down the configuration.properties file until you find the database.config.password parameter.

  2. Replace the default admin password with an individual, strong password.

Managing the connection pool via Tomcat

By default, a third-party library (c3p0), configured in the Talend Administration Center configuration file, manages the connection pool.

However, if you want Tomcat to manage the connection pool directly, proceed as follows in the Web application installation directory:

  1. In the <ApplicationPath>/WEB-INF/classes folder, change the default setting of the configuration.properties file to:

    database.useContext=True

  2. In the WEB-INF folder, edit the web.xml file and add the following element before the closing </web-app> tag:

    <resource-ref>
      <description>Our Datasource</description>
      <res-ref-name>jdbc/ADMINISTRATOR_CONNECTION</res-ref-name>
      <res-type>javax.sql.DataSource</res-type>
      <res-auth>Container</res-auth>
    </resource-ref>

  3. In the file <ApplicationPath>/META-INF/context.xml, configure the database connection parameters by modifying the following elements:

    • url: the JDBC URL of the database, where ip_address is the database IP address, dir_path is the database directory and db_name is the database name.
      MySQL:      jdbc:mysql://{ip_address}:3306/{db_name}
      Oracle:     jdbc:oracle:thin:@{ip_address}:1521:{db_name}
      SQL Server: jdbc:jtds:sqlserver://{ip_address}:1433/{db_name}
      H2:         jdbc:h2:file:{dir_path}/{db_name};MVCC=TRUE;AUTO_SERVER=TRUE;LOCK_TIMEOUT=15000

    • username: the username used to log in to your database, talend_admin by default.

    • password: the password used to log in to your database, talend_admin by default.

    • driverClassName: the JDBC driver class of the database.
      MySQL:      org.gjt.mm.mysql.Driver
      Oracle:     oracle.jdbc.driver.OracleDriver
      SQL Server: net.sourceforge.jtds.jdbc.Driver
      H2:         org.h2.Driver

  4. Copy the .jar file of the JDBC driver for the database in which your data is stored into <TomcatPath>/lib/.

You can also deploy Talend Administration Center on a JBoss application server instead of Tomcat; the instructions above apply to JBoss as well. For more information on how to deploy the Web application on JBoss, see Deploying Talend Administration Center on JBoss.

Customizing the Talend Administration Center Menu tree view

You also have the possibility to customize the Menu tree view of the Talend Administration Center Web application by adding dynamic links to the website of your choice.

To set up dynamic links:

  1. Open the following file:

    <ApplicationPath>/WEB-INF/classes/configuration.properties

  2. At the end of the file, enter the dynamic link of interest using the following syntax:

    dynamiclink.<key>=<label>#<url>#<order>

    In this syntax, <key> is the technical key of the configured link, <label> is the link name displayed in the Menu tree view, <url> is the website address to link to and <order> specifies the position of this link in the Menu tree view.

    For example, the following two entries create a link to http://www.talend.com and a link to http://www.talendforge.org:

    dynamiclink.talendcom=Talend#http://www.talend.com#8
    dynamiclink.talendforge=Talendforge#http://www.talendforge.org#9

    Note: for further information about the order numbers Talend Administration Center uses to arrange the Menu items, check the menuentries.properties file provided in the same classes folder.

  3. Save the configuration.properties file edited.

For more information on how these links are displayed in the Menu tree view of the Talend Administration Center Web application, see the Talend Administration Center User Guide.
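As an added example (not part of the Talend documentation or product), the following Python function parses the dynamiclink entries of a configuration.properties file, validates each one and orders the links as the Menu tree view would. It handles a URL that itself contains a "#" by taking the label before the first "#" and the order after the last one, and it rejects entries whose URL is not http or https, since the label becomes a link in the administration interface. The sample properties content is constructed: the talend.com and talendforge.org entries are this page's examples, the help.example.com, "broken" and "noorder" entries are assumptions.

```python
from urllib.parse import urlsplit

PREFIX = "dynamiclink."

# Constructed sample configuration.properties content (not a real file).
SAMPLE_PROPERTIES = """\
# other settings
sso.field.useSSOLogin=false
dynamiclink.talendcom=Talend#http://www.talend.com#8
dynamiclink.talendforge=Talendforge#http://www.talendforge.org#9
dynamiclink.docs=Docs#https://help.example.com/tac#top#7
dynamiclink.broken=Broken#notaurl#3
dynamiclink.noorder=Home#http://intranet.example.com
"""


def parse_dynamic_links(text):
    """Return (links, errors): links sorted by menu order, and one (key, reason)
    tuple per entry that does not follow <label>#<url>#<order> or whose URL
    does not use http or https."""
    links, errors = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue
        key, eq, value = line.partition("=")
        key = key[len(PREFIX):]
        # Label is everything before the first '#', order everything after
        # the last '#'; the URL in between may legitimately contain '#'.
        label, sep1, rest = value.partition("#")
        url, sep2, order = rest.rpartition("#")
        if not (eq and sep1 and sep2 and label and url and order.isdigit()):
            errors.append((key, "expected <label>#<url>#<order>"))
            continue
        if urlsplit(url).scheme not in ("http", "https"):
            errors.append((key, "URL must use http or https"))
            continue
        links.append({"key": key, "label": label, "url": url, "order": int(order)})
    links.sort(key=lambda link: link["order"])
    return links, errors
```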

Configuring Talend Administration Center login delay

Setting up a login delay allows you to improve the security of your Web application by slowing down brute force attacks.

  • In the configuration table of the Talend Administration Center database, change the value of the useLoginDelay parameter to true.

Failed login attempts will now generate a time delay which increases exponentially with each failed attempt.

Configuring LDAP(S) for Talend Administration Center

To configure LDAP(S) for Talend Administration Center, proceed as follows:

Generate a key

  1. Create a folder where you want to store your Keystore.

  2. Open a command prompt.

  3. Using the cd command, go to the folder you created.

  4. Enter the following command:

    <JAVA_HOME>/bin/keytool -genkey -keystore <myKeystoreName> -keyalg RSA

    Replace <JAVA_HOME> with the path to the folder where Java is installed and <myKeystoreName> with the name of your Keystore.

  5. Enter the password you want to create for your Keystore twice. Then, if needed, enter other optional information, such as your name or the name of your organization.

  6. Enter yes to confirm the information you provided.

  7. Enter the password you have previously defined.

Configure LDAP(S) for Talend Administration Center

To set the new Keystore location, edit the JAVA_OPTS environment variable.

  • Add the following lines to your JAVA_OPTS environment variable:

    -Djavax.net.ssl.keyStore=/<myDirectory>/<myKeystore>
    -Djavax.net.ssl.keyStorePassword=<myPassword>

    where <myDirectory> is the directory of your Keystore, <myKeystore> is the name of your Keystore and <myPassword> is the password you previously defined for your Keystore.

For more information on how to enable LDAP(S) in Talend Administration Center, see the Talend Administration Center User Guide.