Accessing Secure Services Using Talend Studio and Talend Runtime
SSL is the standard security technology used to establish an encrypted link between a web server and a browser (client). Using SSL ensures the encryption of sensitive information sent over the internet so that it can only be understood by the intended recipient. SSL encryption can be used to simply encrypt the data pipeline, or to perform Client/Server authentication. Client/Server authentication is an approach that aims to prevent man-in-the-middle attack by ensuring that either the Client or the Server authenticates the other, or that they both authenticate each other. This is Mutual SSL.
REST and SOAP web services can leverage SSL with the https protocol to encrypt the pipeline between the client and server. It is easy to configure SSL to access services securely in Talend from both Talend Studio and Talend Runtime.
Authentication and authorization using certificates for external services
It is very common to build data services that consume data from other services in Talend. In the following example, you will convert the SSL certificate of the service you want to call to Java KeyStore (JKS).
- It can be provided by the WebService Provider
- You can download the SSL certificate by calling the web service in a browser (by trying to read the WSDL in a browser, for example).
The Client Authentication certificate can only be provided by the calling client, you, in this case, or you can provide your certificate to the WebService Provider to store in its trust. In that case, both SSL and Client certificates are provided by the latter.
When you open a secure location through https, you can always inspect the details of the certificate used to encrypt the communication.
Converting SSL certificates to Java KeyStore
Before you begin
- You have a service configured with SSL available to call.
- You have a valid JDK installation with Java keytool available.
- You have an SSL Certificate file named ServerCertificate.cer, for example.
- You have a certificate provided by your web service provider from server trust named ClientAuth.pfx, for example.
Run the following code to generate a keystore named
keytool -importcert -keystore webservice.jks -storepass talend -alias MYSERVER.talend.com –file ServerCertificate.cer
Run the following command to convert ClientAuth.pfx into a JKS file named clientcert.jks.
keytool -importkeystore -srckeystore ClientAuth.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks –deststoretype JKS
Configuring secure services in Talend Studio
Before you begin
You have a tSoap component with a SOAP request message.
- Select tSetKeystore from the palette.
- Connect your tSetKeystore to tSoap with OnSubjobOk.
- Configure tSetKeystore as follow.
Field Value TrustStore type JKS TrustStore file The location of the SSL Certificate JKS you created. TrustStore password The password you created. Need Client authentication Select the check box.
This is needed if the service provider requires the client to be authenticated.
KeyStore type JKS KeyStore location The location of the JKS you created. KeyStore password The password you created.It is recommended to use context variables, they will enable you to change values easily.
Deploying your secure service in Talend Runtime
Copy the JKS you created in etc/keystores in Talend Runtime.
Create a file in the
etcfolder in Talend Runtime and use the following pattern to name it org.apache.cxf.http.conduits-XXXXX.cfg.Here, XXXXX should be replaced by the same name as your services. Any pattern is picked up by the server. You can create as many http_conduits files as required. Talend Runtime will load all of them and evaluate them in the order defined and according to the URL pattern defined in the http-conduits file.
Edit the file you created and take sample parameters from org.apache.cxf.http.conduits-common.cfg.
This file is provided as sample in the
etcfolder in Talend Runtime. If you only have one service, you can edit the file directly, without making another copy.
Open and edit the file org.apache.cxf.http.conduits-XXXXX.cfg and replace the JKS files locations and password you created using keytool.
Note: The context variables for the tSetKeystore component have no effect in Talend Runtime, but it is a good practice to keep them in sync with the values you have on the server. This way, you can test your client or service both in Talend Studio and in Talend Runtime. The certificate configuration for tSetKeystore will be overridden by org.apache.cxf.http.conduits-XXXXX.cfg in Talend Runtime.
- Restart Talend Runtime to apply the changes to Talend Runtime Container, then test the service using SOAPUI.