Accessing Secure Services Using Talend Studio and Talend Runtime

Author: Irshad Burtally
Version: 6.4
Products: Talend Data Services Platform, Talend Real-Time Big Data Platform, Talend Data Fabric, Talend ESB, Talend MDM Platform
Task: Deployment; Design and Development > Designing Jobs; Data Governance > Third-party systems > Webservice components; Design and Development > Third-party systems > Webservice components; Data Quality and Preparation > Third-party systems > Webservice components
Platform: Talend Runtime, Talend Studio

This article explains how to configure Secure Sockets Layer (SSL) to access secure services using Talend Studio and Talend Runtime.

SSL is the standard security technology used to establish an encrypted link between a web server and a browser (client). Using SSL ensures that sensitive information sent over the internet is encrypted so that it can only be understood by the intended recipient. SSL can be used simply to encrypt the data pipeline, or to perform Client/Server authentication. Client/Server authentication is an approach that aims to prevent man-in-the-middle attacks by ensuring that either the Client or the Server authenticates the other, or that they both authenticate each other. When both sides authenticate each other, this is Mutual SSL.

REST and SOAP web services can leverage SSL with the https protocol to encrypt the pipeline between the client and server. It is easy to configure SSL to access services securely in Talend from both Talend Studio and Talend Runtime.

Authentication and authorization using certificates for external services

It is very common to build data services that consume data from other services in Talend. In the following example, you will convert the SSL certificate of the service you want to call to a Java KeyStore (JKS).

You can get the SSL certificate in two ways:
  • It can be provided by the WebService Provider.
  • You can download the SSL certificate by calling the web service in a browser (by trying to read the WSDL in a browser, for example).

The Client Authentication certificate can only be provided by the calling client (you, in this case), or you can provide your certificate to the WebService Provider to store in its trust store. In that case, both the SSL and Client certificates are provided by the latter.

When you open a secure location through https, you can always inspect the details of the certificate used to encrypt the communication.

Converting SSL certificates to Java KeyStore

Before you begin

  • You have a service configured with SSL available to call.
  • You have a valid JDK installation with Java keytool available.
  • You have an SSL Certificate file named ServerCertificate.cer, for example.
  • You have a certificate provided by your web service provider from the server trust store, named ClientAuth.pfx, for example.

Procedure

  1. Run the following command to generate a keystore named webservice.jks from ServerCertificate.cer.
    keytool -importcert -keystore webservice.jks -storepass talend -alias MYSERVER.talend.com -file ServerCertificate.cer
  2. Run the following command to convert ClientAuth.pfx into a JKS file named clientcert.jks.
    keytool -importkeystore -srckeystore ClientAuth.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS
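
A way to confirm that the two conversions above produced usable files, as an added example that is not part of the original article: it builds throwaway stand-ins for ServerCertificate.cer and ClientAuth.pfx, runs both commands non-interactively, and checks that webservice.jks holds only a trustedCertEntry while clientcert.jks holds a PrivateKeyEntry. The function names, the example.test subject names and the password are assumptions made for the demo; -noprompt and the explicit passwords are added so that nothing waits for input.

```shell
#!/bin/sh
# Added example: all names, aliases and the password are constructed demo values.
PW='demo-only-pass'

# Print the distinct entry types held in a keystore, comma separated.
entry_types() {   # $1 = keystore file
    keytool -list -keystore "$1" -storepass "$PW" 2>/dev/null |
        grep -oE 'trustedCertEntry|PrivateKeyEntry' | sort -u | paste -sd, -
}

# Create throwaway stand-ins for ServerCertificate.cer and ClientAuth.pfx.
make_demo_inputs() {   # $1 = working directory
    for who in server client; do
        keytool -genkeypair -alias "$who" -keyalg RSA -keysize 2048 -validity 2 \
            -dname "CN=$who.example.test" -storetype PKCS12 \
            -keystore "$1/$who.p12" -storepass "$PW" -keypass "$PW" \
            >/dev/null 2>&1 || return 1
    done
    keytool -exportcert -alias server -storetype PKCS12 -keystore "$1/server.p12" \
        -storepass "$PW" -file "$1/ServerCertificate.cer" >/dev/null 2>&1 &&
        mv "$1/client.p12" "$1/ClientAuth.pfx"
}

# The procedure's two conversions, made non-interactive, followed by the check.
convert_and_check() {   # $1 = working directory
    # -storetype JKS is explicit: JDK 9+ would otherwise create a PKCS12 file.
    keytool -importcert -noprompt -storetype JKS -keystore "$1/webservice.jks" \
        -storepass "$PW" -alias MYSERVER.talend.com \
        -file "$1/ServerCertificate.cer" >/dev/null 2>&1 || return 1
    keytool -importkeystore -noprompt -srckeystore "$1/ClientAuth.pfx" \
        -srcstoretype pkcs12 -srcstorepass "$PW" \
        -destkeystore "$1/clientcert.jks" -deststoretype JKS \
        -deststorepass "$PW" >/dev/null 2>&1 || return 1
    # The truststore must hold certificates only; the keystore needs the key.
    [ "$(entry_types "$1/webservice.jks")" = "trustedCertEntry" ] &&
        [ "$(entry_types "$1/clientcert.jks")" = "PrivateKeyEntry" ]
}

# Run the whole check in a temporary directory and clean up afterwards.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_inputs "$d" && convert_and_check "$d"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
```

On real files, set PW to the store password and call entry_types on each keystore before pointing tSetKeystore at it.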

Configuring secure services in Talend Studio

This section explains how to configure secure services in Talend Studio using the tSoap component. tSoap is a very generic component that requires you to build the whole SOAP request message manually. It is generally recommended to use tEsbConsumer, which has more functionalities to call web services.

Before you begin

You have a tSoap component with a SOAP request message.

Procedure

  1. Select tSetKeystore from the palette.
  2. Connect your tSetKeystore to tSoap with OnSubjobOk.
  3. Configure tSetKeystore as follows.
    Field                        Value
    TrustStore type              JKS
    TrustStore file              The location of the SSL Certificate JKS you created.
    TrustStore password          The password you created.
    Need Client authentication   Select the check box. This is needed if the service provider requires the client to be authenticated.
    KeyStore type                JKS
    KeyStore location            The location of the JKS you created.
    KeyStore password            The password you created.

    It is recommended to use context variables, as they enable you to change values easily.

Deploying your secure service in Talend Runtime

This section explains how to configure https-conduits in Talend Runtime to deploy your client job or service. You need to follow these steps if you want to deploy your service in Talend Runtime, because the tSetKeystore you created only gives you access to the service provider server and its exposed services in Talend Studio or in standalone Job mode.

Procedure

  1. Copy the JKS you created into the etc/keystores folder in Talend Runtime.
  2. Create a file in the etc folder in Talend Runtime and name it using the following pattern: org.apache.cxf.http.conduits-XXXXX.cfg.
    Here, XXXXX should be replaced by the same name as your services. Any pattern is picked up by the server. You can create as many http-conduits files as required. Talend Runtime will load all of them and evaluate them in the order defined and according to the URL pattern defined in the http-conduits file.
  3. Edit the file you created and take sample parameters from org.apache.cxf.http.conduits-common.cfg.
    This file is provided as a sample in the etc folder in Talend Runtime. If you only have one service, you can edit the file directly, without making another copy.
  4. Open and edit the file org.apache.cxf.http.conduits-XXXXX.cfg and replace the JKS file locations and passwords with the ones you created using keytool.
    Note: The context variables for the tSetKeystore component have no effect in Talend Runtime, but it is a good practice to keep them in sync with the values you have on the server. This way, you can test your client or service both in Talend Studio and in Talend Runtime. The certificate configuration for tSetKeystore will be overridden by org.apache.cxf.http.conduits-XXXXX.cfg in Talend Runtime.
  5. Restart Talend Runtime to apply the changes to Talend Runtime Container, then test the service using SoapUI.