Configuring SSL or TLS support for the MDM server

Talend MDM Platform Installation Guide

Version: 6.1
Product: Talend MDM Platform
Task: Installation and Upgrade

You can configure the MDM Server to run securely on an HTTP server using the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols.

SSL or TLS support for the MDM server can be configured from Talend Studio or Tomcat. For more information, see Configuring SSL or TLS support for the MDM server from Talend Studio and Configuring SSL or TLS support for the MDM server from Tomcat.

Configuring SSL or TLS support for the MDM server from Talend Studio

To configure the TLS/SSL connection from Talend Studio, do the following.

  1. In your Studio, click Window > Preferences.

    The [Preferences] dialog box opens.

  2. Expand Talend > MDM, and then click SSL.

    A page opens in which you can specify the details of your SSL configuration.

  3. Define the Security Configuration.

    1. Select the security protocol to use from the SSL Algorithm drop-down list: TLS or SSL.

    2. Select the host verification method by clicking the allow all radio button (no hostname check) or the strict verify radio button (the hostname must match the name in the server certificate).

  4. Define the Keystore Configuration for the local credentials to be sent to the remote host.

    1. Click Browse and browse to the location where your local credentials are stored.

    2. Enter the password required to access the certificate.

    3. Specify which type of keystore to use by selecting the appropriate option in the drop-down list: JKS, JCEKS, or PKCS12.

  5. Define the Truststore Configuration for the certificate containing the remote authentication credentials.

    1. Click Browse and browse to the location where your security certificates are stored.

    2. Enter the password required to access the certificate.

    3. Specify which type of keystore to use by selecting the appropriate option in the drop-down list: JKS, JCEKS, or PKCS12.

  6. Click OK to confirm your changes.

You can also configure SSL or TLS support for the MDM server from Tomcat. For more information, see Configuring SSL or TLS support for the MDM server from Tomcat.

Configuring SSL or TLS support for the MDM server from Tomcat

To ensure a secure communication environment, you can configure Transport Layer Security (TLS) or Secure Sockets Layer (SSL) support on Tomcat.

Note

It is recommended that you configure Tomcat with SSL or TLS support only when running Tomcat as a standalone web server. It is not necessary to configure SSL support when Tomcat runs behind another web server such as Apache.

Prerequisite: JRE 1.8.0 or higher must be installed. You should also make sure that the JAVA_HOME environment variable is set to point to the JRE directory. For example, if the path is C:\Java\JREx.x.x\bin, you must set the JAVA_HOME environment variable to point to: C:\Java\JREx.x.x.

First, you need to generate a keystore file containing a self-signed certificate for SSL.

The following gives an example of how to generate a self-signed certificate using the Java keytool utility.

  1. Open a command prompt window.

  2. Run the following command to generate a new file named ".keystore" in your home directory.

    "%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA

    Note

    If you want to specify a different location or file name, add the -keystore parameter to the command. For example, you can add -keystore talendmdm.keystore to the command to generate a keystore file named talendmdm.keystore.

  3. Enter the keystore password as prompted, and then enter the password again to confirm it. By default, it is "changeit".

  4. Enter the general information about this Certificate, such as the organization name or the city. Make sure that the information you entered matches the information expected by users who attempt to access a secure page in your application.

  5. Enter the key password as prompted, which is the password specifically for this Certificate.

    Warning

    It is recommended that you use the same password for the keystore file and the key.

  6. Go to your home directory and verify that a .keystore file is newly generated.

Now that the keystore file is prepared, you can configure SSL or TLS support on Tomcat as follows:

  1. Browse to the directory <TomcatPath>/conf, and then open the file server.xml.

  2. Uncomment the following text.

    <!--
    <Connector port="8543" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

  3. Add the complete path to the keystore file and the password for the keystore file.

    <Connector port="8543" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="${user.home}/.keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS" />

    Warning

    Make sure that the keystoreFile contains the path and file name of the keystore, and the keystorePass matches the password for the keystore.

  4. Save your changes into the file.

  5. Restart Tomcat for your changes to take effect.

You can also configure SSL or TLS support for the MDM server from Talend Studio. For more information, see Configuring SSL or TLS support for the MDM server from Talend Studio.

Configuring the MDM server to respond to HTTPS requests only

With the SSL or TLS support configuration, an MDM server can respond to both HTTP and HTTPS requests.

To ensure the security of communication with the MDM server, you can configure the MDM server to respond to HTTPS requests only by modifying the file web.xml under the directory <TomcatPath>/webapps/talendmdm/WEB-INF.

Open the file web.xml, and then uncomment the following text:

    <!-- Uncomment the following to configure webapp to always require HTTPS -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>HTTPSOnly</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

After this configuration, if you enter a URL starting with http in your browser, you are automatically redirected to the secure URL starting with https.
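The following script checks the two files edited in this guide after the fact: the HTTPS Connector in server.xml (steps 2 and 3 of the Tomcat procedure above) and the HTTPSOnly constraint in web.xml. It is an added example written for this page, not Talend's or Tomcat's own code. The server.xml and web.xml it reads are constructed samples embedded inline; the plain-HTTP connector on port 8180 with its redirectPort, the "s3cret-example" password in the hardened variant, and the function names audit_https_connector and enforces_https_only are assumptions of the example.

```python
"""Audit the Tomcat HTTPS connector and the HTTPSOnly constraint described in
the guide (added example, not Talend or Tomcat code)."""
import xml.etree.ElementTree as ET

DEFAULT_KEYSTORE_PASSWORD = "changeit"   # the default named in the guide

# Constructed sample server.xml: the connector exactly as the guide's step 3
# leaves it, plus a plain-HTTP connector (port 8180 is an assumption) whose
# redirectPort points at the HTTPS port.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8180" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8543" />
    <Connector port="8543" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="${user.home}/.keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>
"""

# Same file after the keystore password was changed (constructed value).
HARDENED_SERVER_XML = SAMPLE_SERVER_XML.replace('keystorePass="changeit"',
                                                'keystorePass="s3cret-example"')

# Constructed sample web.xml with the block the guide tells you to uncomment.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTTPSOnly</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so web.xml elements match by local name."""
    return tag.rsplit("}", 1)[-1]


def _is_true(value):
    return (value or "").strip().lower() == "true"


def audit_https_connector(server_xml):
    """Return {"port": https port or None, "findings": [messages]}.

    An empty findings list means the connector matches the guide's steps 2
    and 3 and no longer carries the default keystore password.
    """
    root = ET.fromstring(server_xml)
    connectors = [c for c in root.iter() if _local(c.tag) == "Connector"]
    https = [c for c in connectors if _is_true(c.get("SSLEnabled"))]
    if not https:   # step 2 not done: the connector is still commented out
        return {"port": None, "findings": ['no Connector with SSLEnabled="true"']}
    conn, findings = https[0], []
    port = conn.get("port")
    if conn.get("scheme") != "https" or not _is_true(conn.get("secure")):
        findings.append('HTTPS connector should set scheme="https" and secure="true"')
    if not conn.get("keystoreFile"):
        findings.append("keystoreFile is not set: add the full path to the keystore")
    if conn.get("keystorePass") is None:
        findings.append("keystorePass is not set")
    elif conn.get("keystorePass") == DEFAULT_KEYSTORE_PASSWORD:
        findings.append('keystorePass is the default "changeit": change it in the '
                        "keystore and in server.xml")
    if not (conn.get("sslProtocol") or "").upper().startswith("TLS"):
        findings.append("sslProtocol should be TLS, not SSL")
    # Tomcat sends the http-to-https redirect required by a CONFIDENTIAL
    # constraint to the redirectPort of the other connectors, so each of
    # them must point at this HTTPS port.
    for other in connectors:
        if other is not conn and other.get("redirectPort") != port:
            findings.append("connector on port %s has redirectPort=%r, expected %s"
                            % (other.get("port"), other.get("redirectPort"), port))
    return {"port": port, "findings": findings}


def enforces_https_only(web_xml):
    """True when a security-constraint covers /* with transport-guarantee
    CONFIDENTIAL, i.e. the HTTPSOnly block from the guide is active."""
    root = ET.fromstring(web_xml)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        texts = lambda name: [e.text.strip() for e in sc.iter()
                              if _local(e.tag) == name and e.text]
        if "/*" in texts("url-pattern") and "CONFIDENTIAL" in texts("transport-guarantee"):
            return True
    return False


if __name__ == "__main__":
    for label, xml in (("as in the guide", SAMPLE_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        result = audit_https_connector(xml)
        print(label, "-> HTTPS port", result["port"], "findings:", result["findings"] or "none")
    print("web.xml enforces HTTPS only:", enforces_https_only(SAMPLE_WEB_XML))
```

To run it against a real installation, read <TomcatPath>/conf/server.xml and <TomcatPath>/webapps/talendmdm/WEB-INF/web.xml into the two functions. The redirectPort check is there because the automatic http-to-https redirect described above only works when the plain-HTTP connector's redirectPort is the HTTPS connector's port, and the keystorePass finding is a reminder that the password sits in clear text in server.xml, so read access to the conf directory should be restricted to the account running Tomcat.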