How to configure a bidirectional secure connection between Talend Studio and Talend Administration Center

Author: Talend Documentation Team
Versions: 6.4, 6.3, 6.2, 6.1
Products: Talend Data Management Platform, Talend Real-Time Big Data Platform, Talend Data Integration, Talend Data Fabric, Talend MDM Platform, Talend ESB, Talend Big Data Platform, Talend Big Data, Talend Data Services Platform
Task: Installation and Upgrade
Platforms: Talend Administration Center, Talend Studio

By default, Talend Studio uses a unidirectional HTTP connection to Talend Administration Center and therefore needs no certificates. If you want to connect to Talend Administration Center over a secure bidirectional connection (client and server each present a certificate), you have to generate keystores and configure SSL in both the Studio and the Tomcat server.

Resolution

Generate the keystore and truststore files on the Tomcat side
  1. Generate the keystore in JKS format, which contains the public key and the private key. Make sure the passwords given to the -keypass and -storepass parameters are the same. Use a key size of at least 2048 bits: the 512-bit key in the example below is illustrative only, and current Java releases reject RSA keys shorter than 1024 bits during certificate validation.

    keytool -genkey -alias <serverAlias> -keystore <SSLFolderPath>/serverKeystore.jks -keypass <privateKeyPassword> -storepass <keystorePassword> -keyalg RSA  -keysize <keySize> -validity <valDays> -v -dname <Distinguished Name>

    for example:

    keytool -genkey -alias server -keystore E:/ssl/serverKeystore.jks -keypass 123456 -storepass 123456 -keyalg RSA  -keysize 512 -validity 365 -v -dname "CN=127.0.0.1,O=Talend Soft,L=ChaoYang,ST=Beijing,OU=Talend Technology"
  2. Export the server's certificate from the server keystore:

    keytool -export -alias <serverAlias> -keystore <SSLFolderPath>/serverKeystore.jks -storepass <keystorePassword> -file <SSLFolderPath>/server.cer
  3. Import server.cer into the trust list of clientTruststore.jks (keytool creates the truststore if it does not exist yet):

    keytool -import -alias <trustServerAlias> -file <SSLFolderPath>/server.cer -keystore <SSLFolderPath>/clientTruststore.jks -storepass <keystorePassword>
Generate the keystore and truststore files on the Talend Studio and web browser side
  1. Generate the keystore in .jks format as described previously, but for the client:

    keytool -genkey -alias <clientAlias> -keystore <SSLFolderPath>/clientKeystore.jks -keypass <privateKeyPassword> -storepass <keystorePassword> -keyalg RSA  -keysize <keySize> -validity <valDays> -v -dname <Distinguished Name>
  2. Generate the keystore in .p12 format for the client web browser:

    keytool -validity <valDays> -genkeypair -v -alias <clientAlias> -keyalg RSA -storetype PKCS12 -keystore <SSLFolderPath>/client.p12 -storepass <keystorePassword> -keypass <privateKeyPassword> -dname <Distinguished Name>
  3. Export the client's certificate from the client keystore:

    keytool -export -alias <clientAlias> -keystore <SSLFolderPath>/clientKeystore.jks -storepass <keystorePassword> -file <SSLFolderPath>/client.cer
  4. Export the web browser's certificate from the client .p12 file:

    keytool -export -v -alias <clientAlias> -keystore <SSLFolderPath>/client.p12 -storetype PKCS12 -storepass <keystorePassword> -rfc -file <SSLFolderPath>/browser.cer
  5. Import the client.cer file to the trust list of the serverTruststore.jks file:

    keytool -import -alias <trustClientAlias> -file <SSLFolderPath>/client.cer -keystore <SSLFolderPath>/serverTruststore.jks -storepass <keystorePassword>
  6. Import the browser.cer file to the trust list of the serverTruststore.jks file:

    keytool -import -alias <trustBrowserClientAlias> -file <SSLFolderPath>/browser.cer -keystore <SSLFolderPath>/serverTruststore.jks -storepass <keystorePassword> 

You should now have the following files in your <SSLFolderPath> (on your local machine):

Tomcat side: serverKeystore.jks | serverTruststore.jks | server.cer

Studio side: clientKeystore.jks | clientTruststore.jks | client.cer

Browser side: client.p12 | browser.cer

If you want to access Talend Administration Center from a web browser using an SSL protocol, double-click the client.p12 file to install it to your certificate directory for your web browser.

Configure Tomcat
  1. Open the <TomcatPath>/conf/server.xml file, then uncomment and edit the SSL connector as follows (attribute values, including the passwords, must be quoted):

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="<SSLFolderPath>/serverKeystore.jks" keystorePass="<keystorePassword>"
               truststoreFile="<SSLFolderPath>/serverTruststore.jks" truststorePass="<trustStorePassword>" />
Configure Talend Studio
  1. If you are working in a development environment, add the following arguments to the VM arguments of the Studio executable:

    -Dtac.net.ssl.ClientKeyStore="<SSLFolderPath>/clientKeystore.jks"
    -Dtac.net.ssl.ClientTrustStore="<SSLFolderPath>/clientTruststore.jks"
    -Dtac.net.ssl.KeyStorePass=<keystorePassword>
  2. If you are working in a build environment, add the same arguments to your *.ini file, for example Talend-Studio-win-x86_64.ini.

Note that if you use a secured connection and did not configure these arguments, a dialog pops up at Studio start-up so that you can enter them.

Check the connection
  1. Start Tomcat and make sure no errors are logged; if there are, check your server.xml file.
  2. Launch Talend Studio, create a remote connection with the URL https://localhost:8443/org.talend.administrator and check that it succeeds.
  3. Open the web browser and check that you can access https://localhost:8443/org.talend.administrator.
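The trust relationship that the steps above build, modelled in Go as an added example (this is not Talend's or Tomcat's code): each truststore holds only the peer's exported certificate, and a server that requires client authentication, like the connector with clientAuth="true", rejects a client that has no keystore configured or whose certificate was never imported into serverTruststore.jks. The key pairs and certificates are constructed in memory with ECDSA instead of the keytool-generated RSA JKS files, the handshake runs over a loopback TCP socket, and SelfSigned, Truststore and Handshake are names chosen here.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// SelfSigned stands in for "keytool -genkey": key pair plus self-signed certificate, built in memory as constructed test material.
func SelfSigned(cn string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors ignored for brevity
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{"localhost"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// Truststore stands in for "keytool -import -keystore ...Truststore.jks": only the peer's exported certificate.
func Truststore(c tls.Certificate) *x509.CertPool {
	leaf, _ := x509.ParseCertificate(c.Certificate[0])
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return pool
}
// Handshake runs one TLS handshake over loopback TCP and returns the server's verdict: the server models Tomcat
// (serverKeystore.jks, serverTruststore.jks, clientAuth="true"), the client Studio (clientTruststore.jks + clientKeystore.jks).
func Handshake(server, trustedClient tls.Certificate, clientKeystore ...tls.Certificate) error {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server}, SessionTicketsDisabled: true,
		ClientAuth: tls.RequireAndVerifyClientCert, // clientAuth="true" in server.xml
		ClientCAs:  Truststore(trustedClient)}      // serverTruststore.jks
	cliCfg := &tls.Config{RootCAs: Truststore(server), ServerName: "localhost", // clientTruststore.jks
		Certificates: clientKeystore} // -Dtac.net.ssl.ClientKeyStore; empty = no client keystore configured
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	defer ln.Close()
	go func() { // Studio side: connect, present the client certificate (if any), hang up
		c, _ := net.Dial("tcp", ln.Addr().String())
		tls.Client(c, cliCfg).Handshake() // under TLS 1.3 this may return before the server decides
		c.Close()
	}()
	c, _ := ln.Accept() // Tomcat side: verify the presented certificate against the truststore
	defer c.Close()
	return tls.Server(c, srvCfg).Handshake()
}
```

Handshake(srv, cli, cli) succeeds, while Handshake(srv, cli) (no client keystore) and Handshake(srv, cli, other) (certificate absent from the server truststore) return the server's rejection.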
See Also

Article: How to configure a secure connection for Kibana.