Securing connections to Talend Data Stewardship - 7.1

Talend Data Integration Installation Guide (Linux)

Version: 7.1
Product: Talend Data Integration
Task: Data governance
Platform: Talend Activity Monitoring Console, Talend Administration Center, Talend Artifact Repository, Talend CommandLine, Talend Data Preparation, Talend Data Stewardship, Talend Identity and Access Management, Talend Installer, Talend JobServer, Talend Log Server, Talend Runtime, Talend Studio

To secure the connections between Talend Data Stewardship, the MongoDB server and Apache Kafka, you need to edit the application.properties file.

Note that the MongoDB connection cannot be secured if the embedded MongoDB instance was selected during installation.

If you want to secure the connection to MongoDB with SSL, you must manually install MongoDB Enterprise Server on your machine. For more information, see https://docs.mongodb.com/v3.2/security/

Procedure

  1. Open the <Data_Stewardship_Path>/config/data-stewardship.properties file.
  2. To trust the server certificates used by Talend Data Stewardship, edit the following lines:
    http.ssl.truststore.location=<path_to_truststore>
    http.ssl.truststore.password=<truststore_password>
  3. By default, Talend Data Stewardship does not verify that the host name matches the common name of the certificate.
    To enable this verification, change the value of the following field to true:
    http.ssl.verify.hostname=true
  4. To allow Talend Data Stewardship to use private key authentication, edit the following lines:
    http.ssl.keystore.location=<path_to_keystore>
    http.ssl.keystore.password=<keystore_password>
    http.ssl.key.password=<key_password>
  5. To secure the connection to MongoDB, edit the following lines:
    spring.data.mongodb.ssl=true
    spring.data.mongodb.ssl.trust-store=<path_to_truststore>
    spring.data.mongodb.ssl.trust-store-password=<truststore_password>
  6. To secure the connection to Kafka with communication encryption only, edit the following lines:
    kafka.security.protocol=SSL
    kafka.ssl.truststore.location=<path_to_truststore>
    kafka.ssl.truststore.password=<truststore_password>
  7. To secure the connection to Kafka with authentication, edit the following lines:
    kafka.ssl.keystore.location=<path_to_keystore>
    kafka.ssl.keystore.password=<keystore_password>
    kafka.ssl.key.password=<key_password>
    Note that the communication encryption parameters must also be defined in order to use authentication.
  8. To secure the connection to the message broker, edit the following lines:
    spring.cloud.stream.kafka.binder.configuration.security.protocol=SSL
    spring.cloud.stream.kafka.binder.configuration.ssl.truststore.location=<path_to_truststore>
    spring.cloud.stream.kafka.binder.configuration.ssl.truststore.password=<truststore_password>
    spring.cloud.stream.kafka.binder.configuration.ssl.keystore.location=<path_to_keystore>
    spring.cloud.stream.kafka.binder.configuration.ssl.keystore.password=<keystore_password>
    spring.cloud.stream.kafka.binder.configuration.ssl.key.password=<key_password>
    spring.kafka.properties.security.protocol=SSL
    spring.kafka.properties.ssl.truststore.location=<path_to_truststore>
    spring.kafka.properties.ssl.truststore.password=<truststore_password>
    spring.kafka.properties.ssl.keystore.location=<path_to_keystore>
    spring.kafka.properties.ssl.keystore.password=<keystore_password>
    spring.kafka.properties.ssl.key.password=<key_password>
  9. To secure the connection to Talend Identity and Access Management, edit the following lines:
    tds.security=iam
    oidc.url=https://<host_name:port>/oidc
    oidc.userauth.url=https://<host_name:port>/oidc
    scim.url=https://<host_name:port>/scim
  10. Change the service URLs from http to https:
    tds.history.service.url=https://${public.ip}:${server.port}/data-history-service
    schema.service.url=https://${public.ip}:${server.port}/schemaservice
  11. Change the gateway URLs from http to https:
    frontend.url=https://<datastewardship_server:port>/internal/frontend
    backend.url=https://<datastewardship_server:port>/internal/data-stewardship
    schemaservice.url=https://<datastewardship_server:port>/internal/schemaservice
    historyservice.url=https://<datastewardship_server:port>/internal/data-history-service
  12. Open the <Data_Stewardship_Path>/iam/apache_tomcat/clients/tds-client.json file and update the Talend Data Stewardship URLs:
    {
      "client_name": "TDS OIDC Gateway",
      "client_id": "tl6K6ac7tSE-LQ",
      "client_secret": "cB/gNxe2SXR3SPDbhshZXzErZoxVy8yUcs/f6K39rsg=",
      "redirect_uris": [
        "https://<datastewardship_url:port>/login",
        "https://localhost:<ssl_port>/login",
        "https://127.0.0.1:<ssl_port>/login"
      ],
      "post_logout_redirect_uris": [
        "https://<datastewardship_url:port>/",
        "https://localhost:<ssl_port>/",
        "https://127.0.0.1:<ssl_port>/"
      ],
      "grant_types": [
        "password",
        "authorization_code",
        "refresh_token"
      ],
      "scope": "openid refreshToken"
    }
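The steps above leave several ways to end up with a file that looks secured but is not: a placeholder such as <path_to_truststore> left in place, hostname verification still false, a Kafka keystore configured while security.protocol is still PLAINTEXT (step 7's note), a service URL still on http, or a doubled `=` that turns the value into `=https://...`. The following script is an added example, not Talend code: it reads a data-stewardship.properties file with a minimal Java .properties parser and reports each of those conditions. The property keys are the ones listed in this procedure; the two sample files, with their hostnames and file paths, are constructed for the example.

```python
"""Audit a data-stewardship.properties file for the TLS settings in this procedure.
Added example, not Talend code; key names follow the page, sample data is constructed."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (property key, problem)

MUST_BE_TRUE = ("http.ssl.verify.hostname", "spring.data.mongodb.ssl")       # steps 3, 5
MUST_BE_SSL = (                                                               # steps 6, 8
    "kafka.security.protocol",
    "spring.cloud.stream.kafka.binder.configuration.security.protocol",
    "spring.kafka.properties.security.protocol",
)
# Each encryption switch and the truststore that has to accompany it.
TRUSTSTORE_FOR = {
    "kafka.security.protocol": "kafka.ssl.truststore.location",
    "spring.cloud.stream.kafka.binder.configuration.security.protocol":
        "spring.cloud.stream.kafka.binder.configuration.ssl.truststore.location",
    "spring.kafka.properties.security.protocol": "spring.kafka.properties.ssl.truststore.location",
    "spring.data.mongodb.ssl": "spring.data.mongodb.ssl.trust-store",
}
URL_KEYS = (                                                                  # steps 9 to 11
    "oidc.url", "oidc.userauth.url", "scim.url", "tds.history.service.url", "schema.service.url",
    "frontend.url", "backend.url", "schemaservice.url", "historyservice.url",
)
PLACEHOLDER = re.compile(r"<[^>]+>")  # an unreplaced <path_to_truststore> style token


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value,
    backslash line continuations. Unicode escapes are not decoded."""
    props: Dict[str, str] = {}
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)  # glue continuation lines
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(text: str) -> List[Finding]:
    """Return one finding per misconfiguration; an empty list means all checks passed."""
    props = parse_properties(text)
    findings: List[Finding] = []
    for key, value in props.items():
        if value.startswith("="):
            findings.append((key, "value starts with '=' (doubled '=' in the file?)"))
        elif PLACEHOLDER.search(value):
            findings.append((key, "placeholder not replaced: " + value))
    for key in MUST_BE_TRUE:
        if props.get(key, "").lower() != "true":
            findings.append((key, "expected true, got " + repr(props.get(key))))
    for key in MUST_BE_SSL:
        if props.get(key) != "SSL":
            findings.append((key, "expected SSL, got " + repr(props.get(key))))
    for switch, truststore in TRUSTSTORE_FOR.items():
        if props.get(switch) in ("SSL", "true") and not props.get(truststore):
            findings.append((truststore, "encryption enabled but no truststore configured"))
    # Step 7: a Kafka keystore only authenticates when the SSL transport is on too.
    if props.get("kafka.ssl.keystore.location") and props.get("kafka.security.protocol") != "SSL":
        findings.append(("kafka.ssl.keystore.location", "keystore set but kafka.security.protocol is not SSL"))
    for key in URL_KEYS:
        value = props.get(key)
        if value is not None and not value.startswith("=") and not value.startswith("https://"):
            findings.append((key, "not https: " + value))
    return findings


# Constructed sample: a partially edited file with the typical mistakes.
WEAK_SAMPLE = """
http.ssl.truststore.location=/opt/tds/conf/truststore.jks
http.ssl.verify.hostname=false
spring.data.mongodb.ssl=false
kafka.security.protocol=PLAINTEXT
kafka.ssl.keystore.location=/opt/tds/conf/keystore.jks
tds.history.service.url==https://${public.ip}:${server.port}/data-history-service
frontend.url=http://tds.example.internal:19999/internal/frontend
oidc.url=https://<host_name:port>/oidc
"""

# Constructed sample: the same file after the procedure has been completed.
HARDENED_SAMPLE = """
http.ssl.truststore.location=/opt/tds/conf/truststore.jks
http.ssl.verify.hostname=true
spring.data.mongodb.ssl=true
spring.data.mongodb.ssl.trust-store=/opt/tds/conf/truststore.jks
kafka.security.protocol=SSL
kafka.ssl.truststore.location=/opt/tds/conf/truststore.jks
spring.cloud.stream.kafka.binder.configuration.security.protocol=SSL
spring.cloud.stream.kafka.binder.configuration.ssl.truststore.location=/opt/tds/conf/truststore.jks
spring.kafka.properties.security.protocol=SSL
spring.kafka.properties.ssl.truststore.location=/opt/tds/conf/truststore.jks
tds.security=iam
oidc.url=https://iam.example.internal:9080/oidc
oidc.userauth.url=https://iam.example.internal:9080/oidc
scim.url=https://iam.example.internal:9080/scim
tds.history.service.url=https://${public.ip}:${server.port}/data-history-service
schema.service.url=https://${public.ip}:${server.port}/schemaservice
frontend.url=https://tds.example.internal:19999/internal/frontend
backend.url=https://tds.example.internal:19999/internal/data-stewardship
schemaservice.url=https://tds.example.internal:19999/internal/schemaservice
historyservice.url=https://tds.example.internal:19999/internal/data-history-service
"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(name, "->", len(audit(sample)), "finding(s)")
        for key, problem in audit(sample):
            print("  ", key + ":", problem)
```

To run it against a real installation, replace the sample string with the contents of <Data_Stewardship_Path>/config/data-stewardship.properties. Spring's own `${public.ip}` style references are deliberately not treated as placeholders, since those are resolved at startup; only the angle-bracket tokens from this page are flagged.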
    

What to do next

To enable HTTPS support on Tomcat, see https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html

To enable SSL support on MongoDB, see https://docs.mongodb.com/v3.0/tutorial/configure-ssl/

To enable SSL support on Kafka, see http://kafka.apache.org/documentation.html#security_ssl

To enable SSL support on Talend Identity and Access Management, see Securing connections to Talend Identity and Access Management.