Configuring Talend Data Stewardship - 6.4

Talend MDM Platform Installation Guide for Windows


This section contains information on how to secure connections for Talend Data Stewardship and how to configure the application logs.

Generating an SSL certificate

To configure Talend Data Stewardship to run securely using the Secure Sockets Layer (SSL) protocol, you need to start by generating a trusted signed certificate.

  1. Generate an SSL certificate.

    For more information about how to generate a keystore file, see Keystore files on the Talend Help Center.

  2. As an administrator, import the certificate into your JVM using the command:

    keytool -import -trustcacerts -file <certificate_path> -alias <certificate_name> -keystore "%JAVA_HOME%/jre/lib/security/cacerts"

Talend Data Stewardship only supports the Java Key Store (.jks) format to store keys and certificates.

Securing connections for Talend Data Stewardship

To secure connections between Talend Data Stewardship, the MongoDB server and Apache Kafka, you need to edit the application.properties file.

Note that securing the MongoDB connection is not possible if you select the embedded MongoDB instance during the installation process. If you want to secure connections with MongoDB using SSL, MongoDB Enterprise Server has to be manually installed on your machine. For more information, see https://docs.mongodb.com/v3.2/security/.

  1. Open the <Data_Stewardship_Path>/config/data-stewardship.properties file.

  2. To trust the server certificate used by Talend Data Stewardship, edit the following lines:

    http.ssl.truststore.location=<path_to_truststore>
    http.ssl.truststore.password=<truststore_password>
  3. By default, Talend Data Stewardship will not verify that the hostname matches the certificate common name.

    To enable this verification, change the value of the following field to true:

    http.ssl.verify.hostname=true
  4. To allow Talend Data Stewardship to use private key authentication, edit the following lines:

    http.ssl.keystore.location=<path_to_keystore>
    http.ssl.keystore.password=<keystore_password>
    http.ssl.key.password=<key_password>
  5. To secure connections with MongoDB, edit the following lines:

    spring.data.mongodb.ssl=true
    spring.data.mongodb.ssl.trust-store=<path_to_truststore>
    spring.data.mongodb.ssl.trust-store-password=<truststore_password>
  6. To secure connections with Kafka using communication encryption only, edit the following lines:

    kafka.security.protocol=SSL
    kafka.ssl.truststore.location=<path_to_truststore>
    kafka.ssl.truststore.password=<truststore_password>
  7. To secure connections with Kafka using authentication, edit the following lines:

    kafka.ssl.keystore.location=<path_to_keystore>
    kafka.ssl.keystore.password=<keystore_password>
    kafka.ssl.key.password=<key_password>

    Note that the communication encryption parameters must also be defined to use authentication.

  8. To secure connections with the message broker, edit the following lines:

    spring.cloud.stream.kafka.binder.configuration.security.protocol=SSL
    spring.cloud.stream.kafka.binder.configuration.ssl.truststore.location=<path_to_truststore>
    spring.cloud.stream.kafka.binder.configuration.ssl.truststore.password=<truststore_password>
    spring.cloud.stream.kafka.binder.configuration.ssl.keystore.location=<path_to_keystore>
    spring.cloud.stream.kafka.binder.configuration.ssl.keystore.password=<keystore_password>
    spring.cloud.stream.kafka.binder.configuration.ssl.key.password=<key_password>
  9. To secure connection with Talend Identity and Access Management, edit the following lines:

    tds.security=iam
    oidc.url=https://<host_name:port>/oidc
    oidc.userauth.url=https://<host_name:port>/oidc
    scim.url=https://<host_name:port>/scim
  10. Change the services URLs from http to https:

    tds.history.service.url=https://${public.ip}:${server.port}/data-history-service
    schema.service.url=https://${public.ip}:${server.port}/schemaservice
  11. Change the gateway URLs from http to https:

    frontend.url=https://<datastewardship_server:port>/internal/frontend
    backend.url=https://<datastewardship_server:port>/internal/data-stewardship
    schemaservice.url=https://<datastewardship_server:port>/internal/schemaservice
    historyservice.url=https://<datastewardship_server:port>/internal/data-history-service
  12. Open the <Data_Stewardship_Path>/iam/apache_tomcat/clients/tds-client.json file and update the URL for Talend Data Stewardship:

    {
      "client_name": "TDS OIDC Gateway",
      "client_id": "tl6K6ac7tSE-LQ",
      "client_secret": "cB/gNxe2SXR3SPDbhshZXzErZoxVy8yUcs/f6K39rsg=",
      "redirect_uris": [
        "https://<datastewardship_url:port>/login",
        "https://localhost:<ssl_port>/login",
        "https://127.0.0.1:<ssl_port>/login"
      ],
      "post_logout_redirect_uris": [
        "https://<datastewardship_url:port>/",
        "https://localhost:<ssl_port>/",
        "https://127.0.0.1:<ssl_port>/"
      ],
      "grant_types": [
        "password",
        "authorization_code",
        "refresh_token"
      ],
      "scope": "openid refreshToken"
    }
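A small checker for the properties edited in the steps above, as an added example (not Talend's own tooling): it parses a data-stewardship.properties file and flags the settings the steps warn about, namely hostname verification left off, Kafka authentication keys without the encryption keys they depend on, service or gateway URLs still on http, and a doubled `=` that would store `=https://...` as the value. The sample file content is constructed.

```python
"""Lint data-stewardship.properties against the SSL steps above (added example,
not Talend's tooling): hostname verification off, Kafka auth without encryption
keys, non-https URLs, and a 'key==value' typo that stores '=https://...'."""
# Constructed sample with four deliberate problems, one per check below.
SAMPLE = """\
http.ssl.truststore.location=C:/tds/truststore.jks
http.ssl.verify.hostname=false
kafka.ssl.keystore.location=C:/tds/keystore.jks
kafka.ssl.key.password=changeit
tds.history.service.url==https://${public.ip}:${server.port}/data-history-service
schema.service.url=http://${public.ip}:${server.port}/schemaservice
"""

KAFKA_ENCRYPTION = ("kafka.security.protocol", "kafka.ssl.truststore.location",
                    "kafka.ssl.truststore.password")
KAFKA_AUTH = ("kafka.ssl.keystore.location", "kafka.ssl.keystore.password",
              "kafka.ssl.key.password")
URL_KEYS = ("oidc.url", "oidc.userauth.url", "scim.url", "tds.history.service.url",
            "schema.service.url", "frontend.url", "backend.url",
            "schemaservice.url", "historyservice.url")

def parse_properties(text):
    """Minimal Java .properties reader: the first '=' separates key and value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_ssl_settings(props):
    """Return findings as strings; an empty list means the settings are coherent."""
    findings = []
    if props.get("http.ssl.verify.hostname", "false").lower() != "true":
        findings.append("http.ssl.verify.hostname is not true: a valid certificate "
                        "issued for a different host is accepted")
    if any(k in props for k in KAFKA_AUTH):
        missing = [k for k in KAFKA_ENCRYPTION if k not in props]
        if missing:
            findings.append("Kafka authentication also needs: " + ", ".join(missing))
    for key in URL_KEYS:
        value = props.get(key)
        if value is None:
            continue
        if value.startswith("="):  # 'key==value': the stored value starts with '='
            findings.append(f"{key} has a doubled '=', value reads {value!r}")
        elif not value.startswith("https://"):
            findings.append(f"{key} is not https: {value}")
    return findings
```

Run it against the real file with `check_ssl_settings(parse_properties(open(path).read()))`; each finding names the key to correct.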
    

To enable HTTPS support on Tomcat, see https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html.

To enable SSL support on MongoDB, see https://docs.mongodb.com/v3.0/tutorial/configure-ssl/.

To enable SSL support on Kafka, see http://kafka.apache.org/documentation.html#security_ssl.

To enable SSL support on Talend Identity and Access Management, see Securing connections for Talend Identity and Access Management.

Securing connections for Talend Administration Center

To enable SSL support on Talend Administration Center, do the following:

  1. Open the <Data_Stewardship_Path>/tac/apache-tomcat/conf/server.xml file and comment the non-SSL part:

    <!-- <Connector port="8080" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="8443" /> -->
  2. Uncomment the following lines:

    <!-- <Connector port="8443"
                   protocol="org.apache.coyote.http11.Http11NioProtocol"
                   maxThreads="150"
                   SSLEnabled="true"
                   scheme="https" secure="true"
                   clientAuth="false"
                   sslProtocol="TLS"/> -->
  3. Add the following lines:

    keystoreFile="<certificate_path>/server.keystore.jks"
    keystorePass="<certificate_password>"


Configuring logs for Talend Data Stewardship

Talend Data Stewardship logs allow you to analyze and debug the activity of Talend Data Stewardship.

Talend Data Stewardship logs are located in <Data_Stewardship_Path>/apache-tomcat/logs.

The catalina.out file is an aggregated version of all the available log files.

To configure the information level of your log files, proceed as follows:

  1. Open the following files:

    • <Data_Stewardship_Path>/apache-tomcat/conf/data-stewardship-core-logback.xml for the core backend service log

    • <Data_Stewardship_Path>/apache-tomcat/conf/data-stewardship-history-logback.xml for the history service log

    • <Data_Stewardship_Path>/apache-tomcat/conf/data-stewardship-schema-logback.xml for the schemas management service log

  2. Add the following line before the <root> element: <logger name="org.talend" level="DEBUG"/>.

    The log information level is now set to DEBUG, but you can set it to another value. For more information on log levels, see http://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/Level.html.