To exchange certificates and allow only "trusted" clients to use the Talend Runtime container HTTP service, follow the instructions below.
Enable HTTP client authentication support in the Karaf-based Talend Runtime container.
When you install the HTTP feature, the container uses Pax Web to provide the HTTP OSGi service:
karaf@trun> feature:install http
Add a custom etc/org.ops4j.pax.web.cfg file with the following content:
org.osgi.service.http.port=8181
org.osgi.service.http.port.secure=9001
org.osgi.service.http.secure.enabled=true
org.ops4j.pax.web.ssl.keystore=./etc/keystores/keystore.jks
org.ops4j.pax.web.ssl.password=password
org.ops4j.pax.web.ssl.keypassword=password
#org.ops4j.pax.web.ssl.clientauthwanted=false
org.ops4j.pax.web.ssl.clientauthneeded=true
The clientauthwanted and clientauthneeded properties are valid for Karaf 2.2.x, which uses Pax Web 1.0.x. For more information about the version of Karaf your Talend Runtime container is based on, see the Talend Installation Guide or the Release Notes.
Thanks to the clientauthneeded property, the client is "forced" to be trusted: a client that does not present a certificate trusted by the server keystore is rejected during the TLS handshake.
You are going to use keytool (provided with the JDK) to manipulate the keys and certificates.
Create two key pairs:
one for the server side (used for SSL),
one as an example for the client side (used for "trust"; this should be done for each client, on the client side).
mkdir -p etc/keystores
cd etc/keystores
keytool -genkey -keyalg RSA -validity 365 -alias serverkey -keypass password -storepass password -keystore keystore.jks
keytool -genkey -keyalg RSA -validity 365 -alias clientkey -keypass password -storepass password -keystore clientKeystore.jks
These keys are self-signed. In a production system, you should use a Certificate Authority (CA).
Export the client certificate and import it into the server keystore:
keytool -export -rfc -keystore clientKeystore.jks -storepass password -alias clientkey -file client.cer
keytool -import -trustcacerts -keystore keystore.jks -storepass password -alias clientkey -file client.cer
Check that the client certificate is trusted in the server keystore:
keytool -list -v -keystore keystore.jks
...
Alias name: clientkey
Creation date: Dec 12, 2012
Entry type: trustedCertEntry
...
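The two checks above (the cfg file really requires a client certificate, and the server keystore really contains the client certificate as a trusted entry) are easy to get wrong in a way that silently leaves the console open to any client. The following script automates both checks. It is an added example, not Talend or Karaf code: it assumes the Pax Web 1.0.x property names used in etc/org.ops4j.pax.web.cfg above and the keytool -list -v output layout shown above; the sample cfg texts and keystore listings embedded in it are constructed for the demonstration.

```python
"""Sanity checks for the Karaf / Pax Web client-auth setup (added example).

Assumes the Pax Web 1.0.x keys from etc/org.ops4j.pax.web.cfg and the
layout of `keytool -list -v` output; all sample inputs are constructed.
"""


def parse_properties(text):
    """Parse Java .properties / Karaf .cfg text into a dict.

    Blank lines and lines starting with '#' or '!' are skipped, so the
    commented-out clientauthwanted line is not treated as a setting.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:  # properties files also accept "key: value"
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def audit_pax_web_cfg(text):
    """Return a list of findings; empty means HTTPS is on, a client
    certificate is required, and no well-known keystore password is used."""
    p = parse_properties(text)
    findings = []
    if p.get("org.osgi.service.http.secure.enabled", "false").lower() != "true":
        findings.append("HTTPS disabled: org.osgi.service.http.secure.enabled is not true")
    if p.get("org.ops4j.pax.web.ssl.clientauthneeded", "false").lower() != "true":
        findings.append("client certificate not required: clientauthneeded is not true")
        if p.get("org.ops4j.pax.web.ssl.clientauthwanted", "false").lower() == "true":
            # 'wanted' only asks for a certificate; a client sending none still connects.
            findings.append("clientauthwanted alone does not reject clients without a certificate")
    for key in ("org.ops4j.pax.web.ssl.password", "org.ops4j.pax.web.ssl.keypassword"):
        if p.get(key, "") in ("", "password", "changeit"):
            findings.append(f"{key} is empty or a well-known default")
    return findings


def keytool_entries(listing):
    """Map alias -> entry type from `keytool -list -v` output."""
    entries, alias = {}, None
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("Entry type:") and alias:
            entries[alias] = line.split(":", 1)[1].strip()
            alias = None
    return entries


def check_keystore_listing(listing, server_alias="serverkey", client_aliases=("clientkey",)):
    """Findings for the server keystore: the server needs a private key and
    every expected client alias must be present as a trusted certificate."""
    entries = keytool_entries(listing)
    findings = []
    if entries.get(server_alias) != "PrivateKeyEntry":
        findings.append(f"{server_alias} is not a PrivateKeyEntry: server has no TLS key")
    for alias in client_aliases:
        if entries.get(alias) != "trustedCertEntry":
            findings.append(f"{alias} is not a trustedCertEntry: that client will be rejected")
    return findings


# Constructed samples: the cfg from the page, a weak variant, and a hardened one.
PAGE_CFG = """org.osgi.service.http.port=8181
org.osgi.service.http.port.secure=9001
org.osgi.service.http.secure.enabled=true
org.ops4j.pax.web.ssl.keystore=./etc/keystores/keystore.jks
org.ops4j.pax.web.ssl.password=password
org.ops4j.pax.web.ssl.keypassword=password
#org.ops4j.pax.web.ssl.clientauthwanted=false
org.ops4j.pax.web.ssl.clientauthneeded=true
"""
WEAK_CFG = PAGE_CFG.replace("password=password", "password=st0re-Pa55") \
    .replace("#org.ops4j.pax.web.ssl.clientauthwanted=false", "org.ops4j.pax.web.ssl.clientauthwanted=true") \
    .replace("org.ops4j.pax.web.ssl.clientauthneeded=true\n", "")
HARDENED_CFG = PAGE_CFG.replace("password=password", "password=st0re-Pa55")

# Constructed keytool -list -v excerpts (irrelevant lines trimmed).
KEYSTORE_LISTING = """Keystore type: JKS
Your keystore contains 2 entries

Alias name: serverkey
Creation date: Dec 12, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1

Alias name: clientkey
Creation date: Dec 12, 2012
Entry type: trustedCertEntry
"""
SERVER_ONLY_LISTING = KEYSTORE_LISTING.split("\nAlias name: clientkey")[0]

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CFG), ("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_pax_web_cfg(cfg) or "OK")
    print("keystore", check_keystore_listing(KEYSTORE_LISTING) or "OK")
    print("server-only keystore", check_keystore_listing(SERVER_ONLY_LISTING))
```

Run it against the real files with, for example, `audit_pax_web_cfg(open("etc/org.ops4j.pax.web.cfg").read())` and the captured output of `keytool -list -v -keystore etc/keystores/keystore.jks`. The weak variant shows the trap the note above warns about: clientauthwanted=true on its own merely requests a certificate, and a browser with no certificate installed is still let in.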
You can now remove the
Start the Talend Runtime container:
Install the WebConsole feature:
karaf@trun> feature:install webconsole
If you try to access the WebConsole with a plain browser at https://localhost:9001/system/console, you get the following message:
An error occurred during a connection to localhost:9001. SSL peer cannot verify your certificate. (Error code: ssl_error_bad_cert_alert)
This is expected: the browser has no certificate that the server trusts, so the server rejects the connection.
Add the client certificate in the browser.
Firefox supports importing PKCS12 keystores, so you are going to "transform" the JKS keystore into a PKCS12 keystore:
keytool -importkeystore -srckeystore clientKeystore.jks -srcstoretype JKS -destkeystore client.pfx -deststoretype PKCS12
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias clientkey successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Now you can import the client certificate into Firefox. To do so, open the Tools menu, click Options, and then click the Advanced tab.
Go to the Certificates tab and click the View Certificates button.
In the Your Certificates tab, click the Import... button and choose the
If you access https://localhost:9001/system/console again, you are now connected as a trusted client and can use the WebConsole.