To secure connections between Talend Data Stewardship, the MongoDB server and Apache
Kafka, you need to edit the application.properties
file.
Note that securing the MongoDB connection is not possible if you select the embedded
MongoDB instance during the installation process.
If you want to secure connections with MongoDB using SSL, MongoDB Enterprise Server has
to be manually installed on your machine. For more information, see https://docs.mongodb.com/v3.2/security/.
Procedure
- Open the <Data_Stewardship_Path>/config/data-stewardship.properties file.
- To trust the server certificate used by Talend Data Stewardship, edit the following lines:
http.ssl.truststore.location=<path_to_truststore>
http.ssl.truststore.password=<truststore_password>
- By default, Talend Data Stewardship will not verify that the hostname matches the certificate common name. To enable this verification, change the value of the following field to true:
http.ssl.verify.hostname=true
- To allow Talend Data Stewardship to use private key authentication, edit the following lines:
http.ssl.keystore.location=<path_to_keystore>
http.ssl.keystore.password=<keystore_password>
http.ssl.key.password=<key_password>
- To secure connections with MongoDB, edit the following lines:
spring.data.mongodb.ssl=true
spring.data.mongodb.ssl.trust-store=<path_to_truststore>
spring.data.mongodb.ssl.trust-store-password=<truststore_password>
- To secure connections with Kafka using communication encryption only, edit the following lines:
kafka.security.protocol=SSL
kafka.ssl.truststore.location=<path_to_truststore>
kafka.ssl.truststore.password=<truststore_password>
- To secure connections with Kafka using authentication, edit the following lines:
kafka.ssl.keystore.location=<path_to_keystore>
kafka.ssl.keystore.password=<keystore_password>
kafka.ssl.key.password=<key_password>
Note that the communication encryption parameters must also be defined to use authentication.
- To secure connections with the message broker, edit the following lines:
spring.cloud.stream.kafka.binder.configuration.security.protocol=SSL
spring.cloud.stream.kafka.binder.configuration.ssl.truststore.location=<path_to_truststore>
spring.cloud.stream.kafka.binder.configuration.ssl.truststore.password=<truststore_password>
spring.cloud.stream.kafka.binder.configuration.ssl.keystore.location=<path_to_keystore>
spring.cloud.stream.kafka.binder.configuration.ssl.keystore.password=<keystore_password>
spring.cloud.stream.kafka.binder.configuration.ssl.key.password=<key_password>
spring.kafka.properties.security.protocol=SSL
spring.kafka.properties.ssl.truststore.location=<path_to_truststore>
spring.kafka.properties.ssl.truststore.password=<truststore_password>
spring.kafka.properties.ssl.keystore.location=<path_to_keystore>
spring.kafka.properties.ssl.keystore.password=<keystore_password>
spring.kafka.properties.ssl.key.password=<key_password>
- To secure connections with Talend Identity and Access Management, edit the following lines:
tds.security=iam
oidc.url=https://<host_name:port>/oidc
oidc.userauth.url=https://<host_name:port>/oidc
scim.url=https://<host_name:port>/scim
- Change the service URLs from http to https:
tds.history.service.url=https://${public.ip}:${server.port}/data-history-service
schema.service.url=https://${public.ip}:${server.port}/schemaservice
- Change the gateway URLs from http to https:
frontend.url=https://<datastewardship_server:port>/internal/frontend
backend.url=https://<datastewardship_server:port>/internal/data-stewardship
schemaservice.url=https://<datastewardship_server:port>/internal/schemaservice
historyservice.url=https://<datastewardship_server:port>/internal/data-history-service
- Open the <Data_Stewardship_Path>/iam/apache_tomcat/clients/tds-client.json file and update the URL for Talend Data Stewardship:
{
  "client_name": "TDS OIDC Gateway",
  "client_id": "tl6K6ac7tSE-LQ",
  "client_secret": "cB/gNxe2SXR3SPDbhshZXzErZoxVy8yUcs/f6K39rsg=",
  "redirect_uris": [
    "https://<datastewardship_url:port>/login",
    "https://localhost:<ssl_port>/login",
    "https://127.0.0.1:<ssl_port>/login"
  ],
  "post_logout_redirect_uris": [
    "https://<datastewardship_url:port>/",
    "https://localhost:<ssl_port>/",
    "https://127.0.0.1:<ssl_port>/"
  ],
  "grant_types": [
    "password",
    "authorization_code",
    "refresh_token"
  ],
  "scope": "openid refreshToken"
}
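As an added example (not part of Talend's documentation or product), the following Python checker reads a data-stewardship.properties file and flags the settings from the steps above that are still in an insecure or inconsistent state: hostname verification left at its default, a MongoDB truststore configured without its password, Kafka authentication keys without kafka.security.protocol=SSL, and service or gateway URLs that are not https, including a doubled "==" that would make the stored value start with "=". The sample file content and certificate paths are constructed for the demonstration.

```python
import re

# Constructed sample of a partially edited file: Kafka keystore set without
# kafka.security.protocol, hostname verification at its default, a doubled
# "==" on one URL and another URL still on http.
SAMPLE = """\
http.ssl.truststore.location=/opt/tds/certs/truststore.jks
http.ssl.truststore.password=changeit
kafka.ssl.keystore.location=/opt/tds/certs/keystore.jks
kafka.ssl.keystore.password=changeit
kafka.ssl.key.password=changeit
spring.data.mongodb.ssl=true
spring.data.mongodb.ssl.trust-store=/opt/tds/certs/truststore.jks
tds.history.service.url==https://${public.ip}:${server.port}/data-history-service
schema.service.url=http://${public.ip}:${server.port}/schemaservice
"""

def parse_properties(text):
    """Minimal Java .properties reader: the first '=' or ':' splits key and value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def check_tds_security(props):
    """Return findings for the settings this procedure changes; [] means clean."""
    findings = []
    if props.get("http.ssl.verify.hostname", "false").lower() != "true":
        findings.append("http.ssl.verify.hostname is not true: hostname not checked against certificate CN")
    if props.get("spring.data.mongodb.ssl") == "true" and not props.get("spring.data.mongodb.ssl.trust-store-password"):
        findings.append("spring.data.mongodb.ssl.trust-store-password is missing")
    if props.get("kafka.ssl.keystore.location") and props.get("kafka.security.protocol") != "SSL":
        findings.append("Kafka keystore set but kafka.security.protocol is not SSL: encryption parameters are required")
    for key, value in props.items():
        if key.endswith(".url"):
            if value.startswith("="):
                findings.append(f"{key}: value starts with '=', the line has a doubled '=='")
            elif not value.startswith("https://"):
                findings.append(f"{key}: not https")
    return findings

if __name__ == "__main__":
    for finding in check_tds_security(parse_properties(SAMPLE)):
        print("WARN", finding)
```

Run it against the real file by replacing SAMPLE with the file's contents; an empty findings list means every setting covered by the checks matches the procedure.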