Securing Talend Data Stewardship connections - 7.1

Talend Data Fabric Installation and Upgrade Guide (Windows)

Version: 7.1
Product: Talend Data Fabric
Task: Data governance
Platform:
Talend Activity Monitoring Console
Talend Administration Center
Talend Artifact Repository
Talend CommandLine
Talend Data Preparation
Talend Data Stewardship
Talend DQ Portal
Talend ESB
Talend Identity and Access Management
Talend Installer
Talend JobServer
Talend Log Server
Talend MDM Server
Talend MDM Web UI
Talend Repository Manager
Talend Runtime
Talend SAP RFC Server
Talend Studio

To secure the connections between Talend Data Stewardship, the MongoDB server and Apache Kafka, you need to edit the data-stewardship.properties file.

Note:

If you selected the embedded MongoDB instance during installation, the MongoDB connection cannot be secured.

To secure the connection to MongoDB with SSL, MongoDB Enterprise Server must be installed manually on your machine. For more information, see https://docs.mongodb.com/v3.2/security/

Procedure

  1. Open the <Data_Stewardship_Path>\apache-tomcat\config\data-stewardship.properties file.
  2. To make Talend Data Stewardship trust the server certificates presented by the services it connects to, add the following properties and set the appropriate values:
    http.ssl.truststore.location=<path_to_truststore>
    http.ssl.truststore.password=<truststore_password>
  3. By default, Talend Data Stewardship does not verify that the host name matches the certificate's common name, so any certificate issued by a trusted CA is accepted regardless of which host presents it.
    To enable this verification, add the following property and set it to true:
    http.ssl.verify.hostname=true
  4. To let Talend Data Stewardship authenticate with a private key (client certificate), add the following properties and set the appropriate values:
    http.ssl.keystore.location=<path_to_keystore>
    http.ssl.keystore.password=<keystore_password>
    http.ssl.key.password=<key_password>
  5. To secure the connection to MongoDB, add the following properties and set the appropriate values:
    spring.data.mongodb.ssl=true
    spring.data.mongodb.ssl.trust-store=<path_to_truststore>
    spring.data.mongodb.ssl.trust-store-password=<truststore_password>
  6. To secure the connection to Kafka with transport encryption only, add the following properties and set the appropriate values:
    kafka.security.protocol=SSL
    kafka.ssl.truststore.location=<path_to_truststore>
    kafka.ssl.truststore.password=<truststore_password>
  7. To secure the connection to Kafka with authentication as well, add the following properties and set the appropriate values:
    kafka.ssl.keystore.location=<path_to_keystore>
    kafka.ssl.keystore.password=<keystore_password>
    kafka.ssl.key.password=<key_password>
    Note: Authentication does not replace the transport encryption parameters from the previous step; both sets must be defined.
  8. To secure the connection to the message broker, add the following properties and set the appropriate values:
    spring.cloud.stream.kafka.binder.configuration.security.protocol=SSL
    spring.cloud.stream.kafka.binder.configuration.ssl.truststore.location=<path_to_truststore>
    spring.cloud.stream.kafka.binder.configuration.ssl.truststore.password=<truststore_password>
    spring.cloud.stream.kafka.binder.configuration.ssl.keystore.location=<path_to_keystore>
    spring.cloud.stream.kafka.binder.configuration.ssl.keystore.password=<keystore_password>
    spring.cloud.stream.kafka.binder.configuration.ssl.key.password=<key_password>
    spring.kafka.properties.security.protocol=SSL
    spring.kafka.properties.ssl.truststore.location=<path_to_truststore>
    spring.kafka.properties.ssl.truststore.password=<truststore_password>
    spring.kafka.properties.ssl.keystore.location=<path_to_keystore>
    spring.kafka.properties.ssl.keystore.password=<keystore_password>
    spring.kafka.properties.ssl.key.password=<key_password>
  9. To secure the connection to Talend Identity and Access Management, edit the following lines:
    tds.security=iam
    oidc.url=https://<host_name:port>/oidc
    oidc.userauth.url=https://<host_name:port>/oidc
    scim.url=https://<host_name:port>/scim
  10. Change the service URLs from http to https:
    tds.history.service.url=https://${public.ip}:${server.port}/data-history-service
    schema.service.url=https://${public.ip}:${server.port}/schemaservice
  11. Change the gateway URLs from http to https:
    frontend.url=https://<datastewardship_server:port>/internal/frontend
    backend.url=https://<datastewardship_server:port>/internal/data-stewardship
    schemaservice.url=https://<datastewardship_server:port>/internal/schemaservice
    historyservice.url=https://<datastewardship_server:port>/internal/data-history-service
  12. Open the <Talend_Installation_Path>/iam/apache_tomcat/clients/tds-client.json file. Add the Talend Data Stewardship URLs to redirect_uris and post_logout_redirect_uris:
    {
      "client_name": "TDS OIDC Gateway",
      "client_id": "tl6K6ac7tSE-LQ",
      "client_secret": "cB/gNxe2SXR3SPDbhshZXzErZoxVy8yUcs/f6K39rsg=",
      "redirect_uris": [
        "https://<datastewardship_url:port>/login",
        "https://localhost:<ssl_port>/login",
        "https://127.0.0.1:<ssl_port>/login"
      ],
      "post_logout_redirect_uris": [
        "https://<datastewardship_url:port>/",
        "https://localhost:<ssl_port>/",
        "https://127.0.0.1:<ssl_port>/"
      ],
      "grant_types": [
        "password",
        "authorization_code",
        "refresh_token"
      ],
      "scope": "openid refreshToken"
    }
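Before restarting Tomcat, it is worth checking the edited files mechanically. The following Python script is an added example, not Talend code: it reads data-stewardship.properties the way java.util.Properties does (which is why a doubled "=" silently turns a URL into "=https://..."), then flags plaintext http:// URLs, host name verification left at its default, a Kafka keystore configured without the transport-encryption settings it depends on, MongoDB SSL without a truststore password, and <placeholders> that were never replaced; a second function applies the https-only, no-wildcard rule to the redirect URIs in tds-client.json. The property names are those of the procedure above; the file contents, host names and paths are constructed samples.

```python
import json
import re

# Properties whose values must be https:// URLs after steps 9 to 11.
URL_KEYS = (
    "oidc.url", "oidc.userauth.url", "scim.url",
    "tds.history.service.url", "schema.service.url",
    "frontend.url", "backend.url", "schemaservice.url", "historyservice.url",
)
# The three property families that carry Kafka SSL settings (steps 6 to 8).
KAFKA_PREFIXES = ("kafka.", "spring.cloud.stream.kafka.binder.configuration.",
                  "spring.kafka.properties.")


def parse_properties(text):
    """Minimal java.util.Properties reader: '#' or '!' starts a comment, the key
    ends at the first '=', ':' or whitespace, exactly one separator is consumed
    and the rest of the line is the value, so 'k==https://x' yields '=https://x'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def check_properties(text):
    """Return a list of findings; an empty list means the file passes."""
    p = parse_properties(text)
    findings = []
    for key in URL_KEYS:
        value = p.get(key, "")
        if value.startswith(("=", ":")):
            findings.append(f"{key}: doubled separator, value is {value!r}")
        elif value.startswith("http://"):
            findings.append(f"{key}: plaintext http URL")
    # Step 3: host name verification stays off unless explicitly enabled.
    if p.get("http.ssl.verify.hostname", "").strip().lower() != "true":
        findings.append("http.ssl.verify.hostname: not true, certificate host name is not checked")
    # Step 5: MongoDB SSL needs both a truststore and its password.
    if p.get("spring.data.mongodb.ssl") == "true":
        for k in ("spring.data.mongodb.ssl.trust-store",
                  "spring.data.mongodb.ssl.trust-store-password"):
            if not p.get(k):
                findings.append(f"{k}: missing although MongoDB SSL is enabled")
    # Steps 6 to 8: a keystore (authentication) only works on top of the SSL
    # transport settings, in every family that defines one.
    for prefix in KAFKA_PREFIXES:
        has_keystore = any(p.get(prefix + k) for k in
                           ("ssl.keystore.location", "ssl.keystore.password", "ssl.key.password"))
        if has_keystore and p.get(prefix + "security.protocol") != "SSL":
            findings.append(f"{prefix}: keystore set but security.protocol is not SSL")
        if has_keystore and not p.get(prefix + "ssl.truststore.location"):
            findings.append(f"{prefix}: keystore set but no ssl.truststore.location")
    # Placeholders copied from the documentation and never replaced.
    for k, v in p.items():
        if re.search(r"<[^>]+>", v):
            findings.append(f"{k}: placeholder {v!r} not replaced")
    return findings


def check_oidc_client(json_text):
    """Step 12: every redirect URI must be https and exact (no wildcard)."""
    findings = []
    client = json.loads(json_text)
    for field in ("redirect_uris", "post_logout_redirect_uris"):
        for uri in client.get(field, []):
            if not uri.startswith("https://"):
                findings.append(f"{field}: {uri} is not https")
            if "*" in uri:
                findings.append(f"{field}: {uri} contains a wildcard")
    return findings


# Constructed sample: the file after an edit that left the usual mistakes in.
SAMPLE_BEFORE = """\
http.ssl.truststore.location=C:/talend/tds/truststore.jks
http.ssl.truststore.password=changeit
spring.data.mongodb.ssl=true
spring.data.mongodb.ssl.trust-store=C:/talend/tds/truststore.jks
kafka.ssl.keystore.location=C:/talend/tds/keystore.jks
kafka.ssl.keystore.password=changeit
kafka.ssl.key.password=changeit
tds.history.service.url==https://tds.example.com:19999/data-history-service
frontend.url=http://tds.example.com:19999/internal/frontend
"""
# Constructed sample: the same file with every finding fixed.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("url==", "url=").replace("http://", "https://") + """\
http.ssl.verify.hostname=true
spring.data.mongodb.ssl.trust-store-password=changeit
kafka.security.protocol=SSL
kafka.ssl.truststore.location=C:/talend/tds/truststore.jks
kafka.ssl.truststore.password=changeit
"""
# Constructed tds-client.json with one http and one wildcard entry.
SAMPLE_CLIENT = """{"redirect_uris": ["https://tds.example.com:19999/login",
 "http://tds.example.com:19999/login"],
 "post_logout_redirect_uris": ["https://tds.example.com:19999/*"]}"""
```

Run check_properties on the contents of the real file and expect an empty list; check_properties(SAMPLE_BEFORE) returns six findings, one per mistake listed in the lead-in, and check_properties(SAMPLE_AFTER) returns none. The parser deliberately reproduces the Java behaviour rather than being lenient, because the server will read the file the same way.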
    

What to do next

To enable HTTPS support on Tomcat, see https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html

To enable SSL support on MongoDB, see https://docs.mongodb.com/v3.0/tutorial/configure-ssl/

To enable SSL support on Kafka, see http://kafka.apache.org/documentation.html#security_ssl

To enable SSL support on Talend Identity and Access Management, see Securing Talend Identity and Access Management connections