Setting up Talend Administration Center to verify custom Job artifact signatures

Configure Talend Administration Center to verify the signature of Job artifacts before task creation.

If you used the default Talend signature, see Configuring Talend Administration Center and Talend JobServer for default Job artifact signature.

Before you begin

The Job artifact to be added must be using custom signatures. For details on signing a Job artifact, see Configuring custom Job artifact signature.
In a continuous integration environment, add the following parameters to your artifact build:
- JKS:
  - -Dsigner.path: the path to your custom Java keystore
  - -Dsigner.keystore.password: the keystore password, either Maven-encrypted or in plain text
  - -Dsigner.key.password: the key password, either Maven-encrypted or in plain text
  - -Dsigner.key.alias: the alias name associated with your keystore
- PKCS12:
  - -Dsigner.path: the path to your custom Java keystore
  - -Dsigner.keystore.password: the keystore password, either Maven-encrypted or in plain text
  - -Dsigner.key.password: the key password, either Maven-encrypted or in plain text
  - -Dsigner.key.alias: the alias name associated with your keystore
  - -Dsigner.disabled: activate or deactivate the entire signature mechanism
  - -Dsigner.keystore.type: the type of the signature. In this case, it is PKCS12
  - -Dsigner.digest.algorithm: the algorithm for the artifact content
  - -Dsigner.signature.algorithm: the algorithm for the signature
The keystore file that contains the CA (Certificate Authority) certificates and the private key for signing Job artifacts must be accessible on the Talend Administration Center machine at a fixed file path.
In addition to Talend Studio, Talend Administration Center also signs the artifact before sending it to Talend JobServer for execution.

Procedure

Open the Configuration.properties file in a text editor.
The file is located in the Talend Administration Center installation directory.
Add the following properties:
```
signature.model=2
signature.key.path=<path_to_store_file>
signature.keystore.password=<store_password>
signature.key.password=<key_password>
signature.key.alias=<key_alias>
signature.keystore.type=<JKS or PKCS12>
signature.digest.algorithm=<digest_algorithm_from_Studio>
signature.algorithm=<signature_algorithm_from_Studio>
```
For signature.model, 0 means default Talend signature, 1 means no signature is needed, and 2 means custom signature is used.

Information noteImportant: The values of signature.digest.algorithm and signature.algorithm must exactly match those configured in Talend Studio and Talend JobServer. A mismatch prevents task execution.
Save the file.
Restart Talend Administration Center for the changes to take effect.
Create and run a test task to confirm that signature verification succeeds.

Results

Talend Administration Center verifies the signature of each Job artifact before creating the task for it. If the verification succeeds, Talend Administration Center signs the artifact before sending it to Talend JobServer for task runs.

Troubleshooting:

If signature verification fails, the following exception is returned:
```
Signature verification failed
```
When the signing certificate expires, you can set signature.timestamp.check to false to allow task creation and task runs to continue after the certificate expires.
By default, this value is true, preventing Talend Administration Center from creating tasks after the expiration.

What to do next

Ensure set up the custom signature verification on Talend JobServer by following Setting up Talend JobServer to verify custom Job artifact signatures.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – please let us know!

Leave your feedback here