Skip to main content

How to configure a bidirectional secure connection between Talend Studio and Talend Administration Center

By default, Talend Studio supports unidirectional HTTP connection to Talend Administration Center and thus does not need any certificates. If you want to connect to Talend Administration Center using a secure bidirectional connection, you must generate keystores and configure SSL in both the Talend Studio and the Tomcat server.
Resolution Generate the keystore and truststore file on Tomcat side
  1. Generate the keystore in jks format which include the Public key and Private Key. Make sure the passwords are the same for the keypass and storepass parameters:

    keytool -genkey -alias <serverAlias> -keystore <SSLFolderPath>/serverKeystore.jks -keypass <privateKeyPassword> -storepass <keystorePassword> -keyalg RSA  -keysize <keySize> -validity <valDays> -v -dname <Distinguished Name>

    for example:

    keytool -genkey -alias server -keystore E:/ssl/serverKeystore.jks -keypass 123456 -storepass 123456 -keyalg RSA  -keysize 512 -validity 365 -v -dname "CN=127.0.0.1,O=Talend Soft,L=ChaoYang,ST=Beijing,OU=Talend Technology"
  2. Export the server's certificate from the server keystore:

    keytool -export -alias <serverAlias> -keystore <SSLFolderPath>/serverKeystore.jks -storepass <keystorePassword> -file <SSLFolderPath>/server.cer
  3. Import the server.cer to the trust list of the clientTruststore.jks :

    keytool -import -alias <trustServerAlias> -file <SSLFolderPath>/server.cer -keystore <SSLFolderPath>/clientTruststore.jks -storepass <keystorePassword>
Generate the keystore and truststore files on Talend Studio and web browser side
  1. Generate the keystore in . jks format as described previously, but for client:

    keytool -genkey -alias <clientAlias> -keystore <SSLFolderPath>/clientKeystore.jks -keypass <privateKeyPassword> -storepass <keystorePassword> -keyalg RSA  -keysize <keySize> -validity <valDays> -v -dname <Distinguished Name>
  2. Generate the keystore in . p12 format for the client web browser:

    keytool -validity <valDays> -genkeypair -v -alias <clientAlias> -keyalg RSA -storetype PKCS12 -keystore <SSLFolderPath>/client.p12 -storepass <keystorePassword> -keypass <privateKeyPassword> -dname <Distinguished Name>
  3. Export the client's certificate from the client keystore:

    keytool -export -alias <clientAlias> -keystore <SSLFolderPath>/clientKeystore.jks -storepass <keystorePassword> -file <SSLFolderPath>/client.cer
  4. Export the web browser's certificate from the client . p12 file:

    keytool -export -v -alias <clientAlias> -keystore <SSLFolderPath>/client.p12 -storetype PKCS12 -storepass <keystorePassword> -rfc -file <SSLFolderPath>/browser.cer
  5. Import the client.cer file to the trust list of the serverTruststore.jks file:

    keytool -import -alias <trustClientAlias> -file <SSLFolderPath>/client.cer -keystore <SSLFolderPath>/serverTruststore.jks -storepass <keystorePassword>
  6. Import the browser.cer file to the trust list of the serverTruststore.jks file:

    keytool -import -alias <trustBrowserClientAlias> -file <SSLFolderPath>/browser.cer -keystore <SSLFolderPath>/serverTruststore.jks -storepass <keystorePassword> 

You should get the following files in your <SSLFolder> (on your local machine):

Tomcat side: serverKeystore.jks | serverTruststore.jks | server.cer

Talend Studio side: clientKeystore.jks | clientTruststore.jks | client.cer

Browser side: client.p12 | browser.cer

If you want to access Talend Administration Center from a web browser using an SSL protocol, double-click the client.p12 file to install it to your certificate directory for your web browser.

Configure Tomcat
  1. Open the <TomcatPath>/conf/server.xml file, uncomment and edit the SSL part as follows:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="true" sslProtocol="TLS" 
    	keystoreFile="<SSLFolderPath/serverKeystore.jks" 
    	keystorePass=<keystorePassword>
    	truststoreFile="<SSLFolderPath/serverTruststore.jks" 
    	truststorePass=<trustStorePassword> />
Configure Talend Studio
  1. Add the following arguments to:
    • the Talend Studio executable of your VM if you are working in a DEV environment
    • the Talend Studio .ini file if you are working in a build environment
    -Dtac.net.ssl.ClientKeyStore="<SSLFolderPath>/clientKeystore.jks" 
    -Dtac.net.ssl.ClientTrustStore="<SSLFolderPath>/clientTruststore.jks"
    -Dtac.net.ssl.KeyStorePass=<keystorePassword>
    -Dtac.net.ssl.TrustStorePass=<truststorePassword>
  2. By default, the Talend Studio verifies the host name of the Talend Administration Center server against the server certificate in truststore file. To disable this verification, add the following argument to the Talend Studio executable or .ini file:
    -Dtac.net.ssl.EnableHostNameVerification=false

    This parameter defaults to true.

  3. If -Dtac.net.ssl.ClientTrustStore is not set, add the following argument to the Talend Studio executable or .ini file to connect to Talend Administration Center without verifying the server end certificate:
    -Dtac.net.ssl.AcceptAllCertsIfNoTruststore=true

    Otherwise, the Java default verification mechanism will be used.

    This parameter defaults to false.

Note that, if you are using a secured connection and did not configure these arguments, a dialog will pop up at Talend Studio start-up to let you input the arguments.

Check the connection
  1. Start Tomcat (make sure there is no error log, if there are some, check your server.xml file).
  2. Launch Talend Studio and create a remote connection with URL https://localhost:8443/org.talend.administrator, check that it is successful.

  3. Open the web browser and check that you have access to the https://localhost:8443/org.talend.administrator URL address.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – please let us know!