Securing connections for Talend Data Stewardship

To secure connections between Talend Data Stewardship, the MongoDB server, and Apache Kafka, you need to edit the data-stewardship.properties file.

Important: In the following procedure, the MongoDB server module, the Apache Kafka module, and other Talend Data Stewardship modules must all use the same truststore.

Procedure

  1. Open the <installation_folder>\tds\config\data-stewardship.properties file.
  2. To trust the server certificate used by Talend Data Stewardship, add the following properties with the appropriate values:
    #Keystore configuration
    server.ssl.key-store=<keystore_path>/keystore.jks
    server.ssl.key-store-password=<keystore_password>
    server.ssl.key-alias=<certificate_alias>
    server.ssl.key-store-type=JKS
    server.ssl.enabled=true
    server.ssl.protocol=TLS
    server.ssl.client-auth=none
    server.tomcat.max-threads=150
    To strengthen security, you can set the server.ssl.client-auth property to want or need.
    By default, Spring Boot uses the default truststore (cacerts) located in the java/lib/security folder. If the default truststore meets your needs, you do not need to add any truststore-related properties.
  3. In <installation_folder>\iam\config\clientstds-client.json, update all http to https.
  4. To secure connections with MongoDB, add the following properties with the appropriate values:
    spring.data.mongodb.ssl=true
    spring.data.mongodb.ssl.trust-store=<truststore_path>
    spring.data.mongodb.ssl.trust-store-password=<truststore_password>
    To enable SSL support on MongoDB, see MongoDB documentation.
  5. To secure connections with Kafka using communication encryption only, add the following properties with the appropriate values:
    kafka.security.protocol=SSL
    kafka.ssl.truststore.location=<truststore_path>
    kafka.ssl.truststore.password=<truststore_password>
  6. To secure connections with Kafka using authentication, add the following properties with the appropriate values:
    kafka.ssl.keystore.location=<keystore_path>
    kafka.ssl.keystore.password=<keystore_password>
    kafka.ssl.key.password=<key_password>
    Note that the communication encryption parameters must also be defined to use authentication.
  7. To secure connections with the message broker, add the following properties with the appropriate values:
    spring.cloud.stream.kafka.binder.configuration.security.protocol=SSL
    spring.cloud.stream.kafka.binder.configuration.ssl.truststore.location=<truststore_path>
    spring.cloud.stream.kafka.binder.configuration.ssl.truststore.password=<truststore_password>
    spring.cloud.stream.kafka.binder.configuration.ssl.keystore.location=<keystore_path>
    spring.cloud.stream.kafka.binder.configuration.ssl.keystore.password=<keystore_password>
    spring.cloud.stream.kafka.binder.configuration.ssl.key.password=<key_password>
    spring.cloud.stream.kafka.binder.configuration.ssl.endpoint.identification.algorithm=<ssl_algorithm>
    spring.kafka.properties.security.protocol=SSL
    spring.kafka.properties.ssl.truststore.location=<truststore_path>
    spring.kafka.properties.ssl.truststore.password=<truststore_password>
    spring.kafka.properties.ssl.keystore.location=<keystore_path>
    spring.kafka.properties.ssl.keystore.password=<keystore_password>
    spring.kafka.properties.ssl.key.password=<key_password>
    To enable SSL support on Kafka, see Kafka documentation.
  8. Change the gateway URLs from http to https:
    frontend.url=https://<server>:${frontend.server.port}
    backend.url=https://<server>:${core.server.port}
    schemaservice.url=https://<server>:${schema.server.port}
    historyservice.url=https://<server>:${history.server.port}
    monitoringservice.url=https://<server>:${monitoring.server.port}
    gateway.url=https://<server>:${gateway.server.port}
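
The checks this procedure implies, as an added example that is not part of the Talend documentation: a Python audit of the text of data-stewardship.properties that reports keys left unset, gateway URLs still on http, truststore paths that differ between modules, and a Kafka keystore configured without the encryption parameters. The host name tds.example.test, the /opt/certs paths and the function names are constructed for illustration.

```python
EXPECTED = {  # exact values from steps 2, 4, 5 and 7
    "server.ssl.enabled": "true",
    "spring.data.mongodb.ssl": "true",
    "kafka.security.protocol": "SSL",
    "spring.cloud.stream.kafka.binder.configuration.security.protocol": "SSL",
    "spring.kafka.properties.security.protocol": "SSL",
}
TRUSTSTORE_KEYS = [  # the page requires one truststore shared by all modules
    "spring.data.mongodb.ssl.trust-store",
    "kafka.ssl.truststore.location",
    "spring.cloud.stream.kafka.binder.configuration.ssl.truststore.location",
    "spring.kafka.properties.ssl.truststore.location",
]
URL_KEYS = ["frontend.url", "backend.url", "schemaservice.url",
            "historyservice.url", "monitoringservice.url", "gateway.url"]

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    lines = (ln.strip() for ln in text.splitlines())
    pairs = (ln.partition("=") for ln in lines if ln and ln[0] not in "#!" and "=" in ln)
    return {k.strip(): v.strip() for k, _, v in pairs}

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    props, findings = parse_properties(text), []
    for key, want in EXPECTED.items():
        if props.get(key) != want:
            findings.append(f"{key}: expected {want}, found {props.get(key)}")
    for key in URL_KEYS:  # step 8: a key left on http (or missing) is reported
        if not props.get(key, "").startswith("https://"):
            findings.append(f"{key}: not an https URL")
    stores = {props[k] for k in TRUSTSTORE_KEYS if k in props}
    if len(stores) > 1:  # plain string comparison of the configured paths
        findings.append(f"truststore paths differ: {sorted(stores)}")
    # Step 6 note: Kafka authentication also needs the encryption parameters.
    auth, enc = "kafka.ssl.keystore.location", "kafka.ssl.truststore.location"
    if auth in props and enc not in props:
        findings.append(f"{auth} set without {enc}")
    return findings

# Constructed sample: gateway URL left on http and two different truststore paths.
SAMPLE = """server.ssl.enabled=true
gateway.url=http://tds.example.test:${gateway.server.port}
spring.data.mongodb.ssl.trust-store=/opt/certs/truststore.jks
kafka.ssl.truststore.location=/opt/certs/kafka-truststore.jks
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The truststore check compares path strings only, so two different paths that resolve to the same file are still reported.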
