
Securing connections for Talend Identity and Access Management

Use SSL with a self-signed certificate to connect to Talend Identity and Access Management.

Procedure

  1. Place your JKS file in the <installation_path>/config folder.
  2. Open the <installation_path>/start.sh file to edit it.
  3. Add the following settings.
    export SERVER_SSL_KEYSTORE=<absolute_path_to_your_jks_file> (for example: /keystore/server.jks)
    export SERVER_SSL_KEYSTOREPASSWORD=<secret>
    export SERVER_SSL_KEYPASSWORD=<secret>
  4. Open the <installation_path>/config/iam.properties file and change the URL below from http to https:
    oidc.url=https://${oidc.host}:${oidc.port}${oidc.context}
  5. Optional: If you have enabled SSL for Talend Administration Center, change the following URL from http to https:
    tac.url=https://<host_name>:<port>/org.talend.administrator
  6. Optional: If SSL has been enabled for modules such as Talend Data Stewardship or Talend Data Preparation, do the following:
    1. Navigate to the <installation_path>/config/clients folder.
    2. Open the corresponding client configuration files, for example, tdp-client.json for Talend Data Preparation, or tds-client.json for Talend Data Stewardship.
    3. In the redirect_uris property, change all URLs from http to https.
  7. Restart Talend Identity and Access Management.
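Before restarting, it is worth checking that every file touched by the steps above is consistent (keystore variables exported, keystore present and not world-readable, oidc.url / tac.url and the client redirect_uris switched to https). The script below is an added example, not Talend's own tooling; it assumes the installation path is passed as the first argument and builds a constructed sample installation only for demonstration.

```shell
#!/bin/sh
# Added example: pre-restart sanity check for the SSL settings this procedure edits.
# $1 is <installation_path>; file locations follow the procedure above.
check_iam_tls() {
  inst="$1"; rc=0
  # 1. start.sh must export all three keystore variables
  for var in SERVER_SSL_KEYSTORE SERVER_SSL_KEYSTOREPASSWORD SERVER_SSL_KEYPASSWORD; do
    grep -q "^export $var=" "$inst/start.sh" || { echo "start.sh: missing export $var"; rc=1; }
  done
  # 2. the referenced keystore must exist and must not be readable by "others"
  ks=$(sed -n 's/^export SERVER_SSL_KEYSTORE=//p' "$inst/start.sh" | head -n 1)
  if [ -n "$ks" ]; then
    [ -f "$ks" ] || { echo "keystore not found: $ks"; rc=1; }
    if [ -f "$ks" ] && [ -n "$(find "$ks" -perm -004)" ]; then
      echo "keystore $ks is world-readable"; rc=1
    fi
  fi
  # 3. oidc.url (and tac.url, if present) in iam.properties must use https
  for key in oidc.url tac.url; do
    if grep -q "^$key=http://" "$inst/config/iam.properties"; then
      echo "iam.properties: $key still uses http"; rc=1
    fi
  done
  # 4. no plain-http URLs may remain in the client configuration files
  for f in "$inst"/config/clients/*-client.json; do
    [ -f "$f" ] || continue
    if grep -q '"http://' "$f"; then echo "$f: http redirect_uri present"; rc=1; fi
  done
  return $rc
}

# Constructed sample installation (hypothetical hostnames/values), $1 = http or https.
make_sample() {
  inst=$(mktemp -d); mkdir -p "$inst/config/clients"
  ks="$inst/config/server.jks"; : > "$ks"; chmod 600 "$ks"
  printf 'export SERVER_SSL_KEYSTORE=%s\nexport SERVER_SSL_KEYSTOREPASSWORD=secret\nexport SERVER_SSL_KEYPASSWORD=secret\n' "$ks" > "$inst/start.sh"
  printf 'oidc.url=%s://${oidc.host}:${oidc.port}${oidc.context}\n' "$1" > "$inst/config/iam.properties"
  printf '{"redirect_uris":["%s://tdp.example:9999/callback"]}\n' "$1" > "$inst/config/clients/tdp-client.json"
  echo "$inst"
}
```

Run `check_iam_tls /opt/Talend-8.0.1/iam` (or your own installation path) and treat a non-zero exit as "do not restart yet".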

Additional keystore configuration for Talend Identity and Access Management as service

These configuration changes are only necessary when you have installed Talend Identity and Access Management as a system service.

Make these changes for the OIDC and the SCIM services of Talend Identity and Access Management.

Procedure

  1. Locate the Talend Identity and Access Management service systemd files in the /etc/systemd/system folder.
    The file names are:
    • talend-iam-oidc-8.0.1.service
    • talend-iam-scim-8.0.1.service
    The number 8.0.1 represents the installed version used in this example.
  2. Open the service files in a text editor using sudo privileges, as the files are owned by the root user.
    For example, the content of the talend-iam-oidc-8.0.1.service file is:
    # systemd descriptor file for IAM service
    
    [Unit]
    Description=Talend Identity Access management service (OIDC)
    Before=runlevel3.target runlevel5.target
    After=local-fs.target remote-fs.target network-online.target time-sync.target postgresql.target systemd-journald-dev-log.socket
    Wants=network-online.target
    Conflicts=shutdown.target
    
    [Service]
    Type=simple
    Restart=no
    KillMode=process
    Restart=no
    Environment=SPRING_PROFILES_ACTIVE=onpremise
    ExecStart=/usr/lib/jvm/jre-17/bin/java -Dfile.encoding=UTF-8 -Dspring.mvc.locale=en_US -server -Xms2048m -Xmx2048m -XX:NewSize=256m -XX:MaxNewSize=256m -XX:+DisableExplicitGC -Dencryption.keys.file=config/keys.properties -jar lib/oidc.jar
    #ExecStop=
    User=talenduser
    Group=talendgroup
    WorkingDirectory=/opt/Talend-8.0.1/iam
    SuccessExitStatus=143 SIGKILL
    
    [Install]
    WantedBy=multi-user.target
  3. Locate the Environment=SPRING_PROFILES_ACTIVE=onpremise line.
  4. Add the keystore settings after the existing line:
    Environment=SPRING_PROFILES_ACTIVE=onpremise
    Environment=SERVER_SSL_KEYSTORE=/keystore/server.jks
    Environment=SERVER_SSL_KEYSTOREPASSWORD=Password1
    Environment=SERVER_SSL_KEYPASSWORD=Password2
    ExecStart=/usr/lib/jvm/jre-17/bin/java -Dfile.encoding=UTF-8 -Dspring.mvc.locale=en_US -server -Xms2048m -Xmx2048m -XX:NewSize=256m -XX:MaxNewSize=256m -XX:+DisableExplicitGC -Dencryption.keys.file=config/keys.properties -jar lib/oidc.jar
  5. Save the talend-iam-oidc-8.0.1.service file.
  6. Repeat the operations for the talend-iam-scim-8.0.1.service file.
  7. After saving both files, run the following command to reload the systemd environment:
    sudo systemctl daemon-reload
  8. Restart both services with the following commands:
    sudo systemctl stop talend-iam-oidc-8.0.1.service
    sudo systemctl stop talend-iam-scim-8.0.1.service
    sudo systemctl start talend-iam-oidc-8.0.1.service
    sudo systemctl start talend-iam-scim-8.0.1.service
