Securing connections for Talend Identity and Access Management
Procedure
- Place your JKS file in the <installation_path>/config folder.
- Open the <installation_path>/start.sh file to edit it.
- Add the following settings (for example, SERVER_SSL_KEYSTORE=/keystore/server.jks):
  export SERVER_SSL_KEYSTORE=<absolute_path_to_your_jks_file>
  export SERVER_SSL_KEYSTOREPASSWORD=<secret>
  export SERVER_SSL_KEYPASSWORD=<secret>
- Open the <installation_path>/config/iam.properties file and change the URL below from http to https:
  oidc.url=https://${oidc.host}:${oidc.port}${oidc.context}
- Optional: If you have enabled SSL connection for Talend Administration Center, in <installation_path>/config/iam.properties, change the following URL from http to https:
  tac.url=https://<host_name>:<port>/org.talend.administrator
- Optional: If your Talend Administration Center is using self-signed certificates for SSL, as described in Configure TLS/SSL in Talend Administration Center, proceed as follows:
  - Retrieve the Talend Administration Center certificate, or its Certificate Authority, and add it to the Talend Identity and Access Management truststore using the following command:
    keytool -import -trustcacerts -alias <cert-alias> -file <TAC_certificate.crt> -keystore <IAM_truststore.jks>
  - Add the following line to start.sh:
    JAVA_OPTS="${JAVA_OPTS} -Djavax.net.ssl.trustStore=/path/to/trustStore -Djavax.net.ssl.trustStorePassword=trustStore_password"
- Optional: To enable SSL connection for modules such as Talend Data Stewardship or Talend Data Preparation, do the following:
  - For Talend Data Preparation, proceed as explained in Configuring an HTTPS connection for Talend Data Preparation.
  - For Talend Data Stewardship, proceed as explained in Securing connections for Talend Data Stewardship.
- Restart Talend Identity and Access Management.
Additional keystore configuration for Talend Identity and Access Management as service
These configuration changes are only necessary when you have installed Talend Identity and Access Management as a system service.
Make these changes for the OIDC and the SCIM services of Talend Identity and Access Management.
Procedure
- Locate the Talend Identity and Access Management service systemd files in the /etc/systemd/system folder. The file names are:
  - talend-iam-oidc-8.0.1.service
  - talend-iam-scim-8.0.1.service
- Open the service files in a text editor using sudo privileges, as the files are owned by the root user. For example, the content of the talend-iam-oidc-8.0.1.service file is:
  # systemd descriptor file for IAM service
  [Unit]
  Description=Talend Identity Access management service (OIDC)
  Before=runlevel3.target runlevel5.target
  After=local-fs.target remote-fs.target network-online.target time-sync.target postgresql.target systemd-journald-dev-log.socket
  Wants=network-online.target
  Conflicts=shutdown.target
  [Service]
  Type=simple
  Restart=no
  KillMode=process
  Restart=no
  Environment=SPRING_PROFILES_ACTIVE=onpremise
  ExecStart=/usr/lib/jvm/jre-17/bin/java -Dfile.encoding=UTF-8 -Dspring.mvc.locale=en_US -server -Xms2048m -Xmx2048m -XX:NewSize=256m -XX:MaxNewSize=256m -XX:+DisableExplicitGC -Dencryption.keys.file=config/keys.properties -jar lib/oidc.jar
  #ExecStop=
  User=talenduser
  Group=talendgroup
  WorkingDirectory=/opt/Talend-8.0.1/iam
  SuccessExitStatus=143 SIGKILL
  [Install]
  WantedBy=multi-user.target
- Locate the Environment=SPRING_PROFILES_ACTIVE=onpremise line.
- Add the keystore settings after the existing line:
  Environment=SPRING_PROFILES_ACTIVE=onpremise
  Environment=SERVER_SSL_KEYSTORE=/keystore/server.jks
  Environment=SERVER_SSL_KEYSTOREPASSWORD=Password1
  Environment=SERVER_SSL_KEYPASSWORD=Password2
  ExecStart=/usr/lib/jvm/jre-17/bin/java -Dfile.encoding=UTF-8 -Dspring.mvc.locale=en_US -server -Xms2048m -Xmx2048m -XX:NewSize=256m -XX:MaxNewSize=256m -XX:+DisableExplicitGC -Dencryption.keys.file=config/keys.properties -jar lib/oidc.jar
- Optional: If your Talend Administration Center is using self-signed certificates for SSL, as described in Configure TLS/SSL in Talend Administration Center, add the truststore configuration of your Talend Identity and Access Management to the ExecStart property:
  -Djavax.net.ssl.trustStore=/path/to/trustStore -Djavax.net.ssl.trustStorePassword=trustStore_password
  Make sure to add these values in the middle of the string, before -jar <jar name>. The system interprets anything after -jar <jar name> as command-line parameters to the Java main function, not as JVM system properties.
  Warning: Ensure that you have added the Talend Administration Center's certificate to the Talend Identity and Access Management truststore, as explained in the previous section.
- Save the talend-iam-oidc-8.0.1.service file.
- Repeat the operations for the talend-iam-scim-8.0.1.service file.
- After saving both files, run the following command to reload the systemd environment:
  sudo systemctl daemon-reload
- Restart both services with the following commands:
  sudo systemctl stop talend-iam-oidc-8.0.1.service
  sudo systemctl stop talend-iam-scim-8.0.1.service
  sudo systemctl start talend-iam-oidc-8.0.1.service
  sudo systemctl start talend-iam-scim-8.0.1.service
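The two mistakes this procedure is most prone to (a missing SERVER_SSL_* line, or the truststore options landing after -jar) can be checked mechanically before running daemon-reload. The following POSIX shell script is an added example, not part of the Talend documentation; it assumes the unit file layout shown above, and the two sample unit files it writes to a temporary directory are constructed for illustration.

```shell
# Added example, not part of the Talend documentation: sanity checks for an
# edited talend-iam-*.service unit. The truststore -D options must sit before
# "-jar" in ExecStart; anything after it becomes an argument to main().

# Return 0 if $1 contains all three keystore Environment= lines, else 1.
has_keystore_env() {
  for key in SERVER_SSL_KEYSTORE SERVER_SSL_KEYSTOREPASSWORD SERVER_SSL_KEYPASSWORD; do
    grep -q "^Environment=${key}=" "$1" || return 1
  done
  return 0
}
# Return 0 when ExecStart= in $1 lists -Djavax.net.ssl.trustStore before -jar;
# 1 when the option is missing or placed after -jar.
truststore_before_jar() {
  line=$(grep '^ExecStart=' "$1") || return 1
  printf '%s\n' "$line" | awk '{
    ts = 0; jar = 0
    for (i = 1; i <= NF; i++) {
      if (ts == 0 && $i ~ /^-Djavax\.net\.ssl\.trustStore=/) ts = i
      if (jar == 0 && $i == "-jar") jar = i
    }
    if (ts > 0 && jar > 0 && ts < jar) exit 0
    exit 1
  }'
}
# Run both checks on $1, print a verdict, return 0 only if both pass.
check_unit() {
  status=0
  has_keystore_env "$1" || { echo "$1: missing SERVER_SSL_* Environment= line"; status=1; }
  truststore_before_jar "$1" || { echo "$1: truststore options missing or after -jar"; status=1; }
  [ "$status" -eq 0 ] && echo "$1: OK"
  return "$status"
}

# Constructed sample units (not from a real install): one correct, one wrong.
TMP_DIR=$(mktemp -d)
GOOD_UNIT="$TMP_DIR/good.service"; BAD_UNIT="$TMP_DIR/bad.service"
cat > "$GOOD_UNIT" <<'EOF'
[Service]
Environment=SERVER_SSL_KEYSTORE=/keystore/server.jks
Environment=SERVER_SSL_KEYSTOREPASSWORD=Password1
Environment=SERVER_SSL_KEYPASSWORD=Password2
ExecStart=/usr/lib/jvm/jre-17/bin/java -Djavax.net.ssl.trustStore=/path/to/trustStore -Djavax.net.ssl.trustStorePassword=trustStore_password -jar lib/oidc.jar
EOF
cat > "$BAD_UNIT" <<'EOF'
[Service]
ExecStart=/usr/lib/jvm/jre-17/bin/java -jar lib/oidc.jar -Djavax.net.ssl.trustStore=/path/to/trustStore
EOF
check_unit "$GOOD_UNIT"
check_unit "$BAD_UNIT" || true   # fails both checks, as intended
```

Run it against the real files with `check_unit /etc/systemd/system/talend-iam-oidc-8.0.1.service` (and the scim unit) after editing them.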