Configuring SSL for Talend JobServer
Procedure
- Enable SSL in the jobserver/agent/conf/TalendJobServer.properties file:
org.talend.remote.jobserver.server.TalendJobServer.USE_SSL=true
- Still in the jobserver/agent/conf/TalendJobServer.properties file, specify keystore and truststore settings for the server:
org.talend.remote.server.ssl.keyStore=<path_to_jobserver_keystore>
org.talend.remote.server.ssl.keyStorePassword=<jobserver_keystore_password>
org.talend.remote.server.ssl.trustStore=<path_to_jobserver_truststore>
org.talend.remote.server.ssl.trustStorePassword=<jobserver_truststore_password>
org.talend.remote.server.ssl.enabled.protocols=TLSv1.2,TLSv1.3
org.talend.remote.server.ssl.authenticate=<true or false>
The passwords are stored in clear text in this file, so restrict its permissions to the account that runs the JobServer. Keep enabled.protocols at TLSv1.2,TLSv1.3; older protocol versions should not be enabled.
Note: About keystore and truststore:
- Server keystore and client truststore: The server keystore holds the server's private key and certificate chain. The client truststore must contain either the server's certificate (exported from the server keystore using keytool -export, an alias of -exportcert) or the Certificate Authority (CA) certificate that signed the server's certificate, so the client can validate the server's identity.
At runtime, the client's TLS (Transport Layer Security) stack verifies whether it can trust the server's certificate. To do this, it follows the server's certificate chain, through any intermediate certificates, until it reaches a certificate already present in its truststore. If this verification fails, the handshake is aborted and no connection is made. In other words, the client only connects when it can chain the server's certificate to an entry in its truststore.
If no truststore is specified on the client side, the client uses its JVM's default truststore, $JAVA_HOME/lib/security/cacerts, because org.talend.remote.client.ssl.disablePeerTrust defaults to false and peer verification therefore stays on. A self-signed JobServer certificate is not in cacerts, so in that case you must provide a client truststore. Do not work around a failing handshake by setting disablePeerTrust=true: as its name says, that disables validation of the server certificate and leaves the connection open to man-in-the-middle attacks.
- Server truststore and client keystore: The server truststore is used for certificate-based client authentication (mutual TLS): the server verifies the certificate presented from the client keystore against it.
- If the property org.talend.remote.server.ssl.authenticate is set to true, each Talend JobServer client (Talend Administration Center and Talend Studio) must define a keystore holding a private key and a certificate chain that leads to an entry in the Talend JobServer truststore.
- If org.talend.remote.server.ssl.authenticate=false on the server, client certificate authentication is disabled and the client keystore is not used.
- Specify keystore and truststore settings for the client as JVM system properties:
-Dorg.talend.remote.client.ssl.keyStore=<path_to_client_keystore>
-Dorg.talend.remote.client.ssl.keyStorePassword=<client_keystore_password>
-Dorg.talend.remote.client.ssl.trustStore=<path_to_client_truststore>
-Dorg.talend.remote.client.ssl.trustStorePassword=<client_truststore_password>
-Dorg.talend.remote.client.ssl.enabled.protocols=TLSv1.2,TLSv1.3
-Dorg.talend.remote.client.ssl.disablePeerTrust=false
The client keystore properties are only needed when org.talend.remote.server.ssl.authenticate=true on the server.
- For Talend Studio, it is recommended to specify these system properties in studio/Talend-Studio-linux-gtk-x86_64.ini or studio/Talend-Studio-gtk-aarch64.ini, one -D option per line after -vmargs.
- For Talend Administration Center, extend the JAVA_OPTS definition in tac/apache-tomcat/bin/setenv.sh:
export JAVA_OPTS="$JAVA_OPTS -Xmx2048m -Dfile.encoding=UTF-8 -Dorg.talend.remote.client.ssl.keyStore=..."
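The steps above name four store files and two passwords but not how to produce them. The following shell script is an added example, not part of Talend's documentation or product: it builds the server keystore, exports the server certificate into a client truststore and, for the case where org.talend.remote.server.ssl.authenticate=true, a client keystore whose certificate goes into the server truststore, using only the JDK's keytool. The directory, hostname, aliases, passwords and the self-signed RSA-3072 certificates are assumptions for the demonstration; in production use certificates issued by your CA, with the hostname clients actually connect to in the SAN.

```shell
#!/bin/sh
# Added example (not Talend's own tooling): provision the PKCS12 keystores and
# truststores that the server and client properties refer to, using keytool.
# Paths, aliases, hostnames and passwords are assumptions for the demo;
# replace them with your own and never commit the passwords to source control.
set -eu

# $1 = output directory, $2 = JobServer hostname as seen by clients,
# $3 = server store password, $4 = client store password
make_jobserver_stores() {
    dir="$1"
    host="${2:-jobserver.example.internal}"   # assumed hostname
    srv_pw="${3:-changeit-server}"            # assumed password
    cli_pw="${4:-changeit-client}"            # assumed password
    mkdir -p "$dir"

    # 1. Server key pair + self-signed certificate -> server keystore.
    #    The SAN must carry the hostname clients use, or hostname checks fail.
    keytool -genkeypair -alias jobserver -keyalg RSA -keysize 3072 \
        -sigalg SHA256withRSA -validity 365 \
        -dname "CN=$host" -ext "SAN=dns:$host" \
        -keystore "$dir/jobserver-keystore.p12" -storetype PKCS12 \
        -storepass "$srv_pw" -keypass "$srv_pw" >/dev/null 2>&1

    # 2. Export the server certificate (public part only) ...
    keytool -exportcert -alias jobserver -rfc \
        -keystore "$dir/jobserver-keystore.p12" -storepass "$srv_pw" \
        -file "$dir/jobserver.crt" >/dev/null 2>&1
    # ... and import it into the client truststore so Studio/TAC can
    #     validate the server (import the CA certificate instead if you have one).
    keytool -importcert -noprompt -alias jobserver -file "$dir/jobserver.crt" \
        -keystore "$dir/client-truststore.p12" -storetype PKCS12 \
        -storepass "$cli_pw" >/dev/null 2>&1

    # 3. Only needed when org.talend.remote.server.ssl.authenticate=true:
    #    client key pair -> client keystore; client cert -> server truststore.
    keytool -genkeypair -alias talend-client -keyalg RSA -keysize 3072 \
        -sigalg SHA256withRSA -validity 365 -dname "CN=talend-client" \
        -keystore "$dir/client-keystore.p12" -storetype PKCS12 \
        -storepass "$cli_pw" -keypass "$cli_pw" >/dev/null 2>&1
    keytool -exportcert -alias talend-client -rfc \
        -keystore "$dir/client-keystore.p12" -storepass "$cli_pw" \
        -file "$dir/talend-client.crt" >/dev/null 2>&1
    keytool -importcert -noprompt -alias talend-client -file "$dir/talend-client.crt" \
        -keystore "$dir/jobserver-truststore.p12" -storetype PKCS12 \
        -storepass "$srv_pw" >/dev/null 2>&1
}

# Print the matching property lines so the four files and two passwords end
# up in TalendJobServer.properties and the client JVM options consistently.
# $1 = dir, $2 = server password, $3 = client password, $4 = true|false
render_ssl_properties() {
    dir="$1"; srv_pw="$2"; cli_pw="$3"; auth="${4:-true}"
    cat <<EOF
# --- jobserver/agent/conf/TalendJobServer.properties ---
org.talend.remote.jobserver.server.TalendJobServer.USE_SSL=true
org.talend.remote.server.ssl.keyStore=$dir/jobserver-keystore.p12
org.talend.remote.server.ssl.keyStorePassword=$srv_pw
org.talend.remote.server.ssl.trustStore=$dir/jobserver-truststore.p12
org.talend.remote.server.ssl.trustStorePassword=$srv_pw
org.talend.remote.server.ssl.enabled.protocols=TLSv1.2,TLSv1.3
org.talend.remote.server.ssl.authenticate=$auth
# --- client JVM options (Studio .ini, one per line, or TAC setenv.sh JAVA_OPTS) ---
-Dorg.talend.remote.client.ssl.keyStore=$dir/client-keystore.p12
-Dorg.talend.remote.client.ssl.keyStorePassword=$cli_pw
-Dorg.talend.remote.client.ssl.trustStore=$dir/client-truststore.p12
-Dorg.talend.remote.client.ssl.trustStorePassword=$cli_pw
-Dorg.talend.remote.client.ssl.enabled.protocols=TLSv1.2,TLSv1.3
-Dorg.talend.remote.client.ssl.disablePeerTrust=false
EOF
}

# Sanity check: does the client truststore really hold the server certificate?
# Exit status 0 when the alias is present (keytool -list fails otherwise).
client_trusts_server() {
    keytool -list -alias jobserver -keystore "$1/client-truststore.p12" \
        -storepass "$2" >/dev/null 2>&1
}
```

Call make_jobserver_stores /opt/talend/ssl jobserver.example.internal '<server_pw>' '<client_pw>' once, then paste the output of render_ssl_properties with the same arguments into the server properties file and the client .ini or setenv.sh. Importing the CA certificate rather than the leaf keeps the client truststore valid when the server certificate is renewed.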
- Manage SSL cipher suites (optional).
A cipher suite is the combination of key exchange, authentication, encryption and integrity algorithms that a TLS connection negotiates. Some suites offer a lower level of security than others (static RSA key exchange has no forward secrecy; CBC-mode, RC4 and NULL encryption are weak or provide no confidentiality at all), so you may want to specify explicitly which ciphers to enable or disable.
You can use either a positive or a negative list to manage cipher suites:
- Disable specific cipher suites (negative list): add the list of ciphers to disable in the <root>/conf/TalendJobServer.properties file:
org.talend.remote.jobserver.server.TalendJobServer.DISABLED_CIPHER_SUITES=TLS_RSA_WITH_NULL_MD5,SSL_RSA_WITH_RC4_128_MD5,...
- Enable specific cipher suites (positive list):
- Server: Define an exclusive positive list of ciphers using the property org.talend.remote.server.ssl.enabled.cipher.suites:
org.talend.remote.server.ssl.enabled.cipher.suites=TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,...
- Client: Define an exclusive positive list of ciphers using the property org.talend.remote.client.ssl.enabled.cipher.suites:
-Dorg.talend.remote.client.ssl.enabled.cipher.suites=TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,...
The lists above are placeholders. Prefer the TLS 1.3 suites and the TLS 1.2 ECDHE suites with GCM or CHACHA20-POLY1305 (the ECDHE_ECDSA suites require an EC server certificate; with an RSA certificate use the ECDHE_RSA equivalents), and make sure the server and client lists have at least one suite in common, otherwise the handshake fails. A suite can only be enabled if the JVM supports it, and the JobServer and its clients may run on different JVMs.
You can use the keytool utility to identify the cipher suites supported by a JVM (recent JDKs; older ones do not have -showinfo). Run it with the JDK that runs Talend JobServer and, separately, with the one that runs each client:
keytool -showinfo -tls
The output lists the enabled protocols and cipher suites and may resemble the following:
Enabled Protocols
-----------------
TLSv1.3
TLSv1.2

Enabled Cipher Suites
---------------------
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
... (skipped for brevity) ...
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
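To derive the positive list from that output instead of hand-picking suites, the following shell script is an added example (not Talend tooling): it parses the Enabled Cipher Suites section, keeps the TLS 1.3 suites and the TLS 1.2 (EC)DHE suites with an AEAD cipher, and prints the server and client property lines plus the equivalent DISABLED_CIPHER_SUITES list. The sample output embedded in it is constructed for the demonstration; pipe in the real keytool -showinfo -tls output from each machine.

```shell
#!/bin/sh
# Added example (not Talend's own tooling): turn `keytool -showinfo -tls`
# output into the positive cipher-suite list for the server and client
# properties, keeping only suites with forward secrecy and AEAD encryption.

# Constructed sample, shaped like real `keytool -showinfo -tls` output.
SAMPLE_SHOWINFO='Enabled Protocols
-----------------
TLSv1.3
TLSv1.2

Enabled Cipher Suites
---------------------
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_NULL_MD5
SSL_RSA_WITH_RC4_128_MD5
TLS_EMPTY_RENEGOTIATION_INFO_SCSV'

# Print, one per line, the suites from the "Enabled Cipher Suites" section
# worth keeping: TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) and TLS 1.2
# suites with an ephemeral (EC)DHE key exchange and an AEAD cipher.
# Static-RSA key exchange, CBC, NULL, RC4 and the SCSV value are dropped.
# $1 = the showinfo output as a string
strong_suites() {
    printf '%s\n' "$1" | awk '
        /^Enabled Cipher Suites/ { in_list = 1; next }
        !in_list || /^-+$/ || /^[[:space:]]*$/ { next }
        /^TLS_(AES_|CHACHA20_)/ { print; next }
        /^TLS_(ECDHE|DHE)_(ECDSA|RSA)_WITH_(AES_(128|256)_GCM|CHACHA20_POLY1305)_SHA(256|384)$/ { print }
    '
}

# Complement of strong_suites(): every enabled suite we are dropping.
# TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a signalling value, not a cipher,
# so it is neither enabled nor disabled explicitly.
weak_suites() {
    printf '%s\n' "$1" | awk '
        /^Enabled Cipher Suites/ { in_list = 1; next }
        !in_list || /^-+$/ || /^[[:space:]]*$/ { next }
        /_SCSV$/ { next }
        /^TLS_(AES_|CHACHA20_)/ { next }
        /^TLS_(ECDHE|DHE)_(ECDSA|RSA)_WITH_(AES_(128|256)_GCM|CHACHA20_POLY1305)_SHA(256|384)$/ { next }
        { print }
    '
}

# Join stdin lines with commas, the format both Talend properties expect.
join_csv() {
    awk 'NR > 1 { printf "," } { printf "%s", $0 } END { print "" }'
}

# Emit the property lines: the positive list for server and client, and the
# matching negative list if you prefer DISABLED_CIPHER_SUITES on the server.
render_cipher_properties() {
    strong=$(strong_suites "$1" | join_csv)
    weak=$(weak_suites "$1" | join_csv)
    printf '%s\n' "org.talend.remote.server.ssl.enabled.cipher.suites=$strong"
    printf '%s\n' "-Dorg.talend.remote.client.ssl.enabled.cipher.suites=$strong"
    printf '%s\n' "# equivalent negative list for the server:"
    printf '%s\n' "org.talend.remote.jobserver.server.TalendJobServer.DISABLED_CIPHER_SUITES=$weak"
}

# Stand-alone run on the constructed sample; on a real machine use
#   render_cipher_properties "$(keytool -showinfo -tls)"
render_cipher_properties "$SAMPLE_SHOWINFO"
```

Run it once on the JobServer host and once on each client host; if the two positive lists differ, keep only their intersection, since a suite enabled on one side but unsupported on the other can never be negotiated.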
Results
SSL is enabled, keystore and truststore settings are configured, and cipher suites are managed. Restart the JobServer for the new settings to take effect, then confirm with a TLS client such as openssl s_client -connect <jobserver_host>:<jobserver_port> that the listener presents the expected certificate, negotiates only TLSv1.2 or TLSv1.3 and selects one of the suites you enabled.