Securing Remote Engine
Enhance Remote Engine security by encrypting sensitive configuration values and implementing safeguards against potentially harmful artifact archive content.
Encrypting sensitive values before the first start of Talend Remote Engine
Procedure
Results
After starting up the engine, the following configuration values are protected:
Services | Files | Properties |
---|---|---|
ActiveMQ | org.talend.ipaas.rt.eventsource.amq.cfg | activemq.broker.password |
Artifacts cloud storage | org.ops4j.pax.url.mvn.cfg | org.ops4j.pax.url.mvn.servers.<account-id>.release.secretKey |
Logs cloud storage | org.talend.ipaas.rt.logs.cfg | account.secret.key |
Artifact execution metrics vault | org.talend.ipaas.engine.metrics.vault.cfg | vault.secretId |
Observability metrics | org.talend.observability.omc.appender.vault.cfg | vault.secretId |
Improving security against malicious archive content
About this task
Malicious Job archive content can lead to Denial of Service attacks that aim to compromise the file system or consume all available disk space.
To mitigate this risk, you can set stricter limits for folder and file names, while ensuring the limits still leave sufficient space for your Job deployments. The default values for these limits are stored in the org.talend.remote.jobserver.server.cfg file in the etc directory.
When setting these values, ensure they do not exceed the limitations supported by the file system used for the TalendJobServersFiles folder. If any of the specified limits are surpassed during deployment, an error message is displayed and the deployment is rejected. This approach helps maintain system integrity and prevents potential security breaches.
This command displays all system configuration variables related to maximum file name lengths.
Procedure
org.talend.remote.jobserver.commons.config.JobServerConfiguration.
Parameters | Description |
---|---|
| | Maximum size for the archive ZIP file that is being extracted during the deployment. The default value is 1 GB. |
| | Number of entries in the archive file. The default maximum value is 2048. |
| | Length of the archive ZIP file name. The default maximum value is 240 characters. |
| | Length of folder names inside the archive ZIP file. The default maximum length of the unzipped folder name is 240 characters. |
| | Length of file names inside the archive ZIP file. The default maximum value is 240 characters. |
| | Depth limit for folders inside the archive ZIP file. The default value is 64 levels. |
| | Size limit for the sum of all archives stored in TalendJobServersFiles/archiveJobs folder. The default size limit is 100 GB. |
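
The following added example (not Talend code) shows how limits of this kind can be checked against a ZIP archive's central directory before anything is extracted. The field and function names are hypothetical, the defaults are the ones listed in the table above, and "maximum size" is assumed here to mean the sum of the uncompressed sizes declared in the archive; the 100 GB limit on the archiveJobs folder is not covered.

```python
import io
import zipfile
from dataclasses import dataclass
from pathlib import PurePosixPath

@dataclass(frozen=True)
class ArchiveLimits:
    # Defaults are the ones documented on this page; the field names are hypothetical.
    max_unpacked_bytes: int = 1024 ** 3   # 1 GB
    max_entries: int = 2048
    max_archive_name_len: int = 240
    max_folder_name_len: int = 240
    max_file_name_len: int = 240
    max_depth: int = 64

def check_archive(archive_name, data, limits=ArchiveLimits()):
    """Return the sorted list of violated limits; an empty list means 'accept'."""
    errors = []
    if len(archive_name) > limits.max_archive_name_len:
        errors.append("archive name too long")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()   # reads the central directory only, extracts nothing
    if len(infos) > limits.max_entries:
        errors.append("too many entries")
    # Sizes are the values declared in the ZIP headers; an extractor should
    # also count bytes while writing, since headers can understate them.
    if sum(i.file_size for i in infos) > limits.max_unpacked_bytes:
        errors.append("unpacked size too large")
    for info in infos:
        parts = PurePosixPath(info.filename).parts
        folders = parts if info.is_dir() else parts[:-1]
        if len(folders) > limits.max_depth:
            errors.append("folder depth exceeded")
        if any(len(f) > limits.max_folder_name_len for f in folders):
            errors.append("folder name too long")
        if not info.is_dir() and parts and len(parts[-1]) > limits.max_file_name_len:
            errors.append("file name too long")
    return sorted(set(errors))

def build_zip(names):
    """Build a constructed in-memory ZIP with a one-byte payload per file entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"" if name.endswith("/") else b"x")
    return buf.getvalue()

if __name__ == "__main__":
    deep = "/".join(["d"] * 65) + "/job.sh"   # constructed: 65 folder levels
    print(check_archive("ok.zip", build_zip(["job/run.sh", "job/lib/a.jar"])))
    print(check_archive("deep.zip", build_zip([deep, "x" * 241])))
```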