
Securing Remote Engine

Enhance Remote Engine security by encrypting sensitive configuration values and implementing safeguards against potentially harmful artifact archive content.

Tip: Talend Remote Engine provides additional security features beyond the measures described on this page: managing user access, protecting sensitive data within Jobs, securing network communication with SSL, and verifying the signatures of executed artifacts so that only authentic artifacts are run. For further information, see Configuring Remote Engine.

Encrypting sensitive values before the first start of Talend Remote Engine

Encrypt sensitive engine configuration values so that they are not stored in clear text in the configuration files under the etc directory, where anyone with read access to the installation could otherwise recover them.

Procedure

  1. Set up encryption by creating an environment variable:
    • Variable name: TMC_ENGINE_CONFIG_ENCRYPT_PASSWORD.
    • Value: Your chosen encryption password.
  2. Start the engine.

Results

After the engine starts, the following configuration values are protected:

Protected configuration values

  • ActiveMQ
    File: org.talend.ipaas.rt.eventsource.amq.cfg
    Property: activemq.broker.password
  • Artifacts cloud storage
    File: org.ops4j.pax.url.mvn.cfg
    Property: org.ops4j.pax.url.mvn.servers.<account-id>.release.secretKey
  • Logs cloud storage
    File: org.talend.ipaas.rt.logs.cfg
    Property: account.secret.key
  • Artifact execution metrics vault
    File: org.talend.ipaas.engine.metrics.vault.cfg
    Property: vault.secretId
  • Observability metrics
    File: org.talend.observability.omc.appender.vault.cfg
    Property: vault.secretId

To confirm the result, open these files in the etc directory and check that the listed properties no longer contain the secret in clear text. The engine needs the same password to decrypt these values, so make the variable available to the engine process on every start (for example, in the service definition that starts the engine) rather than only in an interactive shell, and restrict read access to wherever that password is stored: anyone who can read it can recover the protected values.

Improving security against malicious archive content

Talend JobServer, one of the core parts of Talend Remote Engine, has built-in protection against ZIP Slip attacks (archive entries whose paths escape the extraction folder, for example through ../ segments) and ZIP Symlink attacks (archive entries that are symbolic links pointing outside it). To enhance security further, you can set limits on archive properties. This protects Talend JobServer from potentially harmful Job archive content.

About this task

Malicious Job archive content can lead to Denial of Service attacks that aim to disrupt the file system or consume all available disk space, for example an archive that expands to many gigabytes, contains thousands of entries, or uses folder and file names so long or so deeply nested that the file system cannot handle them.

To mitigate this risk, you can set stricter limits on folder and file names, archive size, and nesting depth, while still leaving enough room for your Job deployments. The default values for these limits are stored in the org.talend.remote.jobserver.server.cfg file in the etc directory.

When setting these values, ensure they do not exceed the limitations supported by the file system used for the TalendJobServersFiles folder. If any of the specified limits are surpassed during deployment, an error message is displayed and the deployment is rejected. This approach helps maintain system integrity and prevents potential security breaches.

Note: On Linux systems, you can check the current name length limits using this command: getconf -a | grep -i name_max. This command displays all system configuration variables related to maximum file name lengths. To check the limits of the specific file system that holds the TalendJobServersFiles folder, pass the folder as an argument, for example getconf NAME_MAX /path/to/TalendJobServersFiles and getconf PATH_MAX /path/to/TalendJobServersFiles.

Procedure

Evaluate the default values of the following properties and change them if necessary. In the configuration file, each property name is prefixed with org.talend.remote.jobserver.commons.config.JobServerConfiguration. (for example, org.talend.remote.jobserver.commons.config.JobServerConfiguration.MAX_ZIP_DEPTH).
Security parameters for malicious archive protection

  MAX_UNZIPPED_SIZE
    Maximum total size of the content extracted from the Job archive ZIP file during deployment.
    Default: 1 GB.

  MAX_ZIPPED_ENTRIES
    Maximum number of entries in the archive file.
    Default: 2048.

  MAX_ZIP_NAME_LENGTH
    Maximum length of the archive ZIP file name.
    Default: 240 characters.

  MAX_UNZIPPED_FOLDER_NAME_LENGTH
    Maximum length of a folder name inside the archive ZIP file.
    Default: 240 characters.

  MAX_UNZIPPED_FILE_NAME_LENGTH
    Maximum length of a file name inside the archive ZIP file.
    Default: 240 characters.

  MAX_ZIP_DEPTH
    Maximum nesting depth of folders inside the archive ZIP file.
    Default: 64 levels.

  MAX_ARCHIVES_DIR_SIZE
    Maximum total size of all archives stored in the TalendJobServersFiles/archiveJobs folder.
    Default: 100 GB.
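As an added illustration of how these limits act on an archive, the following Python script re-creates the checks with the standard zipfile module, including the ZIP Slip and symlink rejection mentioned at the start of this section, so that a Job archive can be tested before it is deployed. This is example code, not Talend's implementation: the exact way JobServer measures each limit is not documented on this page, so the measurement rules, the two constructed sample archives and the helper names are assumptions.

```python
"""Pre-flight check of a Job archive against the JobServer archive limits.

Added example, not part of Talend Remote Engine. Measurement rules are assumptions:
size is the sum of declared entry sizes, depth is the number of folders in an entry's
path, and name lengths are measured per path component.
"""
import io
import posixpath
import stat
import zipfile

# Default values documented for etc/org.talend.remote.jobserver.server.cfg.
DEFAULT_LIMITS = {
    "MAX_UNZIPPED_SIZE": 1024 ** 3,
    "MAX_ZIPPED_ENTRIES": 2048,
    "MAX_ZIP_NAME_LENGTH": 240,
    "MAX_UNZIPPED_FOLDER_NAME_LENGTH": 240,
    "MAX_UNZIPPED_FILE_NAME_LENGTH": 240,
    "MAX_ZIP_DEPTH": 64,
}


def check_archive(zip_name, data, limits=DEFAULT_LIMITS):
    """Return the list of violations for an archive; an empty list means it passes."""
    problems = []
    if len(zip_name) > limits["MAX_ZIP_NAME_LENGTH"]:
        problems.append(f"archive name too long: {len(zip_name)} chars")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > limits["MAX_ZIPPED_ENTRIES"]:
            problems.append(f"too many entries: {len(infos)}")
        # Sizes come from the central directory, which the attacker controls; a real
        # extractor must also count bytes as they are inflated and stop at the limit.
        total = sum(i.file_size for i in infos)
        if total > limits["MAX_UNZIPPED_SIZE"]:
            problems.append(f"declared unzipped size too large: {total} bytes")
        for info in infos:
            name = info.filename
            norm = posixpath.normpath(name)
            # ZIP Slip: absolute paths or paths that climb out of the extraction folder.
            if name.startswith(("/", "\\")) or norm == ".." or norm.startswith("../"):
                problems.append(f"path escapes extraction folder: {name}")
                continue
            # ZIP Symlink: Unix mode is stored in the high 16 bits of external_attr.
            if stat.S_ISLNK(info.external_attr >> 16):
                problems.append(f"symlink entry: {name}")
            parts = norm.split("/")
            folders = parts if name.endswith("/") else parts[:-1]
            if len(folders) > limits["MAX_ZIP_DEPTH"]:
                problems.append(f"folder depth {len(folders)} too deep: {name[:40]}...")
            for folder in folders:
                if len(folder) > limits["MAX_UNZIPPED_FOLDER_NAME_LENGTH"]:
                    problems.append(f"folder name too long: {folder[:20]}...")
            if not name.endswith("/") and len(parts[-1]) > limits["MAX_UNZIPPED_FILE_NAME_LENGTH"]:
                problems.append(f"file name too long: {parts[-1][:20]}...")
    return problems


def build_zip(entries):
    """Build an in-memory zip from (name, payload, is_symlink) tuples (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload, is_symlink in entries:
            info = zipfile.ZipInfo(name)
            if is_symlink:
                info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, payload)
    return buf.getvalue()


# Constructed archives: a plausible Job layout and one that trips several checks.
GOOD_JOB = build_zip([
    ("MyJob_0.1/lib/routines.jar", b"jar", False),
    ("MyJob_0.1/MyJob/MyJob_run.sh", b"#!/bin/sh\n", False),
])

BAD_JOB = build_zip([
    ("../../etc/cron.d/backdoor", b"* * * * * root id\n", False),  # ZIP Slip
    ("MyJob_0.1/lib/link", b"/etc/shadow", True),                  # symlink entry
    ("/".join(["d"] * 70) + "/x.txt", b"deep", False),             # 70 folder levels
    ("MyJob_0.1/" + "n" * 300 + ".txt", b"long", False),            # 304-char file name
])


if __name__ == "__main__":
    for label, data in (("good", GOOD_JOB), ("bad", BAD_JOB)):
        print(label, check_archive(f"{label}_job.zip", data) or "OK")
```

Run it against a real Job archive by reading the file into `data` and passing its base name as `zip_name`; to mirror your own engine, replace DEFAULT_LIMITS with the values from your org.talend.remote.jobserver.server.cfg. The size check deserves the most scepticism: the central directory is attacker-controlled, so only counting bytes during extraction gives a reliable defence against a zip bomb.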
