Securing Remote Engine

Enhance Remote Engine security by encrypting sensitive configuration values and implementing safeguards against potentially harmful artifact archive content.

Tip: Talend Remote Engine provides additional security features beyond the basic measures. These include managing user access, protecting sensitive data within Jobs, securing network communication using SSL, and ensuring the authenticity of executed artifacts through signature verification. For further information, see Configuring Remote Engine.

Encrypting sensitive values before the first start of Talend Remote Engine

Encrypt sensitive engine configuration values to protect against unauthorized access.

Procedure

Set up encryption by creating an environment variable:
- Variable name: TMC_ENGINE_CONFIG_ENCRYPT_PASSWORD.
- Value: Your chosen encryption password.
Start the engine.

Results

After starting up the engine, the following configuration values are protected:

Protected Configuration Values
Services	Files	Properties
ActiveMQ	org.talend.ipaas.rt.eventsource.amq.cfg	activemq.broker.password
Artifacts cloud storage	org.ops4j.pax.url.mvn.cfg	org.ops4j.pax.url.mvn.servers.<account-id>.release.secretKey
Logs cloud storage	org.talend.ipaas.rt.logs.cfg	account.secret.key
Artifact execution metrics vault	org.talend.ipaas.engine.metrics.vault.cfg	vault.secretId
Observability metrics	org.talend.observability.omc.appender.vault.cfg	vault.secretId

Improving security against malicious archive content

Talend JobServer, one of the core parts of Talend Remote Engine, has built-in protection against ZIP Slip and ZIP Symlink attacks. To enhance security further, you can set limits for archive properties. This protects Talend JobServer from potentially harmful Job archive content.

About this task

Malicious Job archive content can lead to Denial of Service attacks that aim to compromise the file system or consume all available disk space.

To mitigate this risk, you can set stricter limits for folders and files names, ensuring sufficient space needed for your Job deployments. The default values for these limits are stored in the org.talend.remote.jobserver.server.cfg file in the etc directory.

When setting these values, ensure they do not exceed the limitations supported by the file system used for the TalendJobServersFiles folder. If any of the specified limits are surpassed during deployment, an error message is displayed and the deployment is rejected. This approach helps maintain system integrity and prevents potential security breaches.

Note: On Linux systems, you can check current name length limits using this command: getconf -a | grep -i name_max.

This command displays all system configuration variables related to maximum file name lengths.

Procedure

Evaluate the default values of the following properties and make changes if necessary:

These properties all start with

org.talend.remote.jobserver.commons.config.JobServerConfiguration.

Security parameters for malicious archive protection
Parameters	Description
`MAX_UNZIPPED_SIZE`	Maximum size for the archive ZIP file that is being extracted during the deployment. The default value is `1` GB.
`MAX_ZIPPED_ENTRIES`	Number of entries in the archive file. The default maximum value is `2048`.
`MAX_ZIP_NAME_LENGTH`	Length of the archive ZIP file name. The default maximum value is `240` characters.
`MAX_UNZIPPED_FOLDER_NAME_LENGTH`	Length of folder names inside the archive ZIP file. The default maximum length of the unzipped folder name is `240` characters.
`MAX_UNZIPPED_FILE_NAME_LENGTH`	Length of file names inside the archive ZIP file. The default maximum value is `240` characters.
`MAX_ZIP_DEPTH`	Depth limit for folders inside the archive ZIP file. The default value is `64` levels.
`MAX_ARCHIVES_DIR_SIZE`	Size limit for the sum of all archives stored in TalendJobServersFiles/archiveJobs folder. The default size limit is `100`GB.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – please let us know!

Leave your feedback here