Setting up a root Certificate Authority chain
A secured HTTPS connection between the Talend Administration Center web server and its client applications (Studio, Nexus/Artifactory, Git, and so on) can be built on a certificate chain: a long-lived root Certificate Authority (the procedure below assumes a root lifetime of more than 10 years) that signs an intermediate CA, which in turn signs the server certificates. Clients only need to trust the root, so server certificates can be renewed without touching every client truststore.
Procedure
- Generate the certificate (.cer) file through the following sub-steps:
  - Prepare the values below according to your configuration:
    - server IP: serverIP
    - SAN: the server IP (serverIP) and, if available, the DNS names clients use to reach the server
    - Keystore password: changeit (a placeholder; choose your own)
    - Server pretty name: serverPrettyName
  - In PowerShell (or any shell where the JDK's keytool is on the PATH), generate the key pair and its self-signed placeholder certificate with the appropriate values (-genkey is a deprecated alias of -genkeypair):
    keytool -genkeypair -alias serverIP -keyalg RSA -keysize 4096 -keystore talendKey.jks -dname "CN=serverIP, OU=name of the organizational unit/department, O=name of the company/organization, ST=name of the region or state, C=name of the country" -keypass changeit -storepass changeit -ext SAN=ip:serverIP,dns:serverPrettyName
  - Generate a Certificate Signing Request (.csr file) for that key, repeating the SAN so the CA can carry it into the issued certificate:
    keytool -certreq -file serverIP.csr -keystore talendKey.jks -storepass changeit -alias serverIP -ext SAN=ip:serverIP,dns:serverPrettyName
  - Submit the .csr file to your Certificate Authority for signing.
  - Download the issued certificate in PEM format (Base64 "-----BEGIN CERTIFICATE-----" blocks, often labelled "OpenSSL format"). A CA normally returns a bundle: the server certificate first, followed by the intermediate and root certificates.
  - Copy the first certificate block of that bundle (the server certificate) into a file named serverIP.cer with a text editor. Check that the subjectAltName of the issued certificate still contains serverIP and serverPrettyName: a CA applies its own extension policy and may drop or rewrite what was requested in the CSR.
  - On first installation, or whenever the certificate chain changes, the CA certificates must be added to the truststore. Copy the remaining certificate blocks of the bundle (the intermediate and root certificates, not the server certificate) into a file named chain.cer, then import it:
    keytool -import -file /opt/talend/talend-version/truststore/Talend_certificate/chain.cer -keystore /opt/talend/talend-version/truststore/BitTalend -alias chainInformation
    keytool -import stores only the first certificate of a PEM file under the given alias. When chain.cer holds both the intermediate and the root, import each certificate separately under its own alias (for example intermediateCA and rootCA); otherwise only the first CA certificate ends up in the truststore and chain validation fails.
    Tip: If you use self-signed certificates instead of a common Certificate Authority certificate, you can initialize the Java keystore by importing all certificates of the chain. For more information, see the corresponding section in Configuring SSL for Talend Administration Center.
- Merge the issued serverIP.cer file with the private key that is still in the JKS store:
  - Convert the JKS keystore to PKCS#12 with keytool (you are prompted for the source and destination store passwords): keytool -importkeystore -srckeystore talendKey.jks -destkeystore talendKey.p12 -deststoretype PKCS12
  - Extract the private key from the PKCS#12 file into a separate PEM file: openssl pkcs12 -in talendKey.p12 -nodes -nocerts -out talendKey.key
    -nodes writes the key unencrypted. Create it with restrictive permissions (for example under umask 077), keep it on the server only, and delete it once certificate.p12 has been built.
- Combine the certificate, the key file and the certificate chain into a new PKCS#12 file (the alias given with -name is the one Tomcat or Nexus looks up later; keep it consistent with the key alias):
  openssl pkcs12 -export -in serverIP.cer -inkey talendKey.key -out certificate.p12 -chain -CAfile chain.cer -name serverIP
  -chain makes openssl build and verify the complete path from serverIP.cer to a root contained in chain.cer, and it fails if any issuer is missing, which is a useful check that chain.cer is complete.
- Import the PKCS#12 file into the Java keystore with keytool:
  - Nexus: keytool -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -destkeystore keystore
  - Talend Administration Center: keytool -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -destkeystore /opt/talend/talend-version/truststore/BitTalend
  If keytool rejects certificate.p12 with a parse error, the file was most likely written with the default PKCS#12 algorithms of OpenSSL 3, which older JDKs cannot read; rebuild it with the -legacy option of openssl pkcs12 -export.
- If you are using Nexus, store the generated keystore (and truststore) in the <nexus-install>/etc/ssl subfolder, then stop and restart Nexus to apply the change.
- Make sure that the key alias and the passwords in the etc/jetty/jetty-https.xml file match the keystore you generated.
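The steps above delegate the signing to an external Certificate Authority and leave the bundle handling to a text editor. The script below is an added example (not Talend's tooling and not part of the original page) that stands up a throwaway two-tier CA to play that role, so the whole path can be rehearsed offline before a real CA is involved: sign the server CSR without losing its SAN, split the returned PEM bundle into serverIP.cer and chain.cer, verify that the leaf chains to the root, and build certificate.p12 with the same -chain -CAfile invocation the procedure uses. It generates the server key with openssl instead of keytool so that it does not depend on a JDK; the resulting PEM key is exactly what the procedure's openssl pkcs12 -nocerts step extracts. The IP 192.0.2.10, the host name tac.example.internal, the organisation names and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not Talend's tooling: a throwaway two-tier CA that plays the
# "Certificate Authority" of the procedure, so the whole path can be rehearsed
# offline: sign a server CSR without losing its SAN, split the returned PEM
# bundle into serverIP.cer (leaf) and chain.cer (intermediate + root), verify
# the chain, and build the PKCS#12 that keytool imports. Host name, IP,
# organisation and directory names are assumptions.
set -eu

SERVER_IP="${SERVER_IP:-192.0.2.10}"                 # RFC 5737 test address
SERVER_NAME="${SERVER_NAME:-tac.example.internal}"   # the "serverPrettyName"
STOREPASS="${STOREPASS:-changeit}"

# Extension profiles per tier. The SAN is set here, on the CA side, because
# 'openssl x509 -req' (like most CAs) applies its own extensions, not the CSR's.
write_config() {
  cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:${SERVER_IP}, DNS:${SERVER_NAME}
authorityKeyIdentifier = keyid:always
EOF
}

# Self-signed root plus an intermediate signed by it. Only the root needs to
# be trusted by clients; the intermediate does the day-to-day signing.
build_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$1/ca.cnf" \
    -extensions v3_ca -subj "/CN=Example Root CA/O=Example" \
    -keyout "$1/root.key" -out "$1/root.cer"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/ca.cnf" \
    -subj "/CN=Example Issuing CA/O=Example" -keyout "$1/int.key" -out "$1/int.csr"
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.cer" -CAkey "$1/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$1/ca.cnf" \
    -extensions v3_intermediate -out "$1/int.cer"
}

# Server key + CSR (the page creates these with keytool; the PEM key here is
# what its 'openssl pkcs12 -nocerts' step extracts), signed by the intermediate.
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/ca.cnf" \
    -subj "/CN=${SERVER_IP}/OU=IT/O=Example" -keyout "$1/talendKey.key" -out "$1/server.csr"
  openssl x509 -req -in "$1/server.csr" -CA "$1/int.cer" -CAkey "$1/int.key" \
    -CAcreateserial -days 397 -sha256 -extfile "$1/ca.cnf" -extensions v3_server \
    -out "$1/leaf.cer"
  # What a CA portal usually returns: the leaf first, then its issuers.
  cat "$1/leaf.cer" "$1/int.cer" "$1/root.cer" > "$1/bundle.pem"
}

# The "extract the first certificate" step, done mechanically: the first PEM
# block becomes serverIP.cer, everything after it becomes chain.cer.
split_bundle() {
  awk -v leaf="$1/serverIP.cer" -v chain="$1/chain.cer" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == 1 { print > leaf }
    n >= 2 { print > chain }' "$1/bundle.pem"
}

# Checks worth running before touching any keystore: the leaf chains to the
# root via chain.cer, the SAN survived signing, and -chain can build the full
# path (it fails loudly if chain.cer is incomplete).
verify_and_package() {
  openssl verify -CAfile "$1/chain.cer" "$1/serverIP.cer" >/dev/null
  openssl x509 -in "$1/serverIP.cer" -noout -text | grep -q "IP Address:${SERVER_IP}"
  openssl pkcs12 -export -in "$1/serverIP.cer" -inkey "$1/talendKey.key" \
    -chain -CAfile "$1/chain.cer" -name "$SERVER_IP" \
    -passout "pass:$STOREPASS" -out "$1/certificate.p12"
}

# Runs the whole flow in directory $1 and prints certificate counts per file.
cert_chain_demo() {
  write_config "$1"; build_ca "$1"; issue_server_cert "$1"
  split_bundle "$1"; verify_and_package "$1"
  leaf=$(grep -c 'BEGIN CERTIFICATE' "$1/serverIP.cer")
  chain=$(grep -c 'BEGIN CERTIFICATE' "$1/chain.cer")
  p12=$(openssl pkcs12 -in "$1/certificate.p12" -nokeys -passin "pass:$STOREPASS" \
        | grep -c 'BEGIN CERTIFICATE')
  echo "leaf=$leaf chain=$chain p12=$p12"
}

if command -v openssl >/dev/null 2>&1; then
  cert_chain_demo "$(mktemp -d)"       # prints: leaf=1 chain=2 p12=3
else
  echo "openssl not found; nothing to do" >&2
fi
```

The resulting certificate.p12 carries the leaf plus both CA certificates, and the split chain.cer can be fed to keytool -import (one certificate per alias) for the truststore. With a real CA, replace issue_server_cert by submitting server.csr and saving the returned bundle as bundle.pem; the split, verify and package steps stay the same, and the openssl verify call is the quickest way to detect a bundle that is missing its intermediate.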
- Configure the SSL connection:
  - If the certificate is installed on the Tomcat web server, open the <TomcatPath>/conf/server.xml file, uncomment the SSL connector and edit it as follows, pointing keystoreFile and truststoreFile at the stores you created (for example /opt/talend/talend-version/truststore/Talend_SSL/Talend_TAC_QA) and setting keystorePass and truststorePass to the corresponding store passwords:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS" keystoreFile="<SSLFolderPath>/serverKeystore.jks" keystorePass="<keystorePassword>" truststoreFile="<SSLFolderPath>/serverTruststore.jks" truststorePass="<trustStorePassword>" />
    clientAuth="true" enables mutual TLS: every client (Studio, browsers, Nexus) must then present a certificate that chains to a CA in truststoreFile, otherwise the handshake fails. Set it to "false" (or "want") unless you actually deploy client certificates.
  - If the certificate is only set on the webapp itself, see Defining an SSL connection to other applications and remove the default Tomcat entry from the truststore: keytool -delete -alias tomcat -keystore /opt/talend/talend-version/truststore/BitTalend -storepass changeit
Results
Open the Talend Administration Center URL in a browser, using the HTTPS port set in the Connector (8443 in the example above) and a host name or IP that is part of the certificate's SAN: https://serverPrettyName:8443/org.talend.administrator. The application is displayed together with the browser's padlock icon, showing that the server certificate chains to a trusted root. Using https://localhost instead triggers a name-mismatch warning unless localhost was added to the SAN.