
Configuring SSL for Talend JobServer

Configure SSL transport, set up the keystore, and manage cipher suites to encrypt and secure your Talend JobServer's communication channels.

Procedure

  1. Enable SSL in the jobserver/agent/conf/TalendJobServer.properties file.
    org.talend.remote.jobserver.server.TalendJobServer.USE_SSL=true
  2. Still in the jobserver/agent/conf/TalendJobServer.properties file, specify keystore and truststore settings for the server.
    org.talend.remote.server.ssl.keyStore=<path_to_jobserver_keystore>
    org.talend.remote.server.ssl.keyStorePassword=<jobserver_keystore_password>
    org.talend.remote.server.ssl.trustStore=<path_to_jobserver_truststore>
    org.talend.remote.server.ssl.trustStorePassword=<jobserver_truststore_password>
    org.talend.remote.server.ssl.enabled.protocols=TLSv1.2,TLSv1.3
    org.talend.remote.server.ssl.authenticate=<true or false>
    Note: About keystore and truststore:
    • Server keystore and client truststore: The server keystore holds the server’s private key and certificate chain. The client truststore must contain either the server’s signed certificate (exported from the server keystore using keytool -export) or the Certificate Authority (CA) certificate that signed the server’s certificate, so the client can validate the server’s identity.

      At runtime, the client’s TLS (Transport Layer Security) stack verifies whether it can trust a server's certificate. To do this, it follows the server's certificate chain, through any intermediate certificates, until it finds a certificate already trusted in its truststore. If this verification fails, the secure connection (handshake) is aborted. In other words, the client only connects when it matches the server's certificate with an entry in its truststore.

      If there is no truststore specified on the client side, the client uses its JVM's default truststore from $JAVA_HOME/lib/security/cacerts. This is because the org.talend.remote.client.ssl.disablePeerTrust property on the client side defaults to false.

    • Server truststore and client keystore: The server truststore is used for certificate-based client authorization: the server verifies the identity presented by the certificate in the client keystore against the entries in its truststore.
      • If the property org.talend.remote.server.ssl.authenticate is set to true, the Talend JobServer client (Talend Administration Center and Talend Studio) must define a keystore holding a certificate chain through which a client's certificate matches an entry in the Talend JobServer truststore.
      • If org.talend.remote.server.ssl.authenticate=false on the server, client authorization is disabled and the client keystore has no effect.
  3. Specify keystore and truststore settings for the client.
    -Dorg.talend.remote.client.ssl.keyStore=<path_to_client_keystore>
    -Dorg.talend.remote.client.ssl.keyStorePassword=<client_keystore_password>
    -Dorg.talend.remote.client.ssl.trustStore=<path_to_client_truststore>
    -Dorg.talend.remote.client.ssl.trustStorePassword=<client_truststore_password>
    -Dorg.talend.remote.client.ssl.enabled.protocols=TLSv1.2,TLSv1.3
    -Dorg.talend.remote.client.ssl.disablePeerTrust=false
    • For Talend Studio, it is recommended to specify these system properties in studio/Talend-Studio-linux-gtk-x86_64.ini or studio/Talend-Studio-gtk-aarch64.ini.
    • For Talend Administration Center you can use tac/apache-tomcat/bin/setenv.sh to extend the JAVA_OPTS specification:

      export JAVA_OPTS="$JAVA_OPTS -Xmx2048m -Dfile.encoding=UTF-8 -Dorg.talend.remote.client.ssl.keyStore=..."
  4. Override the existing server keystore file (optional).

    Use the Keytool utility to generate a new server keystore and set the location on the server side. For further information, see Configuring a custom SSL keystore (optional).

  5. Manage SSL cipher suites (optional).
    SSL cipher suites are the combinations of key exchange, encryption and integrity algorithms used to establish a secure connection. Some cipher suites offer a lower level of security than others, so you may want to specify explicitly which ciphers to enable or disable.

    You can use either a positive or negative list to manage SSL cipher suites:

    • Disable specific cipher suites: Add the list of ciphers to disable in the <root>/conf/TalendJobServer.properties file:
      org.talend.remote.jobserver.server.TalendJobServer.DISABLED_CIPHER_SUITES=TLS_RSA_WITH_NULL_MD5,SSL_RSA_WITH_RC4_128_MD5,...
    • Enable specific cipher suites (positive list):
      • Server: Define an exclusive positive list of ciphers using the property org.talend.remote.server.ssl.enabled.cipher.suites:
        org.talend.remote.server.ssl.enabled.cipher.suites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,...
      • Client: Define an exclusive positive list of ciphers using the property org.talend.remote.client.ssl.enabled.cipher.suites:
        -Dorg.talend.remote.client.ssl.enabled.cipher.suites=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,...
      Note that the cipher suites shown in the examples above are for demonstration purposes only. Always consult your security team to determine which cipher suites meet your organization's security requirements.
      You can use the Keytool utility to identify the cipher suites supported by the operating system of the machines running Talend JobServer and its clients. Run the following command:
      keytool -showinfo -tls
      The output provides a list of supported cipher suites, which may resemble the following:
      Enabled Protocols
      -----------------
      TLSv1.3
      TLSv1.2
      
      Enabled Cipher Suites
      ---------------------
      TLS_AES_256_GCM_SHA384
      TLS_AES_128_GCM_SHA256
      TLS_CHACHA20_POLY1305_SHA256
      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      ...
      <!-- Skipped for brevity -->
      ...
      TLS_RSA_WITH_AES_128_CBC_SHA
      TLS_EMPTY_RENEGOTIATION_INFO_SCSV
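
As an added example (not Talend's code), the following Python script audits a server TalendJobServer.properties against the client -D options described in steps 2, 3 and 5: it computes the effective server cipher list (positive list minus DISABLED_CIPHER_SUITES), flags legacy protocols and weak suites, and checks that the two sides can still agree on a protocol and suite. The property file contents, option values and paths are constructed samples, not a real deployment.

```python
# Constructed sample of jobserver/agent/conf/TalendJobServer.properties (not a real deployment).
SERVER_PROPS = """\
org.talend.remote.jobserver.server.TalendJobServer.USE_SSL=true
org.talend.remote.server.ssl.enabled.protocols=TLSv1.2,TLSv1.3
org.talend.remote.server.ssl.authenticate=true
org.talend.remote.server.ssl.enabled.cipher.suites=TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_NULL_MD5
org.talend.remote.jobserver.server.TalendJobServer.DISABLED_CIPHER_SUITES=SSL_RSA_WITH_RC4_128_MD5
"""
# Constructed client JVM options (as in Talend-Studio-*.ini or JAVA_OPTS); no client keyStore on purpose.
CLIENT_OPTS = [
    "-Dorg.talend.remote.client.ssl.trustStore=/opt/talend/studio/truststore.jks",
    "-Dorg.talend.remote.client.ssl.enabled.protocols=TLSv1.1,TLSv1.2",
    "-Dorg.talend.remote.client.ssl.enabled.cipher.suites=TLS_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA",
    "-Dorg.talend.remote.client.ssl.disablePeerTrust=false",
]
J, S, C = "org.talend.remote.jobserver.server.TalendJobServer.", "org.talend.remote.server.ssl.", "org.talend.remote.client.ssl."
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
WEAK_MARKERS = ("_NULL_", "_RC4_", "_MD5", "_DES_", "_3DES_", "_EXPORT_", "_anon_")

def parse_kv(lines):
    """Parse key=value entries; a leading -D, comments and blank lines are ignored."""
    pairs = [ln.strip().split("=", 1) for ln in lines if "=" in ln and not ln.strip().startswith("#")]
    return {(k[2:] if k.startswith("-D") else k).strip(): v.strip() for k, v in pairs}

def csv(v):
    return [x.strip() for x in v.split(",") if x.strip()] if v else []

def effective_server_suites(sp):
    """Positive list minus negative list: the suites the server will actually offer."""
    return [s for s in csv(sp.get(S + "enabled.cipher.suites")) if s not in set(csv(sp.get(J + "DISABLED_CIPHER_SUITES")))]

def audit(server_text, client_opts):
    """Return the findings a reviewer would raise before switching SSL on for the JobServer."""
    sp, cp, f = parse_kv(server_text.splitlines()), parse_kv(client_opts), []
    if sp.get(J + "USE_SSL", "false").lower() != "true":
        f.append("USE_SSL is not true: JobServer traffic is unencrypted")
    sproto, cproto = set(csv(sp.get(S + "enabled.protocols"))), set(csv(cp.get(C + "enabled.protocols")))
    ssuites, csuites = effective_server_suites(sp), csv(cp.get(C + "enabled.cipher.suites"))
    for side, protos in (("server", sproto), ("client", cproto)):
        f += [f"{side} enables legacy protocol {p}" for p in sorted(protos & LEGACY_PROTOCOLS)]
    f += [f"weak cipher suite still enabled on server: {s}" for s in ssuites if any(m in s for m in WEAK_MARKERS)]
    for what, a, b in (("protocol", sproto, cproto), ("cipher suite", set(ssuites), set(csuites))):
        if a and b and not a & b:  # both sides restricted but disjoint: the TLS handshake cannot succeed
            f.append(f"no {what} common to server and client: handshake will fail")
    if sp.get(S + "authenticate", "false").lower() == "true" and C + "keyStore" not in cp:
        f.append("server requires client certificates but client defines no keyStore")
    if cp.get(C + "disablePeerTrust", "false").lower() == "true":
        f.append("client disablePeerTrust=true: server certificate is not validated")
    return f
```

Run `audit(SERVER_PROPS, CLIENT_OPTS)` on the sample above and it reports the legacy client protocol, the NULL-cipher suite that the negative list did not remove, and the missing client keystore.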

Results

SSL is enabled, keystore and truststore settings are configured, and cipher suites are managed successfully.

Configuring a custom SSL keystore (optional)

You can choose another server keystore if needed.

About this task

To override the existing server keystore file, you must:
  1. Generate a new keystore with the utility tool called Keytool (Key and Certificate Management Tool).
  2. Set the new keystore location.
  3. Enable the SSL keystore on the server side.

Generate a keystore

Procedure

  1. Open a command prompt and change directory to <root>\keystores where <root> is the Talend JobServer path.
  2. Type in keytool -genkey -keystore <myKeystoreName> -keyalg RSA where <myKeystoreName> refers to the name of the keystore you are creating.
    In the command interface, you are prompted to enter the keystore password twice.
  3. Enter the password for your keystore twice, then enter the other optional information, such as your name, the name of your organization, or your state, if needed.
  4. Type in yes to confirm your information.
  5. Type in the password you have previously defined. The new keystore file has been created in <root>\keystores.

Set the location of the new keystore

To set the new keystore location, you can either edit the JAVA_OPTS environment variable or edit the launching script of the Talend JobServer.

Procedure

  1. Edit the JAVA_OPTS environment variable.
  2. Add the following lines:
    -Djavax.net.ssl.keyStore=/<myDirectory>/<myKeystore>
    -Djavax.net.ssl.keyStorePassword=<myPassword>
    In those lines, <myDirectory> is the installation directory of your keystore, <myKeystore> is the name of your keystore and <myPassword> is the password you have previously defined for your keystore.
    If you have not created the JAVA_OPTS environment variable yet, you must create it before completing this procedure.
    You can also set the location of the new keystore in the start_rs.bat file as shown in the following code:
    rem set the JVM arguments here
    set MY_JVM_ARGS=-Dcom.sun.management.jmxremote -Djava.library.path="%MY_ROOT_PATH%sigar-bin\lin>"
    -Djavax.net.ssl.keyStore=/C:/Builds/Talend/jobserver/keystores/MyKeystore
    -Djavax.net.ssl.keyStorePassword=

Configure the service

Procedure

  1. Open the jsl_static64.ini file to edit it.
    Sample of the content of the jsl_static64.ini file.
  2. Add two parameters holding the same values you have added to the start_rs.bat file:
    -Djavax.net.ssl.keyStore=\<myDirectory>\<myKeystore>
    -Djavax.net.ssl.keyStorePassword=<myPassword>
  3. Update the number in the first line: as you have now eight parameters, type in 8.

What to do next

Enable Secure Sockets Layer as described in Enabling the SSL encryption in Talend Runtime.
