
Enabling SSL communication between your Remote Engine and its JobServer

Set up a secure connection between the JobServer server and the JobServer client within a Remote Engine.

Starting from Talend Remote Engine v2.13.13, SSL communication can be automatically set up during engine installation or modified later. The SSL setup secures traffic between the engine and its JobServer. For further information about automatic SSL setup with the installer, see Installing the Remote Engine automatically.

Both the JobServer server and its client are specific to Talend Remote Engine and installed inside your engine. When a Remote Engine receives a request from Talend Management Console to run a task, the JobServer client deploys artifacts to the JobServer server. The SSL connection you are establishing secures the traffic between these two JobServer sides.

The connection between Talend Management Console and Talend Remote Engine is secured by default and not impacted by this SSL configuration.
Tip: Talend Remote Engine and Talend Studio:

If you use Talend Remote Engine as a remote execution server to run or debug Jobs remotely from Talend Studio, which is typically the case for a development environment, and if SSL is also activated for your engine in this environment, additional configuration is required for Talend Studio integration. For further information, see Configuring Talend Studio as an SSL client to Talend Remote Engine for remote runs and debug runs.

If you use only Talend Management Console to manage and run artifacts, the communication between Talend Management Console and Talend Remote Engine is automatically secured. Talend Studio does not need to directly communicate with Talend Remote Engine.

About this task

The procedure in this section explains how SSL is configured behind the scenes, so you can make manual modifications when needed, such as integrating Talend Studio into SSL communication. The following list provides a brief summary of those modifications:
  • To simplify the process, reuse the engine's JobServer client keystore and truststore for Studio.
  • When modifying SSL after installation, you must manually generate the required keystores and truststores, and update the following configuration files:
    • <RemoteEngineInstallationDirectory>/etc/org.talend.remote.jobserver.server.cfg
    • <RemoteEngineInstallationDirectory>/etc/system.properties

Procedure

  1. Open the <RemoteEngineInstallationDirectory>/etc/org.talend.remote.jobserver.server.cfg file.
    Modify or confirm the following parameters to enable SSL for JobServer server:
    # Use SSL (Secure Sockets Layer) for establishing an encrypted link between the JobServer and its clients
    org.talend.remote.jobserver.server.TalendJobServer.USE_SSL=${org.talend.remote.client.ssl.force}
    
    # Set to true to enforce certificate based client authorization for JobServer
    org.talend.remote.server.ssl.authenticate=true
    
    org.talend.remote.server.ssl.keyStore=${karaf.base}/etc/keystores/jobserver-keystore.p12
    org.talend.remote.server.ssl.keyStoreType=PKCS12
    org.talend.remote.server.ssl.keyStorePassword=${env:TMC_ENGINE_JOB_SERVER_SSL_KEY_STORE_PASSWORD}
    org.talend.remote.server.ssl.keyPassword=${env:TMC_ENGINE_JOB_SERVER_SSL_KEY_STORE_PASSWORD}
    
    org.talend.remote.server.ssl.trustStore=${karaf.base}/etc/keystores/jobserver-truststore.p12
    org.talend.remote.server.ssl.trustStoreType=PKCS12
    org.talend.remote.server.ssl.trustStorePassword=${env:TMC_ENGINE_JOB_SERVER_SSL_KEY_STORE_PASSWORD}
    
    # avoid TLSv < 1.2 for Jobserver if possible for security reasons
    org.talend.remote.server.ssl.enabled.protocols=TLSv1.2,TLSv1.3

    By default, all keystore and truststore files are stored in <RemoteEngineInstallationDirectory>/etc/keystores, and a single password is set for all stores, using the TMC_ENGINE_JOB_SERVER_SSL_KEY_STORE_PASSWORD environment variable. This configuration simplifies SSL management.

  2. Open the <RemoteEngineInstallationDirectory>/etc/system.properties file.
    Modify or confirm the following parameters to enable SSL for JobServer client:
    # JobServer client SSL configuration
    org.talend.remote.client.ssl.force=true
    org.talend.remote.client.ssl.keyStore=${karaf.base}/etc/keystores/jobserver-client-keystore.p12
    org.talend.remote.client.ssl.keyStoreType=PKCS12
    org.talend.remote.client.ssl.keyStorePassword=${env:TMC_ENGINE_JOB_SERVER_SSL_KEY_STORE_PASSWORD}
    org.talend.remote.client.ssl.keyPassword=${env:TMC_ENGINE_JOB_SERVER_SSL_KEY_STORE_PASSWORD}
    org.talend.remote.client.ssl.trustStore=${karaf.base}/etc/keystores/jobserver-client-truststore.p12
    org.talend.remote.client.ssl.trustStoreType=PKCS12
    org.talend.remote.client.ssl.trustStorePassword=${env:TMC_ENGINE_JOB_SERVER_SSL_KEY_STORE_PASSWORD}
    org.talend.remote.client.ssl.disablePeerTrust=false
    org.talend.remote.client.ssl.enabled.protocols=TLSv1.2,TLSv1.3
  3. Restart the engine to apply the changes.
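A consistency check for the two files edited in this procedure, as an added example (not Talend's code): it resolves the `${org.talend.remote.client.ssl.force}` reference across both files and reports every value that deviates from the ones listed above. The function names and the sample configuration are constructed for illustration, and treating any password that is not a `${env:...}` reference as a finding is an assumption based on the default shown above.

```python
import re

PREFIX = "org.talend.remote."
EXPECTED = {"jobserver.server.TalendJobServer.USE_SSL": "true", "client.ssl.force": "true",
            "server.ssl.authenticate": "true", "client.ssl.disablePeerTrust": "false"}

def parse_properties(text):  # key=value lines; blanks and # comments are skipped
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(server_cfg, system_properties):
    """Return a list of findings for the two engine files (empty list = values match the page)."""
    props = {**parse_properties(system_properties), **parse_properties(server_cfg)}
    def get(key):
        # Expand ${other.property}; ${env:...} and ${karaf.base} are left untouched.
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)),
                      props.get(PREFIX + key, ""))
    findings = []
    for key, want in EXPECTED.items():
        if get(key).lower() != want:
            findings.append(f"{key} is {get(key)!r}, expected {want}")
    for side in ("server", "client"):
        protocols = {p.strip() for p in get(f"{side}.ssl.enabled.protocols").split(",") if p.strip()}
        if not protocols or protocols - {"TLSv1.2", "TLSv1.3"}:
            findings.append(f"{side}.ssl.enabled.protocols is {sorted(protocols)}")
    for key, value in props.items():
        if key.endswith("Password") and not value.startswith("${env:"):
            findings.append(f"{key} holds a literal password")
    return findings

# Constructed sample, not from a real engine: three deliberate weaknesses on the server side.
SAMPLE_SERVER_CFG = """
org.talend.remote.jobserver.server.TalendJobServer.USE_SSL=${org.talend.remote.client.ssl.force}
org.talend.remote.server.ssl.authenticate=false
org.talend.remote.server.ssl.keyStorePassword=changeit
org.talend.remote.server.ssl.enabled.protocols=TLSv1.1,TLSv1.2
"""
SAMPLE_SYSTEM_PROPERTIES = """
org.talend.remote.client.ssl.force=true
org.talend.remote.client.ssl.disablePeerTrust=false
org.talend.remote.client.ssl.enabled.protocols=TLSv1.2,TLSv1.3
"""
if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVER_CFG, SAMPLE_SYSTEM_PROPERTIES):
        print("FINDING:", finding)
```

Run it against the contents of the real files before restarting the engine; a missing key is reported the same way as a wrong value.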

Configuring Talend Studio as an SSL client to Talend Remote Engine for remote runs and debug runs

Securely connect Talend Studio to a Talend Remote Engine JobServer using SSL by configuring the required keystore and truststore settings.

When SSL is enabled on the engine's JobServer, Talend Studio must be configured as an SSL client to communicate securely for remote run and debug operations. You can use the same keystore and truststore files as the engine, and specify their locations and passwords in Talend Studio's startup configuration.

If you do not need to use Talend Remote Engine for remote run and debugging, and you only publish artifacts to Talend Management Console to manage task runs from there, skip this section, because your Studio does not need to directly communicate with Talend Remote Engine.

Procedure

  1. Copy the required keystore and truststore files from the Talend Remote Engine to your Talend Studio machine.

    Place jobserver-client-keystore.p12 and jobserver-client-truststore.p12 into a secure directory.

  2. Edit Talend Studio's startup configuration file to specify SSL system properties:

    studio/Talend-Studio-linux-gtk-x86_64.ini or studio/Talend-Studio-gtk-aarch64.ini.

    In this file, add the following lines, adapting the file paths and password as needed:

    -Dorg.talend.remote.client.ssl.force=true
    -Dorg.talend.remote.client.ssl.keyStore=<client-keystore-path>
    -Dorg.talend.remote.client.ssl.keyStoreType=PKCS12
    -Dorg.talend.remote.client.ssl.keyStorePassword=<client-keystore-password>
    -Dorg.talend.remote.client.ssl.keyPassword=<client-keystore-password>
    -Dorg.talend.remote.client.ssl.trustStore=<client-truststore-path>
    -Dorg.talend.remote.client.ssl.trustStoreType=PKCS12
    -Dorg.talend.remote.client.ssl.trustStorePassword=<client-truststore-password>
    -Dorg.talend.remote.client.ssl.disablePeerTrust=false
    -Dorg.talend.remote.client.ssl.enabled.protocols=TLSv1.2,TLSv1.3

    If you followed the previous procedure or used the installer to automatically activate SSL for Talend Remote Engine, one single password was set for all stores and saved in the environment variable TMC_ENGINE_JOB_SERVER_SSL_KEY_STORE_PASSWORD on the Talend Remote Engine machine.
  3. If Studio is open, restart it.

    This ensures the new SSL settings are applied.

Results

You can now run or debug a Job remotely on the target Talend Remote Engine with SSL-enabled communication.
