topic Re: 2 way ssl per data service in talend runtime in Talend Studio

2 way ssl per data service in talend runtime

Anonymous — Sat, 16 Nov 2024 04:13:16 GMT

Hi community,

I have developped a simple rest api using trestrequest et trestresponse components and i deployed it successfully to work with https and basic authentification after doing some modication in org.ops4j.pax.web.cfg and user.properties files.

For a new need, i have to develop a new rest api wich will be called by another api (amazon api getway) by using the https and 2 way ssl athentification, I've been looking at chapter https://help.talend.com/search/all?query=HTTP+Conduit+OSGi+Configuration+Parameters&content-lang=en, but I think that this configuration is used to allow my rest api to access 3rd party web services over SSL, however what i need is to allow the external api to acces to my talend api over 2 way ssl, so my question is :

- is it possible to set the security in talend runtime per web service ? for example let my first api works with only https and basic athentification, create a new api wich works with https and 2 way ssl, create another wich works with https only ...etc.

Thank you in advance for your answers (andi sorry for my bad english).

Regards.

Re: 2 way ssl per data service in talend runtime

Anonymous — Mon, 04 Nov 2019 10:23:18 GMT

Hi,

you can do this with the Talend Runtime (Apache Karaf) configuration for the Service (HTTPS) port.

Please see: https://help.talend.com/reader/T7hdMN16K129AtayaQluAA/5OIrBL0jqfkI7Z_2~MY1JQ

And also this one can help even so for an older version of Apache Karaf but still close to the things you need to do: http://blog.nanthrax.net/?p=316

Dietmar

Re: 2 way ssl per data service in talend runtime

Anonymous — Mon, 04 Nov 2019 13:07:00 GMT

Hi Dietmar,

Thank you for your aswer, i had already seen this 2 links and for me the solution described in this links allows to set the ssl connection for all the data services developed and deployed in Talend runtime (Karaf).

This is my org.ops4j.pax.web.cfg file configuration :

#org.osgi.service.http.port=8181  ==> disable the http port

org.osgi.service.http.port.secure=9001
org.osgi.service.http.secure.enabled=true
org.ops4j.pax.web.ssl.keystore=./etc/keystores/keystore.jks
org.ops4j.pax.web.ssl.password=password
org.ops4j.pax.web.ssl.keypassword=password
#org.ops4j.pax.web.ssl.clientauthwanted=false
org.ops4j.pax.web.ssl.clientauthneeded=true

Let suppose (this is my case) that i develop 2 talend Rest Api :

- The first one is destinated to be called by an internal application (SAP for example), so we don't need de to set a strong security (Https + basic athentification will suffice and the client doesn't need to provide any certificate)

- The second one will be called only from an external application (Salesforce as it is in the cloud) and in this case, we have to put a strong security (2 way ssl)

If i modify the org.ops4j.pax.web.cfg as described above and restard the runtime (Karaf):

- The second rest api will work as expected.

- The first rest api wich works only with basic authentification will not word and ask for a certificate to be verified ! may be the configuration set in org.ops4j.pax.web.cfg impact all talend data services ?

Did i miss some settings, so my first api will work as expected ?

Thank you in advance.

Re: 2 way ssl per data service in talend runtime

Anonymous — Mon, 04 Nov 2019 14:15:38 GMT

Hi,

well, if you really need different settings - and you mentioned it already in your first post - on our HTTPS port then I would say the only easy way to do this is via two seperate containers. One for the basic auth + SSL and one for the 2 way SSL. Theoretically there might be an option with the jetty config where you can add a new HTTPS Port (addConnector) (see: http://blog.nanthrax.net/?p=352) but I would say the dependencies between pax web and your lower level jetty config are not easy to handle and by this I would not recommend to go this way.

You can run the container multiple times on the same machine and we provide some scripts to configure the second container to not have any port conflicts see: https://help.talend.com/reader/T7hdMN16K129AtayaQluAA/hP9UySpDSk4xcwybQm5s2w it is in my mind the only easy enough option to do what you like to do.

HTH,

Dietmar

Re: 2 way ssl per data service in talend runtime

Anonymous — Thu, 14 Nov 2019 13:17:39 GMT

Hi,

Thank you for all your suggestions, i really appreciate your help.

The two solutions can resolve my issue and i prefer the jetty.xml configuration to have only one container with several connectors but i'm not in this step because the tow solution don't work for me, here is what iam doing :

Solution 1 == > Enabling client authentication for SSL by modifying the org.ops4j.pax.web.cfg file :

I tried to reproduce exactly the example given in the talend help https://help.talend.com/reader/yovCMqvJzyaSSSIdrlB4FQ/HlVXm6zYbAL14q4Lq84a1w , when i call my rest service from Chrome, Firefox, CURL or Postman after adding the client certificate it always show me "BAD CERTIFICATE", i added our certificate Authority and restarted karaf, always the same error message "BAD CERTIFICATE"

As this solution did not work for me, i tried the second solution by modyfiying the jetty.xml file and tested the one way ssl for example as described here : https://help.talend.com/reader/yovCMqvJzyaSSSIdrlB4FQ/xWGGon_HvMs8tUG8RhStDQ , after restarting karaf i'm not able to call the rest service.

here is my talend rest service :

My first try by modifying the org.ops4j.pax.web.cfg and restarting karaf:

My second try by modifying the jetty.xml file and adding my connector and restarting karaf:

Iam using TOS_ESB-20190620_1446-V7.2.1

Thank for your help in advance.