TLS Configuration
Ataccama ONE modules support enabling TLS on gRPC and HTTP communication layers on both the server and the client side. This is applicable to both Java and Python-based modules.
On the server side, the following options are available:
-
The same TLS configuration can be set for all connections.
-
TLS can be enabled only on the gRPC or HTTP servers.
-
gRPC and HTTP servers can use different TLS configurations.
On the client side, you can choose one of the following approaches:
-
The same TLS configuration can be set for all connections.
-
Different TLS configurations can be enabled per connection type, that is, separately for all gRPC connections and all HTTP connections.
-
Each connection can have its own TLS configuration. Optionally, this configuration can be shared for both gRPC and HTTP protocols.
When it comes to securing the communication with dependencies, for most of the dependencies this is done by configuring an HTTP client. It is also possible to enable TLS for database connections.
The following sections provide more information about the necessary configuration changes.
How to configure TLS for ONE modules
Server configuration
Server-related TLS properties have the following prefixes:
-
gRPC:
ataccama.server.grpc.tls
. -
HTTP:
ataccama.server.http.tls
. -
gRPC and HTTP:
ataccama.server.tls
.
The For example, a shared keystore and its password can be provided through the properties |
The following properties are used to enable TLS on the server side and are configured in the corresponding deployment in the Configuration Service or in the <module>/etc/application.properties
configuration file:
Property | Data type | Description | ||
---|---|---|---|---|
|
Boolean |
If set to |
||
|
String |
The full path to the keystore, for example, For more information about how to configure TLS in the latter case, see their respective configurations: Configuring Anomaly Detection, term-suggestions-services-configuration.adoc, Configuring AI Matching.
|
||
|
String |
The password for decrypting the keystore. Used if the keystore is encrypted (recommended). |
||
|
String |
The type of the keystore.
Allowed values: |
||
|
String |
The private key name specified in the provided keystore that is used for TLS.
|
||
|
String |
The password for the private key. Used if the private key is encrypted. |
In Spring Boot applications, the listed HTTPS properties are aliases for standard Spring properties. For more information, see the Spring Boot official documentation. |
When it comes to gRPC, it uses only one port on the server side:
ataccama.server.grpc.port=6565
If the value is set to 0
, a random port number is used instead.
Examples
Sample configuration: TLS enabled for gRPC and HTTP
ataccama.server.tls.enabled=true
ataccama.server.tls.key-store=file:/path/to/keystore
ataccama.server.tls.key-store-type=PKCS12
ataccama.server.tls.key-store-password=w3ryS3cr3tP4ss0rd
ataccama.server.tls.key-alias=tlscertificate
Sample configuration: TLS enabled only for gRPC
ataccama.server.grpc.tls.enabled=true
ataccama.server.grpc.tls.key-store=file:/path/to/keystore
ataccama.server.grpc.tls.key-store-type=PKCS12
ataccama.server.grpc.tls.key-store-password=w3ryS3cr3tP4ss0rd
ataccama.server.grpc.tls.key-alias=tlscertificate
Sample configuration: TLS enabled for gRPC and HTTP, different aliases used
ataccama.server.tls.enabled=true
ataccama.server.tls.key-store=file:/path/to/keystore
ataccama.server.tls.key-store-type=PKCS12
ataccama.server.tls.key-store-password=w3ryS3cr3tP4ss0rd
ataccama.server.grpc.tls.key-alias=alias1
ataccama.server.http.tls.key-alias=alias2
Client configuration
On the client side, it is possible to configure multiple connections of different types.
The connection itself is defined through the properties with the following prefix: ataccama.client.connection.<connection_name>
.
Property | Data type | Description |
---|---|---|
|
String |
The hostname or the IP address where the client is running. |
|
Number |
The number of the client’s gRPC or HTTP port. The correct connection type needs to be set accordingly. |
Depending on the selected combination, the following property prefixes are used:
-
For a single connection:
-
gRPC and HTTP:
ataccama.client.connection.connection-name.tls
. -
gRPC:
ataccama.client.connection.connection-name.grpc.tls
. -
HTTP:
ataccama.client.connection.connection-name.http.tls
.
-
-
All connections:
-
gRPC and HTTP:
ataccama.client.tls
. -
gRPC:
ataccama.client.grpc.tls
. -
HTTP:
ataccama.client.http.tls
.
-
Based on the prefix used, the properties are prioritized in the following order, starting from the highest priority:
|
The following properties are used to enable TLS on the client side and are configured in the corresponding deployment in the Configuration Service or in the <module>/etc/application.properties
configuration file:
Property | Data type | Description | ||
---|---|---|---|---|
|
Boolean |
If set to |
||
|
String |
The full path to the truststore with all the trusted certification authorities (CA), for example,
|
||
|
String |
The type of the truststore.
Allowed values: |
||
|
String |
The password for decrypting the truststore. Used if the truststore is encrypted (recommended). |
||
|
Boolean |
Defines whether the client should verify the certificate of the server with which it communicates.
If set to |
Examples
Sample configuration: gRPC and HTTP connection settings for the same server, TLS disabled
ataccama.client.connection.mmm.host=mmm.domain.org
ataccama.client.connection.mmm.http.port=8080
ataccama.client.connection.mmm.grpc.port=5132
Sample configuration: gRPC and HTTP connection settings for the same server, TLS enabled
ataccama.client.connection.mmm.host=mmm.domain.org
ataccama.client.connection.mmm.tls.enabled=true
ataccama.client.connection.mmm.tls.trust-store=file:/path/to/truststore.p12
ataccama.client.connection.mmm.http.port=8080
ataccama.client.connection.mmm.grpc.port=5132
Sample configuration: gRPC and HTTP connection settings for different servers, TLS enabled
ataccama.client.tls.enabled=true
ataccama.client.tls.trust-store=file:/path/to/truststore.p12
ataccama.client.connection.mmm.host=mmm.domain.org
ataccama.client.connection.mmm.http.port=8080
ataccama.client.connection.mmm.grpc.port=5132
ataccama.client.connection.dpe.host=dpe.domain.org
ataccama.client.connection.dpe.http.port=8080
ataccama.client.connection.dpe.grpc.port=5132
Sample configuration: gRPC and HTTP connection settings for the same server, TLS enabled for gRPC only
ataccama.client.connection.mmm.host=mmm.domain.org
ataccama.client.connection.mmm.http.port=8080
ataccama.client.connection.mmm.grpc.port=5132
ataccama.client.connection.mmm.grpc.tls.enabled=true
ataccama.client.connection.mmm.grpc.tls.trust-store=file:/path/to/truststore
Sample configuration: gRPC and HTTP connection settings for different servers, TLS enabled individually for gRPC and HTTP
# Enable TLS for all connections
ataccama.client.tls.enabled=true
ataccama.client.tls.trust-store=file:/path/to/truststore.p12
ataccama.client.connection.mmm.host=mmm.domain.org
ataccama.client.connection.mmm.http.port=8080
ataccama.client.connection.mmm.grpc.port=5132
ataccama.client.connection.dpe.host=dpe.domain.org
ataccama.client.connection.dpe.http.port=8080
ataccama.client.connection.dpe.grpc.port=5132
ataccama.client.connection.dpm.host=dpm.domain.org
# HTTP connectiion to DPM uses a different truststore
ataccama.client.connection.dpm.http.port=8080
ataccama.client.connection.dpm.http.tls.trust-store=file:/path/to/another/truststore.p12
# Disable TLS for the gRPC connection to DPM
ataccama.client.connection.dpm.grpc.port=5132
ataccama.client.connection.dpm.grpc.tls.enabled=false
Sample configuration: TLS settings of DPE during hybrid installation, TLS enabled
# Set to true to enable TLS communication.
ataccama.client.connection.dpm.grpc.tls.enabled=true
# Select one of the following methods:
# Set to true to trust all TLS certificates.
# This is not recommended as a permanent solution.
# ataccama.client.connection.dpm.grpc.tls.trust-all=false
# Or set the path to certificate collection.
# ataccama.client.grpc.connection.dpm.tls.trust-cert-collection=./path/to/trust/cert/chain.crt1
# Or configure these properties to access a certificate trust store.
# ataccama.client.grpc.connection.dpm.tls.trust-store=file:path/to/trust/cert/trust-store.pfx
# ataccama.client.grpc.connection.dpm.tls.trust-store-password=pswd
# ataccama.client.grpc.connection.dpm.tls.trust-store-type=PKCS12|JCEKS
How to configure TLS for dependencies
Client configuration
The following properties are used to configure secured client connections for some of the dependencies such as Keycloak and ONE Object Storage (MinIO).
Property | Data type | Description |
---|---|---|
|
Boolean |
If set to |
|
Boolean |
Enables TLS authentication when communicating with the dependency. |
|
String |
The full path to the truststore, for example, |
|
String |
The type of the truststore.
Allowed values: |
|
String |
The password for the trusstore. Used if the truststore is encrypted. |
Keycloak
TLS configuration for Keycloak is supplied in the following modules:
Module | Location of configuration files |
---|---|
Metadata Management Module (MMM) |
MMM deployment in the Configuration Service or |
Data Processing Module (DPM) |
DPM deployment in the Configuration Service or |
Data Processing Engine (DPE) |
DPE deployment in the Configuration Service or |
Keycloak uses the HTTP client name keycloak
and the following options need to be provided:
ataccama.client.connection.keycloak.http.enabled
ataccama.client.connection.keycloak.http.tls.enabled
ataccama.client.connection.keycloak.http.tls.trust-store
ataccama.client.connection.keycloak.http.tls.trust-store-password
Elasticsearch
Depending on your needs, you can configure Elasticsearch to use HTTP basic authentication, TLS, or mTLS. In all three cases, changes are made to the MMM configuration and Elasticsearch settings.
HTTP basic authentication
The following properties need to be added to the MMM deployment in the Configuration Service or to the be/etc/application.properties
file:
plugin.catalog-search.ataccama.one.engine.elasticsearch.basic-auth.enabled=true
plugin.catalog-search.ataccama.one.engine.elasticsearch.basic-auth.username=<;username>
plugin.catalog-search.ataccama.one.engine.elasticsearch.basic-auth.password=<password>
On the Elasticsearch side, the following properties are added to the etc/elasticsearch/elasticsearch.yml
file:
xpack.license.self_generated.type: basic
xpack.security.enabled: true
TLS
To enable TLS, the following properties need to be set for MMM.
This is done either in the MMM deployment in the Configuration Service or in the be/etc/application.properties
file.
The HTTP client name for Elasticsearch is es_search
.
ataccama.client.connection.es_search.http.tls.enabled=true
ataccama.client.connection.es_search.http.tls.trust-store=file:/path/to/truststore.p12
ataccama.client.connection.es_search.http.tls.trust-store-type=PKCS12
ataccama.client.connection.es_search.http.tls.trust-store-password=<;password>
# For all Elasticsearch hosts, the scheme needs to be updated to HTTPS.
plugin.catalog-search.ataccama.one.engine.elasticsearch.hosts=https://localhost:9200
For Elasticsearch, in the etc/elasticsearch/elasticsearch.yml
configuration file, set the properties:
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: path/to/truststore.p12
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.password: <password>
mTLS
A prerequisite for configuring mTLS is enabling TLS for MMM and Elasticsearch.
Additional properties for MMM are set in the MMM deployment in the Configuration Service or in the be/etc/application.properties
file.
ataccama.client.connection.es_search.http.tls.mtls=true
ataccama.client.connection.es_search.http.tls.trust-store=file:/path/to/keystore.p12
ataccama.client.connection.es_search.http.tls.trust-store-type=PKCS12
ataccama.client.connection.es_search.http.tls.trust-store-password=<password>
For Elasticsearch, the following properties need to be supplied in the etc/elasticsearch/elasticsearch.yml
configuration file.
xpack.security.http.ssl.client_authentication: required
xpack.security.http.ssl.truststore.path: path/to/keystore.p12
xpack.security.http.ssl.truststore.type: PKCS12
xpack.security.http.ssl.truststore.password: <password>
MinIO
MinIO is the default provider for ONE Object Storage Configuration. To enable secured communication for MinIO, you need to configure an HTTP client for MinIO in the following modules:
Module | Location of configuration files |
---|---|
MMM |
|
DPM |
|
DPE |
|
The default HTTP client name for MinIO is object-storage1
.
The following options need to be provided:
ataccama.client.connection.object-storage1.http.enabled=true
ataccama.client.connection.object-storage1.http.tls.enabled=true
ataccama.client.connection.object-storage1.http.tls.trust-store=file:/path/to/truststore.jks
ataccama.client.connection.object-storage1.http.tls.trust-store-password=<password>
If you are using several object storage instances or want to change the client name, add this property as well:
Make sure to replace the HTTP client name in all related properties as well. |
PostgreSQL
PostgreSQL offers native support for SSL communication between the server and the client side that is configured through PostgreSQL settings and JDBC connection string parameters.
Configure JDBC connection string
The SSL mode is specified by adding the sslmode
parameter to the JDBC connection string.
Depending on the level of security that you want, the parameter can be set to the following options:
-
require
: The client requires SSL to be enabled on the server, otherwise the connection fails. The server needs to be configured so that it can recognize the client’s identity. -
verify-full
: Enforces the highest level of security. In this case, the server certificate chain is fully checked before a connection is established, including verifying the server host name against the name provided in the server certificate. If these conditions are not met, the connection fails.
For a full overview of the SSL client configuration, see the official PostgreSQL guide on SSL Client. |
To secure the communication with PostgreSQL for all components relying on a PostgreSQL database, the following parameters need to be added when configuring the connection: ssl=true&sslmode=require
.
Component | Location of configuration files | Property | Example JDBC connection string |
---|---|---|---|
MMM |
MMM deployment in the Configuration Service or |
|
|
DPM |
DPM deployment in the Configuration Service or |
|
|
Term Suggestions |
Term Suggestions deployment in the Configuration Service or |
|
|
Event Storage |
MMM deployment in the Configuration Service or |
|
|
Keycloak |
The configuration file |
The |
|
External Lineage (MANTA) |
MMM deployment in the Configuration Service or be/etc/application.properties. |
|
|
Audit |
Audit deployment in the Configuration Service or |
|
|
If you are using sslmode=verify-full
, additional parameters are required, such as sslfactory
(default value: org.postgresql.ssl.DefaultJavaSSLFactory
), sslcert
, sslkey
, and others.
For more information about additional SSL settings, refer to the PostgreSQL official guide: Connecting to the Database. |
How to configure PostgreSQL
By default, PostgreSQL is configured to use a self-signed certificate and key created by post-installation scripts of the ssl-cert
package.
To replace these with your own certificate, edit the following values in the /etc/postgresql/<psql_version>/main
file and provide your own certificate and key files:
ssl = on
# ssl_ca_file = ''
ssl_cert_file = '/path/to/cert.pem'
# ssl_crl_file = ''
ssl_key_file = '/path/to/cert.key'
Event storage
Given that the Event Storage and modules communicate through PostgreSQL, the same guidelines apply as for configuring TLS for PostgreSQL.
MANTA
To enable TLS for MANTA, the following properties need to be supplied to the Data Processing Engine (DPE).
This can be done in the DPE deployment in the Configuration Service or in the dpe/etc/application.properties
configuration file.
The HTTP client name for MANTA is manta
.
ataccama.client.connection.manta.http.enabled=true
ataccama.client.connection.manta.http.tls.enabled=true
ataccama.client.connection.manta.http.tls.trust-store=file:/path/to/truststore.pfx
ataccama.client.connection.manta.http.tls.trust-store-password=<;password>
# The scheme for the MANTA Admin GUI needs to be updated to HTTPS.
plugin.manta-integration.ataccama.one.manta-integration.url-admin-gui=https://localhost:8181/manta-admin-gui/
For more information about how to secure the communication with the PostgreSQL database, see the section on PostgreSQL.
The following property is used for MANTA: plugin.relationships-graph.ataccama.one.relationships.external.url
.
Was this page useful?