ONE Desktop ONE DQG ONE MDM ONE RDM ONE Runtime Server
latest (15.1.0) 14.5.x 13.9.x 13.8.x 13.7.x 13.6.x 13.5.0 13.4.x 13.3.x 13.2.x
User Community Service Desk Downloads
If you can't find the product or version you're looking for, visit support.ataccama.com/downloads

TLS Configuration

Ataccama ONE modules support enabling TLS on gRPC and HTTP communication layers on both the server and the client side. This is applicable to both Java and Python-based modules.

On the server side, the following options are available:

  • The same TLS configuration can be set for all connections.

  • TLS can be enabled only on the gRPC or HTTP servers.

  • gRPC and HTTP servers can use different TLS configurations.

On the client side, you can choose one of the following approaches:

  • The same TLS configuration can be set for all connections.

  • Different TLS configurations can be enabled per connection type, that is, separately for all gRPC connections and all HTTP connections.

  • Each connection can have its own TLS configuration. Optionally, this configuration can be shared for both gRPC and HTTP protocols.

When it comes to securing the communication with dependencies, for most of the dependencies this is done by configuring an HTTP client. It is also possible to enable TLS for database connections.

The following sections provide more information about the necessary configuration changes.

How to configure TLS for ONE modules

Server configuration

Server-related TLS properties have the following prefixes:

  • gRPC: ataccama.server.grpc.tls.

  • HTTP: ataccama.server.http.tls.

  • gRPC and HTTP: ataccama.server.tls.

The ataccama.server.grpc.tls. and ataccama.server.http.tls. properties have higher priority compared to the ataccama.server.tls.* properties. As property fallback is handled on the property level, this lets you configure which properties should have specific values for gRPC or HTTP layer.

For example, a shared keystore and its password can be provided through the properties ataccama.server.tls.key-store and ataccama.server.tls.key-store-password prefix while the key aliases are supplied in the properties ataccama.server.grpc.tls.key-alias and ataccama.server.http.tls.key-alias.

The following properties are used to enable TLS on the server side and are configured in the corresponding deployment in the Configuration Service or in the <module>/etc/application.properties configuration file:

Property Data type Description

ataccama.server.{grpc|http}.tls.enabled

Boolean

If set to true, TLS communication is enabled.

ataccama.server.{grpc|http}.tls.key-store

String

The full path to the keystore, for example, file:/path/to/keystore.p12. The classpath is applicable only for Java applications and is not used for the Python-based services (Anomaly Detection, Term Suggestions, AI Matching).

For more information about how to configure TLS in the latter case, see their respective configurations: Configuring Anomaly Detection, term-suggestions-services-configuration.adoc, Configuring AI Matching.

Currently, keystores cannot be automatically generated for Java applications.

ataccama.server.{grpc|http}.tls.key-store-password

String

The password for decrypting the keystore. Used if the keystore is encrypted (recommended).

ataccama.server.{grpc|http}.tls.key-store-type

String

The type of the keystore. Allowed values: PKCS12 (recommended), JCEKS (recommended), JKS.

ataccama.server.{grpc|http}.tls.key-alias

String

The private key name specified in the provided keystore that is used for TLS.

The following applies for Java applications:

  • If the keystore contains multiple keys and this property is not set, a built-in Java mechanism selects the correct certificate. This mechanism requires all items to share the same password if they are encrypted. Otherwise, only the keystore encryption is used.

  • If the keystore contains multiple items and this property is not set, the correct server certificate is selected based on the client configuration as the client trusts only one of the server certificates.

ataccama.server.{grpc|http}.tls.key-password

String

The password for the private key. Used if the private key is encrypted.
In Spring Boot applications, the listed HTTPS properties are aliases for standard Spring properties. For more information, see the Spring Boot official documentation.

When it comes to gRPC, it uses only one port on the server side:

ataccama.server.grpc.port=6565

If the value is set to 0, a random port number is used instead.

Examples

Sample configuration: TLS enabled for gRPC and HTTP 
ataccama.server.tls.enabled=true
ataccama.server.tls.key-store=file:/path/to/keystore
ataccama.server.tls.key-store-type=PKCS12
ataccama.server.tls.key-store-password=w3ryS3cr3tP4ss0rd
ataccama.server.tls.key-alias=tlscertificate
Sample configuration: TLS enabled only for gRPC 
ataccama.server.grpc.tls.enabled=true
ataccama.server.grpc.tls.key-store=file:/path/to/keystore
ataccama.server.grpc.tls.key-store-type=PKCS12
ataccama.server.grpc.tls.key-store-password=w3ryS3cr3tP4ss0rd
ataccama.server.grpc.tls.key-alias=tlscertificate
Sample configuration: TLS enabled for gRPC and HTTP, different aliases used 
ataccama.server.tls.enabled=true
ataccama.server.tls.key-store=file:/path/to/keystore
ataccama.server.tls.key-store-type=PKCS12
ataccama.server.tls.key-store-password=w3ryS3cr3tP4ss0rd

ataccama.server.grpc.tls.key-alias=alias1
ataccama.server.http.tls.key-alias=alias2

Client configuration

On the client side, it is possible to configure multiple connections of different types. The connection itself is defined through the properties with the following prefix: ataccama.client.connection.<connection_name>.

Property Data type Description

ataccama.client.connection.<connection_name>.host

String

The hostname or the IP address where the client is running.

ataccama.client.connection.<connection_name>.<grpc|http>.port

Number

The number of the client’s gRPC or HTTP port. The correct connection type needs to be set accordingly.

Depending on the selected combination, the following property prefixes are used:

  • For a single connection:

    • gRPC and HTTP: ataccama.client.connection.connection-name.tls.

    • gRPC: ataccama.client.connection.connection-name.grpc.tls.

    • HTTP: ataccama.client.connection.connection-name.http.tls.

  • All connections:

    • gRPC and HTTP: ataccama.client.tls.

    • gRPC: ataccama.client.grpc.tls.

    • HTTP: ataccama.client.http.tls.

Based on the prefix used, the properties are prioritized in the following order, starting from the highest priority:

  • ataccama.client.tls.*

  • ataccama.client.{grpc|http}.tls.*

  • ataccama.client.connection.<connection_name>.tls.*

  • ataccama.client.connection.<connection_name>.{grpc|http}.tls.*

The following properties are used to enable TLS on the client side and are configured in the corresponding deployment in the Configuration Service or in the <module>/etc/application.properties configuration file:

Property Data type Description

ataccama.client.{connection.<connection_name>}.{grpc|http}.tls.enabled

Boolean

If set to true, TLS communication is enabled on the client side.

ataccama.{connection.<connection_name>}.{grpc|http}.tls.trust-store

String

The full path to the truststore with all the trusted certification authorities (CA), for example, file:/path/to/truststore.p12.

For Java applications, a truststore can be used if the public certificate of the certificate authority that signed the server certificate is available. In the current version, if you want to configure the client so that it trusts only a particular server public certificate, use the property trust-cert-collection instead.

ataccama.{connection.<connection_name>}.{grpc|http}.tls.trust-store-type

String

The type of the truststore. Allowed values: PKCS12 (recommended), JCEKS (recommended), JKS.

ataccama.{connection.<connection_name>}.{grpc|http}.tls.trust-store-password

String

The password for decrypting the truststore. Used if the truststore is encrypted (recommended).

ataccama.{connection.<connection_name>}.{grpc|http}.tls.trust-all

Boolean

Defines whether the client should verify the certificate of the server with which it communicates. If set to false, the server certificate is not checked.

Examples

Sample configuration: gRPC and HTTP connection settings for the same server, TLS disabled 
ataccama.client.connection.mmm.host=mmm.domain.org
ataccama.client.connection.mmm.http.port=8080
ataccama.client.connection.mmm.grpc.port=5132
Sample configuration: gRPC and HTTP connection settings for the same server, TLS enabled 
ataccama.client.connection.mmm.host=mmm.domain.org
ataccama.client.connection.mmm.tls.enabled=true
ataccama.client.connection.mmm.tls.trust-store=file:/path/to/truststore.p12
ataccama.client.connection.mmm.http.port=8080
ataccama.client.connection.mmm.grpc.port=5132
Sample configuration: gRPC and HTTP connection settings for different servers, TLS enabled 
ataccama.client.tls.enabled=true
ataccama.client.tls.trust-store=file:/path/to/truststore.p12
ataccama.client.connection.mmm.host=mmm.domain.org
ataccama.client.connection.mmm.http.port=8080
ataccama.client.connection.mmm.grpc.port=5132
ataccama.client.connection.dpe.host=dpe.domain.org
ataccama.client.connection.dpe.http.port=8080
ataccama.client.connection.dpe.grpc.port=5132
Sample configuration: gRPC and HTTP connection settings for the same server, TLS enabled for gRPC only 
ataccama.client.connection.mmm.host=mmm.domain.org
ataccama.client.connection.mmm.http.port=8080
ataccama.client.connection.mmm.grpc.port=5132
ataccama.client.connection.mmm.grpc.tls.enabled=true
ataccama.client.connection.mmm.grpc.tls.trust-store=file:/path/to/truststore
Sample configuration: gRPC and HTTP connection settings for different servers, TLS enabled individually for gRPC and HTTP 
# Enable TLS for all connections
ataccama.client.tls.enabled=true
ataccama.client.tls.trust-store=file:/path/to/truststore.p12

ataccama.client.connection.mmm.host=mmm.domain.org
ataccama.client.connection.mmm.http.port=8080
ataccama.client.connection.mmm.grpc.port=5132

ataccama.client.connection.dpe.host=dpe.domain.org
ataccama.client.connection.dpe.http.port=8080
ataccama.client.connection.dpe.grpc.port=5132

ataccama.client.connection.dpm.host=dpm.domain.org
# HTTP connectiion to DPM uses a different truststore
ataccama.client.connection.dpm.http.port=8080
ataccama.client.connection.dpm.http.tls.trust-store=file:/path/to/another/truststore.p12
# Disable TLS for the gRPC connection to DPM
ataccama.client.connection.dpm.grpc.port=5132
ataccama.client.connection.dpm.grpc.tls.enabled=false
Sample configuration: TLS settings of DPE during hybrid installation, TLS enabled 
# Set to true to enable TLS communication.
ataccama.client.connection.dpm.grpc.tls.enabled=true

# Select one of the following methods:

# Set to true to trust all TLS certificates.
# This is not recommended as a permanent solution.
# ataccama.client.connection.dpm.grpc.tls.trust-all=false

# Or set the path to certificate collection.
# ataccama.client.grpc.connection.dpm.tls.trust-cert-collection=./path/to/trust/cert/chain.crt1

# Or configure these properties to access a certificate trust store.
# ataccama.client.grpc.connection.dpm.tls.trust-store=file:path/to/trust/cert/trust-store.pfx
# ataccama.client.grpc.connection.dpm.tls.trust-store-password=pswd
# ataccama.client.grpc.connection.dpm.tls.trust-store-type=PKCS12|JCEKS

How to configure TLS for dependencies

Client configuration

The following properties are used to configure secured client connections for some of the dependencies such as Keycloak and ONE Object Storage (MinIO).

Property Data type Description

ataccama.client.connection.<client_name>.http.enabled

Boolean

If set to true, an HTTP client is created for this dependency.

ataccama.client.connection.<client_name>.http.tls.enabled

Boolean

Enables TLS authentication when communicating with the dependency.

ataccama.client.connection.<client_name>.http.tls.trust-store

String

The full path to the truststore, for example, file:/path/to/truststore.p12.

ataccama.client.connection.<client_name>.http.tls.trust-store-type

String

The type of the truststore. Allowed values: PKCS12, JCEKS, JKS.

ataccama.client.connection.<client_name>.http.tls.trust-store-password

String

The password for the trusstore. Used if the truststore is encrypted.

Keycloak

TLS configuration for Keycloak is supplied in the following modules:

Module Location of configuration files

Metadata Management Module (MMM)

MMM deployment in the Configuration Service or be/etc/application.properties.

Data Processing Module (DPM)

DPM deployment in the Configuration Service or dpm/etc/application.properties.

Data Processing Engine (DPE)

DPE deployment in the Configuration Service or dpe/etc/application.properties.

Keycloak uses the HTTP client name keycloak and the following options need to be provided:

ataccama.client.connection.keycloak.http.enabled
ataccama.client.connection.keycloak.http.tls.enabled
ataccama.client.connection.keycloak.http.tls.trust-store
ataccama.client.connection.keycloak.http.tls.trust-store-password

Elasticsearch

Depending on your needs, you can configure Elasticsearch to use HTTP basic authentication, TLS, or mTLS. In all three cases, changes are made to the MMM configuration and Elasticsearch settings.

HTTP basic authentication

The following properties need to be added to the MMM deployment in the Configuration Service or to the be/etc/application.properties file:

plugin.catalog-search.ataccama.one.engine.elasticsearch.basic-auth.enabled=true
plugin.catalog-search.ataccama.one.engine.elasticsearch.basic-auth.username=<;username>
plugin.catalog-search.ataccama.one.engine.elasticsearch.basic-auth.password=<password>

On the Elasticsearch side, the following properties are added to the etc/elasticsearch/elasticsearch.yml file:

xpack.license.self_generated.type: basic
xpack.security.enabled: true

TLS

To enable TLS, the following properties need to be set for MMM. This is done either in the MMM deployment in the Configuration Service or in the be/etc/application.properties file.

The HTTP client name for Elasticsearch is es_search.

ataccama.client.connection.es_search.http.tls.enabled=true
ataccama.client.connection.es_search.http.tls.trust-store=file:/path/to/truststore.p12
ataccama.client.connection.es_search.http.tls.trust-store-type=PKCS12
ataccama.client.connection.es_search.http.tls.trust-store-password=<;password>
# For all Elasticsearch hosts, the scheme needs to be updated to HTTPS.
plugin.catalog-search.ataccama.one.engine.elasticsearch.hosts=https://localhost:9200

For Elasticsearch, in the etc/elasticsearch/elasticsearch.yml configuration file, set the properties:

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: path/to/truststore.p12
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.password: <password>

mTLS

A prerequisite for configuring mTLS is enabling TLS for MMM and Elasticsearch. Additional properties for MMM are set in the MMM deployment in the Configuration Service or in the be/etc/application.properties file.

ataccama.client.connection.es_search.http.tls.mtls=true
ataccama.client.connection.es_search.http.tls.trust-store=file:/path/to/keystore.p12
ataccama.client.connection.es_search.http.tls.trust-store-type=PKCS12
ataccama.client.connection.es_search.http.tls.trust-store-password=<password>

For Elasticsearch, the following properties need to be supplied in the etc/elasticsearch/elasticsearch.yml configuration file.

xpack.security.http.ssl.client_authentication: required
xpack.security.http.ssl.truststore.path: path/to/keystore.p12
xpack.security.http.ssl.truststore.type: PKCS12
xpack.security.http.ssl.truststore.password: <password>

MinIO

MinIO is the default provider for ONE Object Storage Configuration. To enable secured communication for MinIO, you need to configure an HTTP client for MinIO in the following modules:

Module Location of configuration files

MMM

MMM deployment in the Configuration Service or be/etc/application.properties.

DPM

DPM deployment in the Configuration Service or dpm/etc/application.properties.

DPE

DPE deployment in the Configuration Service or dpe/etc/application.properties.

The default HTTP client name for MinIO is object-storage1. The following options need to be provided:

ataccama.client.connection.object-storage1.http.enabled=true
ataccama.client.connection.object-storage1.http.tls.enabled=true
ataccama.client.connection.object-storage1.http.tls.trust-store=file:/path/to/truststore.jks
ataccama.client.connection.object-storage1.http.tls.trust-store-password=<password>

If you are using several object storage instances or want to change the client name, add this property as well:

ataccama.one.object-storage.storages[0].http-client=<http_client_name>

Make sure to replace the HTTP client name in all related properties as well.

PostgreSQL

PostgreSQL offers native support for SSL communication between the server and the client side that is configured through PostgreSQL settings and JDBC connection string parameters.

Configure JDBC connection string

The SSL mode is specified by adding the sslmode parameter to the JDBC connection string. Depending on the level of security that you want, the parameter can be set to the following options:

  • require: The client requires SSL to be enabled on the server, otherwise the connection fails. The server needs to be configured so that it can recognize the client’s identity.

  • verify-full: Enforces the highest level of security. In this case, the server certificate chain is fully checked before a connection is established, including verifying the server host name against the name provided in the server certificate. If these conditions are not met, the connection fails.

For a full overview of the SSL client configuration, see the official PostgreSQL guide on SSL Client.

To secure the communication with PostgreSQL for all components relying on a PostgreSQL database, the following parameters need to be added when configuring the connection: ssl=true&sslmode=require.

Component Location of configuration files Property Example JDBC connection string

MMM

MMM deployment in the Configuration Service or be/etc/application.properties.

spring.datasource.url

jdbc:postgresql://localhost:5432/mmm?currentSchema=public&ssl=true&sslmode=require

DPM

DPM deployment in the Configuration Service or dpm/etc/application.properties.

spring.datasource.url

jdbc:postgresql://localhost:5432/dpm?ssl=true&sslmode=require

Term Suggestions

Term Suggestions deployment in the Configuration Service or term-suggestions/etc/application.properties.

ataccama.one.aicore.database.connection-string

jdbc:postgresql://localhost:5432/ai?ssl=true&sslmode=require

Event Storage

MMM deployment in the Configuration Service or be/etc/application.properties.

ataccama.one.event.storage.backend.global.jdbcUrl

jdbc:postgresql://localhost:5432/events?ssl=true&sslmode=require

Keycloak

The configuration file /one20/dep/keycloak/standalone/configuration/standalone.xml.

The <connection-url> element nested in <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">.

jdbc:postgresql://localhost:5432/keycloak?ssl=true&sslmode=require

External Lineage (MANTA)

MMM deployment in the Configuration Service or be/etc/application.properties.

plugin.relationships-graph.ataccama.one.relationships.external.url

jdbc:postgresql://localhost:5432/mmm?currentSchema=public&ssl=true&sslmode=require

Audit

Audit deployment in the Configuration Service or audit/etc/application.properties.

ataccama.audit.spring.datasource.jdbcUrl

jdbc:postgresql://localhost:5432/audit?ssl=true&sslmode=require

If you are using sslmode=verify-full, additional parameters are required, such as sslfactory (default value: org.postgresql.ssl.DefaultJavaSSLFactory), sslcert, sslkey, and others.

For more information about additional SSL settings, refer to the PostgreSQL official guide: Connecting to the Database.

How to configure PostgreSQL

By default, PostgreSQL is configured to use a self-signed certificate and key created by post-installation scripts of the ssl-cert package. To replace these with your own certificate, edit the following values in the /etc/postgresql/<psql_version>/main file and provide your own certificate and key files:

ssl = on
# ssl_ca_file = ''
ssl_cert_file = '/path/to/cert.pem'
# ssl_crl_file = ''
ssl_key_file = '/path/to/cert.key'

Event storage

Given that the Event Storage and modules communicate through PostgreSQL, the same guidelines apply as for configuring TLS for PostgreSQL.

MANTA

To enable TLS for MANTA, the following properties need to be supplied to the Data Processing Engine (DPE). This can be done in the DPE deployment in the Configuration Service or in the dpe/etc/application.properties configuration file. The HTTP client name for MANTA is manta.

ataccama.client.connection.manta.http.enabled=true
ataccama.client.connection.manta.http.tls.enabled=true
ataccama.client.connection.manta.http.tls.trust-store=file:/path/to/truststore.pfx
ataccama.client.connection.manta.http.tls.trust-store-password=<;password>
# The scheme for the MANTA Admin GUI needs to be updated to HTTPS.
plugin.manta-integration.ataccama.one.manta-integration.url-admin-gui=https://localhost:8181/manta-admin-gui/

For more information about how to secure the communication with the PostgreSQL database, see the section on PostgreSQL. The following property is used for MANTA: plugin.relationships-graph.ataccama.one.relationships.external.url.

Was this page useful?