
TLS Configuration

Ataccama ONE modules support enabling TLS on gRPC and HTTP communication layers on both the server and the client side. This is applicable to both Java and Python-based modules.

On the server side, the following options are available:

  • The same TLS configuration can be set for all connections.

  • TLS can be enabled only on the gRPC or HTTP servers.

  • gRPC and HTTP servers can use different TLS configurations.

On the client side, you can choose one of the following approaches:

  • The same TLS configuration can be set for all connections.

  • Different TLS configurations can be enabled per connection type, that is, separately for all gRPC connections and all HTTP connections.

  • Each connection can have its own TLS configuration. Optionally, this configuration can be shared for both gRPC and HTTP protocols.

For most dependencies, communication is secured by configuring an HTTP client for that dependency. TLS can also be enabled on database connections.

The following sections provide more information about the necessary configuration changes.

How to configure TLS for ONE modules

Server configuration

Server-related TLS properties have the following prefixes:

  • gRPC: ataccama.server.grpc.tls.

  • HTTP: ataccama.server.http.tls.

  • gRPC and HTTP: ataccama.server.tls.

The ataccama.server.grpc.tls.* and ataccama.server.http.tls.* properties take priority over the ataccama.server.tls.* properties. Fallback is resolved per property, not per prefix, so you can give a single property a gRPC- or HTTP-specific value while every other property is taken from the shared prefix.

For example, a shared keystore and its password can be provided through ataccama.server.tls.key-store and ataccama.server.tls.key-store-password, while the key aliases are supplied separately in ataccama.server.grpc.tls.key-alias and ataccama.server.http.tls.key-alias.

The following properties are used to enable TLS on the server side and are configured in the corresponding deployment in the <module>/etc/application.properties configuration file:

Property Data type Description

ataccama.server.{grpc|http}.tls.enabled

Boolean

If set to true, TLS communication is enabled.

ataccama.server.{grpc|http}.tls.key-store

String

The full path to the keystore, for example, file:/path/to/keystore.p12. A classpath: location is applicable only for Java applications and is not used for the Python-based services (Anomaly Detection, Term Suggestions, AI Matching).

For more information about how to configure TLS for the Python-based services, see their respective configuration pages: Anomaly Detection configuration, Term Suggestions services configuration, and Configuring AI Matching.

Currently, keystores cannot be automatically generated for Java applications.

ataccama.server.{grpc|http}.tls.key-store-password

String

The password for decrypting the keystore. Used if the keystore is encrypted (recommended).

ataccama.server.{grpc|http}.tls.key-store-type

String

The type of the keystore. Allowed values: PKCS12 (recommended), JCEKS (recommended), JKS.

ataccama.server.{grpc|http}.tls.key-alias

String

The private key name specified in the provided keystore that is used for TLS.

The following applies for Java applications:

  • If the keystore contains multiple keys and this property is not set, a built-in Java mechanism selects the certificate. This mechanism requires all encrypted entries to share the same password; otherwise only the keystore-level encryption can be used.

  • If the keystore contains multiple entries and this property is not set, the server certificate is selected based on the client configuration, as the client trusts only one of the server certificates. Setting key-alias explicitly avoids depending on this selection.

ataccama.server.{grpc|http}.tls.key-password

String

The password for the private key. Used if the private key is encrypted.

In Spring Boot applications, the listed HTTPS properties are aliases for standard Spring properties. For more information, see the Spring Boot official documentation.

gRPC uses a single port on the server side, set through the following property:

ataccama.server.grpc.port=6565

If the value is set to 0, a random port number is used instead.

Examples

Sample configuration: TLS enabled for gRPC and HTTP
ataccama.server.tls.enabled=true
ataccama.server.tls.key-store=file:/path/to/keystore
ataccama.server.tls.key-store-type=PKCS12
ataccama.server.tls.key-store-password=w3ryS3cr3tP4ss0rd
ataccama.server.tls.key-alias=tlscertificate
Sample configuration: TLS enabled only for gRPC
ataccama.server.grpc.tls.enabled=true
ataccama.server.grpc.tls.key-store=file:/path/to/keystore
ataccama.server.grpc.tls.key-store-type=PKCS12
ataccama.server.grpc.tls.key-store-password=w3ryS3cr3tP4ss0rd
ataccama.server.grpc.tls.key-alias=tlscertificate
Sample configuration: TLS enabled for gRPC and HTTP, different aliases used
ataccama.server.tls.enabled=true
ataccama.server.tls.key-store=file:/path/to/keystore
ataccama.server.tls.key-store-type=PKCS12
ataccama.server.tls.key-store-password=w3ryS3cr3tP4ss0rd

ataccama.server.grpc.tls.key-alias=alias1
ataccama.server.http.tls.key-alias=alias2
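The page notes that keystores are not generated automatically for Java applications. The following script, an added example rather than Ataccama tooling, builds a PKCS12 keystore that the key-store, key-store-password, key-store-type and key-alias properties above can point at, and then verifies the three things that most often go wrong at deployment: the alias exists, the leaf certificate chains to the CA that clients will be told to trust, and the certificate carries a SAN matching the hostname clients connect to. It uses only openssl; the CA name, the hostname mmm.domain.org, the alias, the password and the work directory are constructed values, not anything the product prescribes.

```shell
#!/bin/sh
# Added example, not Ataccama tooling: builds the PKCS12 keystore that the
# ataccama.server.tls.key-store / key-alias properties point at, then checks
# it the way a reviewer would before deployment. Needs only openssl (1.1.1+).
# The CA name, hostname, alias, password and work directory are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-mmm.domain.org}"                 # name clients will connect to
ALIAS="${ALIAS:-tlscertificate}"               # value for ...tls.key-alias
STORE_PASS="${STORE_PASS:-w3ryS3cr3tP4ss0rd}"  # sample password from the page

# make_keystore: prints the path of the new keystore.p12 (runs in a subshell
# so the cd does not leak into the caller)
make_keystore() (
    cd "$WORK"
    # 1. Throw-away private CA; in production the certificate comes from your PKI.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Internal CA" -keyout ca.key -out ca.crt 2>/dev/null
    # 2. Server key and CSR; the SAN is what clients check under verify-full.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
        -keyout server.key -out server.csr 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" >server.ext
    # 3. CA signs the leaf; -extfile carries the SAN into the certificate.
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -sha256 -extfile server.ext -out server.crt 2>/dev/null
    # 4. Key, leaf and CA into one PKCS12; -name is the alias Java will see,
    #    and the CA cert is included so the server sends the full chain.
    openssl pkcs12 -export -inkey server.key -in server.crt -certfile ca.crt \
        -name "$ALIAS" -passout "pass:$STORE_PASS" -out keystore.p12
    chmod 600 keystore.p12 server.key ca.key   # private material: owner-only
    printf '%s\n' "$WORK/keystore.p12"
)

# check_keystore <keystore>: alias present, leaf chains to ca.crt, SAN == HOST
check_keystore() {
    openssl pkcs12 -in "$1" -passin "pass:$STORE_PASS" -info -nokeys 2>/dev/null \
        | grep -q "friendlyName: $ALIAS" \
        || { echo "alias $ALIAS not found in $1" >&2; return 1; }
    openssl pkcs12 -in "$1" -passin "pass:$STORE_PASS" -nokeys -clcerts \
        -out "$WORK/leaf.pem" 2>/dev/null
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/leaf.pem" >/dev/null 2>&1 \
        || { echo "leaf certificate does not chain to ca.crt" >&2; return 1; }
    openssl x509 -in "$WORK/leaf.pem" -noout -text | grep -q "DNS:$HOST" \
        || { echo "SAN lacks $HOST; verify-full clients will reject it" >&2; return 1; }
}

# wrong_password_rejected <keystore>: succeeds only if a bad password fails
wrong_password_rejected() {
    ! openssl pkcs12 -in "$1" -passin pass:not-the-password -nokeys \
        -info >/dev/null 2>&1
}

STORE=$(make_keystore)
check_keystore "$STORE"
echo "keystore OK: $STORE (alias=$ALIAS, type=PKCS12)"
```

Point ataccama.server.tls.key-store at the printed keystore.p12, set key-store-type=PKCS12 and key-alias=tlscertificate, and supply the password through key-store-password. Build the matching client truststore from the generated ca.crt with keytool (keytool -importcert -trustcacerts -alias example-ca -file ca.crt -keystore truststore.p12 -storetype PKCS12) rather than with openssl: Java only loads a certificate-only PKCS12 entry as a trusted certificate when it carries the Oracle trusted-key-usage attribute, which keytool writes and openssl does not write by default.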

Client configuration

On the client side, it is possible to configure multiple connections of different types. The connection itself is defined through the properties with the following prefix: ataccama.client.connection.<connection_name>.

Property Data type Description

ataccama.client.connection.<connection_name>.host

String

The hostname or the IP address of the server that this connection targets (for example, the MMM host for a connection named mmm).

ataccama.client.connection.<connection_name>.<grpc|http>.port

Number

The gRPC or HTTP port of the target server. Set the port under the connection type that is actually used.

Depending on the selected combination, the following property prefixes are used:

  • For a single connection:

    • gRPC and HTTP: ataccama.client.connection.<connection_name>.tls.

    • gRPC: ataccama.client.connection.<connection_name>.grpc.tls.

    • HTTP: ataccama.client.connection.<connection_name>.http.tls.

  • All connections:

    • gRPC and HTTP: ataccama.client.tls.

    • gRPC: ataccama.client.grpc.tls.

    • HTTP: ataccama.client.http.tls.

Based on the prefix used, the properties are prioritized in the following order, starting from the highest priority. The most specific prefix wins, and fallback is resolved per property:

  • ataccama.client.connection.<connection_name>.{grpc|http}.tls.*

  • ataccama.client.connection.<connection_name>.tls.*

  • ataccama.client.{grpc|http}.tls.*

  • ataccama.client.tls.*

This is what allows the examples further down to enable TLS for all connections with ataccama.client.tls.enabled=true and then switch it off, or use a different truststore, for a single connection and protocol.
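Both fallback rules on this page, the server-side one (protocol-specific ataccama.server.{grpc|http}.tls.* beats shared ataccama.server.tls.*) and the client-side one above (connection- and protocol-specific prefixes beat the global ones), are easy to get wrong when a properties file mixes several prefixes. The script below is an added example, not the product's own property resolution code: it implements the stated precedence over a constructed application.properties fragment and prints the effective TLS settings per connection and protocol, flagging any connection that ends up with trust-all=true. The connection names, paths and values are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of Ataccama ONE: resolves the effective TLS property
# for a server listener or a client connection using the fallback order the
# page describes (the most specific prefix wins, per property).
# The properties file below is constructed for the demonstration.
set -eu

PROPS="${PROPS:-$(mktemp)}"
cat >"$PROPS" <<'EOF'
# server: shared keystore, gRPC-specific alias
ataccama.server.tls.enabled=true
ataccama.server.tls.key-store=file:/path/to/keystore
ataccama.server.tls.key-alias=shared
ataccama.server.grpc.tls.key-alias=alias1
# client: TLS on everywhere, one truststore override, one protocol opted out
ataccama.client.tls.enabled=true
ataccama.client.tls.trust-store=file:/path/to/truststore.p12
ataccama.client.connection.dpm.http.tls.trust-store=file:/path/to/another/truststore.p12
ataccama.client.connection.dpm.grpc.tls.enabled=false
# a constructed mistake: verification switched off for one legacy connection
ataccama.client.connection.legacy.http.tls.trust-all=true
EOF

# lookup <file> <full.property.name>: prints the last value set, fails if unset
lookup() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')     # dots must match literally
    val=$(sed -n "s/^$pat=//p" "$1" | tail -n 1)
    [ -n "$val" ] && printf '%s\n' "$val"
}

# resolve_server <file> <grpc|http> <key>: protocol-specific beats shared
resolve_server() {
    for p in "ataccama.server.$2.tls" "ataccama.server.tls"; do
        lookup "$1" "$p.$3" && return 0
    done
    return 1
}

# resolve_client <file> <connection> <grpc|http> <key>: walk from the most
# specific prefix to the global one, as the client priority list states
resolve_client() {
    for p in "ataccama.client.connection.$2.$3.tls" \
             "ataccama.client.connection.$2.tls" \
             "ataccama.client.$3.tls" \
             "ataccama.client.tls"; do
        lookup "$1" "$p.$4" && return 0
    done
    return 1
}

# effective_client <file> <connection> <grpc|http>: one-line summary that also
# flags trust-all=true, which leaves the server unauthenticated
effective_client() {
    en=$(resolve_client "$1" "$2" "$3" enabled || echo false)
    ts=$(resolve_client "$1" "$2" "$3" trust-store || printf 'none\n')
    ta=$(resolve_client "$1" "$2" "$3" trust-all || echo false)
    warn=""
    [ "$ta" = true ] && warn=" WARNING:server-cert-not-verified"
    printf '%s/%s enabled=%s trust-store=%s%s\n' "$2" "$3" "$en" "$ts" "$warn"
}

for c in mmm dpm legacy; do
    for p in grpc http; do effective_client "$PROPS" "$c" "$p"; done
done
```

Run it against a real <module>/etc/application.properties by setting PROPS to that file and dropping the heredoc; the dpm/grpc line coming out as enabled=false while dpm/http keeps the override truststore is the behaviour the precedence list promises, and a WARNING line is the cue to hunt down a trust-all=true left over from troubleshooting.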

The following properties are used to enable TLS on the client side and are configured in the corresponding <module>/etc/application.properties configuration file:

Property Data type Description

ataccama.client.{connection.<connection_name>}.{grpc|http}.tls.enabled

Boolean

If set to true, TLS communication is enabled on the client side.

ataccama.client.{connection.<connection_name>}.{grpc|http}.tls.trust-store

String

The full path to the truststore with all the trusted certification authorities (CA), for example, file:/path/to/truststore.p12.

For Java applications, a truststore can be used if the public certificate of the certificate authority that signed the server certificate is available. In the current version, if you want to configure the client so that it trusts only a particular server public certificate, use the property trust-cert-collection instead.

ataccama.client.{connection.<connection_name>}.{grpc|http}.tls.trust-store-type

String

The type of the truststore. Allowed values: PKCS12 (recommended), JCEKS (recommended), JKS.

ataccama.client.{connection.<connection_name>}.{grpc|http}.tls.trust-store-password

String

The password for decrypting the truststore. Used if the truststore is encrypted (recommended).

ataccama.client.{connection.<connection_name>}.{grpc|http}.tls.trust-all

Boolean

Defines whether the client skips verification of the server certificate. If set to true, the server certificate is not checked at all: the connection is still encrypted, but anyone able to intercept it can impersonate the server. Keep it at false (the secure setting) outside short-lived troubleshooting and configure trust-store or trust-cert-collection instead.

Examples

Sample configuration: gRPC and HTTP connection settings for the same server, TLS disabled
ataccama.client.connection.mmm.host=mmm.domain.org
ataccama.client.connection.mmm.http.port=8080
ataccama.client.connection.mmm.grpc.port=5132
Sample configuration: gRPC and HTTP connection settings for the same server, TLS enabled
ataccama.client.connection.mmm.host=mmm.domain.org
ataccama.client.connection.mmm.tls.enabled=true
ataccama.client.connection.mmm.tls.trust-store=file:/path/to/truststore.p12
ataccama.client.connection.mmm.http.port=8080
ataccama.client.connection.mmm.grpc.port=5132
Sample configuration: gRPC and HTTP connection settings for different servers, TLS enabled
ataccama.client.tls.enabled=true
ataccama.client.tls.trust-store=file:/path/to/truststore.p12
ataccama.client.connection.mmm.host=mmm.domain.org
ataccama.client.connection.mmm.http.port=8080
ataccama.client.connection.mmm.grpc.port=5132
ataccama.client.connection.dpe.host=dpe.domain.org
ataccama.client.connection.dpe.http.port=8080
ataccama.client.connection.dpe.grpc.port=5132
Sample configuration: gRPC and HTTP connection settings for the same server, TLS enabled for gRPC only
ataccama.client.connection.mmm.host=mmm.domain.org
ataccama.client.connection.mmm.http.port=8080
ataccama.client.connection.mmm.grpc.port=5132
ataccama.client.connection.mmm.grpc.tls.enabled=true
ataccama.client.connection.mmm.grpc.tls.trust-store=file:/path/to/truststore
Sample configuration: gRPC and HTTP connection settings for different servers, TLS enabled individually for gRPC and HTTP
# Enable TLS for all connections
ataccama.client.tls.enabled=true
ataccama.client.tls.trust-store=file:/path/to/truststore.p12

ataccama.client.connection.mmm.host=mmm.domain.org
ataccama.client.connection.mmm.http.port=8080
ataccama.client.connection.mmm.grpc.port=5132

ataccama.client.connection.dpe.host=dpe.domain.org
ataccama.client.connection.dpe.http.port=8080
ataccama.client.connection.dpe.grpc.port=5132

ataccama.client.connection.dpm.host=dpm.domain.org
# HTTP connection to DPM uses a different truststore
ataccama.client.connection.dpm.http.port=8080
ataccama.client.connection.dpm.http.tls.trust-store=file:/path/to/another/truststore.p12
# Disable TLS for the gRPC connection to DPM
ataccama.client.connection.dpm.grpc.port=5132
ataccama.client.connection.dpm.grpc.tls.enabled=false
Sample configuration: TLS settings of DPE during hybrid installation, TLS enabled
# Set to true to enable TLS communication.
ataccama.client.connection.dpm.grpc.tls.enabled=true

# Select one of the following methods:

# Trust all TLS certificates (disables verification of the DPM certificate).
# This is not recommended as a permanent solution; keep it false unless troubleshooting.
# ataccama.client.connection.dpm.grpc.tls.trust-all=false

# Or set the path to the certificate collection.
# ataccama.client.connection.dpm.grpc.tls.trust-cert-collection=./path/to/trust/cert/chain.crt

# Or configure these properties to access a certificate truststore.
# ataccama.client.connection.dpm.grpc.tls.trust-store=file:/path/to/trust/cert/trust-store.pfx
# ataccama.client.connection.dpm.grpc.tls.trust-store-password=pswd
# ataccama.client.connection.dpm.grpc.tls.trust-store-type=PKCS12|JCEKS

How to configure TLS for dependencies

Client configuration

The following properties are used to configure secured client connections for some of the dependencies such as Keycloak and ONE Object Storage (MinIO).

Property Data type Description

ataccama.client.connection.<client_name>.http.enabled

Boolean

If set to true, an HTTP client is created for this dependency.

ataccama.client.connection.<client_name>.http.tls.enabled

Boolean

If set to true, TLS is used for the connection to the dependency.

ataccama.client.connection.<client_name>.http.tls.trust-store

String

The full path to the truststore, for example, file:/path/to/truststore.p12.

ataccama.client.connection.<client_name>.http.tls.trust-store-type

String

The type of the truststore. Allowed values: PKCS12, JCEKS, JKS.

ataccama.client.connection.<client_name>.http.tls.trust-store-password

String

The password for the truststore. Used if the truststore is encrypted.

Keycloak

TLS configuration for Keycloak is supplied in the following modules:

Module Location of configuration files

Metadata Management Module (MMM)

mmm-backend/etc/application.properties

Data Processing Module (DPM)

dpm/etc/application.properties

Data Processing Engine (DPE)

dpe/etc/application.properties

Keycloak uses the HTTP client name keycloak, and the following options need to be provided (the truststore must contain the CA that signed the Keycloak server certificate):

ataccama.client.connection.keycloak.http.enabled=true
ataccama.client.connection.keycloak.http.tls.enabled=true
ataccama.client.connection.keycloak.http.tls.trust-store=file:/path/to/truststore.p12
ataccama.client.connection.keycloak.http.tls.trust-store-password=<password>

OpenSearch

To enable TLS for OpenSearch:

  1. Update the OpenSearch configuration /usr/share/opensearch/config/opensearch.yml by adding the following lines to the end of the file (replace changeit, the well-known default password, with your own):

    # SSL
    plugins.security.ssl.transport.keystore_type: JKS
    plugins.security.ssl.transport.keystore_filepath: server.jks
    plugins.security.ssl.transport.keystore_password: changeit
  2. Copy the server.jks keystore to the /usr/share/opensearch/config/ folder and restrict it to the opensearch user and group, since opensearch.yml holds its password in clear text:

    cp /opt/ataccama/mtls/server.jks /usr/share/opensearch/config/.
    chmod 660 /usr/share/opensearch/config/server.jks
    chown opensearch:opensearch /usr/share/opensearch/config/server.jks
These settings cover the transport (node-to-node) layer; the REST (HTTP) layer that clients connect to is configured through the corresponding plugins.security.ssl.http.* settings. For more information, see the official OpenSearch documentation, Configuring TLS certificates.

MinIO

MinIO is the default provider for ONE Object Storage Configuration. To enable secured communication for MinIO, you need to configure an HTTP client for MinIO in the following modules:

Module Location of configuration files

MMM

mmm-backend/etc/application.properties

DPM

dpm/etc/application.properties

DPE

dpe/etc/application.properties

The default HTTP client name for MinIO is object-storage1. The following options need to be provided:

ataccama.client.connection.object-storage1.http.enabled=true
ataccama.client.connection.object-storage1.http.tls.enabled=true
ataccama.client.connection.object-storage1.http.tls.trust-store=file:/path/to/truststore.jks
ataccama.client.connection.object-storage1.http.tls.trust-store-password=<password>

If you are using several object storage instances or want to change the client name, add this property as well:

ataccama.one.object-storage.storages[0].http-client=<http_client_name>

Make sure to replace the HTTP client name in all related properties as well.

PostgreSQL

PostgreSQL offers native support for SSL communication between the server and the client side that is configured through PostgreSQL settings and JDBC connection string parameters.

Configure JDBC connection string

The SSL mode is specified by adding the sslmode parameter to the JDBC connection string. Depending on the level of security that you want, the parameter can be set to the following options:

  • require: The client requires SSL to be enabled on the server, otherwise the connection fails. With the PostgreSQL JDBC driver, this mode does not validate the server certificate, so it protects against passive eavesdropping only; an active attacker who can intercept the connection can still impersonate the server.

  • verify-full: Enforces the highest level of security. The server certificate chain is fully checked against a trusted CA before a connection is established, including verifying the server host name against the name provided in the server certificate. If these conditions are not met, the connection fails.

For a full overview of the SSL client configuration, see the official PostgreSQL guide on SSL Client.

To secure the communication with PostgreSQL for all components relying on a PostgreSQL database, the following parameters need to be added when configuring the connection: ssl=true&sslmode=require. Use sslmode=verify-full instead wherever the CA certificate can be distributed to the clients.

Component Location of configuration files Property Example JDBC connection string

MMM

mmm-backend/etc/application.properties

spring.datasource.url

jdbc:postgresql://localhost:5432/mmm?currentSchema=public&ssl=true&sslmode=require

DPM

dpm/etc/application.properties

spring.datasource.url

jdbc:postgresql://localhost:5432/dpm?ssl=true&sslmode=require

Term Suggestions

term-suggestions-{api|neighbors|recommender|feedback}/etc/application.properties

ataccama.one.apyc.database.connection.*

Set the properties host, port, username, and password.

Keycloak

conf/keycloak.conf

The properties db-url-host, db-username, db-password, https-key-store-file, https-key-store-password.

Example (make sure to update the values accordingly):

    db-url-host=keycloak-postgres
    db-username=keycloak
    db-password=password
    https-key-store-file=keystore.jks
    https-key-store-password=password

For more information, see the Keycloak documentation.

Audit

audit/etc/application.properties

ataccama.audit.spring.datasource.jdbcUrl

jdbc:postgresql://localhost:5432/audit?ssl=true&sslmode=require

If you are using sslmode=verify-full, the client must also be able to build the chain to a trusted CA: either point sslrootcert at the CA certificate (used by the driver's default sslfactory, org.postgresql.ssl.LibPQFactory), or set sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory to rely on the JVM truststore. The sslcert and sslkey parameters are only needed when the server additionally requires client certificate authentication.

For more information about additional SSL settings, refer to the PostgreSQL official guide: Connecting to the Database.

How to configure PostgreSQL

By default, PostgreSQL on Debian-based systems is configured to use a self-signed certificate and key created by the post-installation scripts of the ssl-cert package. To replace these with your own certificate, edit the following values in postgresql.conf (found under /etc/postgresql/<psql_version>/main/ on such systems) and provide your own certificate and key files:

ssl = on
# ssl_ca_file = ''
ssl_cert_file = '/path/to/cert.pem'
# ssl_crl_file = ''
ssl_key_file = '/path/to/cert.key'

PostgreSQL refuses to start if the key file is accessible to other users: it must be owned by the database user with mode 0600, or owned by root with mode 0640. Restart or reload the server after the change.
