Native JWT Token Validation in Talend 8.0.1 R2024-07: A Long-Awaited Feature

In Patch Release 8.0.1 R2024-07 Talend introduced native product support for JWT (JSON Web Token) validation, fulfilling a long-standing feature request. This new functionality significantly enhances security by enabling OIDC (OpenID Connect) / OAuth2 integration with REST services developed in Talend Studio. Prior to this update, Talend only supported outdated or non-interoperable authentication mechanisms:

• Basic Authentication: Known for its weak security, as credentials are sent in an easily decodable format.
• Proprietary SAML Token Authentication: While secure, it lacked interoperability with common standards and external identity providers.
• Misleading "Open ID Connect" Support: Despite the name, Talend's OIDC support was actually a custom OAuth2 implementation using the outdated "Resource Owner Password Credentials" (ROPC) grant type. ROPC is no longer recommended due to inherent security vulnerabilities, as it requires direct handling of user credentials.

With the introduction of JWT token validation, Talend now supports modern, robust security integrations. This allows for seamless authentication using external identity providers like Azure Entra ID or Keycloak, empowering users to authenticate against these providers and retrieve a signed JWT token tied to a specific service.

How-to enable Certificate revocation List (CRL) validation with Talend ESB Runtime

When certificates are issued they usually have a lifetime of a few years. In some cases it is necessary to terminate the validity of a certificate before the planned end of life. For example if a private key was compromised a certificate should not be valid, as soon as possible.

X.509 certificates (the most common certificate type, used for most internet services) support two different types of certificate revocation:

1. Online Certificate Status Protocol (OCSP) RFC-6960
   The application that wants to validate a certificate sends a certificate identifier to the OCSP Server for revocation checking. The response tells the client if the certificate was revoked or is still OK to use.
2. Certificate Revocation List (CRL) RFC-5280
   The application downloads a file that contains a list of revoked certificates and checks if the current certificate is listed in that file.

As you can see already from the RFC number CRL is the older standard which is usually less performant and less up-to-date compared with OCSP. However in this bog post, I will only focus on the CRL approach.

By default most Java applications will not check for certificate revocations as not every certificate contains a revocation URI and it also has a negative performance impact. The same applies to the Talend runtime. However if you need to check for revocations it is easy to activate. All you need to do is to set two system properties:

com.sun.net.ssl.checkRevocation=true
com.sun.security.enableCRLDP=true

You can add these two lines at the end of the runtime/etc/system.properties configuration file.

If you are interested in the complete logging output you can add some debug system properties in the same file as well:

javax.net.debug=all
java.security.debug=all

In the rest of this article I will show you how to create your own certificates that contain a CRL URL to test and validate this setup.

Only Once Ansible Task Execution

Ansible is a great tool to setup multiple servers in a consistent reproducible way. It is easy to setup a complete cluster or a complex software architecture running on multiple machines. But some tasks only need to be executed once. For example you can setup a complete cluster of DB servers, but the table definitions/content only needs to be done once, after the cluster is running. Since the goal of Ansible is to always end with a consistent state it should be OK to run the same task multiple times, without breaking your setup (idempotent), but if you setup a bigger cluster with Hundertes of nodes, you would definitely want to avoid running the same task over and over again, if this can be avoided.

There a basically two options that you can use to ensure a task is executed only once.

Custom Claim Handler in Fediz Plugin

Apache Fediz plugin provides now a support for custom claim processing since version 1.4.5. This allows fine grained claim control on application side, which is very useful if you are not in control of the IDP/STS claim creation itself. Or if you want to do some local claim value mapping that is very application specific.

In this blog post, I will show you how to leverage this new Fediz feature.

Using camel json schema validation in Talend Studio

Schema validation is well known for XML content. Since JSON has become very popular in combination with REST services the need for JSON schema validation has also increased.

JSON schema validation is available since Camel 2.20.0 matching Talend Studio version 7.0.1.

This article describes how JSON schema validation can be used for Talend Studio route development.

Username/Password Authentication with Talend ESB WebService

In this Blog post I'll show you how to use Username/Password authentication with a Talend ESB WebService (based on CXF) running inside a Karaf runtime. First with a UsernameToken inside the SOAP Header and second by using BasicAuthentication.

Kerberos Debugging in Java

Working with Kerberos can easily cause a lot of trouble. Troubleshooting can take several hours.
In this blog I'll show you what will help you best when using Kerberos with Java for example to secure a Hadoop cluster.

When Kerberos is not working as expected it is important to understand why. Enabling Kerberos debug logging is a very valuable resource to understand what is happening.
To enable Kerberos debugging you need to set the following JVM property:

-Dsun.security.krb5.debug=true

Now read your log file very carefully. This will help you to understand what is missing.

Usually you will define your Kerberos configuration within your C:\Windows\krb5.ini or /etc/krb5.conf file. Make sure that your hostname mapping to your Kerberos realm is correct in here.
There are also a few other JVM properties that are usually not required, but can be useful to override/define your configuration at application startup:

-Djava.security.krb5.kdc=hostname.of-your.kerberos.server
-Djava.security.krb5.realm=YOUR.KERBEROS.REALM
-Djava.security.auth.login.config=file:/C:/Programme/Tomcat-IDP/conf/kerberos.jaas

Kerberos is very sensitive to DNS configuration.

Here are some more shell commands that are very helpful to test if Kerberos is working in general (outside of your Java application):

# Login with a specific keytab file
kinit -k -t /path/to/your/keytab

# List all local available tokens. After kinit there should be at least your tgt token.
klist

# Request a ticket for a specific service. Check if the service is registered correctly at your Kerberos server.
kvno service/hostname@domain

https://web.mit.edu/kerberos/krb5-1.12/doc/user/user_commands/kvno.html

How to enable Fediz Plugin Logging

If you are using the Apache Fediz plugin to enable WS-Federation Support for your Tomcat container, you will not see any log statements from the Fediz Plugin by default. Especially when testing or analyzing issues with the plugin you will be interested in actually seeing some log statements from the plugin.

In this blog post I'll explain to you what need to be done to get all DEBUG log level statements from the Apache Fediz Tomcat Plugin using Log4J.

Syncope User Synchronisation with a Database

In a previous post I explained how to setup a datasource for an embedded H2 database and how to use it with the Karaf DB JAAS plugin.

In this post, I'll explain to you how to setup Syncope to synchronize users from that database into syncope. Of course you can also use any other database with a matching JDBC driver.

Custom JSSE Truststore to enable XKMS Certificate Validation

Recently I was involved in a project which uses a central XKMS Server for certificate and trust management. This was all working fine within the Talend runtime with a custom wss4j crypto provider. However the need raised to perform client certificate validations (mutal SSL) with Apache Fediz running inside an Apache Tomcat server.


Usually I would use a JKS truststore for Tomcat to add trusted certificates (CAs). However this was not possible for this project, because all certificates will be managed inside an LDAP accessible via a XKMS service. Searching for a solution to extend Tomcat to support XKMS based certificate validation I came across the JSSE Standard.

Reading throw the documentation was not so straightforward and clear. But searching through the internet finally helped me to achieve my goal. In this blog post, I'll show you what I had to do, to enabled XKMS based SSL certificate validation in Tomcat.

Apache Fediz with Client Certificate Authentication (X.509)

In this blog post I will explain how to generate your own SSL key-pair to perform certificate based authentication for SSO purposes with Apache Fediz IDP.

Karaf JDBC JAAS Module

Karaf relys on JAAS for user authentication. JAAS makes it possible to plugin multiple modules for this purpose. By default Karaf will use the karaf realm with a JAAS module getting its user and role information from a property file: runtime/etc/users.properties

In this blog post I will show you how to use the Karaf JAAS console commands and how to setup a JDBC module to authenticate against a database.