SSL/TLS Configuration

Some stages allow you use SSL/TLS to connect to the external system.

When you enable TLS, you can generally configure properties on the TLS tab of the stage. The properties that are available can depend on the stage that you are configuring. The TLS tab can include the following properties:

  • Keystore properties
  • Truststore properties
  • TLS protocols
  • Cipher suites
You can enable SSL/TLS type properties in the following stages and locations:
  • Cassandra destination
  • HTTP Client origin, processor, and destination
  • HTTP Server origin
  • HTTP to Kafka origin
  • Kafka Consumer origin, Kafka Multitopic Consumer origin, and Kafka Producer destination - These stages require configuring additional Kafka properties. For more information, see "Enabling Security" in the stage documentation.
  • MongoDB origin and destination, and the MongoDB Oplog origin - These stages require configuring the SDC_JAVA_OPTS environment variable. For more information, see "Enabling SSL/TLS" in the stage documentation.
  • MQTT Subscriber origin and MQTT Publisher destination
  • OPC UA Client origin
  • Salesforce origin, lookup, and destination, and the Einstein Analytics destination
  • SDC RPC origin and destination
  • SDC RPC to Kafka origin
  • Spark executor
  • Splunk destination
  • TCP Server origin
  • UDP to Kafka origin
  • WebSocket Client origin and destination
  • WebSocket Server origin
  • Pipeline error handling, when writing error records to another pipeline

Keystore and Truststore Configuration

When SSL/TLS is enabled in a stage, you can also enable the use of a keystore and a truststore.

Though similar in many ways, a keystore contains a private key and public certificates that are used to verify the identity of the client upon a request from an SSL/TLS server. In contrast, a truststore generally contains certificates from trusted certificate authorities that an SSL/TLS client uses to verify the identity of an SSL/TLS server.

Important: Before enabling SSL/TLS in a stage, store the keystore or truststore file in the Data Collector resources directory, $SDC_RESOURCES.
When you configure a keystore or truststore, you can configure the following properties:
keystore/truststore type
You can use the following types of keystores and truststores:
  • Java Keystore File (JKS)
  • PKCS-12 (p12 file)
file and location
When specifying the file and location of the keystore or truststore file, you can either use an absolute path to the file or a path relative to the Data Collector resources directory.
A password is optional for keystore and truststore files, but highly recommended.
Data Collector uses the SunX509 key exchange algorithm by default. You can use any algorithm compatible with your keystore/truststore file that is supported by your JVM.

Transport Protocols

When SSL/TLS is enabled in a stage, you can configure the transport protocol to use.

Data Collector uses TLSv1.2 by default. You can specify one or more other protocols, but versions prior to TLSv1.2 are not as secure.

Cipher Suites

When SSL/TLS is enabled in a stage, you can configure the cipher suites to use to perform the SSL/TLS handshake.

By default, Data Collector can use any of the following cipher suites:
Supported Cipher Suite Java Secure Socket Extension (JSSE) Name