Using RedHat™ OpenSSL™ to generate certificates for IBM InfoSphere Streams™ Console client authentication for use with a FireFox™ Browser

Technote (FAQ)


Question

How can a RedHat user account that is configured with OpenSSL Rivest-Shamir-Adleman (RSA) certificates, and that starts an InfoSphere Streams instance, access the instance's Streams Administration Console from FireFox?

Answer

A Streams instance's Web Service Streams Administration Console, started from a RedHat RSA user account (user), cannot be accessed from a FireFox browser (FFB) until the user account has deployed RSA certificates (certificates) to both the Streams instance and the FFB. OpenSSL certificates enable user access to the Streams Administration Console (SAC). With certificate access, the user is automatically authenticated at the SAC's FFB login prompt.

This technical note provides instructions for generating certificates for InfoSphere Streams Version 3.0 or 3.1 instances. The instructions detail the generation of client and server instance certificates using openssl Version 1.0.0-fips dated 29 Mar 2010. The technical note also provides instructions for adding the certificates to FFB version 3.6.17.


The InfoSphere Streams streamtool utility provides the addcertificate and lscertificate options for managing an IBM InfoSphere Streams Instance Streams Web Service (IISIWS) client truststore. The IISIWS client truststore (client truststore) contains the instance's certificates. The streamtool addcertificate option adds certificates to the client truststore. The lscertificate option lists the contents of the instance's client truststore. The following streamtool commands provide additional options that are helpful when managing the client truststore:

    streamtool updatecertificate -- Use to update a certificate in the client truststore.
    streamtool rmcertificate -- Use to remove a certificate from the client truststore.

IISIWS certificate authentication is enabled by setting the InfoSphere Streams property SWS.enableClientAuthentication.

Enabling RSA for IISIWS requires entering the RedHat console commands provided in the following sections and subsections, in the order listed. The RedHat version used to provide the information for this technical note is RedHat Enterprise Linux Server release 6.1 (also known as Santiago).

A. Create the server and client certificates by using the following openssl commands:

    1. Generate an RSA private key.

        openssl genrsa -des3 -out chubbyserver.key 1024

          Generating RSA private key, 1024 bit long modulus
          ....................++++++
          ............++++++
          e is 65537 (0x10001)
          Enter pass phrase for chubbyserver.key: password
          Verifying - Enter pass phrase for chubbyserver.key: password


    2. Use Certificate Signing Request (CSR) management to generate a self-signed server certificate.

        openssl req -new -key chubbyserver.key -x509 -out chubbyserver.crt -days 1825

          Enter pass phrase for chubbyserver.key: password
          You are about to be asked to enter information that will be incorporated
          into your certificate request.
          What you are about to enter is what is called a Distinguished Name or a DN.
          There are quite a few fields but you can leave some blank
          For some fields there will be a default value,
          If you enter '.', the field will be left blank.
          -----
          Country Name (2 letter code) [XX]: us
          State or Province Name (full name) []: ca
          Locality Name (eg, city) [Default City]: San Francisco
          Organization Name (eg, company) [Default Company Ltd]: IBM
          Organizational Unit Name (eg, section) []: InfoSphere Streams
          Common Name (eg, your name or your server's hostname) []: somebody
          Email Address []: somebody@us.ibm.com

    3. Use CSR management to generate a client certificate signing request.

        openssl req -new -key chubbyserver.key -out chubbyclient.csr

          Enter pass phrase for chubbyserver.key: password
          You are about to be asked to enter information that will be incorporated
          into your certificate request.
          What you are about to enter is what is called a Distinguished Name or a DN.
          There are quite a few fields but you can leave some blank
          For some fields there will be a default value,
          If you enter '.', the field will be left blank.
          -----
          Country Name (2 letter code) [XX]: us
          State or Province Name (full name) []: ca
          Locality Name (eg, city) [Default City]: San Francisco
          Organization Name (eg, company) [Default Company Ltd]: IBM
          Organizational Unit Name (eg, section) []: InfoSphere Streams
          Common Name (eg, your name or your server's hostname) []: somebody
          Email Address []: somebody@us.ibm.com

          Please enter the following 'extra' attributes
          to be sent with your certificate request
          A challenge password []: password
          An optional company name []: IBM

    4. Use certificate authority management to sign the client CSR with the server certificate and server key, producing the client crt file.

        openssl ca -in chubbyclient.csr -cert chubbyserver.crt -keyfile chubbyserver.key -out chubbyclient.crt -days 1825 -config openssl.cnf

          Using configuration from openssl.cnf
          Enter pass phrase for chubbyserver.key: password
          Check that the request matches the signature
          Signature ok
          The Subject's Distinguished Name is as follows
          countryName :PRINTABLE:'us'
          stateOrProvinceName :ASN.1 12:'ca'
          localityName :ASN.1 12:'San Francisco'
          organizationName :ASN.1 12:'IBM'
          organizationalUnitName:ASN.1 12:'InfoSphere Streams'
          commonName :ASN.1 12:'somebody'
          emailAddress :IA5STRING:'somebody@us.ibm.com'
          Certificate is to be certified until Jul 17 16:16:35 2018 GMT (1825 days)
          Sign the certificate? [y/n]:y

          1 out of 1 certificate requests certified, commit? [y/n] y
          Write out database with 1 new entries
          Data Base Updated


    5. Use data management to export the client certificate and its private key as a PKCS#12 (.p12) file for import into the browser.

        openssl pkcs12 -export -in chubbyclient.crt -inkey chubbyserver.key -out chubbyclient.p12

          Enter pass phrase for chubbyserver.key: password
          Enter Export Password: password
          Verifying - Enter Export Password: password
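The whole of section A as a non-interactive script, added here as an example and not part of the technote: it writes the minimal openssl.cnf that "openssl ca" needs, generates a separate client key rather than reusing chubbyserver.key as the technote's steps 3 and 5 do, and finishes by checking that the client certificate verifies against the server certificate, which is the relation the client truststore in section B depends on. It assumes openssl is on the PATH; the file names, subject names, 2048-bit key size and the pass phrase "password" are constructed sample values.

```shell
# Added example (not from the technote): section A run non-interactively, with a
# separate client key (the technote reuses chubbyserver.key) and a minimal openssl.cnf
# so that `openssl ca` has its database. Assumes openssl on PATH; all names and the
# pass phrase are constructed sample values.
set -e
make_certs() (
  cd "$1"
  mkdir -p ca && : > ca/index.txt && echo 01 > ca/serial
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = streams_ca
[ streams_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
default_md = sha256
policy = policy_any
[ policy_any ]
countryName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  base="/C=US/O=IBM/OU=InfoSphere Streams"
  # A1-A2: server key and self-signed server certificate (the trust anchor)
  openssl genrsa -des3 -passout pass:password -out chubbyserver.key 2048
  openssl req -new -x509 -config openssl.cnf -extensions v3_ca -days 1825 -key chubbyserver.key \
    -passin pass:password -subj "$base/CN=streams-server" -out chubbyserver.crt
  # A3: client key and certificate request
  openssl genrsa -des3 -passout pass:password -out chubbyclient.key 2048
  openssl req -new -config openssl.cnf -key chubbyclient.key -passin pass:password \
    -subj "$base/CN=somebody" -out chubbyclient.csr
  # A4: sign the client request with the server certificate and key
  openssl ca -batch -config openssl.cnf -cert chubbyserver.crt -keyfile chubbyserver.key \
    -passin pass:password -days 1825 -in chubbyclient.csr -out chubbyclient.crt
  # A5: bundle client certificate and key as PKCS#12 for the browser import
  openssl pkcs12 -export -in chubbyclient.crt -inkey chubbyclient.key \
    -passin pass:password -passout pass:password -out chubbyclient.p12
)
# The client truststore check in section B relies on this chain being valid.
verify_chain() {
  openssl verify -CAfile "$1/chubbyserver.crt" "$1/chubbyclient.crt"
}
```

Run it as `make_certs /path/to/workdir && verify_chain /path/to/workdir`; the verify step prints "chubbyclient.crt: OK" when the signed client certificate chains to chubbyserver.crt.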


B. Once the above openssl commands have completed successfully, you can proceed with the following streamtool commands to configure the Streams instance for SWS client authentication: add your server certificate to the instance's client truststore, and list your server certificate in the client truststore.

    1. Update the Streams instance to use client authentication with the following streamtool command.

          streamtool setproperty SWS.enableClientAuthentication

    2. Add your server certificate to the client truststore.

        streamtool addcertificate --client somebody -f chubbyserver.crt

          Trusted client certificate for somebody updated successfully for instance streams@somebody.

    3. List your server certificate in the client truststore.

        streamtool lscertificate --client

        Client certificates for instance streams@somebody:

        alias: somebody
        created: Jul 18, 2013 9:19 AM
        owner: EMAILADDRESS=somebody@us.ibm.com, CN=somebody, OU=InfoSphere Streams, O=IBM, L=San Francisco, ST=ca, C=us
        issuer: EMAILADDRESS=somebody@us.ibm.com, CN=somebody, OU=InfoSphere Streams, O=IBM, L=San Francisco, ST=ca, C=us
        valid from Jul 18, 2013 9:13 AM until Jul 17, 2018 9:13 AM

C. The next set of steps starts the Streams instance and gets the IISIWS URL for the instance.

    1. Start the instance.

      st startinstance

        CDISC0059I The system is starting the streams@somebody instance.
        CDISC0078I The system is starting the runtime services on 1 hosts.
        CDISC0056I The system is starting the distributed name service on the myhost host. The distributed name service has 1 partitions and 1 replications.
        CDISC0057I The system is setting the NameServiceUrl property of the instance to DN:myhost:55140, which is the URL of the distributed name service that is running.
        CDISC0061I The system is starting in parallel the runtime services of 1 management hosts.
        CDISC0003I The streams@somebody instance was started.

    2. Get the instance's URL to its IISIWS with the streamtool geturl command (see section D, step 2).

D. The next sequence of steps configures the FFB for access to the IISIWS: importing the client certificate, getting the URL for the IISIWS from streamtool, and importing the server certificate into the FFB by accessing the IISIWS login page.


    1. In the FFB, go down the menu path "Edit/Advanced/Encryption/Your Certificates". Add the certificate in the chubbyclient.p12 file. Once done, your FireFox Certificate Manager view should look similar to the following image:


    2. Open the FFB and go to the URL provided by the "streamtool geturl" command.


    3. The first time the URL is accessed an exception is generated; go down the path "I Understand the Risks/Add Exception/Get Certificate" to allow the server to add the server certificate to the FFB. Once done, you will see an image similar to the following:


    4. Confirm the certificate and continue to the Streams Administration Console login page. The login page appears for about a minute, and is then replaced by the initial administration console page.


    Note: Each restart of the InfoSphere Streams instance requires reconfirmation of the server certificate in the FFB.


Document information

More support for: InfoSphere Streams, Web Admin/Config
Software version: 3.0, 3.1
Operating system(s): Linux
Software edition: All Editions
Reference #: 1644439
Modified date: 2013-08-28
