IBM InfoSphere Streams Version 4.1.0

Setting up client authentication for the web management service

If you configure client authentication, only trusted clients can connect to the web management service. All of the tools and interfaces that access the web management service must identify themselves by using a certificate that matches information in the web management service (SWS) truststore. By default, client authentication is not enabled for this service.

The InfoSphere® Streams tools and interfaces that access the web management service are the Streams Console, the REST API, and Streams for Excel.

Before you begin

In the following procedure, the openssl command is used to work with certificates. This command is included in the openssl package. To download this package, go to the OpenSSL website.

About this task

If you are authorized to use an InfoSphere Streams domain, you can connect to the web management service with a valid user ID and password.

If client authentication is enabled and configured, the web management service uses the certificate information in the web management service truststore to identify the clients that are authorized to connect to the service. In addition, this service uses the distinguished name (DN) information in the client certificate to identify users who are authorized to connect to the service without having to enter their user ID and password.

Procedure

  1. Enable client authentication by setting the sws.clientAuthenticationEnabled domain property to true. You can use the Domain Manager or the streamtool setdomainproperty command to set this property.

  2. Request client and PKCS#12 certificates from a Certificate Authority (CA), or create self-signed certificates.

    • If you are requesting the certificates from a CA, use the following procedure:
      1. Request the client certificate and associated CA certificate. Use the procedure in Setting up client certificate authentication for InfoSphere Streams users.
      2. Request a PKCS#12 certificate.

    • If you are creating self-signed certificates, use the following procedure. Specify a name of your choice for the following values:
      • streamsuser-client-key: RSA private key name
      • streamsuser-client-cert: Client certificate name
      1. Generate an RSA private key by using the openssl genpkey command, for example:
        openssl genpkey -algorithm RSA -out streamsuser-client-key.pem
      2. Generate a client certificate from the private key by using the openssl req command.
        Note: The user name that you specify on the CN parameter must be authorized to access the InfoSphere Streams domain.
        Example:
         openssl req -x509 -new -key streamsuser-client-key.pem -out streamsuser-client-cert.pem -subj '/C=CA/ST=ON/L=Toronto/O=IBM/OU=SWG/CN=streamsuser/'
      3. Generate a PKCS#12 certificate from the client certificate by using the openssl pkcs12 command, for example:
         openssl pkcs12 -export -in streamsuser-client-cert.pem -inkey streamsuser-client-key.pem -out streamsuser-client-cert.p12 -passout pass:''
      4. Add the client certificate to the web management service truststore by using the streamtool addcertificate command, for example:
        streamtool addcertificate -f streamsuser-client-cert.pem --clientid streamsuser
  3. For the changes to take effect, use the streamtool restartdomainservice sws command to restart the service, or restart the domain.
  4. Configure InfoSphere Streams tools and interfaces that use the web management service to authenticate using the client certificate.
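The self-signed path of step 2, scripted as an added example that is not part of the IBM documentation: it generates the key, client certificate and PKCS#12 bundle, then checks that the certificate's CN is the intended client id and that the certificate has not expired before it is registered with streamtool addcertificate (the web management service maps that DN to a user, so a wrong CN authorizes the wrong user). It assumes openssl is on the PATH; the subject fields and the 365-day validity are assumptions, and the empty export password mirrors the page's command.

```shell
#!/bin/sh
# Added example (not IBM's code): build and vet a self-signed SWS client identity.
set -eu

# Generate the RSA key, self-signed client certificate and PKCS#12 bundle.
# $1 = output directory, $2 = client id (becomes the CN), $3 = validity in days.
make_client_identity() {
    dir=$1; client=$2; days=${3:-365}
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/$client-client-key.pem" 2>/dev/null
    # Subject fields other than CN are assumed; only the CN is mapped to a user.
    openssl req -x509 -new -key "$dir/$client-client-key.pem" -days "$days" \
        -subj "/C=CA/ST=ON/L=Toronto/O=IBM/OU=SWG/CN=$client" \
        -out "$dir/$client-client-cert.pem"
    # Empty export password, as in the page's command.
    openssl pkcs12 -export -in "$dir/$client-client-cert.pem" \
        -inkey "$dir/$client-client-key.pem" \
        -out "$dir/$client-client-cert.p12" -passout pass:''
}

# Print the CN from the certificate subject in RFC 2253 form.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if the CN equals the intended client id and the certificate
# is not already expired; anything else must not be added to the truststore.
check_client_cert() {
    cert=$1; expected=$2
    actual=$(cert_cn "$cert")
    [ "$actual" = "$expected" ] || { echo "CN mismatch: '$actual' != '$expected'" >&2; return 1; }
    openssl x509 -checkend 0 -noout -in "$cert" >/dev/null
}

WORK=$(mktemp -d)
make_client_identity "$WORK" streamsuser 365
if check_client_cert "$WORK/streamsuser-client-cert.pem" streamsuser; then
    echo "OK to register: streamtool addcertificate -f $WORK/streamsuser-client-cert.pem --clientid streamsuser"
fi
```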