If you configure client authentication, only trusted clients can connect to the web management service (SWS). All of the tools and interfaces that access the web management service must identify themselves with a certificate that matches an entry in the SWS truststore. By default, client authentication is not enabled for this service.

The InfoSphere® Streams tools and interfaces that access the web management service are the Streams Console, the REST API, and Streams for Excel.
Before you begin
In the following procedure, the openssl command is used to work with certificates. This command is included in the openssl package. To download this package, go to the OpenSSL website.
About this task
If you are authorized to use an InfoSphere Streams domain, you can connect to the web management service with a valid user ID and password.

If client authentication is enabled and configured, the web management service uses the certificate information in its truststore to identify the clients that are authorized to connect to the service. In addition, the service uses the distinguished name (DN) in the client certificate, specifically the CN component, to identify users who are authorized to connect without entering a user ID and password. Because the certificate then stands in for the password, the private key that belongs to it must be protected as carefully as a password would be.
Procedure
- Enable client authentication by setting the sws.clientAuthenticationEnabled domain property to true. You can use the Domain Manager or the streamtool setdomainproperty command to set this property.
- Obtain a client certificate and a PKCS#12 file (the client certificate bundled with its private key) from a Certificate Authority (CA), or create self-signed ones.
  - If you are requesting the certificates from a CA, use the following procedure:
    - Request the client certificate and the associated CA certificate. Use the procedure in Setting up client certificate authentication for InfoSphere Streams users.
    - Request a PKCS#12 file that contains the client certificate and its private key.
  - If you are creating self-signed certificates, use the following procedure. Specify names of your choice for the following values:
    - streamsuser-client-key: RSA private key name
    - streamsuser-client-cert: client certificate name
    - Generate an RSA private key by using the openssl genpkey command. Set the key size explicitly, because older openssl releases default to a 1024-bit RSA key, for example:
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out streamsuser-client-key.pem
    - Generate a self-signed client certificate from the private key by using the openssl req command.
      Note: The user name that you specify in the CN component of the subject must be a user who is authorized to access the InfoSphere Streams domain; it is the user ID that the web management service derives from the certificate. Specify -days explicitly; without it, openssl issues a certificate that expires after 30 days.
      Example:
      openssl req -x509 -new -days 365 -key streamsuser-client-key.pem -out streamsuser-client-cert.pem -subj '/C=CA/ST=ON/L=Toronto/O=IBM/OU=SWG/CN=streamsuser/'
    - Generate a PKCS#12 file from the client certificate and its private key by using the openssl pkcs12 command, for example:
      openssl pkcs12 -export -in streamsuser-client-cert.pem -inkey streamsuser-client-key.pem -out streamsuser-client-cert.p12 -passout pass:''
      Note: An empty password (pass:'') leaves the private key in the .p12 file protected only by file permissions. Restrict access to the file, and use a password if the client tool supports one.
- Add the client certificate to the web management service truststore by using the streamtool addcertificate command, for example:
  streamtool addcertificate -f streamsuser-client-cert.pem --clientid streamsuser
- For the changes to take effect, restart the service by using the streamtool restartdomainservice sws command, or restart the domain.
- Configure the InfoSphere Streams tools and interfaces that use the web management service to authenticate with the client certificate.
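As an added example that is not part of the InfoSphere Streams documentation, the following POSIX shell script carries out the self-signed steps above end to end and adds the checks a practitioner wants to run before handing the certificate to streamtool addcertificate: that the certificate's public key really belongs to the private key, that the .p12 bundle holds the same certificate that goes into the truststore, and that the CN is the expected Streams user ID. It assumes only that the openssl command is on PATH; the function names, the user IDs, the passphrase and the temporary working directory are illustrative choices of this example, not product requirements.

```shell
#!/bin/sh
# Added example (not from the InfoSphere Streams documentation): build a
# self-signed client identity for SWS client authentication and verify it
# before adding it to the truststore. Assumes the openssl CLI is on PATH.
# The user IDs, file names, passphrase and working directory are
# illustrative choices of this example.
set -eu

# Generate a 2048-bit RSA private key. The size is set explicitly because
# older openssl releases default genpkey to a 1024-bit RSA key.
gen_client_key() {
    key="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null
    chmod 600 "$key"
}

# Self-sign a client certificate whose CN is the Streams user ID that the
# web management service should map the certificate to. Validity is given
# explicitly; openssl's default is 30 days.
gen_client_cert() {
    key="$1"; cert="$2"; user="$3"; days="$4"
    openssl req -x509 -new -sha256 -key "$key" -out "$cert" -days "$days" \
        -subj "/C=CA/ST=ON/L=Toronto/O=IBM/OU=SWG/CN=$user"
}

# Bundle certificate and private key into a PKCS#12 file for the client
# tools. A non-empty password is expected; pass:'' would leave the key
# protected by file permissions only.
bundle_p12() {
    cert="$1"; key="$2"; p12="$3"; pass="$4"
    openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$p12" -passout "pass:$pass"
    chmod 600 "$p12"
}

# Print the CN of a certificate, i.e. the value SWS derives the user ID from.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# Check 1: the public key in the certificate matches the private key.
key_matches_cert() {
    a=$(openssl pkey -in "$1" -pubout)
    b=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$a" = "$b" ]
}

# Check 2: the .p12 bundle carries the same certificate (by SHA-256
# fingerprint) that will be added to the truststore.
p12_matches_cert() {
    p12="$1"; cert="$2"; pass="$3"
    a=$(openssl pkcs12 -in "$p12" -nokeys -clcerts -passin "pass:$pass" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
    [ "$a" = "$b" ]
}

# Whole procedure for one user: key, certificate, bundle, then the checks.
make_client_identity() {
    dir="$1"; user="$2"; pass="$3"
    gen_client_key "$dir/$user-client-key.pem"
    gen_client_cert "$dir/$user-client-key.pem" "$dir/$user-client-cert.pem" "$user" 365
    bundle_p12 "$dir/$user-client-cert.pem" "$dir/$user-client-key.pem" \
        "$dir/$user-client-cert.p12" "$pass"
    key_matches_cert "$dir/$user-client-key.pem" "$dir/$user-client-cert.pem"
    p12_matches_cert "$dir/$user-client-cert.p12" "$dir/$user-client-cert.pem" "$pass"
    [ "$(cert_cn "$dir/$user-client-cert.pem")" = "$user" ]
}

# Worked run for the user "streamsuser" in a scratch directory.
workdir=$(mktemp -d)
make_client_identity "$workdir" streamsuser 'use-a-real-passphrase'
echo "client identity verified in $workdir"
echo "next: streamtool addcertificate -f $workdir/streamsuser-client-cert.pem --clientid streamsuser"
```

Every step runs with errexit enabled, so a mismatch between key, certificate and bundle, or a CN that does not equal the intended user ID, stops the script before anything reaches the truststore. The CN check matters because the web management service treats that value as an authenticated user ID, so a typo in -subj becomes an authorization problem rather than a cosmetic one.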