IBM InfoSphere Streams Version 4.1.0

Setting up client certificate authentication for InfoSphere Streams users

Use this procedure to set up client certificate authentication for an InfoSphere® Streams domain by using X.509 certificates. Using client certificate authentication is optional.

Before you begin

In the following procedure, the openssl command is used to work with certificates. This command is included in the openssl package. To download this package, go to the OpenSSL website.

About this task

After you set up client certificate authentication, InfoSphere Streams will attempt to use X.509 certificate authentication when authenticating a user to the domain.

Procedure

  1. Obtain and verify the client certificate and the associated Certificate Authority (CA) certificate.

    Certificates can be in Distinguished Encoding Rules (DER) format or Privacy Enhanced Mail (PEM) format.

    If you receive a certificate in PEM format, remove any text that is outside of the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers, such as the human-readable header lines that some export tools write before the certificate. You can remove the text manually with an editor of your choice. After this step, the file contains only the two markers and the base64-encoded certificate data between them. The following example shows a client certificate that contains only the expected text.

    Figure 1. Example: Client certificate text
             -----BEGIN CERTIFICATE-----
             MIID+jCCA2OgAwIBAgICEA8wDQYJKoZIhvcNAQEFBQAwcTELMAkGA1UEBhMCVVMx
             CzAJBgNVBAgTAk1OMQwwCgYDVQQKEwNJQk0xEDAOBgNVBAsTB1N0cmVhbXMxEzAR
             Y29tMB4XDTE1MTAxNDE1NDkyN1oXDTE2MTAxMzE1NDkyN1owdzELMAkGA1UEBhMC
             VVMxCzAJBgNVBAgTAk1OMQwwCgYDVQQKEwNJQk0xEDAOBgNVBAsTB1N0cmVhbXMx
             FDASBgNVBAMTC3N0cmVhbXN1c2VyMSUwIwYJKoZIhvcNAQkBFhZzdHJlYW1zdXNl
             ckB1cy5pYm0uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjaQlq1M5d
             YQP6puRLOTqmZdKFFngpuFnoIF6I7uwMJ8jNZx0Y9rkxVTGCqvmxnwvADG0GV5UR
             ilXFhTYJINo1ggo+Ohm819k7YVAESv34kryj+1f86yj00Tzq6ykefYMre7t8PIZo
             QW8QvjLZEdbjZnMgXyOGHWz1rAt+0376XwIDAQABo4IBmTCCAZUwKQYJYIZIAYb4
             QgENBBwWGk9wZW5TU0wgQ2xpZW50IENlcnRpZmljYXRlMEAGCCsGAQUFBwEBBDQw
             MjAwBggrBgEFBQcwAYYkaHR0cDovL3Nob2UucmNoLnN0Z2xhYnMuaWJtLmNvbTo5
             MDgwMIGWBgNVHSMEgY4wgYuAFBQ8NrJJ9ddVW4Z/LvDbtUvsC51UoXCkbjBsMQsw
             CQYDVQQGEwJVUzELMAkGA1UECBMCTU4xEjAQBgNVBAcTCVJvY2hlc3RlcjEMMAoG
             A1UEChMDSUJNMQwwCgYDVQQDEwNJQk0xIDAeBgkqhkiG9w0BCQEWEXNtc2hhb0B1
             cy5pYm0uY29tggFYMAkGA1UdEwQCMAAwPgYDVR0fBDcwNTAzoDGgL4YtaHR0cDov
             L3Nob2UucmNoLnN0Z2xhYnMuaWJtLmNvbS9jZXJ0cy9jcmwucGVtMA4GA1UdDwEB
             /wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAdBgNVHQ4EFgQUJqFG/AckkKoB
             T8kRhyDCMNzmQ9gwDQYJKoZIhvcNAQEFBQADgYEAtqFIHeHakd1QAlxYRhKefqQg
             VW0X7VRVJe7IhUKHBe8DXwSJmIETdxUbhzwNhmxijJkGyBu055YSlCz4X+wNaSC8
             lDrO5g1ej3wh2cZFzVAYzyDhBo6urXiX9XEi94tc3/UBvwRHGP/MtmRJCbUyr5A7
             p3Xu6ZBlpTyRZ18KRpU=
             -----END CERTIFICATE-----

    To verify the certificates, see Verifying certificates for InfoSphere Streams users.

  2. Add the CA certificate for the CA that issued the client certificate to the client truststore.
    Attention:
    • When a CA certificate is added to the truststore, any client certificate that is issued by that CA is accepted for authentication, provided that InfoSphere Streams can reach the CRL or OCSP responder information for the CA to check the revocation status of the certificate.

    • If the CA does not include URIs for its CRL or OCSP responder in the client certificates that it issues, the domain can obtain revocation information only from the location that is specified in the security.revocationFile or security.revocationLdapUrl domain property. In this case, add only one CA certificate to the truststore for the domain, because these properties apply to a single CA. For more information about these properties, see Setting up client certificate revocation checking for InfoSphere Streams users.

    To add the CA certificate, enter the following InfoSphere Streams streamtool command:

    streamtool addcertificate -d domainid --clientid streamsca -f streamsca.pem
    A message similar to the following example is displayed:
    Trusted client certificate for streamsca imported successfully for domain domainid.
    Note: You can enter any name for the clientid, but the preferred practice is to use a name that is associated with the CA certificate. In the streamtool command example, the clientid of streamsca is associated with the file name of the CA certificate. Another option is to use the subject CN of the CA certificate, which is also streamsca, as shown in the following example:
    openssl x509 -noout -subject -in streamsca.pem
    subject= /C=US/ST=MN/O=IBM/OU=Streams/CN=streamsca/emailAddress=admin@example.com

  3. Set up InfoSphere Streams authorization for the certificate user.
    By default, the certificate user is the subject CN of the client certificate. You can display the client certificate subject information by entering the following openssl command:
    openssl x509 -noout -subject -in /streamscertificates/streamsuser.pem
    subject= /C=US/ST=MN/O=IBM/OU=Streams/CN=streamsuser/emailAddress=streamsuser@example.com
    In this example, the subject CN is streamsuser. For more information about the subject CN and other information in a client certificate, see Setting the user ID pattern for certificate authentication.

    You can configure permissions for a certificate user by using roles or by setting access permissions for the user. Groups do not apply to certificate users. To configure permissions, see Configuring user access to InfoSphere Streams domains and instances.

  4. Set up client certificate revocation checking. You can use the default checking method or configure another method. For more information, see Setting up client certificate revocation checking for InfoSphere Streams users.
  5. Enable client certificate authentication by setting the STREAMS_X509CERT environment variable, in the environment of the user who runs the InfoSphere Streams client commands, to the path of that user's client certificate, for example:
    export STREAMS_X509CERT=/streamscertificates/streamsuser.pem
    InfoSphere Streams now attempts to use the X.509 certificate when it authenticates the user to the domain. If certificate authentication fails, InfoSphere Streams falls back to the default authentication method for the domain, which is either LDAP or PAM, so a rejected certificate does not by itself prevent the user from authenticating with a password.
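The following shell script, added here as a worked example and not part of the IBM documentation, gathers the checks from steps 1 through 3 into one place: it keeps only the text between the certificate markers, extracts the subject CN that becomes the certificate user, and, when given a client certificate and a CA certificate path, verifies that the client certificate chains to that CA and lists any CRL or OCSP URIs embedded in it (the condition discussed in the attention note of step 2). The function names, the script name prepare_cert.sh, and the sample PEM data are assumptions made for this example; the openssl and streamtool commands are the ones the procedure uses.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Helper functions for
# preparing a client certificate before registering its CA with streamtool.
# Function names, the script name and the sample data are constructed here.

# Keep only the first -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
# block from stdin (step 1), dropping any text outside the markers.
# Exit status 1 if no complete block is present.
pem_normalize() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { inblock = 1 }
        inblock                          { print }
        /^-----END CERTIFICATE-----$/    { if (inblock) { complete = 1; exit } }
        END                              { exit complete ? 0 : 1 }
    '
}

# Print the CN from an "openssl x509 -noout -subject" line on stdin (step 3).
# Handles the legacy "subject= /C=US/.../CN=name/..." layout shown in the
# procedure and the "subject=C = US, ..., CN = name, ..." layout of newer
# OpenSSL releases.
subject_cn() {
    sed -n \
        -e 's#^subject=.*/CN=\([^/]*\).*#\1#p' \
        -e 's#^subject=.*[ ,]CN *= *\([^,]*\).*#\1#p'
}

# Checks to run before step 2: the client certificate must chain to the CA
# that will be trusted, and it either carries CRL/OCSP URIs or the domain
# must be given security.revocationFile / security.revocationLdapUrl instead.
cert_checks() {
    cert=$1
    ca=$2
    openssl verify -CAfile "$ca" "$cert" || return 1
    subj=$(openssl x509 -noout -subject -in "$cert")
    echo "$subj"
    echo "certificate user (subject CN): $(printf '%s\n' "$subj" | subject_cn)"
    openssl x509 -noout -fingerprint -sha256 -in "$cert"
    echo "revocation URIs in the certificate (none: set the domain revocation properties):"
    openssl x509 -noout -text -in "$cert" | grep 'URI:' || echo "  none"
    echo "next: streamtool addcertificate -d <domainid> --clientid <name> -f $ca"
}

# Constructed sample: a PEM export that carries text outside the markers.
# The base64 body is filler, not a real certificate.
SAMPLE_PEM='Bag Attributes
    friendlyName: streamsuser
subject=/C=US/ST=MN/O=IBM/OU=Streams/CN=streamsuser
-----BEGIN CERTIFICATE-----
QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
QUFBQUFBQUFBQUFB
-----END CERTIFICATE-----
trailing text that must not survive'

if [ $# -ge 2 ]; then
    # usage: sh prepare_cert.sh /streamscertificates/streamsuser.pem streamsca.pem
    cert_checks "$1" "$2"
else
    # Stand-alone demonstration on the constructed sample data.
    printf '%s\n' "$SAMPLE_PEM" | pem_normalize
    printf 'subject= /C=US/ST=MN/O=IBM/OU=Streams/CN=streamsuser/emailAddress=streamsuser@example.com\n' | subject_cn
fi
```

Run it with no arguments to see the cleaned PEM block and the extracted CN for the sample data, or pass the client certificate and CA certificate paths to run the openssl checks against real files. If the URI list is empty, the CA did not embed revocation pointers and you must configure the domain revocation properties before adding more than one CA certificate.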