IBM InfoSphere Streams Version 4.1.1

Verifying certificates for InfoSphere Streams users

Use this procedure to verify that the X.509 certificates that you obtained from a certificate authority (CA) can be used to authenticate InfoSphere® Streams users.

About this task

The following files are used in the procedure examples:
  • root-ca.pem: Certificate of the CA that issued the sub-ca.pem file.
  • sub-ca.pem: Certificate of the CA that issued the user.pem file.
  • user.pem: Certificate of the user that was issued by the subordinate CA.
  • crl.pem: Certificate revocation list that was generated by the subordinate CA.

Procedure

  1. Display the text data in the client certificate, for example:
    openssl x509 -noout -text -in user.pem
    Output example:
    Certificate:
              Data:
                  Version: 3 (0x2)
                  Serial Number: 4111 (0x100f)
                  Signature Algorithm: sha1WithRSAEncryption
                  Issuer: C=US, ST=MN, O=IBM, OU=Streams, CN=subCA/emailAddress=admin@example.com
                  Validity
                      Not Before: Oct 14 15:49:27 2015 GMT
                      Not After : Oct 13 15:49:27 2016 GMT
                  Subject: C=US, ST=MN, O=IBM, OU=Streams, CN=streamsuser/emailAddress=streamsuser@example.com
                  Subject Public Key Info:
                      Public Key Algorithm: rsaEncryption
                      RSA Public Key: (1024 bit)
                          Modulus (1024 bit):
                              00:a3:69:09:6a:d4:ce:5d:61:03:fa:a6:e4:4b:39:
                              ec:0c:27:c8:cd:67:1d:18:f6:b9:31:55:31:82:aa:
                              3c:ea:eb:29:1e:7d:83:2b:7b:bb:7c:3c:86:68:41:
                              f9:b1:9f:0b:c0:0c:6d:06:57:95:11:8a:55:c5:85:
                              3a:a6:65:d2:85:16:78:29:b8:59:e8:20:5e:88:ee:
                              36:09:20:da:35:82:0a:3e:3a:19:bc:d7:d9:3b:61:
                              50:04:4a:fd:f8:92:bc:a3:fb:57:fc:eb:28:f4:d1:
                              6f:10:be:32:d9:11:d6:e3:66:73:20:5f:23:86:1d:
                              6c:f5:ac:0b:7e:d3:7e:fa:5f
                          Exponent: 65537 (0x10001)
                  X509v3 extensions:
                      Netscape Comment: 
                          OpenSSL Client Certificate
                      Authority Information Access: 
                          OCSP - URI:http://example.com:9080
    
                      X509v3 Authority Key Identifier: 
                          keyid:14:3C:36:B2:49:F5:D7:55:5B:86:7F:2E:F0:DB:B5:4B:EC:0B:9D:54
                          DirName:/C=US/ST=MN/L=Rochester/O=IBM/CN=IBM/emailAddress=admin@example.com
                          serial:58
    
                      X509v3 Basic Constraints: 
                          CA:FALSE
                      X509v3 CRL Distribution Points: 
                          URI:http://example.com/crl.pem
    
                      X509v3 Key Usage: critical
                          Digital Signature
                      X509v3 Extended Key Usage: 
                          TLS Web Client Authentication
                      X509v3 Subject Key Identifier: 
                          26:A1:46:FC:07:24:90:AA:01:4F:C9:11:87:20:C2:30:DC:E6:43:D8
              Signature Algorithm: sha1WithRSAEncryption
                  b6:a1:48:1d:e1:da:91:dd:50:02:5c:58:46:12:9e:7e:a4:20:
                  09:b5:32:af:90:3b:a7:75:ee:e9:90:65:a5:3c:91:67:5f:0a:
                  98:81:13:77:15:1b:87:3c:0d:86:6c:62:8c:99:06:c8:1b:b4:
                  e7:96:12:94:2c:f8:5f:ec:0d:69:20:bc:94:3a:ce:e6:0d:5e:
                  55:6d:17:ed:54:55:25:ee:c8:85:42:87:05:ef:03:5f:04:89:
                  8f:7c:21:d9:c6:45:cd:50:18:cf:20:e1:06:8e:ae:ad:78:97:
                  f5:71:22:f7:8b:5c:df:f5:01:bf:04:47:18:ff:cc:b6:64:49:
                  46:95

  2. Display the subordinate CA certificate subject and issuer data, for example:
    openssl x509 -noout -subject -issuer -in sub-ca.pem
    Output example:
    subject= /C=US/ST=MN/O=IBM/OU=Streams/CN=subCA/emailAddress=admin@example.com
    issuer= /C=US/ST=MN/L=Rochester/O=IBM/CN=rootCA/emailAddress=admin@example.com

  3. Display the root CA certificate subject and issuer data, for example:
    openssl x509 -noout -subject -issuer -in root-ca.pem
    Output example:
    subject= /C=US/ST=MN/L=Rochester/O=IBM/CN=rootCA/emailAddress=admin@example.com
    issuer= /C=US/ST=MN/L=Rochester/O=IBM/CN=rootCA/emailAddress=admin@example.com

  4. Verify the client certificate with the trusted certificates.
    1. Create a CA chain file, for example:
      cat sub-ca.pem root-ca.pem > ca-chain.pem
    2. Verify the client certificate with the trusted certificates, for example:
      openssl verify -CAfile ca-chain.pem user.pem

  5. Verify the revocation status of the client certificate with the trusted certificates, for example:
    openssl verify -crl_check -CAfile ca-chain.pem -CRLfile crl.pem user.pem
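
The procedure above as one script, added here as an example and not part of the IBM documentation: it compares the issuer and subject names shown in steps 1 to 3, then runs the commands from steps 4 and 5 and treats any error line in the openssl verify output as a failure. The function names dn, verify_result and check_user_cert and the return codes are assumptions; the file names are the ones used on this page.

```shell
#!/bin/sh
# Added example, not IBM's code. File names follow the page; the function
# names and return codes are assumptions made for this sketch.

# Print the subject or issuer name ($1) of certificate $2 in one fixed format.
dn() { openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed "s/^$1= *//"; }

# Interpret captured `openssl verify` output ($2) for file $1. Any
# "error N at D depth lookup" line is a failure, even if OK is also printed.
verify_result() {
    reason=$(printf '%s\n' "$2" |
        sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1)
    if [ -n "$reason" ]; then
        echo "FAIL: $reason"
        return 1
    fi
    case $2 in
        *"$1: OK"*) echo "OK" ;;
        *) echo "FAIL: no OK line in output"; return 1 ;;
    esac
}

# Steps 1-5 in one pass. Arguments: user.pem sub-ca.pem root-ca.pem crl.pem
check_user_cert() {
    user=$1 sub=$2 root=$3 crl=$4
    # Steps 1-3: each issuer name must equal the subject name one level up,
    # and the root must be self-issued.
    [ "$(dn issuer "$user")" = "$(dn subject "$sub")" ] ||
        { echo "FAIL: issuer of $user is not the subject of $sub"; return 2; }
    [ "$(dn issuer "$sub")" = "$(dn subject "$root")" ] ||
        { echo "FAIL: issuer of $sub is not the subject of $root"; return 2; }
    [ "$(dn issuer "$root")" = "$(dn subject "$root")" ] ||
        { echo "FAIL: $root is not self-issued"; return 2; }
    chain=$(mktemp) || return 3
    cat "$sub" "$root" > "$chain"                                  # step 4.1
    out=$(openssl verify -CAfile "$chain" "$user" 2>&1)            # step 4.2
    printf 'chain: '
    verify_result "$user" "$out" || { rm -f "$chain"; return 4; }
    out=$(openssl verify -crl_check -CAfile "$chain" -CRLfile "$crl" "$user" 2>&1)
    rm -f "$chain"
    printf 'revocation: '                                          # step 5
    verify_result "$user" "$out" || return 5
}

# Run only when the four file names are given on the command line.
if [ "$#" -eq 4 ]; then check_user_cert "$@"; fi
```

When every check passes, the script prints "chain: OK" and "revocation: OK" and returns 0; a name mismatch returns 2, a chain failure 4 and a revocation failure 5.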