Home
Configuring
Create a basic or an enterprise domain which is a single point for configuring and managing common resources, security, and instances.
Configuring security
Each Teracloud® Streams domain and instance maintains its own security configuration.
User authentication
The default user authentication method for Teracloud® Streams domains is PAM or LDAP. For a basic domain, Teracloud Streams uses PAM. For an enterprise domain, you can specify either LDAP or PAM as the default method when you create the domain, and then customize user authentication after the domain is created.
Customizing user authentication
When you create an enterprise domain, you must specify either LDAP or PAM as the default user authentication method for Teracloud® Streams. After creating the domain, you can use login modules and client certificates to customize user authentication.
Setting up client certificate authentication
Use this procedure to set up client certificate authentication for a Teracloud® Streams domain by using X.509 certificates. Using client certificate authentication is optional.
Creating a PKCS #12 file
Use this procedure to create a password protected PKCS #12 file that contains one or more certificates.

Welcome
Learn about the core capabilities of Teracloud® Streams, its architecture, and key concepts.
Installing
Use this information to install, upgrade, and uninstall the Teracloud® Streams product.
Configuring
Create a basic or an enterprise domain which is a single point for configuring and managing common resources, security, and instances.
- Setting up a basic domain on a single resource
  A basic domain has a single Teracloud® Streams resource and user. This type of domain is typically used for test or development environments.
- Setting up an enterprise domain on multiple resources
  An enterprise domain can have multiple resources and users. This type of domain is typically used for production environments. You can configure high availability to ensure that Teracloud® Streams can continue to run even if resources fail or are not available.
- Configuring security
  Each Teracloud® Streams domain and instance maintains its own security configuration.
  - User authorization
    Teracloud® Streams uses access control lists (ACLs) to manage user authorization for domains and instances. An ACL contains the type of domain and instance objects to secure and the actions that a user or group is authorized to perform against the object. The ACLs are initialized when you create a domain or instance.
  - User authentication
    The default user authentication method for Teracloud® Streams domains is PAM or LDAP. For a basic domain, Teracloud Streams uses PAM. For an enterprise domain, you can specify either LDAP or PAM as the default method when you create the domain, and then customize user authentication after the domain is created.
    - Order of user authentication checks
      Your user authentication configuration determines how Teracloud® Streams authenticates users.
    - Customizing user authentication
      When you create an enterprise domain, you must specify either LDAP or PAM as the default user authentication method for Teracloud® Streams. After creating the domain, you can use login modules and client certificates to customize user authentication.
      - Setting up login module authentication
        Teracloud® Streams authenticates users by using a Java™ Authentication and Authorization Service (JAAS). You can use the login modules that are included in the product, or you can create your own to customize the security settings of your domain. Using login modules is optional.
      - Setting up client certificate authentication
        Use this procedure to set up client certificate authentication for a Teracloud® Streams domain by using X.509 certificates. Using client certificate authentication is optional.
        Verifying certificates
        Use this procedure to verify that the X.509 certificates that you obtained from a certificate authority (CA) can be used to authenticate Teracloud® Streams users.
        Creating a PKCS #12 file
        Use this procedure to create a password protected PKCS #12 file that contains one or more certificates.
        Setting up client certificate revocation checking
        A certificate authority (CA) that issues an X.509 client certificate can also revoke that certificate. If the CA revokes a certificate, user authentication fails. The security.revocationMethod domain property specifies the method that a Teracloud® Streams domain uses to check whether a certificate is revoked. If you are not using client certificate authentication, this property is ignored.
        Setting the user ID pattern for certificate authentication
        Certificate authentication uses client authentication to authenticate the client connection, and then extracts information from the distinguished name (DN) of the client certificate to authenticate users. By default, Teracloud® Streams checks for a user ID in the DN common name (cn) field.
    - Generating authentication keys
      Use this procedure to generate public and private keys for Teracloud® Streams. Generating public and private keys eliminates the need for Teracloud Streams users to enter a password when they run streamtool commands.
    - Security session timeout property
      The security session timeout is the number of seconds before a Teracloud® Streams user session expires. This property setting is independent of the PAM or LDAP authentication service.
  - Linux users and Teracloud® Streams jobs
    To determine which Linux user has the authority to run the jobs for a Teracloud® Streams instance, you must first determine which user is running the domain controller services for your domain. The security implications of the instance.runAsUser and instance.canSetPeOSCapabilities property settings also need to be considered.
  - Changing the cryptographic protocol
    Many domain and instance services support connections that use Transport Layer Security (TLS) cryptographic protocols. You can specify which cryptographic protocols the services use for secure communication by setting domain and instance properties. Starting with Teracloud® Streams Version 7.2.0, the default protocol setting is TLSv1.3, which indicates that TLS 1.3 or later protocols are used.
  - Securing a Teracloud® Streams cluster
    While applications are deployed into production environments with specific recommendations that apply to individual customers, enterprise organizations generally have security policies and procedures that must be met and followed. To meet enterprise requirements, a combination of product and environment configuration is needed. The following are some key features using the standard information security CIA triad.
- Configuring audit logging
  Teracloud® Streams supports comprehensive, multiple-level auditing of product and user operations. By default, audit logging is not enabled.
- Configuring transport mechanisms
  Teracloud® Streams supports several high-performance and configurable transport mechanisms for communicating across processing elements (PEs). You can configure the transport mechanism by updating Teracloud Streams properties.
- Configuring a checkpoint data store
  Use this procedure to configure a checkpoint data store for Teracloud® Streams domains and instances.
Administering
Administer the product by using the Teracloud® Streams graphical user interface, APIs, or the streamtool command-line interface.
Developing
Develop stream applications with the Streams Processing Language (SPL), Java, and Python.
Troubleshooting
Resolve problems with Teracloud® Streams using the troubleshooting tools provided with the product as well as the resources offered by Teracloud Support.
Reference
Find details on the SPL language, toolkits, APIs, commands, and more.
Glossary
Use this glossary to find terms and definitions for Teracloud® Streams.

Creating a password protected PKCS #12 file for certificates

Use this procedure to create a password protected PKCS #12 file that contains one or more certificates.

Before you begin

In the following procedure, the openssl command is used to work with certificates. This command is included in the openssl package. To download this package, go to the OpenSSL website.

About this task

The following files are used in the procedure examples:

root-ca.pem: Certificate of the CA that issued the sub-ca.pem file.
sub-ca.pem: Certificate of the CA that issued the user.pem file.
user.pem: Certificate of the user that was issued by the subordinate CA.
user.key: Private key of the user certificate.

Procedure

The following examples show how to create a password protected PKCS #12 file that contains one or more certificates. For more information about the openssl pkcs12 command, enter man pkcs12.

PKCS #12 file that contains one user certificate.

openssl pkcs12 -export -in user.pem -caname user alias -nokeys -out user.p12 -passout pass:pkcs12 password

PKCS #12 file that contains one user certificate and its private key.

openssl pkcs12 -export -in user.pem -name user alias -inkey user.key -passin pass:key password -out user.p12 -passout pass:pkcs12 password

PKCS #12 file that contains one CA certificate.

openssl pkcs12 -export -in sub-ca.pem -caname sub-ca alias -nokeys -out sub-ca.p12 -passout pass:pkcs12 password

PKCS #12 file that contains a trusted CA chain of certificates.

cat sub-ca.pem root-ca.pem > ca-chain.pem
openssl pkcs12 -export -in ca-chain.pem -caname sub-ca alias -caname root-ca alias -nokeys -out ca-chain.p12 -passout pass:pkcs12 password

PKCS #12 file that contains a user certificate, user private key, and the associated CA certificate.

openssl pkcs12 -export -in user.pem -name user alias -inkey user.key -passin pass:key password -certfile sub-ca.pem -caname sub-ca alias -out user_and_sub-ca.p12 -passout pass:pkcs12 password