Configuring security for the Streams REST management API

When you are developing an application that uses the Streams REST management API, you must configure the access control lists, choose a method for authenticating users, and handle server and client certificates.

Procedure

  1. Configure the access control lists for IBM Streams resources.

    To use the REST management API successfully, a user must be authorized to access Streams objects. You can configure the access control lists for domain and instance objects by using the Streams Console, REST management API, or JMX management API.

  2. Configure the method by which the application user is authenticated for access to Streams.
    • The Streams REST management API supports HTTP basic authentication. To use HTTP basic authentication, you must supply a user name and password in the HTTP Authorization request header. The user ID and password must be UTF-8 bytes that are encoded by using the MIME variant of Base64.
      Note: Some browsers only support 8859-1 characters in HTTP headers. If you use a browser to access the Streams REST management API and the user name or password contains characters outside the 8859-1 character set, the browser that you use must support UTF-8 characters in HTTP headers.

      If you are using the REST management API from a web browser, the browser prompts you for this information. The message includes a realm name, which is the URL-encoded name of IBM Streams. If you want to decode this realm name, use a URL decoder.

      For a code sample that uses HTTP basic authentication, see the example in Processing REST management API requests.

  3. Validate the Streams certificate to determine whether the Streams server is trusted.

    By default, Streams identifies itself to clients by using a self-signed certificate. You must store this certificate in a truststore on the client system. You can use the Streams Console, REST management API, or JMX management API to export the keystore from the server and import it into a client truststore, which then holds the certificate. Your application must validate the certificate that it receives when it establishes the HTTPS connection to the Streams server. You can validate the certificate that you receive from the server by comparing it to the certificate in the truststore. In addition, because the Streams certificate is not specific to a single server, you must also provide a host name verifier to trust the certificate. For a code sample that provides a host name verifier, see the example in Processing REST management API requests.

  4. If client authentication is enabled for the domain, the Streams server accepts HTTPS connections from trusted clients only. You must create a client certificate and add it to the Streams client truststore. Your application must also make the client certificate available when it establishes the HTTPS connection.
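The following Python client is an added example that is not part of this page or of the IBM Streams code samples. It covers steps 2 to 4 in one place: it builds the HTTP basic authentication credential from UTF-8 bytes with standard (MIME alphabet) Base64, URL-decodes the realm from a 401 challenge, trusts only the certificate exported into a client truststore (comparing the certificate the server presents against that stored copy), applies an explicit host name verifier because the Streams certificate is not host-specific, and presents a client certificate when the domain requires one. The host name `streams-mgmt.example.com`, the truststore and client certificate file paths, and the request path `/streams/rest/resources` are assumptions for illustration.

```python
"""Added example (not IBM's code): HTTPS client for the Streams REST management
API showing basic authentication, truststore-based certificate validation,
an explicit host name verifier, and optional client certificate presentation."""
import base64
import hashlib
import hmac
import http.client
import re
import ssl
from typing import Callable, Iterable, Optional, Tuple
from urllib.parse import unquote


def basic_auth_header(user: str, password: str) -> str:
    """Authorization value: 'user:password' as UTF-8 bytes, then standard Base64."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic_auth_header(value: str) -> Tuple[str, str]:
    """Inverse of basic_auth_header: what a server does to recover the credential."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, sep, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("credential lacks ':' separator")
    return user, password


def realm_from_challenge(www_authenticate: str) -> str:
    """Streams sends a URL-encoded realm name; decode it for display."""
    m = re.search(r'realm="([^"]*)"', www_authenticate)
    if not m:
        raise ValueError("no realm in challenge")
    return unquote(m.group(1))


def pem_to_der(pem_text: str) -> bytes:
    """DER bytes of the first certificate in a PEM truststore export."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no certificate in PEM text")
    return base64.b64decode("".join(m.group(1).split()))


def certificate_matches(peer_der: bytes, trusted_der: bytes) -> bool:
    """Step 3: the presented certificate must equal the truststore copy
    (SHA-256 fingerprints compared in constant time)."""
    return hmac.compare_digest(hashlib.sha256(peer_der).digest(),
                               hashlib.sha256(trusted_der).digest())


def host_name_verifier(allowed_hosts: Iterable[str]) -> Callable[[str], bool]:
    """Step 3: a shared certificate cannot pass a CN/SAN check, so the
    operator lists the Streams hosts that may present it."""
    allowed = {h.lower() for h in allowed_hosts}
    return lambda host: host.lower() in allowed


def make_ssl_context(truststore_pem: str, client_cert_pem: Optional[str] = None,
                     client_key_pem: Optional[str] = None) -> ssl.SSLContext:
    ctx = ssl.create_default_context(cafile=truststore_pem)  # only the exported Streams cert is trusted
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = False  # replaced by host_name_verifier above, never simply dropped
    if client_cert_pem:  # step 4: domain has client authentication enabled
        ctx.load_cert_chain(certfile=client_cert_pem, keyfile=client_key_pem)
    return ctx


def get_resource(host: str, port: int, path: str, ctx: ssl.SSLContext, trusted_der: bytes,
                 verify_host: Callable[[str], bool], user: str, password: str) -> Tuple[int, bytes]:
    """Connect, pin the server certificate, then issue an authenticated GET."""
    if not verify_host(host):
        raise ssl.SSLError(f"{host!r} is not an allowed Streams host")
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.connect()
    try:
        peer_der = conn.sock.getpeercert(binary_form=True)
        if not certificate_matches(peer_der, trusted_der):
            raise ssl.SSLError("server certificate does not match the truststore copy")
        conn.request("GET", path, headers={"Authorization": basic_auth_header(user, password),
                                           "Accept": "application/json"})
        resp = conn.getresponse()
        body = resp.read()
        if resp.status == 401:
            realm = realm_from_challenge(resp.getheader("WWW-Authenticate") or "")
            raise PermissionError(f"credentials rejected for realm {realm!r}")
        return resp.status, body
    finally:
        conn.close()


if __name__ == "__main__":  # assumed paths and host; adjust to your domain
    ctx = make_ssl_context("streams-truststore.pem", "client-cert.pem", "client-key.pem")
    with open("streams-truststore.pem") as f:
        trusted = pem_to_der(f.read())
    verifier = host_name_verifier(["streams-mgmt.example.com"])
    status, body = get_resource("streams-mgmt.example.com", 8443, "/streams/rest/resources",
                                ctx, trusted, verifier, "streamsadmin", "secret")
    print(status, body[:200])
```

Keeping `verify_mode = CERT_REQUIRED` means the TLS library still rejects any certificate not signed by (or identical to) the truststore entry; the pin check on top of that is the comparison the page calls for, and the host name verifier is the replacement for the built-in host check, not a way to skip it.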