Configuring security for the InfoSphere Streams REST API
When you are developing an application that uses the InfoSphere® Streams REST API, you must configure the access control lists, choose a method for authenticating users, and handle server and client certificates.
Procedure
- Configure the access control lists for InfoSphere Streams resources.
To use the REST API successfully, a user or application must be authorized to access InfoSphere Streams objects. You can configure the access control lists for instance objects by using the Streams Console or the streamtool setacl command. To configure the access control lists for domain objects, use the Domain Manager or the streamtool setdomainacl command.
- Configure the method by which the application user is authenticated for access to InfoSphere Streams.
- If the domain is configured to use client authentication and the client certificate contains an InfoSphere Streams user name, no further configuration is required. The user is authenticated when the certificate is verified.
- If the preceding option is not applicable, you can use HTTP basic authentication. To use HTTP basic authentication, you must supply a user name and password in the HTTP Authorization request header. The user ID and password must be UTF-8 bytes that are encoded by using the MIME variant of Base64. Note: Some browsers support only 8859-1 characters in HTTP headers. If you use a browser to access the InfoSphere Streams REST API and the user name or password contains characters outside the 8859-1 character set, the browser that you use must support UTF-8 characters in HTTP headers.
If you are using the REST API from a web browser, the browser prompts you for this information. The message includes a realm name, which is the URL-encoded name of the InfoSphere Streams domain. If you want to decode this realm name, use a URL decoder.
For a code sample that uses HTTP basic authentication, see the example in Processing REST API requests.
- Validate the InfoSphere Streams certificate to determine whether the InfoSphere Streams server is trusted.
By default, InfoSphere Streams identifies itself to clients by using a self-signed certificate. You must store this certificate in a truststore on the client system. You can use the streamtool exportkeystore command to store the certificate. Your application must validate the certificate that it receives when it establishes the HTTPS connection to the InfoSphere Streams server. You can validate the certificate that you receive from the server by comparing it to the certificate in the truststore. In addition, since the InfoSphere Streams certificate is not specific to a single server, you must also provide a host name verifier to trust the certificate. For a code sample that provides a host name verifier, see the example in Processing REST API requests.
- If client authentication is enabled for the domain, the InfoSphere Streams server accepts HTTPS connections from trusted clients only. You must create a client certificate and add it to the InfoSphere Streams client truststore. Your application must also make the client certificate available when it establishes the HTTPS connection.
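The client-side steps of this procedure, as an added example in Python that is not part of the InfoSphere Streams documentation or product: building the basic-authentication header as UTF-8 bytes in MIME Base64, decoding the URL-encoded realm, validating the server certificate by comparing it with the exported truststore certificate instead of relying on host name matching, and presenting a client certificate when client authentication is enabled. It assumes the truststore and client certificate are available as PEM files (file names, `host`, `port` and the sample certificate bytes are constructed for illustration; the REST API paths are not shown here).

```python
import base64
import hashlib
import hmac
import http.client
import ssl
from urllib.parse import unquote


def basic_auth_header(user, password):
    """Value of the HTTP Authorization request header for basic authentication.
    'user:password' is encoded as UTF-8 bytes and then Base64 (the MIME/RFC 2045
    alphabet, which is what base64.b64encode produces)."""
    credentials = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def decode_basic_auth_header(value):
    """Inverse of basic_auth_header, used here to show the UTF-8 round trip
    for credentials outside the 8859-1 character set."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a basic-authentication header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def decode_realm(realm):
    """The realm in the server's challenge is the URL-encoded domain name."""
    return unquote(realm)


def cert_fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def peer_cert_is_trusted(peer_der, trusted_ders):
    """Compare the DER certificate received from the server with the
    certificate(s) stored in the client truststore. Because the Streams
    certificate is not specific to one server, this pin check takes the
    place of host name verification."""
    peer_fp = cert_fingerprint(peer_der)
    return any(hmac.compare_digest(peer_fp, cert_fingerprint(t)) for t in trusted_ders)


def make_ssl_context(truststore_pem, client_cert_pem=None, client_key_pem=None):
    """TLS context that trusts only the exported Streams certificate and, when
    the domain requires client authentication, presents the client certificate.
    PEM files are an assumption of this example."""
    ctx = ssl.create_default_context(cafile=truststore_pem)
    ctx.verify_mode = ssl.CERT_REQUIRED      # chain must still validate against the truststore
    ctx.check_hostname = False               # host match is replaced by peer_cert_is_trusted()
    if client_cert_pem:
        ctx.load_cert_chain(certfile=client_cert_pem, keyfile=client_key_pem)
    return ctx


def connect_to_streams(host, port, ctx, trusted_ders):
    """Open the HTTPS connection and refuse it unless the server presented
    a certificate that is in the truststore."""
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    conn.connect()
    peer_der = conn.sock.getpeercert(binary_form=True)
    if not peer_cert_is_trusted(peer_der, trusted_ders):
        conn.close()
        raise ssl.SSLCertVerificationError("server certificate is not in the client truststore")
    return conn


if __name__ == "__main__":
    # Offline demonstration with constructed values; no connection is made here.
    print(basic_auth_header("streamsadmin", "pass\u00fcword"))
    print(decode_realm("Streams%20Domain"))
    # A real call would look like (hypothetical file names and host):
    #   ctx = make_ssl_context("streams-truststore.pem", "client.pem", "client.key")
    #   with open("streams-server.der", "rb") as f:
    #       conn = connect_to_streams("streams.example.invalid", 8443, ctx, [f.read()])
    #   conn.request("GET", "/streams/rest/...", headers={"Authorization": basic_auth_header(u, p)})
```

Setting `check_hostname` to `False` is safe only because `verify_mode` stays `CERT_REQUIRED` and every connection is additionally pinned to the exported certificate; dropping either check would let any certificate signed by the truststore contents, or any certificate at all, be accepted.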
