IBM Streams 4.2.1

Setting up the PAM authentication service for IBM Streams users

The Pluggable Authentication Module (PAM) authentication service is the default mechanism for user authentication on Linux systems. You can create an IBM® Streams enterprise domain that uses the default Linux authentication option, which is PAM with a UNIX backend, or you can use other PAM options such as PAM with the LDAP backend. The preferred PAM option for a high availability environment is PAM with the LDAP backend.

Before you begin

If you configure security to use PAM with a UNIX backend, only the domain owner can log in to an IBM Streams domain by using a user ID and password. The cause is in the backend, not in IBM Streams: the UNIX backend verifies passwords against /etc/shadow, which only root can read, so a domain controller running as the (unprivileged) domain owner can verify only that owner's own password. This restriction does not apply to domains that use other PAM options such as PAM with the LDAP backend, because the LDAP server performs the password check.

You can use the following options to work around this restriction:

  • Use the security.runAsRoot domain property to enable both the domain owner and non-domain-owner clients to log in with a user ID and password. As the name indicates, the domain controller service then runs with root privilege, which is what allows PAM to verify any user's password; treat the domain controller host accordingly. You can update this property by using the Domain Manager or the streamtool setdomainproperty command. The following example shows how to update the property by using the command:
    streamtool -d domain1 setdomainproperty security.runAsRoot=true
    Note: This property pertains only to resources where the domain controller service is registered as a Linux system service. You can register the domain controller service as a system service by running the streamtool registerdomainhost command.
    The security.runAsRoot property works for all IBM Streams clients, including the Streams Console, Streams Studio, the streamtool command-line interface, and the REST and JMX domain management API clients.
    Note: The security.runAsRoot property is the only option that enables Streams Studio and the REST and JMX domain management API clients to use the domain and its instances; the two alternatives that follow cover only the Streams Console and streamtool.

  • The Streams Console can be configured to use certificate-based client authentication as an alternative to the security.runAsRoot property.

  • Public and private keys can be used by the streamtool command-line interface as an alternative to the security.runAsRoot property.

Procedure

The system administrator configures PAM by using the instructions in the PAM documentation.
Important: The IBM Streams resource that is running the authentication and authorization service must be able to access the PAM backend to verify and authenticate IBM Streams users.
  • For PAM with a UNIX backend, the IBM Streams users must be defined on this system.
  • For PAM with the LDAP backend, the LDAP server must be accessible from the resource that is running the authentication and authorization service.
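The two prerequisites above are easy to check before creating the domain. The following script is an added example and is not part of IBM Streams or its documentation; the user names, the LDAP host and the port are assumptions. It resolves each Streams user through the name service switch on the resource that will run the authentication and authorization service (for the UNIX backend this confirms the account is defined locally; for the LDAP backend it confirms the resource's LDAP client configuration can see the account) and, for the LDAP backend, confirms that the LDAP server port is reachable from that resource.

```shell
#!/bin/bash
# Pre-flight check for the PAM backend used by the IBM Streams authentication
# and authorization service. Added example; not part of IBM Streams.
# Run it on the resource that runs the authentication and authorization service.

# Resolve one user through NSS. Returns 0 if the user is defined on this
# resource (local passwd or LDAP, depending on nsswitch.conf), 1 otherwise.
resolve_user() {
    getent passwd "$1" >/dev/null 2>&1
}

# Check every Streams user given as an argument. Prints each user that does
# not resolve and returns 1 if any is missing, 0 if all resolve.
check_streams_users() {
    local missing=0 u
    for u in "$@"; do
        if ! resolve_user "$u"; then
            echo "missing: $u"
            missing=1
        fi
    done
    return $missing
}

# For PAM with the LDAP backend: confirm the LDAP server port answers from
# this resource. Uses bash's /dev/tcp so no LDAP client tools are needed.
# Returns 0 when a TCP connection succeeds within 3 seconds, 1 otherwise.
check_ldap_reachable() {
    local host="$1" port="${2:-389}"
    if timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
        return 0
    fi
    return 1
}

# Usage: preflight.sh unix user1 user2 ...
#        preflight.sh ldap ldap-host[:port] user1 user2 ...
# With no arguments nothing runs, so the functions can be sourced and reused.
if [ $# -gt 0 ]; then
    backend="$1"; shift
    case "$backend" in
        unix)
            check_streams_users "$@" && echo "all users defined locally"
            ;;
        ldap)
            # Assumed form: host or host:port (port defaults to 389).
            server="$1"; shift
            host="${server%%:*}"
            port="${server#*:}"; [ "$port" = "$server" ] && port=389
            check_ldap_reachable "$host" "$port" \
                || { echo "LDAP server $host:$port not reachable"; exit 1; }
            check_streams_users "$@" && echo "LDAP server reachable, all users resolve"
            ;;
        *)
            echo "backend must be unix or ldap" >&2; exit 2
            ;;
    esac
fi
```

A user that resolves through getent but still cannot log in points at the PAM stack itself (for example, an LDAP account that resolves through NSS while the PAM configuration still uses only pam_unix), so this check separates "account not visible on the resource" from "PAM not configured for the backend".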