IBM Streams 4.2.1
Setting up the PAM authentication service for IBM Streams users
The Pluggable Authentication Module (PAM) authentication service is the default mechanism for user authentication on Linux systems. You can create an IBM® Streams enterprise domain that uses the default Linux authentication option, which is PAM with a UNIX backend, or you can use other PAM options such as PAM with the LDAP backend. The preferred PAM option for a high availability environment is PAM with the LDAP backend: a UNIX backend authenticates only against accounts that exist on the resource that runs the authentication and authorization service, so every resource that can take over that service would have to carry the same local accounts, whereas a central LDAP directory can serve whichever resource is running the service.
Before you begin
If you configure security to use PAM with a UNIX backend, only the domain owner can log in to an IBM Streams domain by using a user ID and password. The restriction comes from the UNIX backend itself: pam_unix allows a process that is not running as root to verify only the password of the account it runs as, and the domain controller service runs as the domain owner. This restriction does not apply to domains that use other PAM options such as PAM with the LDAP backend.
You can use the following options to work around this restriction:
- Use the security.runAsRoot domain property to enable both the domain owner and non-domain-owner clients to log in with a user ID and password. You can update this property by using the Domain Manager or the streamtool setdomainproperty command. The following example shows how to update the property by using the command:
streamtool -d domain1 setdomainproperty security.runAsRoot=true
Note: This property pertains only to resources where the domain controller service is registered as a Linux system service. You can register the domain controller service as a system service by running the streamtool registerdomainhost command. Because, as its name states, the property runs the domain controller service as root, weigh it against the certificate and key alternatives listed below.
- The security.runAsRoot property works for all IBM Streams clients, including the Streams Console, Streams Studio, the streamtool command-line interface, and the REST and JMX domain management API clients.
Note: The security.runAsRoot property must be used to enable Streams Studio and the REST and JMX domain management API clients to use the domain and its instances.
- The Streams Console can be configured to use certificate-based client authentication as an alternative to the security.runAsRoot property.
- Public and private keys can be used by the streamtool command-line interface as an alternative to the security.runAsRoot property.
Procedure
The system administrator configures PAM by using the instructions in the PAM documentation.
Important: The IBM Streams resource that is running the authentication and authorization service must be able to access the PAM backend to verify and authenticate IBM Streams users. Check this on that resource itself, not from an administrator's workstation:
- For PAM with a UNIX backend, the IBM Streams users must be defined as accounts on the resource that runs the authentication and authorization service.
- For PAM with the LDAP backend, the LDAP server must be accessible (network path and firewall rules included) from the resource that is running the authentication and authorization service.
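The following script is an added example, not part of the IBM Streams documentation and not a Streams tool: it runs the two checks above on the resource that hosts the authentication and authorization service, before the domain is created. The LDAP URI format it accepts (ldap:// or ldaps://, optional :port, optional base DN after the host) and the default ports 389 and 636 are standard LDAP conventions assumed here, not values from the Streams documentation; the user names and host names in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not IBM Streams code): pre-flight check for the PAM backend,
# to be run on the resource that hosts the authentication and authorization
# service. UNIX backend: every Streams user must resolve as an account here.
# LDAP backend: the LDAP server in the URI must accept a TCP connection from
# this host. Default ports 389/636 are the standard LDAP ports (assumption).

# Does the account resolve on this host? id goes through NSS, as pam_unix does.
check_unix_user() {
    id "$1" >/dev/null 2>&1
}

# Host part of a URI such as ldap://ldap.example.com:389/dc=example,dc=com
ldap_host() (
    rest=${1#*://}                 # drop the scheme
    rest=${rest%%/*}               # drop any base DN after the first slash
    printf '%s\n' "${rest%%:*}"    # drop an explicit :port
)

# Port part of the URI, defaulting to 389 for ldap:// and 636 for ldaps://
ldap_port() (
    rest=${1#*://}
    rest=${rest%%/*}
    case $rest in
        *:*) printf '%s\n' "${rest##*:}" ;;
        *)   case $1 in
                 ldaps://*) printf '636\n' ;;
                 *)         printf '389\n' ;;
             esac ;;
    esac
)

# Can this host open a TCP connection to the LDAP server? Uses nc when
# present, otherwise falls back to bash's /dev/tcp pseudo-device.
check_ldap_reachable() {
    host=$(ldap_host "$1")
    port=$(ldap_port "$1")
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 5 "$host" "$port" >/dev/null 2>&1
    else
        timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
    fi
}

# preflight unix USER...            check that each user is a local account
# preflight ldap LDAP_URI USER...   check the server, then whether users resolve
# Returns 0 when every check passes, 1 on a failed check, 2 on bad usage.
preflight() {
    backend=$1; shift
    rc=0
    case $backend in
        unix)
            for u in "$@"; do
                if check_unix_user "$u"; then
                    echo "ok: $u is defined on this host"
                else
                    echo "MISSING: $u is not defined on this host; PAM/UNIX cannot authenticate it"
                    rc=1
                fi
            done ;;
        ldap)
            uri=$1; shift
            if check_ldap_reachable "$uri"; then
                echo "ok: $(ldap_host "$uri"):$(ldap_port "$uri") accepts connections"
            else
                echo "UNREACHABLE: $uri from this host; fix the network path or move the service"
                rc=1
            fi
            for u in "$@"; do
                # Only a warning: PAM can use LDAP without NSS also being LDAP-backed.
                check_unix_user "$u" && echo "ok: $u resolves on this host" \
                    || echo "warning: $u does not resolve here (fine if only PAM, not NSS, uses LDAP)"
            done ;;
        *)
            echo "usage: $0 unix USER... | ldap LDAP_URI USER..." >&2
            rc=2 ;;
    esac
    return $rc
}

# Runs only when invoked with arguments, for example:
#   ./streams-pam-preflight.sh unix streamsadmin alice bob
#   ./streams-pam-preflight.sh ldap ldaps://ldap.example.com alice bob
if [ "$#" -gt 0 ]; then
    preflight "$@"
fi
```

For the UNIX backend the script resolves each user through NSS (id), the same lookup pam_unix performs with getpwnam, so a missing account is reported before the domain is created. For the LDAP backend it proves only the TCP path; a bind failure caused by wrong credentials or base DN in the PAM LDAP configuration still shows up later as an authentication failure in the PAM logs rather than here.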