Configuring security for the IBM Streams REST API
When you are developing an application that uses the IBM® Streams REST API, you must configure the access control lists, choose a method for authenticating users, and handle server and client certificates.
Procedure
- Configure the access control lists for IBM Streams resources.
To use the REST API successfully, a user or application must be authorized to access IBM Streams objects. You can configure the access control lists for instance objects by using the Streams Console or the streamtool setacl command. To configure the access control lists for domain objects, use the Domain Manager or the streamtool setdomainacl command.
- Configure the method by which the application user is authenticated for access to IBM Streams.
- If the domain is configured to use client authentication and the client certificate contains an IBM Streams user name, no further configuration is required. The user is authenticated when the certificate is verified.
- If the preceding option is not applicable, you can use HTTP basic authentication. To use HTTP basic authentication, you must supply a user name and password in the HTTP Authorization request header. The user ID and password must be UTF-8 bytes that are encoded by using the MIME variant of Base64 (the standard Base64 alphabet; the encoded value must not contain the line breaks that MIME-encoded message bodies use, because a line break is not valid inside an HTTP header). Note: Some browsers only support ISO 8859-1 characters in HTTP headers. If you use a browser to access the IBM Streams REST API and the user name or password contains characters outside the ISO 8859-1 character set, the browser that you use must support UTF-8 characters in HTTP headers.
If you are using the REST API from a web browser, the browser prompts you for this information. The prompt includes a realm name, which is the URL-encoded name of the IBM Streams domain. To recover the domain name from the realm, use a URL decoder.
For a code sample that uses HTTP basic authentication, see the example in Processing REST API requests.
- Validate the IBM Streams certificate to determine whether the IBM Streams server is trusted.
By default, IBM Streams identifies itself to clients by using a self-signed certificate. You must store this certificate in a truststore on the client system. You can use the streamtool exportkeystore command to export the certificate for that truststore. Your application must validate the certificate that it receives when it establishes the HTTPS connection to the IBM Streams server. You can validate the certificate that you receive from the server by comparing it to the certificate in the truststore. In addition, because the IBM Streams certificate is not issued for a single host name, the default host name verification fails, so you must also provide a host name verifier that decides whether to trust the certificate for the host that you connected to. The verifier should confirm that the host is the one you intended to contact and that the presented certificate is the one in the truststore; a verifier that accepts every host defeats the purpose of the check. For a code sample that provides a host name verifier, see the example in Processing REST API requests.
- If client authentication is enabled for the domain, the IBM Streams server accepts HTTPS connections from trusted clients only. You must create a client certificate and add it to the IBM Streams client truststore. Your application must also present the client certificate when it establishes the HTTPS connection.
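The following Java program is an added example that ties the steps above together; it is not the sample from Processing REST API requests and not IBM's code. It assumes a hypothetical domain at streams.example.com, a truststore file produced by streamtool exportkeystore at an assumed path with an assumed password, an optional PKCS12 client keystore for domains that use client authentication, and Java 11 or later. It builds the Authorization header from UTF-8 bytes with the standard Base64 alphabet (no line breaks), loads the exported certificate into a trust manager, installs a host name verifier that pins the server's leaf certificate to the one in the truststore instead of accepting every host, and presents the client certificate when one is configured.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Base64;
import java.util.Collections;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class StreamsRestClient {

    // Hypothetical values for illustration only: replace with your own host, paths and passwords.
    static final String STREAMS_HOST = "streams.example.com";
    static final String RESOURCE_URL = "https://" + STREAMS_HOST + ":8443/streams/rest/resources";
    static final String TRUSTSTORE_PATH = "/path/to/streams-truststore.jks"; // output of streamtool exportkeystore
    static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();
    static final String CLIENT_KEYSTORE_PATH = null; // e.g. "/path/to/client.p12" when client authentication is on
    static final char[] CLIENT_KEYSTORE_PASSWORD = "".toCharArray();

    /** Step 2: HTTP basic authentication. Credentials are UTF-8 bytes in standard Base64. Java's
     *  "MIME" encoder inserts CRLF every 76 characters, which is illegal inside a header, so the
     *  basic encoder (same alphabet, no line breaks) is the right one here. */
    static String basicAuthHeader(String user, String password) {
        byte[] credentials = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(credentials);
    }

    static KeyStore loadKeyStore(String type, String path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Step 3: the truststore holds only the exported IBM Streams certificate, so the PKIX trust
     *  manager rejects any server certificate that does not chain to it. Step 4: when a client
     *  keystore is supplied, its certificate is presented during the TLS handshake. */
    static SSLContext buildSslContext(KeyStore truststore, KeyStore clientKeystore, char[] clientKeyPassword)
            throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        KeyManager[] keyManagers = null;
        if (clientKeystore != null) {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(clientKeystore, clientKeyPassword);
            keyManagers = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** The certificate entry in the truststore (alias is not assumed) that the verifier pins to. */
    static Certificate expectedServerCertificate(KeyStore truststore) throws GeneralSecurityException {
        for (String alias : Collections.list(truststore.aliases())) {
            if (truststore.isCertificateEntry(alias)) {
                return truststore.getCertificate(alias);
            }
        }
        throw new GeneralSecurityException("truststore contains no certificate entry");
    }

    /** Step 3, host name verification: the Streams certificate is not issued for a particular host,
     *  so the default verifier fails. Never return true unconditionally; require the host we meant
     *  to reach and check that the peer's leaf certificate is exactly the one from the truststore. */
    static HostnameVerifier pinningVerifier(String expectedHost, Certificate expectedCert) {
        return (hostname, session) -> {
            if (!expectedHost.equalsIgnoreCase(hostname)) {
                return false;
            }
            try {
                Certificate[] chain = session.getPeerCertificates();
                return chain.length > 0 && expectedCert.equals(chain[0]);
            } catch (IOException e) { // SSLPeerUnverifiedException: peer sent no certificate
                return false;
            }
        };
    }

    public static void main(String[] args) throws Exception {
        KeyStore truststore = loadKeyStore("JKS", TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD);
        KeyStore clientKeystore = CLIENT_KEYSTORE_PATH == null
                ? null : loadKeyStore("PKCS12", CLIENT_KEYSTORE_PATH, CLIENT_KEYSTORE_PASSWORD);
        SSLContext ctx = buildSslContext(truststore, clientKeystore, CLIENT_KEYSTORE_PASSWORD);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(RESOURCE_URL).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(pinningVerifier(STREAMS_HOST, expectedServerCertificate(truststore)));
        conn.setRequestProperty("Authorization", basicAuthHeader("streamsuser", "pässwörd")); // non-8859-1 is fine
        conn.setRequestProperty("Accept", "application/json");

        // A 401 response carries a WWW-Authenticate challenge whose realm is the URL-encoded domain name.
        System.out.println("HTTP " + conn.getResponseCode());
        try (InputStream in = conn.getInputStream()) {
            System.out.println(new String(in.readAllBytes(), StandardCharsets.UTF_8));
        }
    }
}
```

Two design points worth noting. The trust manager and the verifier do different jobs: the trust manager proves the certificate is the one you exported, and the verifier proves you reached the host you intended, which matters because the same certificate is valid for every server in the domain. Pinning in the verifier also protects you if the truststore later grows to contain more than one certificate. With client authentication enabled, a missing or wrong client keystore shows up as a handshake failure, not as a 401, so check TLS errors before suspecting the credentials.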
