Stronger, Simpler, and More Flexible Security
This release supports authentication via PKI certificates and pluggable authentication modules using the Java Authentication and Authorization Service (JAAS). Users are authenticated through JAAS login modules; Streams supplies modules for PAM, LDAP and X.509 certificates, and you can extend the set with your own login modules. In addition, LDAP authorization has been improved so that an anonymous bind to the LDAP server is no longer required.
Client certificate authentication for the domain using X.509 certificates is now available in IBM Streams. The following interfaces support certificate authentication: Domain Manager, Streams Console, the streamtool command-line interface, the JMX API, and the REST API.
The IBM Knowledge Center describes the support and its setup in the article Setting up client certificate authentication for InfoSphere Streams users.
Pluggable Authentication Modules
IBM Streams is now capable of using standard Java™ Authentication and Authorization Service (JAAS) pluggable authentication modules. You can use the login modules that are included in the product, or you can create your own to customize the security settings of your domain. Please note that using login modules is optional.
Visit the IBM Knowledge Center article Setting up login module authentication for more information on developing a login module and configuring IBM Streams to use it.
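As an added example (not IBM's code and not taken from the Knowledge Center article), the following Java 11 class implements the javax.security.auth.spi.LoginModule interface that any custom JAAS login module must provide. Instead of delegating to PAM or LDAP, it verifies the user's password against a local file of salted PBKDF2-HMAC-SHA256 hashes. The option name hashFile, the file format, the class name and the user alice are assumptions made for this example. Run it stand-alone with `java FileHashLoginModule.java` to see one successful and one failed login.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.sun.security.auth.UserPrincipal;

// Hypothetical JAAS login module (example code, not IBM's): checks the password against a local
// file whose lines are "user:iterations:saltBase64:hashBase64" (PBKDF2-HMAC-SHA256). The option
// name "hashFile" and that file format are assumptions made for this example.
public class FileHashLoginModule implements LoginModule {
    // Verified when the user is unknown, so PBKDF2 runs either way and timing does not leak names.
    private static final String DUMMY = "100000:" + b64(new byte[16]) + ":" + b64(new byte[32]);
    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> options;
    private UserPrincipal principal;   // set by login(), attached to the Subject by commit()

    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h; options = opts;
    }
    @Override public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException("no credentials: " + e); }
        String user = nc.getName();
        char[] password = pc.getPassword();   // a copy; wipe the callback's own copy right away
        pc.clearPassword();
        if (user == null || password == null) throw new FailedLoginException("missing credentials");
        boolean ok;
        try {
            String record = null;
            for (String line : Files.readAllLines(Path.of((String) options.get("hashFile"))))
                if (line.startsWith(user + ":")) record = line.substring(user.length() + 1);
            ok = verify(password, record != null ? record : DUMMY) & (record != null);
        } catch (Exception e) {
            throw new LoginException("cannot check credentials: " + e);
        } finally {
            Arrays.fill(password, '\0');   // do not leave the clear-text password on the heap
        }
        if (!ok) throw new FailedLoginException("bad user name or password");
        principal = new UserPrincipal(user);
        return true;
    }

    @Override public boolean commit() {
        if (principal != null && !subject.isReadOnly()) subject.getPrincipals().add(principal);
        return principal != null;
    }
    @Override public boolean abort() { principal = null; return true; }
    @Override public boolean logout() {
        if (principal != null && !subject.isReadOnly()) subject.getPrincipals().remove(principal);
        principal = null; return true;
    }

    // Builds one hash-file line with a fresh random salt; run it when provisioning an account.
    public static String makeRecord(String user, char[] password, int iterations) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return user + ":" + iterations + ":" + b64(salt) + ":" + b64(pbkdf2(password, salt, iterations));
    }
    private static boolean verify(char[] password, String record) throws Exception {
        String[] f = record.split(":");   // iterations:salt:hash
        byte[] actual = pbkdf2(password, Base64.getDecoder().decode(f[1]), Integer.parseInt(f[0]));
        return MessageDigest.isEqual(Base64.getDecoder().decode(f[2]), actual);   // constant-time compare
    }
    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        try { return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded(); }
        finally { spec.clearPassword(); }
    }
    private static String b64(byte[] b) { return Base64.getEncoder().encodeToString(b); }

    // Stand-alone demonstration with a constructed hash file: one good login, then one bad one.
    public static void main(String[] args) throws Exception {
        Path file = Files.createTempFile("streams-users", ".txt");
        Files.writeString(file, makeRecord("alice", "correct horse".toCharArray(), 100_000) + "\n");
        for (String attempt : new String[] { "correct horse", "wrong" }) {
            FileHashLoginModule m = new FileHashLoginModule();
            // Demo handler: login() asks for [NameCallback, PasswordCallback] in that order.
            m.initialize(new Subject(), cbs -> {
                ((NameCallback) cbs[0]).setName("alice");
                ((PasswordCallback) cbs[1]).setPassword(attempt.toCharArray());
            }, Map.of(), Map.of("hashFile", file.toString()));
            try { m.login(); m.commit(); System.out.println("login ok with '" + attempt + "'"); }
            catch (LoginException e) { System.out.println("login failed with '" + attempt + "': " + e.getMessage()); }
        }
    }
}
```

Three details matter more than the file format: PasswordCallback.getPassword() hands back a copy, so both the callback's copy and the module's copy are wiped as soon as the check is done; the hash comparison uses MessageDigest.isEqual so that it runs in constant time; and an unknown user name is still run through PBKDF2 against a dummy record, so a caller cannot tell valid from invalid user names by response time. Packaging the class and pointing the domain's JAAS configuration at it is covered by the Knowledge Center article referenced above.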
Order of User Authentication
Your user authentication configuration determines how IBM Streams authenticates users. The configured methods are tried in the following order:
- If configured, IBM Streams attempts to authenticate by using the login module configuration. If the user cannot be authenticated, IBM Streams continues to the next step.
- If configured, IBM Streams attempts to authenticate by using a client certificate. If the user cannot be authenticated, IBM Streams continues to the next step.
- IBM Streams authenticates by using the default user authentication method that was specified when you created the domain (LDAP or PAM).
LDAP Anonymous Bind
When configured, IBM Streams accesses an LDAP server to perform the following functions:
- Authenticate a Streams user
- Retrieve the authenticated user's group membership
- Map the requested user name to the actual LDAP user (user secondary lookup)
In Streams release 4.0, retrieving a user's group membership or mapping an entered user name to an actual LDAP user (user secondary lookup) required an anonymous bind to the LDAP server. Many LDAP servers do not provide this capability by default, and many IT administrators do not allow anonymous binds to an LDAP server.
If you use an LDAP server that does not enable anonymous binds, IBM Streams 4.1 uses the credentials that are specified in the security.ldapAdministratorUser and security.ldapAdministratorPassword domain properties when it runs LDAP queries during the authentication process (group membership lookup and LDAP user mapping). You can specify these property values when you create the domain, or after the domain is created by using the Domain Manager or the streamtool setldapadminconfig command. For more information about these properties, enter streamtool man domainproperties. For more information about the command, enter streamtool man setldapadminconfig.
Secure LDAP communication
A means of securing (encrypting) IBM Streams LDAP communication is to use LDAP over SSL (LDAPS). This is a sample command string to make a domain that uses secure LDAP communication (the ldaps protocol):
streamtool mkdomain -d sampledomain --zkconnect myzookeeper:2181 --ldap --server-url "ldaps://ldap1.ibm.com:636" --user-dn "cn=*,ou=people,dc=ibm,dc=com"
To allow this, the LDAP server needs a server certificate, either issued by a Certificate Authority (CA) or self-signed, and the hosts that run IBM Streams must trust the certificate's issuer. To enable the support on your LDAP server, refer to your LDAP server documentation; for example, the OpenLDAP reference information.