Authentication and authorization can be enabled in StageR to restrict use of the REST APIs to HTTPS connections that present a valid client certificate.

To enable secure access, the application requires a valid server certificate and private key for the server that hosts StageR (registered to the name of the server) and the certificate authority (CA) certificate. Client applications require a valid client certificate issued by the certificate authority. Authorized client certificates need to be registered through the security API.

Configuration

Specify the certificate configuration and the client certificate name of the default administration user under the secure configuration property.

{
  ...,
  secure: {
    adminUser: 'TestUser',
    keyLocation: 'config/sslcerts/server/server.key',
    certLocation: 'config/sslcerts/server/server.crt',
    caLocation: 'config/sslcerts/ca/ca.crt',
    passphrase: '123456',
    requestCert: true,
    rejectUnauthorized: false
  },
  ...
}

The adminUser has all permission rights over the administration and security APIs, and can therefore add new administration users and assign user permissions (read/write) to different Storage Units through the Security API.


Generating Self-Signed Certificates

The utility script bin/generate-ssl-certs, available for Windows (.bat) and Linux (.sh), generates the self-signed CA, server, and client certificates needed to load StageR in secure mode and to authenticate to StageR from client applications.

The command receives a destination folder, the client certificate name, and the certificate password.

Run the command from within the bin folder:

generate-ssl-certs.bat --generate ..\config\sslcerts TestUser 123456

Connecting from a Java Application

Before generating the keystore, install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8.

  1. Download jce8_policy from here
  2. Extract and copy the files to $JAVA_HOME/jre/lib/security


To connect to StageR from a Java application, generate a keystore for the client certificate and a truststore for the CA certificate:

  • Keystore:
keytool -v -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -destkeystore client.jks -deststoretype JKS
  • Truststore:
keytool -import -file ca.crt -keystore truststore.jks


When loading the Java application, pass the following parameters:

-Djavax.net.ssl.keyStore=config/client.jks -Djavax.net.ssl.keyStorePassword=YOUR_PASSWORD -Djavax.net.ssl.trustStore=config/truststore.jks -Djavax.net.ssl.trustStorePassword=YOUR_PASSWORD