The page that you are currently viewing is for an old version of Stroom (7.1). The latest version of Stroom is 7.6.
SSL Configuration
This page provides a step-by-step guide to getting PKI authentication working correctly for Unix hosts so as to be able to sign deliveries from cURL.
First make sure you have a copy of your organisation's CA certificate.
Check that the CA certificate works by running the following command:
echo "Test" | curl --cacert CA.crt --data-binary @- "https://<Stroom_HOST>/stroom/datafeed"
If the response starts with the line:
curl: (60) SSL certificate problem, verify that the CA cert is OK.
then you do not have the correct CA certificate.
If the response contains the line
HTTP Status 406 - Stroom Status 100 - Feed must be specified
then one-way SSL authentication using the CA certificate is successful.
The VBScript file to check Windows certificates is check-certs.vbs (TODO link).
# Final Testing
Once one-way authentication has been tested, two-way authentication should be configured:
The server certificate and private key should be concatenated to create a PEM file:
cat hostname.cert hostname.key > hostname.pem
Finally, test for two-way authentication:
echo "Test" | curl --cacert CA.crt --cert hostname.pem --data-binary @- "https://<Stroom_HOST>/stroom/datafeed"
If the response contains the line
HTTP Status 406 - Stroom Status 100 - Feed must be specified
then two-way SSL authentication is successful.
# Final Tidy Up
The files CA.crt and hostname.pem are the only files required for two-way authentication and should be stored permanently on the server; all other remaining files may be deleted or backed up if required.
# Certificate Expiry
PKI certificates expire after 2 years. To check the expiry date of a certificate, run the following command:
openssl x509 -in /path/to/certificate.pem -noout -enddate
This will give a response looking similar to:
notAfter=Aug 15 10:01:42 2013 GMT
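The expiry check above can be turned into a scheduled check so that a certificate such as hostname.pem is renewed before deliveries start failing. The following is an added example, not part of the Stroom documentation; it assumes GNU `date` (for `-d`) and `openssl` on the PATH, and the function names and the 30-day warning window are illustrative choices.

```shell
#!/bin/sh
# Added example: classify a certificate's expiry as OK / WARN / EXPIRED.
# Assumptions: GNU date (for -d), openssl on PATH, 30-day default warning window.

# Seconds until the notAfter timestamp printed by `openssl x509 -enddate`.
# $1 = "notAfter=..." line (prefix optional), $2 = "now" in epoch seconds (optional).
secs_left() (
    not_after=${1#notAfter=}
    now=${2:-$(date -u +%s)}
    expiry=$(date -u -d "$not_after" +%s) || exit 2
    echo $(( $expiry - $now ))
)

# Map seconds remaining onto a status. $1 = seconds, $2 = warning window in days.
# Working in seconds avoids reporting a certificate that expired an hour ago
# as having "0 days left" and therefore still valid.
expiry_status() (
    secs=$1
    warn_days=${2:-30}
    if [ "$secs" -le 0 ]; then
        echo EXPIRED
    elif [ "$secs" -le $(( $warn_days * 86400 )) ]; then
        echo WARN
    else
        echo OK
    fi
)

# Check a PEM file; exit status 0 = OK, 1 = WARN, 2 = EXPIRED or unreadable.
# For hostname.pem, openssl reads the first certificate in the file, which is
# the host certificate when the file is built with `cat hostname.cert hostname.key`.
check_cert() (
    pem=$1
    warn_days=${2:-30}
    end=$(openssl x509 -in "$pem" -noout -enddate) || { echo "cannot read $pem" >&2; exit 2; }
    secs=$(secs_left "$end") || exit 2
    status=$(expiry_status "$secs" "$warn_days")
    echo "$status: $pem ${end} ($(( $secs / 86400 )) whole days left)"
    case $status in OK) exit 0 ;; WARN) exit 1 ;; *) exit 2 ;; esac
)

# Usage: ./check-expiry.sh /path/to/hostname.pem [warn_days]
if [ $# -gt 0 ]; then
    check_cert "$@"
fi
```

Because the exit status distinguishes WARN from EXPIRED, the script can be called from cron or a monitoring agent for both hostname.pem and the CA certificate.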