Enforce Certificate Authentication

It is possible to enable x509_enforcing parameter in order to authorize only certificate authentication.

This means local accounts will no longer be able to connect on Stream.
When logging in using an X509 certificate, there is no logout option, meaning that the only way to log out is to change the presented certificate in your browser, or to switch to private browsing.

Using Stream configuration utility

Access the server with an account with administrative privileges;

Start the Stream configuration utility by running:

# /opt/stream/sbin/stream-config

In the main menu, select 'Stream':

Main Config Menu

In the Stream menu, select 'STREAM_ENFORCE_X509':

Stream Config Menu

In the X509 Authentication Enforcing menu, select 'ENABLE':

X509 Enforcing Config Menu

For the changes to take effect, you must restart the Stream service by running:

# systemctl restart stream

X509 Authentication is now enforced.

Re-enable local authentication

This should be done in a confined and secure environment, during the execution of the Recover access steps of the installation guide.

If you lose all available authentication certificates to Stream and want to re-gain access to the administration console, please follow these steps:

Access the server with an account with administrative privileges;

Start the Stream configuration utility by running:

# /opt/stream/sbin/stream-config
Main Config Menu

In the Stream menu, select 'STREAM_ENFORCE_X509':

Stream Config Menu

In the X509 Authentication Enforcing menu, select 'DISABLE':

X509 Enforcing Config Menu

For the changes to take effect, you must restart the Stream service by running:

# systemctl restart stream

Now that the X509 enforcing is disabled, you can log in with Stream local accounts.