Initial Configuration

Generating a Tink keyset

To protect its secrets, Stream relies on Tink. A Tink keyset can be issued as:

  • A plaintext keyset (not protected);

  • A GCP keyset (protected by a master key in a GCP KMS);

  • An AWS keyset (protected by a master key in an AWS KMS).

Stream comes with the 'tinkey' client to manage the generation of a Tink keyset.

Here is how to generate a Tink keyset:

Generating a plaintext keyset:

$ /opt/stream/sbin/tinkey generate-keyset --out=/opt/stream/etc/stream.keyset

Generating a GCP protected keyset:

$ /opt/stream/sbin/tinkey generate-keyset --out=/opt/stream/etc/stream.keyset --master-key-uri=gcp-kms://<GCP master key path>

Generating an AWS protected keyset:

$ /opt/stream/sbin/tinkey generate-keyset --out=/opt/stream/etc/stream.keyset --master-key-uri=aws-kms://<AWS master key path>

Once the keyset is generated, the following commands need to be run:

$ chown stream:stream /opt/stream/etc/stream.keyset
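
A post-generation check for the keyset file, as an added example that is not part of Stream or its documentation: it reports whether the file holds plaintext or KMS-wrapped key material and whether its owner and mode restrict access. It assumes Stream's tinkey writes Tink's standard JSON keyset layout; the restrictive-mode check and the finding names are choices made for this example.

```python
import json
import os
import stat
import tempfile

# Constructed samples in Tink's JSON keyset layout (fake values, no real key material).
PLAINTEXT_SAMPLE = {"primaryKeyId": 1, "key": [{
    "keyId": 1, "status": "ENABLED", "outputPrefixType": "TINK",
    "keyData": {"typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
                "keyMaterialType": "SYMMETRIC", "value": "Q09OU1RSVUNURUQ="}}]}
WRAPPED_SAMPLE = {"encryptedKeyset": "Q09OU1RSVUNURUQ=", "keysetInfo": {"primaryKeyId": 1}}


def audit_keyset(path, expected_uid):
    """Return findings for a keyset file; an empty list means nothing to fix."""
    findings = []
    st = os.stat(path)
    if st.st_uid != expected_uid:
        findings.append("wrong-owner")
    if stat.S_IMODE(st.st_mode) & 0o077:  # any group/other permission bit is set
        findings.append("group-or-world-accessible")
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    except ValueError:  # also covers undecodable (binary) content
        return findings + ["not-json"]
    fields = doc.keys() if isinstance(doc, dict) else ()
    if "encryptedKeyset" in fields:
        pass  # key material is wrapped by the KMS master key
    elif "key" in fields:
        findings.append("plaintext-key-material")  # file access control is the only barrier
    else:
        findings.append("unknown-layout")
    return findings


def demo():
    """Audit both constructed samples, written to a private temporary directory."""
    results = {}
    samples = (("plain", PLAINTEXT_SAMPLE, 0o644), ("wrapped", WRAPPED_SAMPLE, 0o600))
    with tempfile.TemporaryDirectory() as tmp:
        for name, doc, mode in samples:
            path = os.path.join(tmp, name + ".keyset")
            with open(path, "w", encoding="utf-8") as fh:
                json.dump(doc, fh)
            os.chmod(path, mode)
            results[name] = audit_keyset(path, os.getuid())
    return results


if __name__ == "__main__":
    print(demo())
```

On a Stream server, pass `/opt/stream/etc/stream.keyset` and the uid of the `stream` account, for example `pwd.getpwnam("stream").pw_uid`.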

Generating a Play secret

Access the server through SSH with an account with administrative privileges;

Start the Stream configuration utility by running:

$ /opt/stream/sbin/stream-config

In the main menu, select 'Akka_Play':

Stream Config Menu

In the Akka_Play menu, select 'SECRET':

Stream Secret Menu

Validate the new Stream Application Secret:

Generate Secret

The Stream configuration is updated:

Secret Updated

For the changes to take effect, you must restart the Stream service by running:

$ systemctl restart stream

JVM Configuration

Stream allows you to configure the Xms (minimum memory allocation pool) and Xmx (maximum memory allocation pool) parameters of the JVM running Stream using the configuration tool.

Access the server through SSH with an account with administrative privileges;

Start the Stream configuration utility by running:

$ /opt/stream/sbin/stream-config

In the configuration menu, select Stream:

Stream Config Menu

In the Stream configuration menu, select JVM:

Stream Configuration Menu

Specify 2048 for the xms parameter and 3072 for the xmx parameter, then select 'OK':

Stream Configuration Menu

The new JVM parameters are configured.

For the changes to take effect, you must restart the Stream service by running:

$ systemctl restart stream

MongoDB URI Configuration

Access the server through SSH with an account with administrative privileges;

Start the Stream configuration utility by running:

$ /opt/stream/sbin/stream-config

In the main menu, select Stream:

Stream Config Menu

In the Stream configuration menu, select MONGODB_URI:

Stream MongoDB configuration 1

Specify the MongoDB URI to target your MongoDB instance:

Stream MongoDB configuration 2

Stream is installed to target a local MongoDB instance by default.

If you use an external MongoDB instance (such as a MongoDB Atlas database or a dedicated on-premises database):

  • Create a user with "read/write" permissions on your MongoDB instance;

  • Create a replicaSet if using a MongoDB cluster;

  • Specify a MongoDB URI that matches your context.

External MongoDB database URI syntax:

mongodb+srv://<user>:<password>@<hostname>:<port>/stream

External MongoDB cluster of databases URI syntax:

mongodb+srv://<user>:<password>@<hostname1>:<port1>,<hostname2>:<port2>/stream?replicaSet=<replicaset>&authSource=admin

The MongoDB URI is configured.

For the changes to take effect, you must restart the Stream service by running:

$ systemctl restart stream

Stream Hostname Configuration

Access the server through SSH with an account with administrative privileges;

Start the Stream configuration utility by running:

$ /opt/stream/sbin/stream-config

In the main menu, select Stream:

Stream Config Menu Hostname

In the Stream configuration menu, select STREAM_HOSTNAME:

Stream Hostname Configuration 1

Specify the DNS FQDN by which Stream will be accessed:

Stream Hostname Configuration 2

The Stream Hostname is configured:

Stream Configuration Menu

For the changes to take effect, you must restart the Stream service by running:

$ systemctl restart stream

Generating an event seal secret

Stream generates functional events while the software is in use.

These events are typically signed and chained to ensure their integrity. Therefore, you must specify a sealing secret for this feature to work properly.

Access the server through SSH with an account with administrative privileges;

Start the Stream configuration utility by running:

$ /opt/stream/sbin/stream-config

In the main menu, select 'Stream':

Stream Config Menu

In the Stream menu, select 'STREAM_SEAL_SECRET':

Stream Secret Menu

Validate the new event seal secret:

Generate Secret

The event seal secret is now configured:

Stream configuration menu

For the changes to take effect, you must restart the Stream service by running:

$ systemctl restart stream
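
How a sealing secret lets signed and chained events expose tampering, as an added illustration that is not Stream's code: Stream's actual seal format is not described on this page, so this sketch assumes HMAC-SHA256 over the previous seal plus the event, and all names and sample events are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # fixed value standing in for "the seal before the first event"


def seal(secret, prev_seal, event):
    """HMAC-SHA256 over the previous seal and the canonical JSON of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, prev_seal.encode() + b"|" + body, hashlib.sha256).hexdigest()


def append_event(secret, log, event):
    """Seal the event against the last record and append it to the log."""
    prev = log[-1]["seal"] if log else GENESIS
    log.append({"event": event, "seal": seal(secret, prev, event)})


def first_broken_index(secret, log):
    """Return the index of the first record whose seal fails to verify, or None."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if not hmac.compare_digest(rec["seal"], seal(secret, prev, rec["event"])):
            return i
        prev = rec["seal"]
    return None


def demo():
    secret = b"constructed-seal-secret"  # placeholder, not a real STREAM_SEAL_SECRET
    log = []
    for ev in ({"id": 1, "action": "login", "user": "alice"},
               {"id": 2, "action": "config-updated", "setting": "hostname"},
               {"id": 3, "action": "logout", "user": "alice"}):
        append_event(secret, log, ev)
    edited = [dict(r, event=dict(r["event"])) for r in log]
    edited[1]["event"]["setting"] = "license"   # content of record 1 changed after sealing
    dropped = log[:1] + log[2:]                 # record 1 removed from the middle
    return (first_broken_index(secret, log),
            first_broken_index(secret, edited),
            first_broken_index(secret, dropped),
            first_broken_index(b"different-secret", log))


if __name__ == "__main__":
    print(demo())  # intact log, edited record, dropped record, wrong secret
```

In a chain like this, removing records from the end is not detected by the chain alone, and seals made under one secret do not verify under another.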

Installing the Stream license

You should have been provided with a stream.lic file. This file is a license file and indicates an end of support date.

Upload the stream.lic file through SCP to /tmp/stream.lic;

Access the server through SSH with an account with administrative privileges;

Start the Stream configuration utility by running:

$ /opt/stream/sbin/stream-config

In the main menu, select Stream:

Stream Config Menu License

In the Stream configuration menu, select STREAM_LICENSE:

Stream License Configuration 1

Specify the path /tmp/stream.lic and validate:

Stream License Configuration 2

The Stream License is configured:

Stream License Configuration 3

For the changes to take effect, you must restart the Stream service by running:

$ systemctl restart stream