Skip to content
Open in Gitpod


After enabling TLS, clients can verify connecting servers and keep messages encrypted, but servers can not verify clients, so authentication is designed to provide a mechanism that servers can authenticate trusted clients.

Authentication provides another feature that gives a client a role name, then hstream will be based on the role to implement authorization.

hstream only support TLS authentication, which is an extension of default TLS, to enable TLS authentication, you need to create the corresponding key and certificate for a role, then give them to trusted clients, clients use the key and certificate(binding to a role) to connect to servers.

Create a trusted role

Generate a key:

openssl genrsa -out role01.key.pem 2048

Convert it to PKCS 8 format(Java client require that):

openssl pkcs8 -topk8 -inform PEM -outform PEM \
      -in role01.key.pem -out role01.key-pk8.pem -nocrypt

Generate the certificate request(Common Name is the role name):

openssl req -config openssl.cnf \
      -key role01.key.pem -new -sha256 -out role01.csr.pem

Generate the signed certificate:

openssl ca -config openssl.cnf -extensions usr_cert \
      -days 1000 -notext -md sha256 \
      -in role01.csr.pem -out signed.role01.cert.pem


For hstream server, you can set tls-ca-path to enable TLS authentication, e.g.:

# TLS options
# enable tls, which requires tls-key-path and tls-cert-path options
enable-tls: true
# key file path for tls, can be generated by openssl
tls-key-path: /path/to/the/server.key.pem
# the signed certificate by CA for the key(tls-key-path)
tls-cert-path: /path/to/the/signed.server.cert.pem
# optional for tls, if tls-ca-path is not empty, then enable TLS authentication,
# in the handshake phase,
# the server will request and verify the client's certificate.
tls-ca-path: /path/to/the/ca.cert.pem

For Java client:

  // enable tls

  // for authentication