User Account Management - WormBase/db-prototypes GitHub Wiki
This stuff may change considerably depending on decisions made about how to run HTTP servers, etc. Therefore don't recommend doing too much work to automate it until you're happy with server architecture.
@(d/transact con [{:db/id #db/id[:db.part/user]
:user/name "fredbloggs"
:user/email "[email protected]" ; Used for logon.
:user/wbperson [:person/id "WBPerson12345"]}]) ; If absent, can't edit database
Normal Datomic transaction stuff should work!
Assumes 'certs' is our working directory of certificate files, and certs/server.jks is the keystore/truststore used by the server.
keytool -genkey -alias fredbloggs -keyalg RSA -keystore certs/fredbloggs.jks
# When prompted, enter details. In particular, the "What is your name?" question refers to
# the CN of the certificate, and is used to link the user back to the database, so remember this!
keytool -export -file certs/server.cert -keystore certs/server.jks -storepass <passwd> -alias wormnames
keytool -import -file certs/server.cert -keystore certs/fredbloggs.jks -storepass <client-passwd> -alias wormnames
keytool -export -file certs/fredbloggs.cert -keystore certs/fredbloggs.jks -storepass client -alias fredbloggs
keytool -import -file certs/fredbloggs.cert -keystore certs/server.jks -storepass <passwd> -alias fredbloggs
# Transact with Datomic to associate the key with an existing user account.
@(d/transact con [{:db/id #db/id[:db.part/user]
:user/name "fredbloggs"
:user/x500-cn "Fred Bloggs"}]) ; Or whatever is in the CN field of the certificate
At this point you've got keystore (.jks file) that Java clients can use, and is registered with the server. You may need to restart the server for it to be recognised.
For clients which can't use .jks files, you need a few more steps to convert the certificate into PEM format:
keytool -importkeystore -srckeystore certs/fredbloggs.jks -destkeystore certs/fredbloggs.p12 -srcstoretype jks -deststoretype pkcs12
openssl pkcs12 -in fredbloggs.p12 -out fredbloggs-key.pem -nocerts
openssl pkcs12 -in fredbloggs.p12 -out fredbloggs-cert.pem -clcerts -nokeys