activemq-dev mailing list archives

From "Piotr Klimczak (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (AMQ-4693) Add kerberos [SASL] authentication for TCP connectors
Date Sun, 07 Dec 2014 00:23:14 GMT

    [ https://issues.apache.org/jira/browse/AMQ-4693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14237003#comment-14237003 ]

Piotr Klimczak edited comment on AMQ-4693 at 12/7/14 12:22 AM:
---------------------------------------------------------------

For those who would like to participate in testing: https://github.com/PiotrKlimczak/activemq/tree/trunk-kerberos
Commit https://github.com/PiotrKlimczak/activemq/commit/779d36069792f9f196c09c5289e52a7034b92be0

Implementation is based on RFC 2712

_*Work still in progress!*_

For now it is using keytabs only.
There is no way to authenticate users with username/password unless the user authenticates
himself before initializing AMQConnectionFactory and executes the connection code with Subject.doAs.
In that case it is up to the user how to authenticate the client. Otherwise it expects a Kerberos
login module configuration name with all required variables set (including pointing to the keytab).

Tested with unit test suite: Krb5TransportBrokerTest.
For now the unit test has to be pointed to the login modules configuration, which has to be reimplemented -
needs ApacheDS to start.

*Requirements to start testing*
*1. login modules configuration*
{code}
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    useTicketCache=false
    keyTab="file:/home/pklimczak/pklimczak.keytab"
    principal="pklimczak";
};

Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    useTicketCache=false
    keyTab="file:/home/pklimczak/host.keytab"
    principal="host/pklimczak.com";
};
{code}

*2. Login config*
{code}
-Djava.security.auth.login.config=myLoginModules.config
{code}

*3. /etc/krb5.conf has to point to your REALM.*
*4. Configure url*
For both, client and broker:
{code}
krb5://localhost:61616?krb5ConfigName=${YOUR_LOGIN_CONFIG_NAME}
{code}
_krb5ConfigName_ is only required if there is no security context (subject) established yet;
in that case ActiveMQ will try to establish one.


was (Author: nannou9):
For those who would like to participate in testing: https://github.com/PiotrKlimczak/activemq/tree/trunk-kerberos
Commit https://github.com/PiotrKlimczak/activemq/commit/779d36069792f9f196c09c5289e52a7034b92be0

Implementation is based on RFC 2712

_*Work still in progress!*_

For now it is using keytabs everywhere.
There is no way to authenticate users with username/password unless the user authenticates
himself before initializing AMQConnectionFactory and executes the connection code with Subject.doAs.
In that case it is up to the user how to authenticate the client. Otherwise it expects a Kerberos
login module configuration name with all required variables set (including pointing to the keytab).

Tested with unit test suite: Krb5TransportBrokerTest.
For now the unit test has to be pointed to the login modules configuration, which has to be reimplemented -
needs ApacheDS to start.

*Requirements to start testing*
*1. login modules configuration*
{code}
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    useTicketCache=false
    keyTab="file:/home/pklimczak/pklimczak.keytab"
    principal="pklimczak";
};

Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    useTicketCache=false
    keyTab="file:/home/pklimczak/host.keytab"
    principal="host/pklimczak.com";
};
{code}

*2. Login config*
{code}
-Djava.security.auth.login.config=myLoginModules.config
{code}

*3. /etc/krb5.conf has to point to your REALM.*
*4. Configure url*
For both, client and broker:
{code}
krb5://localhost:61616?krb5ConfigName=${YOUR_LOGIN_CONFIG_NAME}
{code}
_krb5ConfigName_ is only required if there is no security context (subject) established yet;
in that case ActiveMQ will try to establish one.

> Add kerberos [SASL] authentication for TCP connectors
> -----------------------------------------------------
>
>                 Key: AMQ-4693
>                 URL: https://issues.apache.org/jira/browse/AMQ-4693
>             Project: ActiveMQ
>          Issue Type: New Feature
>          Components: Broker
>    Affects Versions: 5.8.0
>         Environment: linux, solaris
>            Reporter: Bhanu
>            Priority: Minor
>             Fix For: Unscheduled
>
>
> Hi,
> Can Kerberos-based authentication be added to ActiveMQ's TCP connectors?
> Thanks,
> Bhanu



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
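
An added example, not part of the original comment or of the ActiveMQ code base: one way a client could establish the Kerberos security context itself and run the connection code under Subject.doAs, as the comment describes. It assumes the "Client" JAAS entry shown in the comment and the krb5:// transport from the linked branch (not part of stock ActiveMQ); the class name Krb5ClientExample is hypothetical.

```java
import java.security.PrivilegedExceptionAction;
import javax.jms.Connection;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.activemq.ActiveMQConnectionFactory;

// Hypothetical example class. Start the JVM with
//   -Djava.security.auth.login.config=myLoginModules.config
public class Krb5ClientExample {
    public static void main(String[] args) throws Exception {
        // "Client" is the JAAS entry name from the login modules configuration.
        LoginContext lc = new LoginContext("Client");
        try {
            // Obtains Kerberos credentials from the keytab named in the entry;
            // a wrong principal or unreadable keytab fails here, before any
            // network connection to the broker is attempted.
            lc.login();
        } catch (LoginException e) {
            System.err.println("Kerberos login failed: " + e.getMessage());
            throw e;
        }
        Subject subject = lc.getSubject();
        try {
            // The subject is already established, so krb5ConfigName is left
            // out of the URL (assumption based on the comment's description).
            Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
                ActiveMQConnectionFactory factory =
                        new ActiveMQConnectionFactory("krb5://localhost:61616");
                Connection connection = factory.createConnection();
                try {
                    connection.start();
                    System.out.println("Connected as " + subject.getPrincipals());
                } finally {
                    connection.close();
                }
                return null;
            });
        } finally {
            // Remove the credentials from the Subject once the work is done.
            lc.logout();
        }
    }
}
```

Subject.doAs is deprecated for removal in recent JDKs (Subject.callAs is its replacement), so this form matches the JDKs current at the time of the comment.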
