activemq-users mailing list archives

From Dejan Bosanac <de...@nighttale.net>
Subject Re: Different SSL Certificates for transportConnector vs networkConnector
Date Wed, 05 Jan 2011 09:26:56 GMT
You cannot generally divide security between connectors, so
authentication is the same no matter which one is used. What you can
do is to define different authorization groups depending on which
certificate is used. See
http://fusesource.com/docs/broker/5.3/security/Auth-JAAS-CertAuthentPlugin.html
for more details.


Cheers
--
Dejan Bosanac
-----------------
FuseSource - The experts in open source integration and messaging.
Email: dejanb@fusesource.com
Web: http://fusesource.com
Twitter:  http://twitter.com/dejanb
ActiveMQ in Action - http://www.manning.com/snyder/
Blog - http://www.nighttale.net



On Wed, Jan 5, 2011 at 5:38 AM, adam <adam.sussman@gmail.com> wrote:
>
> I am trying to do a broker setup as follows:
>
> - All transportConnectors are ssl only and all have needClientAuth set to
> true
> - All networkConnectors are over ssl and the endpoint also requires
> ClientAuth
>
> I need to find a way to have the transportConnectors and the
> networkConnectors use DIFFERENT SSL certificates.
>
> Server and client certificates are done a bit differently and very
> importantly, an activemq client will fail to connect to a broker that uses a
> client certificate for its transportConnector.  So, the transportConnector
> needs to use the SERVER certificate and the networkConnector needs to use
> the CLIENT certificate.
>
> I have tried putting both certificates (and their keys) into the same
> keystore.  When I do that, activemq always uses the client certificate for
> both connectors and all client connections to the broker fail (but the
> networkConnector does work).  It just won't use the server certificate, no
> matter how I build the keystore (what order the certs are in, etc).
>
> I don't see any way to specify more than one keystore.  Nor do I see any way
> to tell the connectors which certificate (or specific keystore) to use.
>
> So I can get either ssl transportConnector to work or ssl networkConnector
> to work, but not both at the same time with required certificate auth.
>
> Any help would be very appreciated!
>
> -adam
> --
> View this message in context: http://activemq.2283324.n4.nabble.com/Different-SSL-Certificates-for-transportConnector-vs-networkConnector-tp3174842p3174842.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>
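As an added illustration of the approach Dejan's reply describes (this is example configuration written for this page, not code from the thread, from FuseSource or from the ActiveMQ distribution): a broker in which the jaasCertificateAuthenticationPlugin maps the DN of the client certificate presented on an ssl transportConnector to a JAAS user, groups.properties puts that user into a group, and the authorizationPlugin grants each group a different set of destinations. The broker name, DNs, group names, destination names, file paths and keystore passwords are placeholders chosen for the example. Note that, consistent with Dejan's point, there is still only one sslContext for the whole broker; the configuration does not give the networkConnector a separate certificate, it only varies what an already authenticated certificate is allowed to do.

```xml
<!-- conf/activemq.xml (example, not shipped with ActiveMQ). The JAAS side lives in three
     small text files next to it; their contents are reproduced here as comments:

     conf/login.config
         activemq-cert {
             org.apache.activemq.jaas.TextFileCertificateLoginModule required
                 debug=true
                 org.apache.activemq.jaas.textfiledn.user="users.properties"
                 org.apache.activemq.jaas.textfiledn.group="groups.properties";
         };

     conf/users.properties   (JAAS user name = subject DN of the client certificate)
         broker-b=CN=broker-b,OU=Brokers,O=Example,C=US
         orders-app=CN=orders-app,OU=Apps,O=Example,C=US

     conf/groups.properties  (group = comma separated user names)
         brokers=broker-b
         clients=orders-app
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">

  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="broker-a">

    <!-- One key/trust store pair for every connector on this broker.
         The trust store must contain the CA that issued the client certificates. -->
    <sslContext>
      <sslContext keyStore="file:${activemq.base}/conf/broker-a.ks"
                  keyStorePassword="changeit"
                  trustStore="file:${activemq.base}/conf/broker-a.ts"
                  trustStorePassword="changeit"/>
    </sslContext>

    <plugins>
      <!-- Authenticate by client certificate using the "activemq-cert" JAAS realm above;
           the resulting user name is whatever users.properties maps the DN to. -->
      <jaasCertificateAuthenticationPlugin configuration="activemq-cert"/>

      <!-- Authorization differs per group, i.e. per certificate. -->
      <authorizationPlugin>
        <map>
          <authorizationMap>
            <authorizationEntries>
              <!-- A peer broker's certificate may forward anything. -->
              <authorizationEntry queue=">" read="brokers" write="brokers" admin="brokers"/>
              <authorizationEntry topic=">" read="brokers" write="brokers" admin="brokers"/>
              <!-- An application certificate is confined to its own queues. -->
              <authorizationEntry queue="ORDERS.>" read="clients" write="clients" admin="clients"/>
              <!-- Both need the advisory topics to open connections. -->
              <authorizationEntry topic="ActiveMQ.Advisory.>"
                                  read="brokers,clients" write="brokers,clients" admin="brokers,clients"/>
            </authorizationEntries>
          </authorizationMap>
        </map>
      </authorizationPlugin>
    </plugins>

    <transportConnectors>
      <!-- Clients and peer brokers both arrive here; needClientAuth forces a certificate. -->
      <transportConnector name="ssl" uri="ssl://0.0.0.0:61617?needClientAuth=true"/>
    </transportConnectors>

    <networkConnectors>
      <!-- Outbound bridge presents broker-a's own certificate from the sslContext above. -->
      <networkConnector name="to-broker-b" uri="static:(ssl://broker-b.example:61617)"/>
    </networkConnectors>

  </broker>
</beans>
```

Start the broker with `-Djava.security.auth.login.config=conf/login.config` (or rely on ActiveMQ locating login.config on the classpath) so the "activemq-cert" realm resolves. A useful check is to connect twice with the two certificates and confirm that the orders-app one is refused when it subscribes to a queue outside ORDERS.> (the broker logs a security exception and the subscription fails), while the broker-b one succeeds; if both succeed, the DN in users.properties does not match the certificate's subject exactly, and the login module will have rejected nobody because it never matched anyone.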
