qpid-users mailing list archives

From <David...@ubs.com>
Subject RE: How to encrypt user password in connection url
Date Tue, 11 Dec 2012 18:13:03 GMT
Hi, Robbie, 

Thanks for the info. 

About the authenticator, I have noticed that there is the following
configuration in our qpid config.xml.

    <security>
        <principal-databases>
            <principal-database>
                <name>carbon-user-store</name>
                <class>org.wso2.carbon.qpid.authentication.qpid.CarbonBasedPrincipalDatabase</class>
            </principal-database>
        </principal-databases>

        <msg-auth>false</msg-auth>

        <jmx>
            <access>${conf}/qpid-jmxremote.access</access>
            <principal-database>carbon-user-store</principal-database>
        </jmx>
    </security>

Well, the truth is that we use wso2, which is based on Synapse. Based on
the configuration, it seems that the qpid authentication is based on the
wso2 user database?

Thanks, 
David 

-----Original Message-----
From: Robbie Gemmell [mailto:robbie.gemmell@gmail.com] 
Sent: Tuesday, December 11, 2012 7:07 AM
To: users@qpid.apache.org
Subject: Re: How to encrypt user password in connection url

Hi David,

I believe what Phil and Rajith were commenting on was the use of the SSL
certificates as opposed to the password in the connection URL, that is
to use Client Certificate Authentication such that the broker only
allows the connection if it trusts the client's certificate. This could
be instead of any password verification from the client being required,
or in addition to it, depending on the particular authentication
provider that was configured.

I would note that in order to do that with the Java broker you would
need to use the 0.20 release, which is currently at RC2 (available at
http://people.apache.org/~jross/qpid-0.20-rc2/) and expected to proceed
to initial release vote based on RC3 next week.

You can find a pre-release (but not currently expected to change) copy
of the 0.20 documentation for the Java broker on the subjects of SSL
[client auth] and AuthenticationProviders at:
http://qpid.apache.org/books/0.20/AMQP-Messaging-Broker-Java-Book/html/Java-Broker-Security-SSL.html
http://qpid.apache.org/books/0.20/AMQP-Messaging-Broker-Java-Book/html/Java-Broker-Security-Authentication-Providers.html

I'm not familiar with Synapse so I don't know if this is an option with
it as it stands, but it's worth noting that you don't strictly have to
supply usernames and passwords in the actual URL. It is possible to
specify credentials at runtime when using a JMS ConnectionFactory (as
per
http://docs.oracle.com/javaee/6/api/javax/jms/ConnectionFactory.html#createConnection(java.lang.String,%20java.lang.String)),
such that those are used instead of any that were/were not specified in
the base JNDI config. In that case, the URL you put in the file could
just have placeholders or empty strings for the user and password, with
the real credentials to be supplied at runtime, sourced via whatever
mechanism you like. Again however, I'm not sure of the options available
for specifying the credentials when using Synapse.

As mentioned on the other thread, a completely different suggestion
might be to investigate encryption at the file/filesystem level.

Robbie
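
Robbie's runtime-credentials suggestion above, as an added example that is not part of this thread or of the Qpid project: the JNDI property file keeps only placeholder credentials, and the real user and password are handed to createConnection(String, String) when the client starts. It assumes the Qpid Java client's org.apache.qpid.jndi.PropertiesFileInitialContextFactory, a broker at localhost:5672, and environment variables QPID_USER and QPID_PASSWORD as the credential source (the variable names and broker address are assumptions).

```java
import java.util.Properties;
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.JMSException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class RuntimeCredentialsExample {

    // Same shape as the connectionfactory property quoted in the thread, but the
    // URL carries only placeholder credentials. Broker host/port are assumed.
    private static Properties jndiProperties() {
        Properties p = new Properties();
        p.put(Context.INITIAL_CONTEXT_FACTORY,
              "org.apache.qpid.jndi.PropertiesFileInitialContextFactory");
        p.put("connectionfactory.QueueConnectionFactory",
              "amqp://placeholder:placeholder@clientID/test"
              + "?brokerlist='tcp://localhost:5672'");
        return p;
    }

    // Credentials are read from the environment here (assumed variable names);
    // a keystore or secrets manager would take this role in a real deployment.
    private static String require(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("missing environment variable " + name);
        }
        return value;
    }

    public static Connection connect() throws NamingException, JMSException {
        Context ctx = new InitialContext(jndiProperties());
        ConnectionFactory factory =
                (ConnectionFactory) ctx.lookup("QueueConnectionFactory");
        // The two-argument createConnection supplies the real credentials, so the
        // placeholders in the stored URL are never used for authentication.
        Connection conn = factory.createConnection(require("QPID_USER"),
                                                   require("QPID_PASSWORD"));
        conn.start();
        return conn;
    }

    public static void main(String[] args) throws Exception {
        Connection conn = connect();
        System.out.println("connected with client id " + conn.getClientID());
        conn.close();
    }
}
```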


On 10 December 2012 22:09, <David.Hu@ubs.com> wrote:

> Hi, Rajith,
>
> I know qpid supports ssl but in terms of the password in connection
> url below, how? This is tied up with Synapse, which reads the url,
> parses out the user name and password and tries to sign up with Synapse
> server. Maybe you are talking about checking if Synapse supports SSL
> authentication & Kerberos?
>
> connectionfactory.QueueConnectionFactory = amqp://user:password@clientID/test?brokerlist=..&ssl="true"&.
>
> David
>
> -----Original Message-----
> From: Rajith Attapattu [mailto:rajith77@gmail.com]
> Sent: Monday, December 10, 2012 4:25 PM
> To: users@qpid.apache.org
> Subject: Re: How to encrypt user password in connection url
>
> David,
>
> If you have security concerns, I think rather than trying to write a 
> custom JMS listener, it would probably be worthwhile looking at using 
> a more secure mechanism like SSL certificates or Kerberos.
>
> Rajith
>
> On Mon, Dec 10, 2012 at 3:25 PM,  <David.Hu@ubs.com> wrote:
> > Hi, Phil,
> >
> > Got it. It seems that we need to write our own JMS listener,
> > extending from the default one, org.apache.axis2.transport.jms.JMSListener.
> >
> > Thanks for the help.
> > David
> >
> > -----Original Message-----
> > From: philharveyonline@googlemail.com 
> > [mailto:philharveyonline@googlemail.com] On Behalf Of Phil Harvey
> > Sent: Sunday, December 09, 2012 12:57 AM
> > To: users@qpid.apache.org
> > Subject: RE: How to encrypt user password in connection url
> >
> > Hi David,
> >
> > I was actually thinking containers such as WebSphere which allow 
> > JNDI objects to be securely stored by an administrator. Sounds like 
> > that might not be useful in your case though.
> >
> > I don't know the best way of securely storing the connection URL in 
> > Synapse. Writing a custom JMSListener may be an option. You could 
> > try asking for advice on the Synapse mailing list.
> >
> > Finally, note that Qpid does support client SSL authentication. This
> > may provide the level of security that you need. If you think this
> > might be useful we can help you set it up.
> >
> > Incidentally, which version of the Qpid client and broker are you using?
> >
> > Phil
> > On Dec 8, 2012 4:47 PM, <David.Hu@ubs.com> wrote:
> >
> >> Hi, Phil,
> >>
> >> Thanks for the info.
> >>
> >> We are trying to embed qpid in Synapse where qpid connection 
> >> information is stored in a property file in the format like -
> >>
> >> connectionfactory.QueueConnectionFactory = amqp://user:password@clientID/test?brokerlist=...
> >>
> >> So what you mean is that we need to create a customized listener to
> >> read the property file and decrypt the password, where the password
> >> can be encrypted?
> >>
> >> It seems that out of the box in Synapse, it uses
> >> org.apache.axis2.transport.jms.JMSListener and there is no such
> >> option.
> >>
> >> Thanks,
> >> David
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: philharveyonline@googlemail.com 
> >> [mailto:philharveyonline@googlemail.com] On Behalf Of Phil Harvey
> >> Sent: Saturday, December 08, 2012 2:11 AM
> >> To: users@qpid.apache.org
> >> Subject: Re: How to encrypt user password in connection url
> >>
> >> Hi David,
> >>
> >> I assume you're talking about encrypting the stored URL string, and
> >> not about encrypting the details sent over the wire to the broker. I
> >> think the only way to do this is to store it in a secure JNDI context,
> >> e.g. one provided by a Java application server. This is in line with
> >> the approach commonly taken for making JDBC connections from JEE apps.
> >>
> >> Phil
> >>
> >>
> >> On 8 December 2012 00:27, <David.Hu@ubs.com> wrote:
> >>
> >> > Hi, Guys,
> >> >
> >> > Is there a way to encrypt password in the connection URL below?
> >> >
> >> > amqp://[<user>:<pass>@][<clientid>]<virtualhost>[..]
> >> >
> >> > David
> >> >
> >> > Visit our website at http://www.ubs.com
> >> >
> >> > This message contains confidential information and is intended only
> >> > for the individual named. If you are not the named addressee you
> >> > should not disseminate, distribute or copy this e-mail. Please notify
> >> > the sender immediately by e-mail if you have received this e-mail by
> >> > mistake and delete this e-mail from your system.
> >> >
> >> > E-mails are not encrypted and cannot be guaranteed to be secure or
> >> > error-free as information could be intercepted, corrupted, lost,
> >> > destroyed, arrive late or incomplete, or contain viruses. The sender
> >> > therefore does not accept liability for any errors or omissions in the
> >> > contents of this message which arise as a result of e-mail transmission.
> >> > If verification is required please request a hard-copy version.
> >> > This message is provided for informational purposes and should not
> >> > be construed as a solicitation or offer to buy or sell any securities
> >> > or related financial instruments.
> >> >
> >> > UBS reserves the right to retain all messages. Messages are protected
> >> > and accessed only in legally justified cases.
> >> >
> >> > ---------------------------------------------------------------------
> >> > To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> >> > For additional commands, e-mail: users-help@qpid.apache.org
> >> >

