qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ganesh Murthy <gmur...@redhat.com>
Subject Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
Date Wed, 22 Jun 2016 15:23:16 GMT
"Of course I want to use a certificate for SSL encryption (provided in the ssl-profile) and
a different one for SASL authentication but on the same listener."

Are you saying that you have two pairs of server/client certs and you want to use one pair
for initial SSL encryption (to encrypt the entire exchange) and another pair for SASL EXTERNAL
? If this is the case, you can have only one server side cert per listener which you can specify
in certFile. 

----- Original Message -----
> From: "Ted Ross" <tross@redhat.com>
> To: users@qpid.apache.org
> Sent: Wednesday, June 22, 2016 10:55:47 AM
> Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> 
> 
> 
> On 06/22/2016 10:47 AM, Adel Boutros wrote:
> > Hello,
> >
> > I want to use SASL authentication mechanism using a client certificate. I
> > looked at the examples and tests but I didn't quite get everything.
> > I know I have to setup a listener with "sasl-mechanisms: EXTERNAL" and
> > "require-peer-auth: yes" but then how do I tell the dispatcher which
> > certificates are accepted and which aren't?
> > Of course I want to use a certificate for SSL encryption (provided in the
> > ssl-profile) and a different one for SASL authentication but on the same
> > listener.
> > ssl-profile {
> >     name: ssl-profile-name
> >     certFile: cert_ssl_encryption.pem
> >     keyFile: key_ssl_encryption.pem
> > }
> >
> > listener {
> >     host: 0.0.0.0
> >     port: 10399
> >     sasl-mechanisms: EXTERNAL
> >     ssl-profile: ssl-profile-name
> >     authenticatePeer: yes
> >     requireSsl: yes
> > }
> > In the above configuration, where should I add the "cert_sasl.pem"?
> >
> > Regards,
> > Adel
> >  		 	   		
> >
> 
>  From the qdrouterd.conf man page:
> 
> Under "listener":
> 
> trustedCerts (path)
>      This optional setting can be used to reduce the set of available
>      CAs for client authentication. If used, this setting must provide a
>      path to a PEM file that contains the trusted certificates.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> For additional commands, e-mail: users-help@qpid.apache.org
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org


Mime
View raw message