qpid-users mailing list archives

From Adel Boutros <adelbout...@live.com>
Subject RE: [Qpid-Dispatch] SSL/SASL configuration on a listener
Date Thu, 23 Jun 2016 09:37:18 GMT
Ok, so I added the client certificate, but it doesn't seem to work. I am getting an exception
in the handshake phase:

Dispatcher error: ERROR (error) Run Time: Cannot set peer authentication

Dispatcher config
ssl-profile {
    name: ssl-profile-name
    certFile: cert_ssl_encryption.pem
    keyFile: key_ssl_encryption.pem
}

listener {
    host: 0.0.0.0
    port: 10398
    saslMechanisms: EXTERNAL
    sslProfile: ssl-profile-name
    authenticatePeer: yes
    requireSsl: yes
    trustedCerts: cert_sasl.pem
}

JMS Client
import javax.jms.Connection;
import org.apache.qpid.jms.JmsConnectionFactory;

// resourcePath() resolves a classpath resource to a filesystem path (helper not shown)
System.setProperty("javax.net.ssl.trustStore", resourcePath("trustStore.jks"));
System.setProperty("javax.net.ssl.keyStore", resourcePath("clientKeyStore.jks"));
System.setProperty("javax.net.ssl.keyStorePassword", "password");
JmsConnectionFactory jmsConnectionFactory = new JmsConnectionFactory("amqps://hostname:10398?transport.keyAlias=client");
Connection connection = jmsConnectionFactory.createConnection();

PS: trustStore.jks contains the cert_ssl_encryption.pem and clientKeyStore.jks contains the
sasl certificate (cert_sasl.pem) which is aliased by "client"

Should I merge cert_sasl.pem and cert_ssl_encryption.pem in the ssl-profile?

Regards,
Adel

> Date: Wed, 22 Jun 2016 11:23:16 -0400
> From: gmurthy@redhat.com
> To: users@qpid.apache.org
> Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> 
> "Of course I want to use a certificate for SSL encryption (provided in the ssl-profile)
> and a different one for SASL authentication but on the same listener."
> 
> Are you saying that you have two pairs of server/client certs and you want to use one
> pair for initial SSL encryption (to encrypt the entire exchange) and another pair for SASL
> EXTERNAL? If this is the case, you can have only one server side cert per listener which
> you can specify in certFile.
> 
> ----- Original Message -----
> > From: "Ted Ross" <tross@redhat.com>
> > To: users@qpid.apache.org
> > Sent: Wednesday, June 22, 2016 10:55:47 AM
> > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > 
> > 
> > 
> > On 06/22/2016 10:47 AM, Adel Boutros wrote:
> > > Hello,
> > >
> > > I want to use SASL authentication mechanism using a client certificate. I
> > > looked at the examples and tests but I didn't quite get everything.
> > > I know I have to setup a listener with "sasl-mechanisms: EXTERNAL" and
> > > "require-peer-auth: yes" but then how do I tell the dispatcher which
> > > certificates are accepted and which aren't?
> > > Of course I want to use a certificate for SSL encryption (provided in the
> > > ssl-profile) and a different one for SASL authentication but on the same
> > > listener.
> > > ssl-profile {
> > >     name: ssl-profile-name
> > >     certFile: cert_ssl_encryption.pem
> > >     keyFile: key_ssl_encryption.pem
> > > }
> > >
> > > listener {
> > >     host: 0.0.0.0
> > >     port: 10399
> > >     sasl-mechanisms: EXTERNAL
> > >     ssl-profile: ssl-profile-name
> > >     authenticatePeer: yes
> > >     requireSsl: yes
> > > }
> > > In the above configuration, where should I add the "cert_sasl.pem"?
> > >
> > > Regards,
> > > Adel
> > >
> > 
> > From the qdrouterd.conf man page:
> > 
> > Under "listener":
> > 
> > trustedCerts (path)
> >      This optional setting can be used to reduce the set of available
> >      CAs for client authentication. If used, this setting must provide a
> >      path to a PEM file that contains the trusted certificates.
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> > For additional commands, e-mail: users-help@qpid.apache.org
> > 
> > 
> 
> 
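To see which step behind a handshake-time "Cannot set peer authentication" failure is the one that breaks for a listener like the one above, here is an added Python check (not part of this thread or of Qpid Dispatch) that parses the config blocks, loads certFile/keyFile and trustedCerts into a server-side TLS context the way a TLS server would, and reports the first file that fails to load, or a trustedCerts file that carries no CA-flagged certificate. It assumes the PEM files live under `base` and uses only the standard library.

```python
import ssl
from pathlib import Path

# Constructed sample: the listener and ssl-profile from the message above.
SAMPLE_CONF = """\
ssl-profile {
    name: ssl-profile-name
    certFile: cert_ssl_encryption.pem
    keyFile: key_ssl_encryption.pem
}
listener {
    host: 0.0.0.0
    port: 10398
    saslMechanisms: EXTERNAL
    sslProfile: ssl-profile-name
    authenticatePeer: yes
    requireSsl: yes
    trustedCerts: cert_sasl.pem
}
"""

def parse_conf(text):
    """Parse 'section { key: value }' blocks into a list of (section, dict) pairs."""
    sections, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("{"):
            current = (line[:-1].strip(), {})
        elif line == "}" and current is not None:
            sections.append(current)
            current = None
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[1][key.strip()] = value.strip()
    return sections

def check_listener(conf_text, base=Path(".")):
    """Return (failing_step, detail); step is 'ok' when every file loads as expected."""
    sections = parse_conf(conf_text)
    profiles = {s["name"]: s for name, s in sections if name == "ssl-profile"}
    listener = next(s for name, s in sections if name == "listener")
    profile = profiles[listener["sslProfile"]]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:  # server cert and key: one pair per listener, from the ssl-profile
        ctx.load_cert_chain(str(base / profile["certFile"]), str(base / profile["keyFile"]))
    except (OSError, ssl.SSLError) as exc:
        return ("certFile/keyFile", str(exc))
    if listener.get("authenticatePeer") == "yes":
        ctx.verify_mode = ssl.CERT_REQUIRED  # peer authentication == require a client cert
        try:  # trustedCerts is the CA bundle the client cert must chain to
            ctx.load_verify_locations(cafile=str(base / listener["trustedCerts"]))
        except (OSError, ssl.SSLError) as exc:
            return ("trustedCerts", str(exc))
        if not ctx.get_ca_certs():  # only CA-flagged certs count as trust anchors here
            return ("trustedCerts", "file loaded but contains no CA certificate")
    return ("ok", "")
```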