qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adel Boutros <adelbout...@live.com>
Subject RE: [Qpid-Dispatch] SSL/SASL configuration on a listener
Date Thu, 23 Jun 2016 13:16:22 GMT
It feels like a big puzzle to get SSL with client mutual authentication working. It would help
me a lot if someone can provide a fully working configuration and how to use it with a JMS
client for example.
I think it could also benefit others i the future

Ganesh had provided me on a different thread, steps to generate server certificate and use
it in the dispatcher. I think something similar here is the easiest solution.

Regards,
Adel

> From: jakub@scholz.cz
> Date: Thu, 23 Jun 2016 14:27:11 +0200
> Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> To: users@qpid.apache.org
> 
> I think you have to add the file with client public keys to the certDb
> option. The trustedCerts parameter is used only to control which public
> keys will be listed as supported CAs to the clients.
> 
> Jakub
> 
> On Thu, Jun 23, 2016 at 11:37 AM, Adel Boutros <adelboutros@live.com> wrote:
> 
> > Ok, So I added the client certificate but it doesn't seem to work. I am
> > getting an exception in the handshake phase:
> >
> > Dispatcher error: ERROR (error) Run Time: Cannot set peer authentication
> >
> > Dispatcher config
> > ssl-profile {
> >     name: ssl-profile-name
> >     certFile: cert_ssl_encryption.pem
> >     keyFile:key_ssl_encryption.pem
> > }
> >
> > listener {
> >     host: 0.0.0.0
> >     port: 10398
> >     saslMechanisms: EXTERNAL
> >     sslProfile: ssl-profile-name
> >     authenticatePeer: yes
> >     requireSsl: yes
> >     trustedCerts: cert_sasl.pem
> > }
> >
> > JMS Client
> > System.setProperty("javax.net.ssl.trustStore",
> > resourcePath("trustStore.jks"));
> > System.setProperty("javax.net.ssl.keyStore",
> > resourcePath("clientKeyStore.jks"));
> > System.setProperty("javax.net.ssl.keyStorePassword", "password");
> > JmsConnectionFactory jmsConnectionFactory = new
> > JmsConnectionFactory("amqps://hostname:10398?transport.keyAlias=client");
> > Connection connection = jmsConnectionFactory.createConnection();
> >
> > PS: trustStore.jks contains the cert_ssl_encryption.pem and
> > clientKeyStore.jks contains the sasl certificate (cert_sasl.pem) which is
> > aliased by "client"
> >
> > Should I merge cert_sasl.pem and cert_ssl_encryption.pem in the
> > ssl-profile?
> >
> > Regards,
> > Adel
> >
> > > Date: Wed, 22 Jun 2016 11:23:16 -0400
> > > From: gmurthy@redhat.com
> > > To: users@qpid.apache.org
> > > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > >
> > > "Of course I want to use a certificate for SSL encryption (provided in
> > the ssl-profile) and a different one for SASL authentication but on the
> > same listener."
> > >
> > > Are you saying that you have two pairs of server/client certs and you
> > want to use one pair for initial SSL encryption (to encrypt the entire
> > exchange) and another pair for SASL EXTERNAL ? If this is the case, you can
> > have only one server side cert per listener which you can specify in
> > certFile.
> > >
> > > ----- Original Message -----
> > > > From: "Ted Ross" <tross@redhat.com>
> > > > To: users@qpid.apache.org
> > > > Sent: Wednesday, June 22, 2016 10:55:47 AM
> > > > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > > >
> > > >
> > > >
> > > > On 06/22/2016 10:47 AM, Adel Boutros wrote:
> > > > > Hello,
> > > > >
> > > > > I want to use SASL authentication mechanism using a client
> > certificate. I
> > > > > looked at the examples and tests but I didn't quite get everything.
> > > > > I know I have to setup a listener with "sasl-mechanisms: EXTERNAL"
> > and
> > > > > "require-peer-auth: yes" but then how do I tell the dispatcher which
> > > > > certificates are accepted and which aren't?
> > > > > Of course I want to use a certificate for SSL encryption (provided
> > in the
> > > > > ssl-profile) and a different one for SASL authentication but on the
> > same
> > > > > listener.
> > > > > ssl-profile {
> > > > >     name: ssl-profile-name
> > > > >     certFile: cert_ssl_encryption.pem
> > > > >     keyFile: key_ssl_encryption.pem
> > > > > }
> > > > >
> > > > > listener {
> > > > >     host: 0.0.0.0
> > > > >     port: 10399
> > > > >     sasl-mechanisms: EXTERNAL
> > > > >     ssl-profile: ssl-profile-name
> > > > >     authenticatePeer: yes
> > > > >     requireSsl: yes
> > > > > }
> > > > > In the above configuration, where should I add the "cert_sasl.pem"?
> > > > >
> > > > > Regards,
> > > > > Adel
> > > > >
> > > > >
> > > >
> > > >  From the qdrouterd.conf man page:
> > > >
> > > > Under "listener":
> > > >
> > > > trustedCerts (path)
> > > >      This optional setting can be used to reduce the set of available
> > > >      CAs for client authentication. If used, this setting must provide
> > a
> > > >      path to a PEM file that contains the trusted certificates.
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> > > > For additional commands, e-mail: users-help@qpid.apache.org
> > > >
> > > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> > > For additional commands, e-mail: users-help@qpid.apache.org
> > >
> >
> >
 		 	   		  
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message