From Adel Boutros <adelbout...@live.com>
Subject RE: [Qpid-Dispatch] SSL/SASL configuration on a listener
Date Thu, 23 Jun 2016 13:56:02 GMT
Hi Paolo,

In that case I think the issue is that my certificates were self-signed so there was no CA.
I think this works on the Java Broker thanks to the KeyStore and TrustStore features.

I will re-organize my certificates to have a CA which will generate the client and server
certificates and test again.

Thanks for the helpful explanation!

Regards,
Adel

> From: ppatierno@live.com
> To: users@qpid.apache.org
> Subject: RE: [Qpid-Dispatch] SSL/SASL configuration on a listener
> Date: Thu, 23 Jun 2016 13:31:56 +0000
> 
> Hi Adel,
> 
> I'm a bit confused about what you are trying to achieve.
> 
> A listener (so acting as a server) can have only one certificate specified through the
> certFile parameter (and the related keyFile for the private key). This certificate is issued
> by the server (listener) to the client during the SSL/TLS handshake in order to provide the server
> authentication feature. Of course the server certificate is signed with a CA certificate.
> 
> In order to have client authentication, the client sends its own certificate to the server
> during the handshake. This certificate is signed by the same CA certificate used to sign the server
> certificate or another CA certificate specified through the trustCerts.
> 
> When the SSL handshake ends and mutual authentication is achieved, the SASL handshake
> starts, and using EXTERNAL you are saying that the client was authenticated in a way external
> to SASL itself, using the previous authentication at the SSL level.
> 
> It means that the SASL EXTERNAL authentication mechanism is strictly related to what
> happened in the previous SSL handshake, so it's related to the certificates used for that.
> 
> Paolo.
> 
> Paolo Patierno, Senior Software Engineer (IoT) @ Red Hat
> Microsoft MVP on Windows Embedded & IoT
> Microsoft Azure Advisor
> Twitter : @ppatierno
> Linkedin : paolopatierno
> Blog : DevExperience
> 
> > From: adelboutros@live.com
> > To: users@qpid.apache.org
> > Subject: RE: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > Date: Thu, 23 Jun 2016 15:16:22 +0200
> > 
> > It feels like a big puzzle to get SSL with client mutual authentication working.
> > It would help me a lot if someone could provide a fully working configuration and how to use
> > it with a JMS client, for example.
> > I think it could also benefit others in the future.
> > 
> > Ganesh had provided me, on a different thread, steps to generate a server certificate
> > and use it in the dispatcher. I think something similar here is the easiest solution.
> > 
> > Regards,
> > Adel
> > 
> > > From: jakub@scholz.cz
> > > Date: Thu, 23 Jun 2016 14:27:11 +0200
> > > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > > To: users@qpid.apache.org
> > > 
> > > I think you have to add the file with client public keys to the certDb
> > > option. The trustedCerts parameter is used only to control which public
> > > keys will be listed as supported CAs to the clients.
> > > 
> > > Jakub
> > > 
> > > On Thu, Jun 23, 2016 at 11:37 AM, Adel Boutros <adelboutros@live.com> wrote:
> > > 
> > > > Ok, So I added the client certificate but it doesn't seem to work. I am
> > > > getting an exception in the handshake phase:
> > > >
> > > > Dispatcher error: ERROR (error) Run Time: Cannot set peer authentication
> > > >
> > > > Dispatcher config
> > > > ssl-profile {
> > > >     name: ssl-profile-name
> > > >     certFile: cert_ssl_encryption.pem
> > > >     keyFile: key_ssl_encryption.pem
> > > > }
> > > >
> > > > listener {
> > > >     host: 0.0.0.0
> > > >     port: 10398
> > > >     saslMechanisms: EXTERNAL
> > > >     sslProfile: ssl-profile-name
> > > >     authenticatePeer: yes
> > > >     requireSsl: yes
> > > >     trustedCerts: cert_sasl.pem
> > > > }
> > > >
> > > > JMS Client
> > > > System.setProperty("javax.net.ssl.trustStore", resourcePath("trustStore.jks"));
> > > > System.setProperty("javax.net.ssl.keyStore", resourcePath("clientKeyStore.jks"));
> > > > System.setProperty("javax.net.ssl.keyStorePassword", "password");
> > > > JmsConnectionFactory jmsConnectionFactory =
> > > >     new JmsConnectionFactory("amqps://hostname:10398?transport.keyAlias=client");
> > > > Connection connection = jmsConnectionFactory.createConnection();
> > > >
> > > > PS: trustStore.jks contains the cert_ssl_encryption.pem and
> > > > clientKeyStore.jks contains the sasl certificate (cert_sasl.pem) which is
> > > > aliased by "client"
> > > >
> > > > Should I merge cert_sasl.pem and cert_ssl_encryption.pem in the
> > > > ssl-profile?
> > > >
> > > > Regards,
> > > > Adel
> > > >
> > > > > Date: Wed, 22 Jun 2016 11:23:16 -0400
> > > > > From: gmurthy@redhat.com
> > > > > To: users@qpid.apache.org
> > > > > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > > > >
> > > > > "Of course I want to use a certificate for SSL encryption (provided in
> > > > > the ssl-profile) and a different one for SASL authentication but on the
> > > > > same listener."
> > > > >
> > > > > Are you saying that you have two pairs of server/client certs and you
> > > > > want to use one pair for initial SSL encryption (to encrypt the entire
> > > > > exchange) and another pair for SASL EXTERNAL? If this is the case, you can
> > > > > have only one server side cert per listener, which you can specify in
> > > > > certFile.
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Ted Ross" <tross@redhat.com>
> > > > > > To: users@qpid.apache.org
> > > > > > Sent: Wednesday, June 22, 2016 10:55:47 AM
> > > > > > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > > > > >
> > > > > >
> > > > > >
> > > > > > On 06/22/2016 10:47 AM, Adel Boutros wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > I want to use the SASL authentication mechanism using a client certificate. I
> > > > > > > looked at the examples and tests but I didn't quite get everything.
> > > > > > > I know I have to set up a listener with "sasl-mechanisms: EXTERNAL" and
> > > > > > > "require-peer-auth: yes" but then how do I tell the dispatcher which
> > > > > > > certificates are accepted and which aren't?
> > > > > > > Of course I want to use a certificate for SSL encryption (provided in the
> > > > > > > ssl-profile) and a different one for SASL authentication but on the same
> > > > > > > listener.
> > > > > > > ssl-profile {
> > > > > > >     name: ssl-profile-name
> > > > > > >     certFile: cert_ssl_encryption.pem
> > > > > > >     keyFile: key_ssl_encryption.pem
> > > > > > > }
> > > > > > >
> > > > > > > listener {
> > > > > > >     host: 0.0.0.0
> > > > > > >     port: 10399
> > > > > > >     sasl-mechanisms: EXTERNAL
> > > > > > >     ssl-profile: ssl-profile-name
> > > > > > >     authenticatePeer: yes
> > > > > > >     requireSsl: yes
> > > > > > > }
> > > > > > > In the above configuration, where should I add the "cert_sasl.pem"?
> > > > > > >
> > > > > > > Regards,
> > > > > > > Adel
> > > > > > >
> > > > > > >
> > > > > >
> > > > > > From the qdrouterd.conf man page:
> > > > > >
> > > > > > Under "listener":
> > > > > >
> > > > > > trustedCerts (path)
> > > > > >      This optional setting can be used to reduce the set of available
> > > > > >      CAs for client authentication. If used, this setting must provide a
> > > > > >      path to a PEM file that contains the trusted certificates.
> > > > > >
> > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> > > > > > For additional commands, e-mail: users-help@qpid.apache.org
> > > > > >
> > > > > >
> > > >
> > > >
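As an added example (not code from this thread or from the Qpid Dispatch project): a small Python checker that parses a configuration written in the format posted above and reports the misconfiguration the thread converges on, a listener doing SASL EXTERNAL with authenticatePeer whose ssl-profile has no certDb, so the router has no CA to verify the client certificate against (trustedCerts only narrows the CAs advertised to the client). The CONFIG text is constructed from the posted config and the checker's rules are my reading of the thread, not project logic.

```python
import re
# Constructed config in the thread's format; note the ssl-profile carries no certDb.
CONFIG = """
ssl-profile {
    name: ssl-profile-name
    certFile: cert_ssl_encryption.pem
    keyFile: key_ssl_encryption.pem
}
listener {
    port: 10398
    saslMechanisms: EXTERNAL
    sslProfile: ssl-profile-name
    authenticatePeer: yes
    requireSsl: yes
    trustedCerts: cert_sasl.pem
}
"""
BLOCK_RE = re.compile(r"(\S+)\s*\{(.*?)\}", re.S)

def parse_config(text):
    """Return [(section, {key: value}), ...] for each `name { key: value ... }` block."""
    sections = []
    for name, body in BLOCK_RE.findall(text):
        attrs = {}
        for line in body.strip().splitlines():
            key, _, value = line.partition(":")
            if key.strip():
                attrs[key.strip()] = value.strip()
        sections.append((name, attrs))
    return sections

def find_listener_issues(text):
    """Explain why SASL EXTERNAL over TLS cannot work for each listener in `text`."""
    sections = parse_config(text)
    profiles = {a.get("name"): a for n, a in sections if n in ("ssl-profile", "sslProfile")}
    issues = []
    for name, attrs in sections:
        if name != "listener":
            continue
        where = "listener port %s" % attrs.get("port", "?")
        mechs = attrs.get("saslMechanisms", attrs.get("sasl-mechanisms", ""))
        if "EXTERNAL" in mechs.split() and attrs.get("authenticatePeer") != "yes":
            issues.append(where + ": EXTERNAL needs the client certificate, set authenticatePeer: yes")
        profile = profiles.get(attrs.get("sslProfile") or attrs.get("ssl-profile"), {})
        if attrs.get("authenticatePeer") == "yes" and "certDb" not in profile:
            # trustedCerts only narrows the CAs advertised to the client; the CA that
            # actually verifies the client certificate must be supplied as certDb.
            issues.append(where + ": authenticatePeer: yes but the ssl-profile has no certDb")
    return issues
```

Adding a `certDb:` line naming the CA certificate to the ssl-profile clears the report, which is the reorganisation into a CA-signed server and client certificate that Adel describes above.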