qpid-users mailing list archives

From Jeff Donner <jdon...@morphodetection.com>
Subject RE: Use of qpid-config with SSL
Date Fri, 05 Aug 2016 20:30:57 GMT
Hi Jakob, thank you for the answer. 

Actually, at this most basic, web-browser level of security, where just the communication is
encrypted but without client authentication, I didn't need the certificate either. Just pointing
at the server's SSL port, 5671, was enough:

  qpid-config -a amqps://localhost:5671 add queue queue1.q

  qpid-stat -b amqps://localhost:5671 -q
...
  queue                                     dur  autoDel  excl  msg   msgIn  msgOut  bytes  bytesIn  bytesOut  cons  bind
  =========================================================================================================================
  b3ef21b5-3b34-4e88-8f61-91375d854a1c:0.0       Y        Y        0     0      0       0      0        0         1     2
  queue1.q                                                         0     0      0       0      0        0         0     1

i.e., both work fine because there's no authentication.

For searchable posterity, when I just removed the --ssl-key I got:
  scripts$ qpid-config -a amqps://localhost:5671 --ssl-certificate=/space/play/ssl_certs/tserver-certificate.pem add queue queue1.q
  Failed: ConnectError: [SSL] PEM lib (_ssl.c:2600)

Thanks again;

Jeff
________________________________________
From: Jakub Scholz [jakub@scholz.cz]
Sent: Friday, August 05, 2016 12:32 AM
To: users@qpid.apache.org
Subject: Re: Use of qpid-config with SSL

Hi Jeff,

The password it is asking for is to decrypt the private key. However,
looking at your qpidd configuration, I'm not sure you really need the
private key to be specified. It looks like the broker is configured to use
SSL only with Server authentication. Therefore the client should need only
the public key. Have you tried to use the qpid-config without the --ssl-key
parameter?

Should you really need the private key, I don't think you can pass the
password as a parameter in qpid-config, but you can use a PEM file without
encryption. In such a case it would not ask for a password, but of course the
private key will not be protected by the password and encryption.

Regards
Jakub

On Fri, Aug 5, 2016 at 1:52 AM, Jeff Donner <jdonner@morphodetection.com>
wrote:

> Hi -
>
>   I get qpid-config connecting to the qpidd broker (on Linux), but it asks
> for a password each time. Since there are a lot of queues and exchanges is
> there a way not to enter it manually? I don't see any way to use a response
> file.
>
> Also, I think I'm making clients connect via SSL, but not be
> authenticated themselves (as a first step), so why is qpidd or qpid-config
> asking for a password?
>
> $ cat /space/play/ssl.qpidd.conf
> ssl-cert-db=/space/play/ssl_certs
> ssl-cert-name=test_server
> ssl-cert-password-file=/space/play/ssl_certs/tserverpw
> ssl-use-export-policy=yes
> ssl-require-client-authentication=no
> auth=no
>
> $ qpidd --conf /space/play/ssl.qpidd.conf
>
> $
>
> $ qpid-config --ssl-certificate=/space/play/ssl_certs/tserver-certificate.pem
> --ssl-key=/space/play/ssl_certs/tserver-private-key.pem -a
> amqps://localhost:5671 add queue queue1.q
> Enter PEM pass phrase: ('tserverpw' works)
>
> The cert and key are from the Proton cpp examples and seem fine, and I
> believe I've turned /space/play/ssl_certs into a proper db with certutil.
>
> Thanks,
> Jeff
>
>
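
As an added illustration (not part of the original thread and not Qpid code): a small Python preflight check that predicts the three outcomes reported above before qpid-config is run, namely a clean connect with no client certificate, the "Enter PEM pass phrase:" prompt for an encrypted key, and the "[SSL] PEM lib" failure when a certificate is supplied with no key. The function names and sample PEM data are constructed for this example; it assumes the client loads the files through Python's ssl module, which reads the key from the certificate file when no key file is given.

```python
import re

# One PEM block: BEGIN label, body, matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inspect_pem(text):
    """Return (has_cert, key_state); key_state is None, 'plain' or 'encrypted'."""
    has_cert, key_state = False, None
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            has_cert = True
        elif label == "ENCRYPTED PRIVATE KEY":      # PKCS#8, encrypted
            key_state = "encrypted"
        elif label.endswith("PRIVATE KEY"):
            # Legacy OpenSSL keys flag encryption in an RFC 1421 header.
            legacy = "Proc-Type: 4,ENCRYPTED" in body
            key_state = "encrypted" if legacy else "plain"
    return has_cert, key_state

def preflight(cert_pem=None, key_pem=None):
    """Predict how a Python ssl client treats --ssl-certificate / --ssl-key."""
    if cert_pem is None:
        return "ok: no client certificate offered (server-auth-only TLS)"
    has_cert, key_in_cert = inspect_pem(cert_pem)
    if not has_cert:
        return "error: no CERTIFICATE block in certificate file"
    # Without a key file, the key must sit in the certificate file itself.
    key_state = inspect_pem(key_pem)[1] if key_pem is not None else key_in_cert
    if key_state is None:
        return "error: no private key found (expect '[SSL] PEM lib')"
    if key_state == "encrypted":
        return "prompt: key is encrypted, expect 'Enter PEM pass phrase:'"
    return "ok: unencrypted key, no prompt (restrict file permissions)"

# Constructed sample files; the base64 bodies are placeholders, not real keys.
CERT = "-----BEGIN CERTIFICATE-----\nTUlJQ2NvbnN0cnVjdGVk\n-----END CERTIFICATE-----\n"
ENC_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nTUlJRmNvbnN0cnVjdGVk\n"
           "-----END ENCRYPTED PRIVATE KEY-----\n")
LEGACY_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
              "Y29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n")
PLAIN_KEY = "-----BEGIN PRIVATE KEY-----\nTUlJRXBsYWNlaG9sZGVy\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for args in [(), (CERT,), (CERT, ENC_KEY), (CERT, LEGACY_KEY), (CERT, PLAIN_KEY)]:
        print(preflight(*args))
```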
