qpid-users mailing list archives

From Jakub Scholz <ja...@scholz.cz>
Subject Re: Use of qpid-config with SSL
Date Fri, 05 Aug 2016 07:32:11 GMT
Hi Jeff,

The password it is asking for is to decrypt the private key. However,
looking at your qpidd configuration, I'm not sure you really need the
private key to be specified. It looks like the broker is configured to use
SSL only with Server authentication. Therefore the client should need only
the public key. Have you tried to use the qpid-config without the --ssl-key
parameter?

Should you really need the private key, I don't think you can pass the
password as a parameter in qpid-config, but you can use a PEM file without
encryption. In such a case it would not ask for a password, but of course the
private key will not be protected by the password and encryption.

Regards
Jakub

On Fri, Aug 5, 2016 at 1:52 AM, Jeff Donner <jdonner@morphodetection.com>
wrote:

> Hi -
>
>   I get qpid-config connecting to the qpidd broker (on Linux), but it asks
> for a password each time. Since there are a lot of queues and exchanges, is
> there a way not to enter it manually? I don't see any way to use a response
> file.
>
> Also, I think I'm making clients connect via SSL, but not be
> authenticated themselves (as a first step), so why is qpidd or qpid-config
> asking for a password?
>
> $ cat /space/play/ssl.qpidd.conf
> ssl-cert-db=/space/play/ssl_certs
> ssl-cert-name=test_server
> ssl-cert-password-file=/space/play/ssl_certs/tserverpw
> ssl-use-export-policy=yes
> ssl-require-client-authentication=no
> auth=no
>
> $ qpidd --conf /space/play/ssl.qpidd.conf
>
> $
>
> $ qpid-config --ssl-certificate=/space/play/ssl_certs/tserver-certificate.pem
> --ssl-key=/space/play/ssl_certs/tserver-private-key.pem -a
> amqps://localhost:5671 add queue queue1.q
> Enter PEM pass phrase: ('tserverpw' works)
>
> The cert and key are from the Proton cpp examples and seem fine, and I
> believe I've turned /space/play/ssl_certs into a proper db with certutil.
>
> Thanks,
> Jeff
>
>
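
Added example, not part of the original thread and not Qpid project code: the reply notes that an unencrypted PEM key avoids the pass phrase prompt but leaves the key protected only by the filesystem. The sketch below reports whether a PEM private key is pass-phrase-protected and whether an unprotected one is readable beyond its owner. The function names and sample files are hypothetical, and the sample key bodies are constructed dummy text.

```python
import os
import re
import stat
import tempfile

# PEM labels for private keys. Traditional OpenSSL keys signal encryption with
# a "Proc-Type: 4,ENCRYPTED" header; encrypted PKCS#8 uses its own BEGIN label.
_BEGIN = re.compile(r"-----BEGIN ((?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY)-----")

def audit_key_file(path):
    """Return (encrypted, findings) for a PEM private key file."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        text = fh.read()
    m = _BEGIN.search(text)
    if not m:
        return None, ["no PEM private key block found"]
    encrypted = (m.group(1) == "ENCRYPTED PRIVATE KEY"
                 or "Proc-Type: 4,ENCRYPTED" in text)
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if not encrypted:
        findings.append("key is not passphrase-protected")
        if mode & 0o077:  # any group/other permission bit set
            findings.append("unencrypted key readable beyond owner (mode %04o)" % mode)
    return encrypted, findings

def _write(dirname, name, body, mode):
    path = os.path.join(dirname, name)
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, mode)
    return path

def demo():
    # Constructed samples: real PEM labels, dummy bodies (not usable keys).
    enc = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-256-CBC,00\n\nZHVtbXk=\n-----END RSA PRIVATE KEY-----\n")
    plain = "-----BEGIN PRIVATE KEY-----\nZHVtbXk=\n-----END PRIVATE KEY-----\n"
    with tempfile.TemporaryDirectory() as d:
        return {
            "encrypted": audit_key_file(_write(d, "enc.pem", enc, 0o644)),
            "plain_open": audit_key_file(_write(d, "open.pem", plain, 0o644)),
            "plain_locked": audit_key_file(_write(d, "locked.pem", plain, 0o600)),
        }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```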
