This is an automated email from the ASF dual-hosted git repository.
bhardesty pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git
The following commit(s) were added to refs/heads/master by this push:
new f1bf245 NO-JIRA: Update doc for setting password file for private
key. This closes #688.
f1bf245 is described below
commit f1bf245d8af6f8f5d298b74ac902b4f56e825aac
Author: Ben Hardesty <[email protected]>
AuthorDate: Wed Feb 19 10:55:06 2020 -0500
NO-JIRA: Update doc for setting password file for private key. This closes
#688.
---
docs/books/common/fragment-password-description.adoc | 4 ++--
...onnecting-using-mutual-ssl-tls-authentication.adoc | 19 +++++++++++++++----
.../user-guide/enabling-ssl-tls-encryption.adoc | 19 +++++++++++++++----
.../securing-connections-between-routers.adoc | 19 +++++++++++++++----
4 files changed, 47 insertions(+), 14 deletions(-)
diff --git a/docs/books/common/fragment-password-description.adoc
b/docs/books/common/fragment-password-description.adoc
index 8517621..c3d08a4 100644
--- a/docs/books/common/fragment-password-description.adoc
+++ b/docs/books/common/fragment-password-description.adoc
@@ -17,13 +17,13 @@ specific language governing permissions and limitations
under the License
////
-`password`:: The password to unlock the certificate key. You do not need to
specify this if the certificate key does not have a password. By using
different prefixes, you can specify the password several different ways
depending on your security requirements:
+`password`:: The password to unlock the private key. You do not need to
specify this if the private key does not have a password. By using different
prefixes, you can specify the password several different ways depending on your
security requirements:
+
* Specify the absolute path to a file that contains the password. This is the
most secure option, because you can set permissions on the file that contains
the password. For example:
+
[options="nowrap",subs="+quotes"]
----
-password: file:/etc/qpid-dispatch-certs/inter-router/password.txt
+password: file:/etc/pki/tls/private/password.txt
----
* Specify an environment variable that stores the password. Use this option
with caution, because the environment of other processes is visible on certain
platforms. For example:
diff --git
a/docs/books/modules/user-guide/connecting-using-mutual-ssl-tls-authentication.adoc
b/docs/books/modules/user-guide/connecting-using-mutual-ssl-tls-authentication.adoc
index 2b843a4..cc44b89 100644
---
a/docs/books/modules/user-guide/connecting-using-mutual-ssl-tls-authentication.adoc
+++
b/docs/books/modules/user-guide/connecting-using-mutual-ssl-tls-authentication.adoc
@@ -45,10 +45,10 @@ This `sslProfile` contains the locations of the private key
and certificates tha
----
sslProfile {
name: broker-tls
- certFile: /etc/qpid-dispatch-certs/tls.crt
- privateKeyFile: /etc/qpid-dispatch-certs/tls.key
- caCertFile: /etc/qpid-dispatch-certs/ca.crt
- password: file:/etc/qpid-dispatch-certs/password.txt
+ certFile: /etc/pki/tls/certs/tls.crt
+ caCertFile: /etc/pki/tls/certs/ca.crt
+ privateKeyFile: /etc/pki/tls/private/tls.key
+ password: file:/etc/pki/tls/private/password.txt
...
}
----
@@ -59,6 +59,17 @@ sslProfile {
`caCertFile`:: The absolute path to the CA certificate that was used to sign
the router's certificate.
`privateKeyFile`:: The absolute path to the file containing the private key
for this router's public certificate.
++
+[NOTE]
+====
+Ensure that the `qdrouterd` or root user can access the private key. For
example:
+
+[options="nowrap",subs="+quotes"]
+----
+chmod 0600 /etc/pki/tls/private/tls.key
+chown qdrouterd /etc/pki/tls/private/tls.key
+----
+====
//`password`
include::{FragmentDir}/fragment-password-description.adoc[]
diff --git a/docs/books/modules/user-guide/enabling-ssl-tls-encryption.adoc
b/docs/books/modules/user-guide/enabling-ssl-tls-encryption.adoc
index 8497089..f6fea1c 100644
--- a/docs/books/modules/user-guide/enabling-ssl-tls-encryption.adoc
+++ b/docs/books/modules/user-guide/enabling-ssl-tls-encryption.adoc
@@ -45,10 +45,10 @@ This `sslProfile` contains the locations of the private key
and certificates tha
----
sslProfile {
name: service-tls
- certFile: /etc/qpid-dispatch-certs/normal/tls.crt
- caCertFile: /etc/qpid-dispatch-certs/client-ca/ca.crt
- privateKeyFile: /etc/qpid-dispatch-certs/normal/tls.key
- password: file:/etc/qpid-dispatch-certs/inter-router/password.txt
+ certFile: /etc/pki/tls/certs/tls.crt
+ caCertFile: /etc/pki/tls/certs/ca.crt
+ privateKeyFile: /etc/pki/tls/private/tls.key
+ password: file:/etc/pki/tls/private/password.txt
...
}
----
@@ -59,6 +59,17 @@ sslProfile {
`caCertFile`:: The absolute path to the CA certificate that was used to sign
the router's certificate.
`privateKeyFile`:: The absolute path to the file containing the private key
for this router's public certificate.
++
+[NOTE]
+====
+Ensure that the `qdrouterd` or root user can access the private key. For
example:
+
+[options="nowrap",subs="+quotes"]
+----
+chmod 0600 /etc/pki/tls/private/tls.key
+chown qdrouterd /etc/pki/tls/private/tls.key
+----
+====
//`password`
include::{FragmentDir}/fragment-password-description.adoc[]
diff --git
a/docs/books/modules/user-guide/securing-connections-between-routers.adoc
b/docs/books/modules/user-guide/securing-connections-between-routers.adoc
index e3746d9..5767580 100644
--- a/docs/books/modules/user-guide/securing-connections-between-routers.adoc
+++ b/docs/books/modules/user-guide/securing-connections-between-routers.adoc
@@ -55,10 +55,10 @@ This `sslProfile` contains the locations of the private key
and certificates tha
----
sslProfile {
name: inter-router-tls
- certFile: /etc/qpid-dispatch-certs/inter-router/tls.crt
- caCertFile: /etc/qpid-dispatch-certs/inter-router/ca.crt
- privateKeyFile: /etc/qpid-dispatch-certs/inter-router/tls.key
- password: file:/etc/qpid-dispatch-certs/inter-router/password.txt
+ certFile: /etc/pki/tls/certs/tls.crt
+ caCertFile: /etc/pki/tls/certs/ca.crt
+ privateKeyFile: /etc/pki/tls/private/tls.key
+ password: file:/etc/pki/tls/private/password.txt
...
}
----
@@ -69,6 +69,17 @@ sslProfile {
`caCertFile`:: The absolute path to the CA certificate that was used to sign
the router's certificate.
`privateKeyFile`:: The absolute path to the file containing the private key
for this router's public certificate.
++
+[NOTE]
+====
+Ensure that the `qdrouterd` or root user can access the private key. For
example:
+
+[options="nowrap",subs="+quotes"]
+----
+chmod 0600 /etc/pki/tls/private/tls.key
+chown qdrouterd /etc/pki/tls/private/tls.key
+----
+====
//`password`
include::{FragmentDir}/fragment-password-description.adoc[]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]