This is an automated email from the ASF dual-hosted git repository.

bhardesty pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git


The following commit(s) were added to refs/heads/master by this push:
     new f1bf245  NO-JIRA: Update doc for setting password file for private 
key. This closes #688.
f1bf245 is described below

commit f1bf245d8af6f8f5d298b74ac902b4f56e825aac
Author: Ben Hardesty <[email protected]>
AuthorDate: Wed Feb 19 10:55:06 2020 -0500

    NO-JIRA: Update doc for setting password file for private key. This closes 
#688.
---
 docs/books/common/fragment-password-description.adoc  |  4 ++--
 ...onnecting-using-mutual-ssl-tls-authentication.adoc | 19 +++++++++++++++----
 .../user-guide/enabling-ssl-tls-encryption.adoc       | 19 +++++++++++++++----
 .../securing-connections-between-routers.adoc         | 19 +++++++++++++++----
 4 files changed, 47 insertions(+), 14 deletions(-)

diff --git a/docs/books/common/fragment-password-description.adoc 
b/docs/books/common/fragment-password-description.adoc
index 8517621..c3d08a4 100644
--- a/docs/books/common/fragment-password-description.adoc
+++ b/docs/books/common/fragment-password-description.adoc
@@ -17,13 +17,13 @@ specific language governing permissions and limitations
 under the License
 ////
 
-`password`:: The password to unlock the certificate key. You do not need to 
specify this if the certificate key does not have a password. By using 
different prefixes, you can specify the password several different ways 
depending on your security requirements:
+`password`:: The password to unlock the private key. You do not need to 
specify this if the private key does not have a password. By using different 
prefixes, you can specify the password several different ways depending on your 
security requirements:
 +
 * Specify the absolute path to a file that contains the password. This is the 
most secure option, because you can set permissions on the file that contains 
the password. For example:
 +
 [options="nowrap",subs="+quotes"]
 ----
-password: file:/etc/qpid-dispatch-certs/inter-router/password.txt
+password: file:/etc/pki/tls/private/password.txt
 ----
 
 * Specify an environment variable that stores the password. Use this option 
with caution, because the environment of other processes is visible on certain 
platforms. For example:
diff --git 
a/docs/books/modules/user-guide/connecting-using-mutual-ssl-tls-authentication.adoc
 
b/docs/books/modules/user-guide/connecting-using-mutual-ssl-tls-authentication.adoc
index 2b843a4..cc44b89 100644
--- 
a/docs/books/modules/user-guide/connecting-using-mutual-ssl-tls-authentication.adoc
+++ 
b/docs/books/modules/user-guide/connecting-using-mutual-ssl-tls-authentication.adoc
@@ -45,10 +45,10 @@ This `sslProfile` contains the locations of the private key 
and certificates tha
 ----
 sslProfile {
     name: broker-tls
-    certFile: /etc/qpid-dispatch-certs/tls.crt
-    privateKeyFile: /etc/qpid-dispatch-certs/tls.key
-    caCertFile: /etc/qpid-dispatch-certs/ca.crt
-    password: file:/etc/qpid-dispatch-certs/password.txt
+    certFile: /etc/pki/tls/certs/tls.crt
+    caCertFile: /etc/pki/tls/certs/ca.crt
+    privateKeyFile: /etc/pki/tls/private/tls.key
+    password: file:/etc/pki/tls/private/password.txt
     ...
 }
 ----
@@ -59,6 +59,17 @@ sslProfile {
 `caCertFile`:: The absolute path to the CA certificate that was used to sign 
the router's certificate.
 
 `privateKeyFile`:: The absolute path to the file containing the private key 
for this router's public certificate.
++
+[NOTE]
+====
+Ensure that the `qdrouterd` or root user can access the private key. For 
example:
+
+[options="nowrap",subs="+quotes"]
+----
+chmod 0600 /etc/pki/tls/private/tls.key
+chown qdrouterd /etc/pki/tls/private/tls.key
+----
+====
 
 //`password`
 include::{FragmentDir}/fragment-password-description.adoc[]
diff --git a/docs/books/modules/user-guide/enabling-ssl-tls-encryption.adoc 
b/docs/books/modules/user-guide/enabling-ssl-tls-encryption.adoc
index 8497089..f6fea1c 100644
--- a/docs/books/modules/user-guide/enabling-ssl-tls-encryption.adoc
+++ b/docs/books/modules/user-guide/enabling-ssl-tls-encryption.adoc
@@ -45,10 +45,10 @@ This `sslProfile` contains the locations of the private key 
and certificates tha
 ----
 sslProfile {
     name: service-tls
-    certFile: /etc/qpid-dispatch-certs/normal/tls.crt
-    caCertFile: /etc/qpid-dispatch-certs/client-ca/ca.crt
-    privateKeyFile: /etc/qpid-dispatch-certs/normal/tls.key
-    password: file:/etc/qpid-dispatch-certs/inter-router/password.txt
+    certFile: /etc/pki/tls/certs/tls.crt
+    caCertFile: /etc/pki/tls/certs/ca.crt
+    privateKeyFile: /etc/pki/tls/private/tls.key
+    password: file:/etc/pki/tls/private/password.txt
     ...
 }
 ----
@@ -59,6 +59,17 @@ sslProfile {
 `caCertFile`:: The absolute path to the CA certificate that was used to sign 
the router's certificate.
 
 `privateKeyFile`:: The absolute path to the file containing the private key 
for this router's public certificate.
++
+[NOTE]
+====
+Ensure that the `qdrouterd` or root user can access the private key. For 
example:
+
+[options="nowrap",subs="+quotes"]
+----
+chmod 0600 /etc/pki/tls/private/tls.key
+chown qdrouterd /etc/pki/tls/private/tls.key
+----
+====
 
 //`password`
 include::{FragmentDir}/fragment-password-description.adoc[]
diff --git 
a/docs/books/modules/user-guide/securing-connections-between-routers.adoc 
b/docs/books/modules/user-guide/securing-connections-between-routers.adoc
index e3746d9..5767580 100644
--- a/docs/books/modules/user-guide/securing-connections-between-routers.adoc
+++ b/docs/books/modules/user-guide/securing-connections-between-routers.adoc
@@ -55,10 +55,10 @@ This `sslProfile` contains the locations of the private key 
and certificates tha
 ----
 sslProfile {
     name: inter-router-tls
-    certFile: /etc/qpid-dispatch-certs/inter-router/tls.crt
-    caCertFile: /etc/qpid-dispatch-certs/inter-router/ca.crt
-    privateKeyFile: /etc/qpid-dispatch-certs/inter-router/tls.key
-    password: file:/etc/qpid-dispatch-certs/inter-router/password.txt
+    certFile: /etc/pki/tls/certs/tls.crt
+    caCertFile: /etc/pki/tls/certs/ca.crt
+    privateKeyFile: /etc/pki/tls/private/tls.key
+    password: file:/etc/pki/tls/private/password.txt
     ...
 }
 ----
@@ -69,6 +69,17 @@ sslProfile {
 `caCertFile`:: The absolute path to the CA certificate that was used to sign 
the router's certificate.
 
 `privateKeyFile`:: The absolute path to the file containing the private key 
for this router's public certificate.
++
+[NOTE]
+====
+Ensure that the `qdrouterd` or root user can access the private key. For 
example:
+
+[options="nowrap",subs="+quotes"]
+----
+chmod 0600 /etc/pki/tls/private/tls.key
+chown qdrouterd /etc/pki/tls/private/tls.key
+----
+====
 
 //`password`
 include::{FragmentDir}/fragment-password-description.adoc[]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to