[
https://issues.apache.org/jira/browse/QPID-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Gemmell updated QPID-1511:
---------------------------------
Attachment: QPID-1511_29jan2009.patch
create_example_ssl_certstores.sh
I attach QPID-1511_29jan2009.patch to address this JIRA, and a script to
produce an example keystore and truststore for users who dont have their own
SSL certificate handy. I wasnt sure where to put that in the repository so its
not in the patch.
The JMXMP connector capabilities are left intact for now, but grouped for easy
future removal (I think its a good idea to keep it all in for at least 1
revision before removing).
2 new files are added by the patch:
qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/rmi/RMIPasswordAuthenticator.java
qpid/java/broker/src/test/java/org/apache/qpid/server/security/auth/rmi/RMIPasswordAuthenticatorTest.java
=======
Notes:
=======
Adds authentication and SSL encryption to the JMX RMIConnectorServer, and
updates the console and JMXConnectionFactory accordingly.
Makes the RMI ConnectorServer use the custom MBeanServerForwarder invoker like
the JMXMP connector has, thus enforcing the authorisation system.
SSL is on by default in the config file but can be turned off in the config if
desired, though the brokers config request defaults it to true so that need not
be exposed if it isnt desired. The config.xml file is configured to use the
test ssl certificate store in the java/test_resources/ssl directory created for
the cpp.ssl test profile. The config file can be overidden by specifying the
standard javax.net.ssl.* system properties normally available for this task. If
the keystore or password are not set by one of these means, a configuration
exception will be thrown and abort the broker startup.
As a result of the above, to connect using the console/cli you will need to
supply the relevant ssl trust store location and password if the certificates
being used cant be verified by the default java trust stores. This can be done
using the system properties javax.net.ssl.trustStore and
javax.net.ssl.trustStorePassword, either at the command line when launching
qpidmc(.exe), or by altering the qpidmc.ini file using the examples now
provided within it.
The broker will use the defined management port (default 8999) for the RMI
registry as before, but now uses the <OFFSET>'th next port (+100 just now, thus
9099 normally) to export the actual JMX RMIConnectorServer, whereas previously
this port was chosen at random by the JMX Factory methods, making it rather
firewall unfriendly.
A custom RMIServerSocketFactory is included to address the security issues
surrounding RMI registries (namely that anyone on that machine is free to
modify the registry and thus can intercept the JMX connections by replacing the
JMX Connector Server stub in the registry with their own), by crippling the
hostname detection and making it impossible to bind objects to the registry
using RMI locally or remotely, instead requiring you to hold the object
reference to it.
The authenticator has a local MD5 hashing function to convert the password for
comparison, but ideally this will be removed through modification of the
Base64MD5 PD to do its own hashing, and the authenticator will then make use of
the PD's verifyPassword method instead.
Finally, the patch makes the JMXManagedObjectRegistry use the specific
principal database listed in the configuration as the jmx management PD, as
happens to AMQUserManagementMBean. The PD selection method used previously in
JMXManagedObjectRegistry made it possible for the 2 areas to (unwittingly or
otherwise) use different databases, which the AMQUMMBean implementation does
not appear to be able to support properly if thats what was originally intended
(see
http://mail-archives.apache.org/mod_mbox/qpid-dev/200812.mbox/%[email protected]%3e
for way more info than you could ever want :P)
> JMX Interface does not require authentication
> ---------------------------------------------
>
> Key: QPID-1511
> URL: https://issues.apache.org/jira/browse/QPID-1511
> Project: Qpid
> Issue Type: Improvement
> Components: Java Broker, Java Management : JMX Console
> Reporter: Martin Ritchie
> Fix For: Eclipse MC M5
>
> Attachments: create_example_ssl_certstores.sh,
> QPID-1511_29jan2009.patch
>
>
> Summary:
> JMX Interface uses the default RMI connector which has no authentication
> mechanism. We should not be shipping a JMX interface that doesn't have
> authentication. The interface has been disabled by default for M4 but this
> should be modified based on the outcome of the discussion on qpid-dev to
> authenticate all connections.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:[email protected]
