Hi Kerry,

By coincidence, I have gone through the certificate learning curve in the last few days.

The Windows broker currently supports registry based (as opposed to file based) certificates that are in a certificate store that is scoped to the local machine (not the current user). I am not up to speed on mixing OpenSSL data files with Windows registry stores. You can try the following (with Administrator privilege) to create a new self-signed cert:

  makecert -ss qpidstore -n "CN=myserver" -r -sr localmachine myserver.cer

Where qpidstore is an arbitrary store name to place your qpid related cert(s) and myserver is the name the clients expect your server's common name to be. This registry entry contains the private and public keys of the certificate. myserver.cer contains the public key. You must import this into the trusted roots on Windows via certmgr for each client that needs to connect to the server. You can examine it from OpenSSL via

  openssl x509 -in myserver.cer -inform DER -text

To run the server, again as Administrator:

  qpidd --ssl-cert-name myserver --ssl-cert-store qpidstore --other-args

I am not aware that anyone is currently working on QPID-1842. If you have time to donate here, it would be greatly appreciated. But note:

> [...] I need secure broker (with clustering) on the Windows platform working
> in the next few months for my project here.

Clustering support has not yet been ported to Windows. I am not aware that it has even been seriously scoped in terms of effort. Steve Huston would be the best source of information on this.

Cliff

-----Original Message-----
From: Kerry Bonin [mailto:[email protected]]
Sent: Wednesday, February 03, 2010 12:43 PM
To: qpid-dev
Subject: Status of Windows SSL / ACL ?

Hello!

I had a few questions regarding the state of broker security for Windows platforms.

On the SSL front, I see QPID-1403 has been resolved, and I can now build w/ BUILD_SSL enabled. What I haven't been able to get working yet is to get my broker to actually load a certificate - ::CertFindCertificateInStore fails.

On this issue, do we have a known good set of instructions to generate a working system? The Windows error ("Cannot find object or property") is so vague I'm not sure why it isn't loading my cert. I'm generating a self-signed cert w/ openssl, loading as trusted root cert, generating a client cert w/ the CN of my node, converting to pkcs12 along w/ password free private key and importing to the personal store w/ friendly name of node, not sure what else I need to do...

On the ACL front, QPID-1842 is still keeping Windows link from working. Any idea when this will be fixed?

On a related note, I have time to help fix these, as I need secure broker (with clustering) on the Windows platform working in the next few months for my project here.

Appreciate any pointers, and please let me know if there is anything I can do to help...

Kerry Bonin
Sr. Systems Architect
GE Security

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:[email protected]
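A diagnostic for the store-scope problem discussed in this thread (the broker only looks in a LocalMachine-scoped store, and CertFindCertificateInStore fails when the cert is not there). This is an added example, not code from the thread or from Qpid; the store name qpidstore and CN myserver are taken from Cliff's makecert command, everything else is an assumption about how you would check the store before starting qpidd.

```powershell
# Added diagnostic, not part of the original thread. Verifies the broker cert
# is where the Windows broker looks: a LocalMachine store (thread's example
# store "qpidstore"), with a private key and the CN the clients expect.
param(
    [string]$StoreName  = 'qpidstore',  # from the thread's makecert example
    [string]$CommonName = 'myserver'    # from the thread's makecert example
)

$problems = @()

# 1. The broker reads the machine store, not the user's. A cert imported into
#    the CurrentUser "personal" store will not be found by the broker.
$machinePath = "Cert:\LocalMachine\$StoreName"
$userPath    = "Cert:\CurrentUser\$StoreName"
if (-not (Test-Path $machinePath)) {
    $problems += "Store '$StoreName' does not exist under LocalMachine."
    if (Test-Path $userPath) {
        $problems += "It exists under CurrentUser instead: wrong scope."
    }
}

# 2. Within the store, the cert must match the CN and carry a private key
#    (importing only the .cer gives you the public half, which cannot serve TLS).
$found = @()
if (Test-Path $machinePath) {
    $cnPattern = "CN=$([regex]::Escape($CommonName))(,|$)"
    $found = @(Get-ChildItem $machinePath | Where-Object { $_.Subject -match $cnPattern })
    if ($found.Count -eq 0) {
        $problems += "No certificate with CN=$CommonName in $machinePath."
    }
    foreach ($c in $found) {
        if (-not $c.HasPrivateKey) {
            $problems += "$($c.Thumbprint) has no private key; broker cannot use it."
        }
        if ($c.NotAfter -lt (Get-Date)) {
            $problems += "$($c.Thumbprint) expired on $($c.NotAfter)."
        }
    }
}

# 3. A self-signed broker cert is trusted by a client only if its public half is
#    in that client's trusted roots; check this machine's root store as a sample.
$inRoot = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $found.Thumbprint -contains $_.Thumbprint }
if ($found.Count -gt 0 -and -not $inRoot) {
    $problems += "Broker cert is not in LocalMachine\Root here (needed on each client)."
}

if ($problems.Count -eq 0) { "OK: CN=$CommonName is usable from $machinePath" }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

Run it in an elevated PowerShell on the broker host before starting qpidd; each PROBLEM line names the condition that would make the broker's store lookup fail.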
