Hi Wielly,

Thank you for your patience. Cliff Jansen recently posted the attached steps for setting up SSL on Windows.

-Steve

> -----Original Message-----
> From: Wielly [mailto:[email protected]]
> Sent: Tuesday, May 15, 2012 4:53 AM
> To: [email protected]
> Subject: Qpid Enquiry
>
> Hello,
>
> I have installed qpid package with c++ broker under windows environment. I
> already developed qpid application for my project, my customers have been
> using my apps for 2 years without problem.
>
> I am having more potential and bigger customers in near future. They require
> that my system need to configure SSL security to transmit/receive data over
> secured network.
>
> Any user is familiar with setting up QPID "SSL" under windows environment
> before? Can any user help me to explain in stepwise how to configure? I
> heard this is possible to be done under windows.
>
> Please note that we are not developing this app under linux environment.
>
> Thank you very much in advance.
>
> Regards,
>
> Willy
>
> Software Engineer Asia
--- Begin Message ---
Here is a recipe for using the tools you are used to on Linux and interoperating with Windows. Hopefully you can find the info you are looking for buried inside.

For general info, see qpid/cpp/SSL and note in particular that the current Qpid implementation is Registry based. Type "qpidd --help" for ssl specific args.

I tried to avoid the GUI on Windows but failed, sorry. I was also unable to find any way to create a new certificate store without the hack of creating a sacrificial self signed cert first. notused.example.com is that sacrificial cert.

I had to run mmc, makecert, and qpidd as an administrator. I could run qpid-perftest without exalted privilege.

I used two separate stores on Linux, but that wasn't necessary.


CASE 1: Windows client + Linux broker (linux1.example.com)

[ on Linux ]

$ pwd
/b/amqp/b/q16b9/ssltest/l
$ export QPID_SSL_CERT_PASSWORD_FILE=`pwd`/pwf
$ export QPID_SSL_CERT_DB=`pwd`/db
$ export QPID_SSL_CERT_NAME=linux1.example.com
$ echo secret >pwf
$ mkdir db
$ certutil -N -d ${QPID_SSL_CERT_DB} -f ${QPID_SSL_CERT_PASSWORD_FILE}
$ certutil -S -d ${QPID_SSL_CERT_DB} -n ${QPID_SSL_CERT_NAME} -s "CN=${QPID_SSL_CERT_NAME}" -t "CT,," -x -f ${QPID_SSL_CERT_PASSWORD_FILE} -v 36
[ entropy stuff ... ]
$
$ /b/amqp/b/q16b9/rt/sbin/qpidd --auth no -p 18641 --ssl-cert-password-file $QPID_SSL_CERT_PASSWORD_FILE --ssl-cert-name $QPID_SSL_CERT_NAME --ssl-port 18642 --ssl-cert-db $QPID_SSL_CERT_DB --module-dir /b/amqp/b/q16b9/rt/lib/qpid/daemon &
[1] 20016
$
[export cert]
$ certutil -L -d ${QPID_SSL_CERT_DB} -n ${QPID_SSL_CERT_NAME} -f ${QPID_SSL_CERT_PASSWORD_FILE} -a >/tmp/linux1.pub.cer

[ on Windows ]

mmc [run as administrator]
  File->snap-in->Certificates->add
    Computer account [not "User" or "Service"] -> Local computer
  Certificates-> Trusted Root CAs -> right click -> all tasks -> Import...
    [in wizard] -> browse to linux1.pub.cer -> open -> finish

PS C:\cj\work\amqp\wcf\q1701\bin> .\qpid-perftest.exe -b linux1.example.com -p 5672 -P ssl --count 10000 --summary


CASE 2: Windows broker (win1.example.com) + Linux client

$ mkdir db
$ echo secret >pwf
$ export QPID_SSL_CERT_PASSWORD_FILE=`pwd`/pwf
$ export QPID_SSL_CERT_DB=`pwd`/db
$ pwd
/b/amqp/b/q16b9/ssltest/w
$
$ certutil -N -d ${QPID_SSL_CERT_DB} -f ${QPID_SSL_CERT_PASSWORD_FILE}
$
$ export QPID_SSL_CERT_NAME=win1.example.com
$ certutil -S -d ${QPID_SSL_CERT_DB} -n ${QPID_SSL_CERT_NAME} -s "CN=${QPID_SSL_CERT_NAME}" -t "CT,," -x -f ${QPID_SSL_CERT_PASSWORD_FILE} -v 36
[entropy stuff]

[ this time need to export private key too, so use pk12util ]

$ pk12util -o win1.p12 -n ${QPID_SSL_CERT_NAME} -d ${QPID_SSL_CERT_DB}
Enter Password or Pin for "NSS Certificate DB":secret
Enter password for PKCS12 file: very_secret
Re-enter password: very_secret
pk12util: PKCS12 EXPORT SUCCESSFUL
$

[ on Windows ]

[ hack to create "qpidtest" certificate store ]

cd C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin
makecert -ss qpidtest -n "CN=notused.example.com" -r -sr localmachine notused.cer

[ import the cert for win1.example.com ]

same mmc GUI steps except right click from "qpidtest" store you just created
browse to win1.p12 and select file type PKCS#12 if it is not listed

PS C:\cj\work\amqp\wcf\q1701\bin> .\qpidd.exe --auth no --no-data-dir --ssl-cert-store qpidtest --ssl-cert-name win1.example.com

[ back on Linux ]

$ export QPID_LOAD_MODULE=/b/amqp/b/q16b9/rt/lib/qpid/client/sslconnector.so
$ env | grep QPID
QPID_LOAD_MODULE=/b/amqp/b/q16b9/rt/lib/qpid/client/sslconnector.so
QPID_SSL_CERT_DB=/b/amqp/b/q16b9/ssltest/w/db
QPID_SSL_CERT_NAME=win1.example.com
QPID_SSL_CERT_PASSWORD_FILE=/b/amqp/b/q16b9/ssltest/w/pwf
$ /b/amqp/b/q16b9/rt/libexec/qpid/tests/qpid-perftest -p 5671 --count 10000 -P ssl --summary -b win1.example.com
464.89 452.492 918.965 0.897427
$


----- Original Message -----
From: "Andrew Stitcher" <[email protected]>
To: "Qpid Dev List" <[email protected]>, "Steve Huston" <[email protected]>, "Clifford Jansen" <[email protected]>
Sent: Thursday, May 10, 2012 5:23:26 PM
Subject: Setting up SSL certs to run broker on Windows

Simple enough question - how do I set up the appropriate certificates
and certificate stores to get ssl working on a C++ windows broker?

(I hope that answer's simple too, but I have some doubts!)

Thanks

Andrew
--- End Message ---
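
The Windows-side import steps from the attached message, scripted with the PowerShell certificate provider and PKI cmdlets instead of mmc and makecert. This is an added example, not part of the original thread. It assumes PowerShell 3.0 or later with the PKI module (Windows 8 / Server 2012 onward), an elevated session, and that linux1.pub.cer and win1.p12 have been copied into the current directory.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# File names, the "qpidtest" store and the subject names come from the message
# above; the relative paths are an assumption about where the files were copied.

# CASE 1: trust the Linux broker's self-signed certificate machine-wide.
$root = Import-Certificate -FilePath .\linux1.pub.cer `
    -CertStoreLocation Cert:\LocalMachine\Root

# Compare this thumbprint with the fingerprint shown on the Linux host before
# relying on it: anything in LocalMachine\Root is trusted by the whole machine.
$root | Format-List Subject, Thumbprint, NotAfter

# CASE 2: create the broker's store directly, then import the PKCS#12 file.
$store = 'Cert:\LocalMachine\qpidtest'
if (-not (Test-Path $store)) {
    New-Item -Path $store | Out-Null
}

# Prompt for the PKCS#12 password so it never lands in a script or history file.
$p12Password = Read-Host -AsSecureString 'Password for win1.p12'

# Without -Exportable the private key is imported as non-exportable.
Import-PfxCertificate -FilePath .\win1.p12 -CertStoreLocation $store `
    -Password $p12Password | Out-Null

# Confirm the store holds exactly one matching certificate with a private key.
$match = @(Get-ChildItem $store |
    Where-Object { $_.Subject -eq 'CN=win1.example.com' })
if ($match.Count -ne 1) {
    throw "Expected 1 certificate for win1.example.com, found $($match.Count)"
}
if (-not $match[0].HasPrivateKey) {
    throw 'Certificate has no private key; a broker cannot serve TLS with it'
}
$match[0] | Format-List Subject, Thumbprint, HasPrivateKey, NotAfter
```

Once testing is finished, remove linux1.example.com from LocalMachine\Root and delete the transferred win1.p12, since the first is a machine-wide trust anchor and the second contains the broker's private key.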
