Re: [Freeipa-users] verified certificates both sides of a TLS channel

2015-03-08 Thread Fraser Tweedale
On Fri, Mar 06, 2015 at 10:32:16AM +0100, Martin Kosek wrote:
 On 03/06/2015 09:34 AM, Andrew Holway wrote:
 Hi,
 
 We're using rabbitmq to shunt bits of data around various systems. To provide
 better security, we would like all of our acmq connections to be authenticated
 and encrypted.
 
 I'm looking for appropriate documentation or some friendly guidance on how
 server-to-server SSL authentication is done with FreeIPA and if indeed this
 is the best way to ensure privacy in such scenarios.
 
 These are the best documentation sources I could find:
 
 Creating certs for FreeIPA hosts: 
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/host-certificates.html
 
 Creating certs for FreeIPA hosts: 
 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/service-certificates.html
 
Service certificates issued as per above are usable for TLS client
certificate authentication.  If communications are between two
host/service principals, then TLS client authentication is possible
as long as the server and client software support it.

It would appear that RabbitMQ supports TLS client certificate
authentication: http://www.rabbitmq.com/ssl.html

TLS is the best way to ensure privacy for these connections, and it
also achieves authentication.  Whether it is the *best* way to
authenticate clients depends on what other options there are, how
easy client and server are to configure the methods for, and whether
it also accomplishes authorization (certificate authentication does
not, at least not directly).

 With these certificates, you would need to manually configure SSL-based
 authentication with mod_ssl/mod_nss. Partially related user howto is
 http://www.freeipa.org/page/Apache_SNI_With_Kerberos
 
 I wonder if RabbitMQ has GSSAPI support, that would be easier to
 configure with FreeIPA than SSL certs.
 
There seems to be some unofficial Kerberos (not GSSAPI) support:
http://comments.gmane.org/gmane.comp.networking.rabbitmq.general/23249
Maybe there is good support for GSSAPI but I did not see it in my
quick search.

 Btw FreeIPA 4.2 plans to have much better support for different cert
 profiles or sub-CAs that you may later use for purposes like this one.
 
This is highly desirable, and it is coming.  FreeIPA currently
issues all certificates directly from a single CA, and any
certificate issued by the CA will be considered valid (as long as it
is not expired, revoked, etc).  At this time, application- or TLS
termination-layer logic is needed to make authorisation decisions.

 Ticket:
 https://fedorahosted.org/freeipa/ticket/57
 
 CCing Fraser from Dogtag team for reference.
 
 Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
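The distinction Fraser draws above, that a client certificate chaining to the IPA CA authenticates the peer as an enrolled host but does not by itself decide whether that host may use this service, as an added example that is not part of the thread and is not RabbitMQ or FreeIPA code: a Python 3 stdlib sketch of a server-side TLS context that requires a client certificate, followed by the application-layer allow-list check run on the peer certificate. The file paths, host names, realm and certificate dicts are constructed assumptions; the dicts are shaped like `SSLSocket.getpeercert()` output with a FreeIPA-style subject (CN = host FQDN, O = realm).

```python
"""Mutual TLS with FreeIPA-issued certificates: authentication at the TLS layer,
authorization in the application (added example, not from the thread)."""
import ssl
from typing import Iterable, Optional, Set

# Assumed paths on an IPA-enrolled host; nothing is opened at import time.
IPA_CA_CERT = "/etc/ipa/ca.crt"                          # assumption
SERVICE_CERT = "/etc/pki/tls/certs/amqp-broker.pem"      # placeholder
SERVICE_KEY = "/etc/pki/tls/private/amqp-broker.key"     # placeholder


def make_mtls_server_context(ca_file: str = IPA_CA_CERT,
                             certfile: str = SERVICE_CERT,
                             keyfile: str = SERVICE_KEY) -> ssl.SSLContext:
    """Server-side context that refuses the handshake unless the client presents
    a certificate chaining to the IPA CA. This is the *authentication* step."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED   # CLIENT_AUTH defaults to CERT_NONE
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def peer_identities(peercert: dict) -> Set[str]:
    """Host names the peer certificate asserts: SAN dNSName entries plus the
    subject CN, lower-cased. Input has the shape of SSLSocket.getpeercert()."""
    names: Set[str] = set()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.add(value.lower())
    return names


def authorize_peer(peercert: Optional[dict],
                   allowed_hosts: Iterable[str]) -> Optional[str]:
    """The *authorization* step. A valid chain only proves the peer is some
    host the IPA CA vouches for; whether that host may use this service is
    local policy. Returns the matched allow-listed name, or None to reject."""
    if not peercert:                      # no cert, or chain not verified
        return None
    allowed = {h.lower() for h in allowed_hosts}
    matched = peer_identities(peercert) & allowed
    return min(matched) if matched else None


def accept_connection(tls_sock: ssl.SSLSocket,
                      allowed_hosts: Iterable[str]) -> Optional[str]:
    """Call after wrap_socket(server_side=True) has completed the handshake.
    Returns the authorized peer name, or None; the caller closes on None."""
    return authorize_peer(tls_sock.getpeercert(), allowed_hosts)


# Constructed samples shaped like getpeercert() output (not real certificates).
PRODUCER_CERT = {
    "subject": ((("organizationName", "EXAMPLE.COM"),),
                (("commonName", "producer1.example.com"),)),
    "subjectAltName": (("DNS", "producer1.example.com"),),
    "issuer": ((("organizationName", "EXAMPLE.COM"),),
               (("commonName", "Certificate Authority"),)),
    "notAfter": "Mar  6 09:34:00 2017 GMT",
}
# Another enrolled host holding an equally valid IPA certificate that has no
# business talking to the broker: the TLS layer alone would let it in.
BUILDBOX_CERT = {
    "subject": ((("organizationName", "EXAMPLE.COM"),),
                (("commonName", "buildbox.example.com"),)),
    "subjectAltName": (("DNS", "buildbox.example.com"),),
    "issuer": PRODUCER_CERT["issuer"],
    "notAfter": "Mar  6 09:34:00 2017 GMT",
}
ALLOWED_PRODUCERS = ["producer1.example.com", "producer2.example.com"]

if __name__ == "__main__":
    for label, cert in (("producer1", PRODUCER_CERT), ("buildbox", BUILDBOX_CERT)):
        print(label, "->", authorize_peer(cert, ALLOWED_PRODUCERS) or "rejected")
```

When RabbitMQ terminates TLS itself, its Erlang ssl options `{verify, verify_peer}` and `{fail_if_no_peer_cert, true}` play the role of `CERT_REQUIRED` here; the allow-list step then has to be expressed in whatever the broker or a fronting proxy supports, which is the "application- or TLS termination-layer logic" the reply refers to.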


Re: [Freeipa-users] verified certificates both sides of a TLS channel

2015-03-06 Thread Martin Kosek

On 03/06/2015 09:34 AM, Andrew Holway wrote:

Hi,

We're using rabbitmq to shunt bits of data around various systems. To provide
better security, we would like all of our acmq connections to be authenticated
and encrypted.

I'm looking for appropriate documentation or some friendly guidance on how
server-to-server SSL authentication is done with FreeIPA and if indeed this is
the best way to ensure privacy in such scenarios.


These are the best documentation sources I could find:

Creating certs for FreeIPA hosts: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/host-certificates.html


Creating certs for FreeIPA hosts: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/service-certificates.html


With these certificates, you would need to manually configure SSL-based 
authentication with mod_ssl/mod_nss. Partially related user howto is

http://www.freeipa.org/page/Apache_SNI_With_Kerberos

I wonder if RabbitMQ has GSSAPI support, that would be easier to configure
with FreeIPA than SSL certs.


Btw FreeIPA 4.2 plans to have much better support for different cert profiles 
or sub-CAs that you may later use for purposes like this one.


Ticket:
https://fedorahosted.org/freeipa/ticket/57

CCing Fraser from Dogtag team for reference.

Martin



Re: [Freeipa-users] verified certificates both sides of a TLS channel

2015-03-06 Thread Dmitri Pal

On 03/06/2015 08:05 AM, Martin Kosek wrote:

On 03/06/2015 01:16 PM, Dmitri Pal wrote:

On 03/06/2015 04:32 AM, Martin Kosek wrote:

On 03/06/2015 09:34 AM, Andrew Holway wrote:

Hi,

We're using rabbitmq to shunt bits of data around various systems. To provide
better security, we would like all of our acmq connections to be authenticated
and encrypted.

I'm looking for appropriate documentation or some friendly guidance on how
server-to-server SSL authentication is done with FreeIPA and if indeed this is
the best way to ensure privacy in such scenarios.


These are the best documentation sources I could find:

Creating certs for FreeIPA hosts:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/host-certificates.html

Creating certs for FreeIPA hosts:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/service-certificates.html
With these certificates, you would need to manually configure SSL-based
authentication with mod_ssl/mod_nss. Partially related user howto is
http://www.freeipa.org/page/Apache_SNI_With_Kerberos

I wonder if RabbitMQ has GSSAPI support, that would be easier to
configure with FreeIPA than SSL certs.

Btw FreeIPA 4.2 plans to have much better support for different cert
profiles or sub-CAs that you may later use for purposes like this one.

Ticket:
https://fedorahosted.org/freeipa/ticket/57

CCing Fraser from Dogtag team for reference.

Martin

What we are still missing is the client side certs. So AFAIU we would be
able to provide certs for one way authentication, not two way yet.
It is in the works.


Couldn't the authentication be provided with service certs and current 
default certificate profile?


I do not think so. I added Rob to the thread. I think he explained one
time what is missing but I do not recall the details.

This is the ticket for the client certificate work, it was missing:
https://fedorahosted.org/freeipa/ticket/4938

Martin



--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] verified certificates both sides of a TLS channel

2015-03-06 Thread Martin Kosek

On 03/06/2015 01:16 PM, Dmitri Pal wrote:

On 03/06/2015 04:32 AM, Martin Kosek wrote:

On 03/06/2015 09:34 AM, Andrew Holway wrote:

Hi,

We're using rabbitmq to shunt bits of data around various systems. To provide
better security, we would like all of our acmq connections to be authenticated
and encrypted.

I'm looking for appropriate documentation or some friendly guidance on how
server-to-server SSL authentication is done with FreeIPA and if indeed this is
the best way to ensure privacy in such scenarios.


These are the best documentation sources I could find:

Creating certs for FreeIPA hosts:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/host-certificates.html


Creating certs for FreeIPA hosts:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/service-certificates.html


With these certificates, you would need to manually configure SSL-based
authentication with mod_ssl/mod_nss. Partially related user howto is
http://www.freeipa.org/page/Apache_SNI_With_Kerberos

I wonder if RabbitMQ has GSSAPI support, that would be easier to configure
with FreeIPA than SSL certs.

Btw FreeIPA 4.2 plans to have much better support for different cert profiles
or sub-CAs that you may later use for purposes like this one.

Ticket:
https://fedorahosted.org/freeipa/ticket/57

CCing Fraser from Dogtag team for reference.

Martin


What we are still missing is the client side certs. So AFAIU we would be able to
provide certs for one way authentication, not two way yet.
It is in the works.


Couldn't the authentication be provided with service certs and current default 
certificate profile?


This is the ticket for the client certificate work, it was missing:
https://fedorahosted.org/freeipa/ticket/4938

Martin



Re: [Freeipa-users] verified certificates both sides of a TLS channel

2015-03-06 Thread Dmitri Pal

On 03/06/2015 04:32 AM, Martin Kosek wrote:

On 03/06/2015 09:34 AM, Andrew Holway wrote:

Hi,

We're using rabbitmq to shunt bits of data around various systems. To provide
better security, we would like all of our acmq connections to be authenticated
and encrypted.

I'm looking for appropriate documentation or some friendly guidance on how
server-to-server SSL authentication is done with FreeIPA and if indeed this is
the best way to ensure privacy in such scenarios.


These are the best documentation sources I could find:

Creating certs for FreeIPA hosts: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/host-certificates.html


Creating certs for FreeIPA hosts: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/service-certificates.html


With these certificates, you would need to manually configure
SSL-based authentication with mod_ssl/mod_nss. Partially related user
howto is
http://www.freeipa.org/page/Apache_SNI_With_Kerberos

I wonder if RabbitMQ has GSSAPI support, that would be easier to
configure with FreeIPA than SSL certs.


Btw FreeIPA 4.2 plans to have much better support for different cert 
profiles or sub-CAs that you may later use for purposes like this one.


Ticket:
https://fedorahosted.org/freeipa/ticket/57

CCing Fraser from Dogtag team for reference.

Martin

What we are still missing is the client side certs. So AFAIU we would be
able to provide certs for one way authentication, not two way yet.

It is in the works.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



[Freeipa-users] verified certificates both sides of a TLS channel

2015-03-06 Thread Andrew Holway
Hi,

We're using rabbitmq to shunt bits of data around various systems. To provide
better security, we would like all of our acmq connections to be
authenticated and encrypted.

I'm looking for appropriate documentation or some friendly guidance on how
server-to-server SSL authentication is done with FreeIPA and if indeed this
is the best way to ensure privacy in such scenarios.

Thanks,

Andrew