[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)

2021-10-07 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17425447#comment-17425447
 ] 

ASF subversion and git services commented on ARTEMIS-1264:
--

Commit a5b5a504e0426daa1f2598582ea3252f8bca4cf8 in activemq-artemis's branch 
refs/heads/main from Robbie Gemmell
[ https://gitbox.apache.org/repos/asf?p=activemq-artemis.git;h=a5b5a50 ]

ARTEMIS-3038: unwind effect of defunct changes from ARTEMIS-1264

Follows earlier test removal in a3de3d4c75ba1482706e8c42a5c9b0f9811901eb


> Client authentication via Kerberos TLS Cipher Suites (RFC 2712)
> ---
>
> Key: ARTEMIS-1264
> URL: https://issues.apache.org/jira/browse/ARTEMIS-1264
> Project: ActiveMQ Artemis
> Issue Type: New Feature
> Affects Versions: 2.1.0
> Reporter: Gary Tully
> Assignee: Gary Tully
> Priority: Major
> Fix For: 2.2.0
>
>
> Allow a client authenticated with a kerberos credential to authenticate to 
> the broker using SSL via the Kerberos cipher suites.
> next steps:
>  - -ensure mapping from kerberos principal to broker identity is locked down-
>  -- https://github.com/apache/activemq-artemis/pull/1388
>  - -ensure jms client config is trivial-
>  -- the connector properties can be configured in the same way as for core.
>  - -validate broker side ticket expiry and renewal-
>  - work with qpid-jms to validate amqp client (on hold)
>  - validate with non java - proton-c client (problem)
> Interop with non java clients is a problem. OpenSSL has removed support
> (http://openssl.6102.n7.nabble.com/openssl-users-Kerberos-tp57906p58095.html)
> for rfc2712 (https://www.ietf.org/rfc/rfc2712.txt).
> While reusing the TLS handshake was a good idea at the time; it has issues 
> (non compatible impl between openssl and sun) and the world has moved on to 
> layering authentication over TLS rather than with.
> This makes sense b/c kerberos does two things, authentication over an 
> insecure connection and session encryption over that connection. With rfc2712 
> the available session encryption options are known to be insecure, best to 
> leave encryption entirely to TLS. 
> In a java only scenario (sun jdk on both ends), using this feature for 
> kerberos *authentication only* is viable.
> For example, if clients use username/password for authentication and TLS to 
> encrypt the connection to secure the password, but don't care about 
> encrypting the rest of the data, there is some value here.
> They can swap the username/password for a kerberos token and achieve 
> authentication. They will essentially drop encryption because the cypher in 
> use is insecure. Note a kerberos ticket is designed to be validated across an 
> insecure channel.
> The modern approach is to layer kerberos authentication over TLS using 
> something like the GSSAPI and SASL.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
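
The issue description above notes that the session encryption options available with RFC 2712 are known to be insecure. The following is an added example, not part of the original thread or of the Artemis code base: it flags those suites in a configured cipher-suite list. Suite names and code points are the ones assigned by RFC 2712; `describe`, `audit` and the sample list are constructed for illustration.

```python
# Added example: find RFC 2712 Kerberos cipher suites in a configured suite list
# and report why each one offers weak session encryption.

# Suite names and IANA code points assigned by RFC 2712 (0x001E-0x002B).
RFC2712_SUITES = {
    "TLS_KRB5_WITH_DES_CBC_SHA": 0x001E,
    "TLS_KRB5_WITH_3DES_EDE_CBC_SHA": 0x001F,
    "TLS_KRB5_WITH_RC4_128_SHA": 0x0020,
    "TLS_KRB5_WITH_IDEA_CBC_SHA": 0x0021,
    "TLS_KRB5_WITH_DES_CBC_MD5": 0x0022,
    "TLS_KRB5_WITH_3DES_EDE_CBC_MD5": 0x0023,
    "TLS_KRB5_WITH_RC4_128_MD5": 0x0024,
    "TLS_KRB5_WITH_IDEA_CBC_MD5": 0x0025,
    "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA": 0x0026,
    "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA": 0x0027,
    "TLS_KRB5_EXPORT_WITH_RC4_40_SHA": 0x0028,
    "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5": 0x0029,
    "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5": 0x002A,
    "TLS_KRB5_EXPORT_WITH_RC4_40_MD5": 0x002B,
}

# Bulk cipher token -> (effective key strength in bits, reason it is weak).
BULK = {
    "DES_CBC": (56, "single DES"),
    "3DES_EDE_CBC": (112, "64-bit block cipher"),
    "RC4_128": (128, "RC4, prohibited in TLS by RFC 7465"),
    "IDEA_CBC": (128, "64-bit block cipher"),
    "DES_CBC_40": (40, "export-grade key"),
    "RC2_CBC_40": (40, "export-grade key"),
    "RC4_40": (40, "export-grade key"),
}


def describe(name):
    """Return a finding for an RFC 2712 suite name, or None if it is not one."""
    code = RFC2712_SUITES.get(name)
    if code is None:
        return None
    body = name[len("TLS_KRB5_"):]
    export = body.startswith("EXPORT_WITH_")
    body = body[len("EXPORT_WITH_"):] if export else body[len("WITH_"):]
    bulk, mac = body.rsplit("_", 1)  # the last token is the MAC hash
    bits, reason = BULK[bulk]
    return {"name": name, "code": code, "bulk": bulk, "mac": mac,
            "key_bits": bits, "export": export, "reason": reason}


def audit(cipher_list):
    """Split a comma-separated suite list into RFC 2712 findings, unrecognised
    names that mention KRB5 (for manual review), and everything else."""
    result = {"kerberos": [], "unknown_krb5": [], "other": []}
    for raw in cipher_list.split(","):
        name = raw.strip().upper()
        if not name:
            continue
        finding = describe(name)
        if finding is not None:
            result["kerberos"].append(finding)
        elif "KRB5" in name:
            result["unknown_krb5"].append(name)
        else:
            result["other"].append(name)
    return result


# Constructed sample value; the third KRB5 name is deliberately not an RFC 2712 suite.
SAMPLE = ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_KRB5_WITH_3DES_EDE_CBC_SHA,"
          "TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_WITH_AES_128_CBC_SHA")

if __name__ == "__main__":
    report = audit(SAMPLE)
    for f in report["kerberos"]:
        print(f"0x{f['code']:04X} {f['name']}: {f['key_bits']}-bit, {f['reason']}, MAC {f['mac']}")
    for name in report["unknown_krb5"]:
        print(f"review manually: {name}")
```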


[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)

2017-12-15 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16292603#comment-16292603
 ] 

ASF subversion and git services commented on ARTEMIS-1264:
--

Commit 7b3b22d1840ab124e7aefcd4a98f54cb8831e62f in activemq-artemis's branch 
refs/heads/master from [~gtully]
[ https://git-wip-us.apache.org/repos/asf?p=activemq-artemis.git;h=7b3b22d ]

[ARTEMIS-1310] [ARTEMIS-1264] - remove some dead code - krb5 login module and 
jaas callback handler now have the smarts to query netty





--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)

2017-08-08 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16118701#comment-16118701
 ] 

ASF subversion and git services commented on ARTEMIS-1264:
--

Commit 9fedb47c400b9a00dec08b8f3bc280fe674ad915 in activemq-artemis's branch 
refs/heads/master from [~gtully]
[ https://git-wip-us.apache.org/repos/asf?p=activemq-artemis.git;h=9fedb47 ]

[ARTEMIS-1310] [ARTEMIS-1264] consolidate configuration to require login 
configuration scope




[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)

2017-07-07 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16077896#comment-16077896
 ] 

ASF GitHub Bot commented on ARTEMIS-1264:
-

Github user gtully commented on the issue:

https://github.com/apache/activemq-artemis/pull/1388
  
there is a regression in: 
org.apache.activemq.artemis.tests.integration.amqp.AmqpSecurityTest.testSendAndRejected

org.apache.activemq.artemis.core.security.SecurityAuth#getRemotingConnection 
passing back a null remotingConnection - this needs a little revisit.




[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)

2017-07-06 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16077531#comment-16077531
 ] 

ASF subversion and git services commented on ARTEMIS-1264:
--

Commit d4150be0d9ce815a4a19a77e8e6ca92eaabd6a90 in activemq-artemis's branch 
refs/heads/master from [~gtully]
[ https://git-wip-us.apache.org/repos/asf?p=activemq-artemis.git;h=d4150be ]

ARTEMIS-1264 allow role mapping via chained login modules

Add krb5sslloginmodule that will populate userPrincipal that can be mapped to 
roles independently
Generalised callback handlers to take a connection and pull certs or 
peerprincipal based on
callback. This bubbled up into api change in securitystore and security manager




[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)

2017-07-06 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16077532#comment-16077532
 ] 

ASF GitHub Bot commented on ARTEMIS-1264:
-

Github user asfgit closed the pull request at:

https://github.com/apache/activemq-artemis/pull/1388




[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)

2017-07-06 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16076810#comment-16076810
 ] 

ASF GitHub Bot commented on ARTEMIS-1264:
-

Github user gtully commented on the issue:

https://github.com/apache/activemq-artemis/pull/1388
  
note there are some api changes in the mix here, in place of cert[] the 
connection is passed in. This allows lower levels to pull certs or peer info 
from the connection on demand. Which in turn allows chaining of login modules. 
The unit test now works b/c the krbloginModule provides the authenticated user 
and the properties login module provides the role mapping




[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)

2017-07-06 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16076799#comment-16076799
 ] 

ASF GitHub Bot commented on ARTEMIS-1264:
-

GitHub user gtully opened a pull request:

https://github.com/apache/activemq-artemis/pull/1388

ARTEMIS-1264 allow role mapping via chained login modules

Add krb5sslloginmodule that will populate userPrincipal that can be mapped 
to roles independently
Generalised callback handlers to take a connection and pull certs or 
peerprincipal based on
callback. This bubbled up into api change in securitystore and security 
manager

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/gtully/activemq-artemis 
ARTEMIS-1264-RoleMapping

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/activemq-artemis/pull/1388.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1388


commit 2c83408d0dc1d3bc7897a33f31bd110284c1150b
Author: gtully 
Date:   2017-07-06T15:54:57Z

ARTEMIS-1264 allow role mapping via chained login modules

Add krb5sslloginmodule that will populate userPrincipal that can be mapped 
to roles independently
Generalised callback handlers to take a connection and pull certs or 
peerprincipal based on
callback. This bubbled up into api change in securitystore and security 
manager






[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)

2017-07-06 Thread ASF subversion and git services (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16076702#comment-16076702
 ] 

ASF subversion and git services commented on ARTEMIS-1264:
--

Commit cda1e018e1bd7ccd85d6ffd2333fc910b67febf5 in activemq-artemis's branch 
refs/heads/master from [~gtully]
[ https://git-wip-us.apache.org/repos/asf?p=activemq-artemis.git;h=cda1e01 ]

ARTEMIS-1264 Foundation work for authentication with Kerberos using KRB_ cypher 
suites.

Core client with netty connector and acceptor doing kerberos
jaas.doAs around sslengine init such that the SSL handshake can do kerberos 
ticket
generation and validation.
The kerberos authenticated user is then validated with the security manager 
before
being populated into the message userId.
The feature is enabled with the kerb5Config property. When lowercase it is the
principal. With a leading uppercase char it is the login.config entry to use.




[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)

2017-07-06 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16076433#comment-16076433
 ] 

ASF GitHub Bot commented on ARTEMIS-1264:
-

Github user clebertsuconic commented on the issue:

https://github.com/apache/activemq-artemis/pull/1379
  
@mtaylor I would run the whole testsuite first...
I can't have master on an intermediate state now.




[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)

2017-07-06 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16076356#comment-16076356
 ] 

ASF GitHub Bot commented on ARTEMIS-1264:
-

Github user mtaylor commented on the issue:

https://github.com/apache/activemq-artemis/pull/1379
  
@gtully This looks like a great first step Gary. Merging. We add the 
additional improvements mentioned in the JIRA iteratively.  Thanks.




[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)

2017-07-05 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16074745#comment-16074745
 ] 

ASF GitHub Bot commented on ARTEMIS-1264:
-

Github user clebertsuconic commented on the issue:

https://github.com/apache/activemq-artemis/pull/1379
  
I would rename the first line as ARTEMIS-1264 Adding Kerberos to Core

the second line can include the JIRA...



It's just that git log won't be very helpful with just the JIRA on the 
first line... some context to the first line would be great




[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)

2017-07-05 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16074710#comment-16074710
 ] 

ASF GitHub Bot commented on ARTEMIS-1264:
-

Github user gtully commented on the issue:

https://github.com/apache/activemq-artemis/pull/1379
  
Tidied up the commit message




[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)

2017-07-05 Thread Gary Tully (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16074589#comment-16074589
 ] 

Gary Tully commented on ARTEMIS-1264:
-

next steps:
 - ensure jms client config is trivial
 - validate broker side ticket expiry and renewal
 - work with qpid-jms to validate amqp client
 - validate with non java - proton-c client



[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)

2017-06-30 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16070113#comment-16070113
 ] 

ASF GitHub Bot commented on ARTEMIS-1264:
-

Github user gtully commented on the issue:

https://github.com/apache/activemq-artemis/pull/1379
  
also of note is the addition of the SNI support - the SNIHost is used 
for the kerberos ticket grant which avoids the need to tie server principal to 
dns (the default name is host/) but with a SNIHost of foo.bar it is 
host/foo.bar




[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)

2017-06-30 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16070100#comment-16070100
 ] 

ASF GitHub Bot commented on ARTEMIS-1264:
-

Github user gtully commented on the issue:

https://github.com/apache/activemq-artemis/pull/1379
  
The mods to 
org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnection#getDefaultActiveMQPrincipal
 may need a revisit - may go against the intent of the existing comment: 
//never allow this 




[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)

2017-06-30 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16070061#comment-16070061
 ] 

ASF GitHub Bot commented on ARTEMIS-1264:
-

GitHub user gtully opened a pull request:

https://github.com/apache/activemq-artemis/pull/1379

https://issues.apache.org/jira/browse/ARTEMIS-1264

first cut poc for the core client with netty connector and acceptor doing 
kerberos
jaas.doAs around sslengine init such that the SSL handshake can do kerberos 
ticket
generation and validation.
The kerberos authenticated user is then validated with the security manager 
before
being populated into the message userId.
The feature is enabled with the kerb5Config property. When lowercase it is 
the
principal. With a leading uppercase char it is the login.config entry to 
use.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/gtully/activemq-artemis ARTEMIS-1264

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/activemq-artemis/pull/1379.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1379


commit c17227e77d5557bba71daa791aab63937e256891
Author: gtully 
Date:   2017-06-30T12:56:24Z

https://issues.apache.org/jira/browse/ARTEMIS-1264

first cut poc for the core client with netty connector and acceptor doing 
kerberos
jaas.doAs around sslengine init such that the SSL handshake can do kerberos 
ticket
generation and validation.
The kerberos authenticated user is then validated with the security manager 
before
being populated into the message userId.
The feature is enabled with the kerb5Config property. When lowercase it is 
the
principal. With a leading uppercase char it is the login.config entry to 
use.



