[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)
[ https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17425447#comment-17425447 ]

ASF subversion and git services commented on ARTEMIS-1264:
----------------------------------------------------------

Commit a5b5a504e0426daa1f2598582ea3252f8bca4cf8 in activemq-artemis's branch refs/heads/main from Robbie Gemmell
[ https://gitbox.apache.org/repos/asf?p=activemq-artemis.git;h=a5b5a50 ]

ARTEMIS-3038: unwind effect of defunct changes from ARTEMIS-1264

Follows earlier test removal in a3de3d4c75ba1482706e8c42a5c9b0f9811901eb

> Client authentication via Kerberos TLS Cipher Suites (RFC 2712)
> ---------------------------------------------------------------
>
> Key: ARTEMIS-1264
> URL: https://issues.apache.org/jira/browse/ARTEMIS-1264
> Project: ActiveMQ Artemis
> Issue Type: New Feature
> Affects Versions: 2.1.0
> Reporter: Gary Tully
> Assignee: Gary Tully
> Priority: Major
> Fix For: 2.2.0
>
>
> Allow a client authenticated with a kerberos credential to authenticate to
> the broker using SSL via the Kerberos cipher suites.
> next steps:
> - -ensure mapping from kerberos principal to broker identity is locked down-
> -- https://github.com/apache/activemq-artemis/pull/1388
> - -ensure jms client config is trivial-
> -- the connector properties can be configured in the same way as for core.
> - -validate broker side ticket expiry and renewal-
> - work with qpid-jms to validate amqp client (on hold)
> - validate with non java - proton-c client ({color:red}problem{color})
> Interop with non java clients is a problem. OpenSSL [has removed
> support|http://openssl.6102.n7.nabble.com/openssl-users-Kerberos-tp57906p58095.html]
> for [rfc2712|https://www.ietf.org/rfc/rfc2712.txt].
> While reusing the TLS handshake was a good idea at the time; it has issues
> (non compatible impl between openssl and sun) and the world has moved on to
> layering authentication over TLS rather than with.
> This makes sense b/c kerberos does two things, authentication over an
> insecure connection and session encryption over that connection. With rfc2712
> the available session encryption options are known to be insecure, best to
> leave encryption entirely to TLS.
> In a java only scenario (sun jdk on both ends), using this feature for
> kerberos *authentication only* is viable.
> For example, if clients use username/password for authentication and TLS to
> encrypt the connection to secure the password, but don't care about
> encrypting the rest of the data, there is some value here.
> They can swap the username/password for a kerberos token and achieve
> authentication. They will essentially drop encryption because the cypher in
> use is insecure. Note a kerberos ticket is designed to be validated across an
> insecure channel.
> The modern approach is to layer kerberos authentication over TLS using
> something like the GSSAPI and SASL.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
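
The issue description above says the RFC 2712 suites only offer session encryption that is known to be insecure. As an added example (not code from Artemis or from any commit in this thread; the class and method names are hypothetical and the sample suite list is constructed), this audits a JSSE `SSLEngine` for `TLS_KRB5_*` cipher suites, states why each one is flagged, and removes them from the enabled set:

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example; class and method names are hypothetical, not Artemis APIs.
public class Krb5CipherSuiteAudit {

    // Every RFC 2712 suite is named TLS_KRB5_WITH_* or TLS_KRB5_EXPORT_WITH_*.
    static boolean isRfc2712Suite(String suite) {
        return suite.startsWith("TLS_KRB5_");
    }

    // Why the bulk cipher of an RFC 2712 suite is unfit for session encryption.
    static String weakness(String suite) {
        if (suite.contains("_EXPORT_")) return "40-bit export-grade key";
        if (suite.contains("_3DES_")) return "3DES, 64-bit block cipher";
        if (suite.contains("_DES_")) return "single DES, 56-bit key";
        if (suite.contains("_RC4_")) return "RC4 stream cipher";
        if (suite.contains("_IDEA_")) return "IDEA, 64-bit block cipher";
        return "unrecognised RFC 2712 cipher";
    }

    // Maps each RFC 2712 suite found in the list to the reason it is flagged.
    static Map<String, String> findings(String[] suites) {
        Map<String, String> flagged = new LinkedHashMap<>();
        for (String suite : suites) {
            if (isRfc2712Suite(suite)) {
                flagged.put(suite, weakness(suite));
            }
        }
        return flagged;
    }

    // Returns the enabled list with every RFC 2712 suite removed, order preserved.
    static String[] withoutRfc2712(String[] enabled) {
        List<String> kept = new ArrayList<>();
        for (String suite : enabled) {
            if (!isRfc2712Suite(suite)) {
                kept.add(suite);
            }
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: three RFC 2712 suites next to one TLS 1.2 AEAD suite.
        String[] sample = {
            "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
            "TLS_KRB5_WITH_RC4_128_SHA",
            "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        };
        findings(sample).forEach((s, why) -> System.out.println("sample    " + s + ": " + why));
        System.out.println("sample kept: " + String.join(",", withoutRfc2712(sample)));

        // The same check against this JVM's default JSSE engine.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        findings(engine.getSupportedCipherSuites())
            .forEach((s, why) -> System.out.println("supported " + s + ": " + why));
        findings(engine.getEnabledCipherSuites())
            .forEach((s, why) -> System.out.println("ENABLED   " + s + ": " + why));

        // Harden: the engine can no longer negotiate a Kerberos cipher suite.
        engine.setEnabledCipherSuites(withoutRfc2712(engine.getEnabledCipherSuites()));
        System.out.println("RFC 2712 suites still enabled: "
            + findings(engine.getEnabledCipherSuites()).size());
    }
}
```

If the JVM supports none of these suites, the `supported` and `ENABLED` sections print nothing and only the constructed sample is reported.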
[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)
[ https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16292603#comment-16292603 ]

ASF subversion and git services commented on ARTEMIS-1264:
----------------------------------------------------------

Commit 7b3b22d1840ab124e7aefcd4a98f54cb8831e62f in activemq-artemis's branch refs/heads/master from [~gtully]
[ https://git-wip-us.apache.org/repos/asf?p=activemq-artemis.git;h=7b3b22d ]

[ARTEMIS-1310] [ARTEMIS-1264] - remove some dead code - krb5 login module and jaas callback handler now have the smarts to query netty
[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)
[ https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16118701#comment-16118701 ]

ASF subversion and git services commented on ARTEMIS-1264:
----------------------------------------------------------

Commit 9fedb47c400b9a00dec08b8f3bc280fe674ad915 in activemq-artemis's branch refs/heads/master from [~gtully]
[ https://git-wip-us.apache.org/repos/asf?p=activemq-artemis.git;h=9fedb47 ]

[ARTEMIS-1310] [ARTEMIS-1264] consolidate configuration to require login configuration scope
[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)
[ https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16077896#comment-16077896 ]

ASF GitHub Bot commented on ARTEMIS-1264:
-----------------------------------------

Github user gtully commented on the issue:
https://github.com/apache/activemq-artemis/pull/1388

there is a regression in:
org.apache.activemq.artemis.tests.integration.amqp.AmqpSecurityTest.testSendAndRejected

org.apache.activemq.artemis.core.security.SecurityAuth#getRemotingConnection passing back a null remotingConnection - this needs a little revisit.
[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)
[ https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16077531#comment-16077531 ]

ASF subversion and git services commented on ARTEMIS-1264:
----------------------------------------------------------

Commit d4150be0d9ce815a4a19a77e8e6ca92eaabd6a90 in activemq-artemis's branch refs/heads/master from [~gtully]
[ https://git-wip-us.apache.org/repos/asf?p=activemq-artemis.git;h=d4150be ]

ARTEMIS-1264 allow role mapping via chained login modules

Add krb5sslloginmodule that will populate userPrincipal that can be mapped to roles independently
Generalised callback handlers to take a connection and pull certs or peerprincipal based on callback.
This bubbled up into api change in securitystore and security manager
[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)
[ https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16077532#comment-16077532 ]

ASF GitHub Bot commented on ARTEMIS-1264:
-----------------------------------------

Github user asfgit closed the pull request at:
https://github.com/apache/activemq-artemis/pull/1388
[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)
[ https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16076810#comment-16076810 ]

ASF GitHub Bot commented on ARTEMIS-1264:
-----------------------------------------

Github user gtully commented on the issue:
https://github.com/apache/activemq-artemis/pull/1388

note there are some api changes in the mix here, in place of cert[] the connection is passed in. This allows lower levels to pull certs or peer info from the connection on demand. Which in turn allows chaining of login modules.
The unit test now works b/c the krbloginModule provides the authenticated user and the properties login module provides the role mapping
[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)
[ https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16076799#comment-16076799 ]

ASF GitHub Bot commented on ARTEMIS-1264:
-----------------------------------------

GitHub user gtully opened a pull request:
https://github.com/apache/activemq-artemis/pull/1388

ARTEMIS-1264 allow role mapping via chained login modules

Add krb5sslloginmodule that will populate userPrincipal that can be mapped to roles independently
Generalised callback handlers to take a connection and pull certs or peerprincipal based on callback.
This bubbled up into api change in securitystore and security manager

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/gtully/activemq-artemis ARTEMIS-1264-RoleMapping

Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/activemq-artemis/pull/1388.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1388

commit 2c83408d0dc1d3bc7897a33f31bd110284c1150b
Author: gtully
Date: 2017-07-06T15:54:57Z

ARTEMIS-1264 allow role mapping via chained login modules

Add krb5sslloginmodule that will populate userPrincipal that can be mapped to roles independently
Generalised callback handlers to take a connection and pull certs or peerprincipal based on callback.
This bubbled up into api change in securitystore and security manager
[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)
[ https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16076702#comment-16076702 ]

ASF subversion and git services commented on ARTEMIS-1264:
----------------------------------------------------------

Commit cda1e018e1bd7ccd85d6ffd2333fc910b67febf5 in activemq-artemis's branch refs/heads/master from [~gtully]
[ https://git-wip-us.apache.org/repos/asf?p=activemq-artemis.git;h=cda1e01 ]

ARTEMIS-1264 Foundation work for authentication with Kerberos using KRB_ cypher suites.

Core client with netty connector and acceptor doing kerberos
jaas.doAs around sslengine init such that the SSL handshake can do kerberos ticket
generation and validation.
The kerberos authenticated user is then validated with the security manager before being
populated into the message userId.
The feature is enabled with the kerb5Config property. When lowercase it is the principal.
With a leading uppercase char it is the login.config entry to use.
[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)
[ https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16076433#comment-16076433 ]

ASF GitHub Bot commented on ARTEMIS-1264:
-----------------------------------------

Github user clebertsuconic commented on the issue:
https://github.com/apache/activemq-artemis/pull/1379

@mtaylor I would run the whole testsuite first... I can't have master on an intermediate state now.
[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)
[ https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16076356#comment-16076356 ]

ASF GitHub Bot commented on ARTEMIS-1264:
-----------------------------------------

Github user mtaylor commented on the issue:
https://github.com/apache/activemq-artemis/pull/1379

@gtully This looks like a great first step Gary. Merging. We add the additional improvements mentioned in the JIRA iteratively. Thanks.
[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)
[ https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16074745#comment-16074745 ]

ASF GitHub Bot commented on ARTEMIS-1264:
-----------------------------------------

Github user clebertsuconic commented on the issue:
https://github.com/apache/activemq-artemis/pull/1379

I would rename the first line as

ARTEMIS-1264 Adding Kerberos to Core

the second line can include the JIRA... It's just that git log won't be very helpful with just the JIRA on the first line... some context to the first line would be great
[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)
[ https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16074710#comment-16074710 ]

ASF GitHub Bot commented on ARTEMIS-1264:
-----------------------------------------

Github user gtully commented on the issue:
https://github.com/apache/activemq-artemis/pull/1379

Tidied up the commit message
[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)
[ https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16074589#comment-16074589 ]

Gary Tully commented on ARTEMIS-1264:
-------------------------------------

next steps:
- ensure jms client config is trivial
- validate broker side ticket expiry and renewal
- work with qpid-jms to validate amqp client
- validate with non java - proton-c client
[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)
[ https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16070113#comment-16070113 ]

ASF GitHub Bot commented on ARTEMIS-1264:
-----------------------------------------

Github user gtully commented on the issue:
https://github.com/apache/activemq-artemis/pull/1379

also of note is the addition of the SNI support - the SNIHost is used for the kerberos ticket grant which avoids the need to tie server principal to dns (the default name is host/) but with a SNIHost of foo.bar it is host/foo.bar
[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)
[ https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16070100#comment-16070100 ]

ASF GitHub Bot commented on ARTEMIS-1264:
-----------------------------------------

Github user gtully commented on the issue:
https://github.com/apache/activemq-artemis/pull/1379

The mods to org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnection#getDefaultActiveMQPrincipal may need a revisit - may go against the intent of the existing comment: //never allow this
[jira] [Commented] (ARTEMIS-1264) Client authentication via Kerberos TLS Cipher Suites (RFC 2712)
[ https://issues.apache.org/jira/browse/ARTEMIS-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16070061#comment-16070061 ]

ASF GitHub Bot commented on ARTEMIS-1264:
-----------------------------------------

GitHub user gtully opened a pull request:
https://github.com/apache/activemq-artemis/pull/1379

https://issues.apache.org/jira/browse/ARTEMIS-1264

first cut poc for the core client with netty connector and acceptor doing kerberos
jaas.doAs around sslengine init such that the SSL handshake can do kerberos ticket
generation and validation.
The kerberos authenticated user is then validated with the security manager before being
populated into the message userId.
The feature is enabled with the kerb5Config property. When lowercase it is the principal.
With a leading uppercase char it is the login.config entry to use.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/gtully/activemq-artemis ARTEMIS-1264

Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/activemq-artemis/pull/1379.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #1379

commit c17227e77d5557bba71daa791aab63937e256891
Author: gtully
Date: 2017-06-30T12:56:24Z

https://issues.apache.org/jira/browse/ARTEMIS-1264

first cut poc for the core client with netty connector and acceptor doing kerberos
jaas.doAs around sslengine init such that the SSL handshake can do kerberos ticket
generation and validation.
The kerberos authenticated user is then validated with the security manager before being
populated into the message userId.
The feature is enabled with the kerb5Config property. When lowercase it is the principal.
With a leading uppercase char it is the login.config entry to use.