Re: [External] Re: Queries on Qpid setup

[Oleksandr Rudyy]

Hi Kirankumar,
The AMQP and HTTP ports of Qpid Broker-J support TLS and plain TCP
transports.

In order to enable TLS on broker HTTP or/and AMQP ports Keystore configured
object(s) needs to be configured.
The keystore object should contain a private key and certificates
(including intermediates if required).

A number of Keystore types is supported on the broker:
* FileKeyStore - in this type of Keystore a java keystore is used
underneath to hold the private key and certificates
* NonJavaKeyStore - used to configure private key and certificates directly
in PEM or DER formats

The Broker allows users to quickly create a self-signed certificate with a
special type of Keystore called "AutoGeneratedSelfSigned" (with Oracle JDK
or OpenJDK).

The TLS protocols and TLS cipher suites can be customised (if required)
using special context variables:
* qpid.security.tls.protocolAllowList
* qpid.security.tls.protocolDenyList
* qpid.security.tls.cipherSuiteAllowList
* qpid.security.tls.cipherSuiteDenyList
or
* qpid.security.tls.protocolWhiteList
* qpid.security.tls.protocolBlackList
* qpid.security.tls.cipherSuiteWhiteList
* qpid.security.tls.cipherSuiteBlackList

Before 7.1.9 only "white/black" list terminology was supported. Starting
from version 7.1.9 the alternative names "allow/deny" lists can be used. In
version 9.0 the "allow/deny" lists completely replace "white/black" list
terminology.

For example, you can allow only TLSv1.3 with JDK11 by setting context
variable qpid.security.tls.protocolAllowList to "TLSv1.3". You can specify
the allowed or denied values using regular expressions represented as JSON
stringified lists.
For example, you can limit allowed cipher suites to only some of them by
setting qpid.security.tls.cipherSuiteAllowList to
"[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"TLS|SSL)_AES_256_GSM_SHA384\",\"TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]".
The same applies to deny lists.

The context variable can be set in multiple ways:
* as JVM settings
* as command line arguments (for example, ./bin/qpid-server -prop
qpid.security.tls.protocolAllowList=TLSv1.3 )
* in a properties file system.properties (it needs to be in broker
classpath)
* as configured object context variables (for example, context variable set
on the Broker object using REST API)


The Qpid Broker HA  is based on Oracle BDB JE. Unfortunately the BDB JE
does not support TLS transport. The data replication is unencrypted.
Potentially, you can use SSH tunnels, but that requires configuring tunes
between each of HA nodes, as the nodes  communicate with each other. I
believe that it should be possible to configure SSH tunnels, though I
cannot give you any useful advice on how to do that.

You can download Qpid Broker distribution files from Qpid Download page at
http://qpid.apache.org/download.html .

KInd Regards,
Alex


On Fri, 6 Nov 2020 at 04:50, Malyala, Kirankumar
 wrote:

> Hi Alex,
>
> We are using broker-j (for java). As of now, we are exploring on version 7.
> Please do let us know if you want any other information.
>
> Regards,
> Kirankumar Malyala
>
> -Original Message-
> From: Oleksandr Rudyy 
> Sent: Friday, November 6, 2020 5:44 AM
> To: users@qpid.apache.org
> Subject: [External] Re: Queries on Qpid setup
>
> This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with
> links and attachments.
>
> Hi Kirankumar,
> Could you please clarify what exactly Qpid broker are you trying to use?
> There are two brokers in Qpid project: c++ broker and broker-j (for java).
>
> Are you using Qpid Broker-J?
>
> Kind regards,
> Alex
>
> On Thu, 5 Nov 2020 at 08:05, Malyala, Kirankumar
>  wrote:
>
> > Hi Team,
> >
> > We have been doing some POC on Qpid. While working on the
> > configuration, we came across multiple blockers which we have mentioned
> below.
> >
> >
> >   *   How to use a specific version of TLS encryption for Qpid if we
> > deploy on VM.
> >   *   We understood from the Qpid documentation that we have to deploy
> > broker on multiple VM's to create a group and introduce master/replica
> > nodes. Any SOP on this part ?
> >   *   How to apply SSL/TLS encryption to replicas in the group consists
> of
> > master and replica nodes using SSH tunnel/IPsec.
> >   *   How can we fetch file in Apache
> >
> > Please let us know if some one from your team can guide us on these
> points.
> >
> > Regards,
> > Kirankumar Malyala
> >
> > 
> >
> > This message is for the designated recipient only and may contain
> > privileged, proprietary, or otherwise confidential information. If you
> > have received it in error, please notify the sender immediately and
> > delete the original. Any other use of the e-mail by you is prohibited.
> > Where allowed by local law, electronic communications with Accenture
> > and its affiliates, including e-mail and instant messaging (including
> > content), may be scanned by our systems for the purposes of
> > information security and assessment of internal 

QPID-CPP "No Protocol Received" on internal connections

[joshru]

Qpid C++ Periodic Connection Issues

Hello,

I am currently working on upgrading a legacy application's QPID
communication to support SSL/TLS encryption via x.509 certificates. I was
provided a virtual machine to test against and I think I've got most of it
ironed out. However, maybe 1 out of 10 times I start up my system my Qpid
C++ code will simply refuse to open any connections to the other virtual
machine nor will it open any connections to connections for services that
are hosted by my application. 

I came across this issue: https://issues.apache.org/jira/browse/QPID-8221
which describes similar behavior to what I was seeing, so I added
"connect-timeout: 5" to my connection options, this did keep the connection
open calls from hanging but didn't fix my issue as it continues to fail to
connect rather than failing once and hanging like it was without that
option.

I'm able to force this issue to present (eventually) by restarting my
application several times. Not only am I unable to communicate with my test
VM when in this error state but I'm also unable to connect to my own
exchanges and see lots of logs like "[System] error Connection
qpid.10.43.1.10:3-10.43.1.11:51564 No protocol received after 10s,
closing" which are both internal IP addresses.

When I enable protocol logging with "log-enable=trace+:Protocol" and browse
them while my application is in the error state I see a ton of SEND and RECV
calls which seems to indicate that there's some level of communication
happening but I'm not exactly sure how to parse what I'm seeing (snippet
from the logs below). This issue does not appear to ever occur when I run my
application without the SSL/TLS x.509 stuff enabled. 

I tried using Wireshark to snoop on the message traffic when this occurs and
I can see that there is no TLS traffic whatsoever when I'm in the error
state, when things are working as intended I can see lots of TLS 1.2 packets
flowing back and forth. 

I've been chasing this issue for a few days with no luck. If anybody has any
ideas that might get me on the right track I'd really appreciate it!

qpid-cpp client, server, and tools are all version 1.39.0-1

An excerpt of the protocol logs, 192.168.56.2 is my VM, 192.168.56.55 is the
Test VM I'd like to talk to:

Oct 27 21:34:01 stbdlcp qpidd[14927]: 2020-10-27 21:34:01 [Protocol] trace
SENT [qpid.192.168.56.2:3-192.168.56.55:52718]: Frame[Bbe; channel=1;
{MessageTransferBody: destination=21efd55d-79d4-4ed4-afa0-e259a13ca3a7#;
accept-mode=0; acquire-mode=0; }
Oct 27 21:34:01 stbdlcp qpidd[14927]: 2020-10-27 21:34:01 [Protocol] trace
SENT [qpid.192.168.56.2:3-192.168.56.55:52718]: Frame[be; channel=1;
header (178 bytes); properties={{MessageProperties: content-length=1622;
correlation-id=3277; content-type
Oct 27 21:34:01 stbdlcp qpidd[14927]: 2020-10-27 21:34:01 [Protocol] trace
SENT [qpid.192.168.56.2:3-192.168.56.55:52718]: Frame[Ebe; channel=1;
content (1622 bytes)
\x00\x00\x06R\x00\x00\x00\x01\xA8\x00\x00\x06I\x00\x00\x00\x06
Oct 27 21:34:01 stbdlcp qpidd[14927]: _create_ts2\x16A\xF6...]
Oct 27 21:34:02 stbdlcp qpidd[14927]: 2020-10-27 21:34:02 [System] error
Connection qpid.10.43.1.10:3-10.43.1.11:47720 No protocol received after
10s, closing
Oct 27 21:34:02 stbdlcp qpidd[14927]: 2020-10-27 21:34:02 [Protocol] trace
RECV [qpid.192.168.56.2:3-192.168.56.55:52718]: Frame[BEbe; channel=1;
{MessageAcceptBody: transfers={ [821,821] }; }]
Oct 27 21:34:02 stbdlcp qpidd[14927]: 2020-10-27 21:34:02 [Protocol] trace
RECV [qpid.192.168.56.2:3-192.168.56.55:52718]: Frame[BEbe; channel=1;
{SessionFlushBody: completed=1; }]
Oct 27 21:34:02 stbdlcp qpidd[14927]: 2020-10-27 21:34:02 [Protocol] trace
RECV [qpid.192.168.56.2:3-192.168.56.55:52718]: Frame[BEbe; channel=1;
{MessageStopBody: destination=757fc5f1-659b-475b-942c-1a6ce3e763b8#; }]
Oct 27 21:34:02 stbdlcp qpidd[14927]: 2020-10-27 21:34:02 [Protocol] trace
SENT [qpid.192.168.56.2:3-192.168.56.55:52718]: Frame[BEbe; channel=1;
{SessionCompletedBody: commands={ [4364,4379] }; timely-reply=1; }]
Oct 27 21:34:02 stbdlcp qpidd[14927]: 2020-10-27 21:34:02 [Protocol] trace
SENT [qpid.192.168.56.2:3-192.168.56.55:52718]: Frame[BEbe; channel=1;
{SessionCompletedBody: commands={ [4364,4380] }; }]
Oct 27 21:34:02 stbdlcp qpidd[14927]: 2020-10-27 21:34:02 [Protocol] trace
RECV [qpid.192.168.56.2:3-192.168.56.55:52718]: Frame[BEbe; channel=1;
{SessionKnownCompletedBody: commands={ [4359,4379] }; }]
Oct 27 21:34:02 stbdlcp qpidd[14927]: 2020-10-27 21:34:02 [Protocol] trace
RECV [qpid.192.168.56.2:3-192.168.56.55:52718]: Frame[BEbe; channel=1;
{MessageReleaseBody: transfers={ }; }]
Oct 27 21:34:02 stbdlcp qpidd[14927]: 2020-10-27 21:34:02 [Protocol] trace
RECV [qpid.192.168.56.2:3-192.168.56.55:52718]: Frame[BEbe; channel=1;
{MessageCancelBody: destination=757fc5f1-659b-475b-942c-1a6ce3e763b8#; }]
Oct 27 21:34:02 stbdlcp qpidd[14927]: 2020-10-27 21:34:02 [Model] debug
Delete subscription.