Ok, so I added the client certificate, but it doesn't seem to work. I am getting
an exception in the handshake phase:
Dispatcher error: ERROR (error) Run Time: Cannot set peer authentication
Dispatcher config
ssl-profile {
name: ssl-profile-name
certFile: cert_ssl_encryption.pem
It feels like a big puzzle to get SSL with client mutual authentication
working. It would help me a lot if someone can provide a fully working
configuration and how to use it with a JMS client for example.
I think it could also benefit others in the future.
Ganesh had provided me on a different
I think you have to add the file with client public keys to the certDb
option. The trustedCerts parameter is used only to control which public
keys will be listed as supported CAs to the clients.
Jakub
On Thu, Jun 23, 2016 at 11:37 AM, Adel Boutros wrote:
> Ok, So I added
Hi Adel,
I'm a bit confused about what you are trying to achieve.
A listener (so acting as a server) can have only one certificate specified
through the certFile parameter (and the related keyFile for the private key).
This certificate is issued by the server (listener) to the client during
Hi Paolo,
In that case, I think the issue is that my certificates were self-signed, so
there was no CA. I think this works on the Java Broker thanks to the KeyStore
and TrustStore features.
I will re-organize my certificates to have a CA which will generate the client
and server certificates.
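As an added example (not code from this thread, and not the qpid-dispatch project's gencerts scripts), here are the openssl steps that Adel's plan and Jakub's certDb advice amount to: a root CA, a server and a client certificate signed by it, and a chain check that shows why a bare self-signed certificate with no CA behind it is not accepted. The directory layout, file names and subject CNs (`localhost`, `jms-client`, `rogue-client`) are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not the qpid-dispatch project's gencerts_openssl.sh: build a
# root CA, sign a server (router listener) and a client certificate with it, and
# check which certificates actually chain to the CA. Directory layout, file
# names and subject CNs are assumptions made for this example.
set -eu

# Quiet wrapper so key-generation chatter does not drown the result.
_ossl() { openssl "$@" >/dev/null 2>&1; }

# gen_ca DIR: self-signed root CA (ca.key, ca.crt). Only this key signs others.
gen_ca() {
    mkdir -p "$1"
    _ossl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Root CA" -keyout "$1/ca.key" -out "$1/ca.crt"
}

# gen_signed_cert DIR NAME CN: NAME.key plus a CSR, then NAME.crt issued by DIR/ca.*
gen_signed_cert() {
    _ossl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr"
    _ossl x509 -req -days 365 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial -out "$1/$2.crt"
}

# gen_selfsigned DIR NAME CN: a certificate with no CA behind it, i.e. the
# setup the thread started with.
gen_selfsigned() {
    _ossl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt"
}

# verify_chain CAFILE CERT: exit 0 iff CERT chains to CAFILE. This is the check
# a peer performs when CAFILE is its trust store (certDb on the router side).
verify_chain() {
    _ossl verify -CAfile "$1" "$2"
}

# Run the script with "demo" as its first argument to see it end to end.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    gen_ca "$d"
    gen_signed_cert "$d" server localhost
    gen_signed_cert "$d" client jms-client
    gen_selfsigned "$d" rogue rogue-client
    for c in server client rogue; do
        if verify_chain "$d/ca.crt" "$d/$c.crt"; then
            echo "$c.crt: chains to ca.crt"
        else
            echo "$c.crt: NOT signed by ca.crt, a peer trusting only ca.crt rejects it"
        fi
    done
    echo "certificates written to $d"
fi
```

On the router side this maps onto the ssl-profile fields already named in the thread: certFile and keyFile point at server.crt and server.key, and certDb at ca.crt, the file Jakub says the client certificates have to be verifiable against. The client loads client.crt and client.key and trusts ca.crt. A certificate that fails `verify_chain` against ca.crt here is one a router trusting only ca.crt will not accept either.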
I also want to add that there is a file called
qpid-dispatch/tests/ssl_certs/gencerts.sh (thanks Chuck Rolke). This file has
commands that create a root CA and self-signed certs. There are several tests
(system_tests_qdstat.py, system_tests_two_routers.py,
system_tests_sasl_plain.py) that use
Hi Adel,
When creating self-signed certificates, it is always a good idea to create a
root CA and use it to sign the server and client certificates.
If you are creating self-signed certs in a production environment, I would
suggest that you create a root CA and use the root CA to create an
Hi Adel,
I added a new script that uses openssl to create server and client
certificates signed by a root CA.
https://github.com/apache/qpid-dispatch/blob/master/tests/ssl_certs/gencerts_openssl.sh
I tested this using the following router config -
ssl-profile {
certFile: