RE: [Qpid-Dispatch] SSL/SASL configuration on a listener

2016-06-23 Thread Adel Boutros
Ok, so I added the client certificate but it doesn't seem to work. I am getting an exception in the handshake phase:

Dispatcher error: ERROR (error) Run Time: Cannot set peer authentication

Dispatcher config:
ssl-profile { name: ssl-profile-name certFile: cert_ssl_encryption.pem

RE: [Qpid-Dispatch] SSL/SASL configuration on a listener

2016-06-23 Thread Adel Boutros
It feels like a big puzzle to get SSL with client mutual authentication working. It would help me a lot if someone can provide a fully working configuration and how to use it with a JMS client, for example. I think it could also benefit others in the future. Ganesh had provided me on a different

Re: [Qpid-Dispatch] SSL/SASL configuration on a listener

2016-06-23 Thread Jakub Scholz
I think you have to add the file with client public keys to the certDb option. The trustedCerts parameter is used only to control which public keys will be listed as supported CAs to the clients.

Jakub

On Thu, Jun 23, 2016 at 11:37 AM, Adel Boutros wrote:
> Ok, So I added

RE: [Qpid-Dispatch] SSL/SASL configuration on a listener

2016-06-23 Thread Paolo Patierno
Hi Adel, I'm a bit confused about what you are trying to achieve. A listener (so acting as a server) can have only one certificate specified through the certFile parameter (and the related keyFile for the private key). This certificate is issued by the server (listener) to the client during

RE: [Qpid-Dispatch] SSL/SASL configuration on a listener

2016-06-23 Thread Adel Boutros
Hi Paolo, in that case I think the issue is that my certificates were self-signed, so there was no CA. I think this works on the Java Broker thanks to the KeyStore and TrustStore features. I will re-organize my certificates to have a CA which will generate the client and server certificates

Re: [Qpid-Dispatch] SSL/SASL configuration on a listener

2016-06-23 Thread Ganesh Murthy
I also want to add that there is a file called qpid-dispatch/tests/ssl_certs/gencerts.sh (thanks Chuck Rolke). This file has commands that create a root CA and self-signed certs. There are several tests (system_tests_qdstat.py, system_tests_two_routers.py, system_tests_sasl_plain.py) that use

Re: [Qpid-Dispatch] SSL/SASL configuration on a listener

2016-06-23 Thread Ganesh Murthy
Hi Adel, when creating self-signed certificates, it is always a good idea to create a root CA and use it to sign the server and client certificates. If you are creating self-signed certs in a production environment, I would suggest that you create a root CA and use the root CA to create an

Re: [Qpid-Dispatch] SSL/SASL configuration on a listener

2016-06-23 Thread Ganesh Murthy
Hi Adel, I added a new script that uses openssl to create server and client certificates signed by a root CA: https://github.com/apache/qpid-dispatch/blob/master/tests/ssl_certs/gencerts_openssl.sh

I tested this using the following router config:
ssl-profile { certFile: