Hi there, I have a situation where I need to support authentication and authorisation for endpoints connecting to my broker. I have successfully configured an LDAP server for this purpose and have everything working.
My concern though is that endpoints must provide a username and password to establish their identity. Indeed ActiveMQ also needs to provide its username and password so that it can interrogate the LDAP store. This then requires that passwords are stored in the clear somewhere; generally in some configuration file like activemq.xml. I realise that I can use operating system permissions to lock the configuration files down, but I am looking for a better way.

I am presently thinking of writing my own JAAS LoginModule to authorise endpoints that have successfully authenticated using mutual SSL authentication, i.e. verifying the client's certificate. On login my module would extract the subject DN from the client's certificate by getting the public certificate from the Subject object. It would then perform a JNDI search for the groups that have the DN as a member. The CNs of member groups would then be established as roles (much like the existing org.apache.activemq.jaas.LDAPLoginModule does). To further aid security I would disallow all but SSL based communication with the broker.

Does the strategy make sense? Is there a better way of avoiding storing usernames and passwords in the clear?

Thank you for your time.

Kind regards,
Christopher

--
View this message in context: http://www.nabble.com/SSL-authorisation-using-a-client%27s-subject-DN-for-JNDI-tp22470806p22470806.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
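Sketch of the LoginModule described in the message above, written here as an illustration; it is not code from the original post or from ActiveMQ. It assumes the SSL transport has already placed the verified client certificate (or chain) into the Subject's public credentials, that the module options `ldapUrl` and `groupBase` are supplied from the JAAS login configuration, and that the directory's groups are `groupOfNames` entries with a `member` attribute. Roles are emitted as ActiveMQ's `org.apache.activemq.jaas.GroupPrincipal` so the broker's authorization map can consume them. Two points the message raises are handled explicitly: the broker binds to LDAP with SASL EXTERNAL over its own TLS client certificate, so no directory password needs to live in activemq.xml, and the DN lifted from the certificate is escaped before it is spliced into the search filter.

```java
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;
import org.apache.activemq.jaas.GroupPrincipal;

/** Hypothetical JAAS module: identity from the TLS-verified client certificate, roles from LDAP group membership. */
public class CertificateDnLoginModule implements LoginModule {
    private Subject subject;
    private Map<String, ?> options;          // assumed keys: ldapUrl, groupBase (from login.config)
    private X500Principal user;
    private final Set<Principal> roles = new HashSet<>();
    private boolean succeeded;

    @Override
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.options = options;
    }

    @Override
    public boolean login() throws LoginException {
        // Assumption: the SSL transport stored the verified client chain in the Subject's public credentials.
        X509Certificate cert = null;
        for (Object cred : subject.getPublicCredentials()) {
            if (cred instanceof X509Certificate) { cert = (X509Certificate) cred; break; }
            if (cred instanceof X509Certificate[] && ((X509Certificate[]) cred).length > 0) { cert = ((X509Certificate[]) cred)[0]; break; }
        }
        if (cert == null) throw new FailedLoginException("no client certificate in Subject; connection was not mutually authenticated");
        user = cert.getSubjectX500Principal();
        String dn = user.getName(X500Principal.RFC2253);    // canonical string form to match against LDAP member values
        for (String cn : lookupGroups(dn)) roles.add(new GroupPrincipal(cn));
        succeeded = true;
        return true;
    }

    /** Returns the CNs of all groups whose member attribute contains the given DN. */
    List<String> lookupGroups(String memberDn) throws LoginException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, String.valueOf(options.get("ldapUrl")));   // e.g. ldaps://ldap.example.org:636 (placeholder)
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "EXTERNAL"); // SASL EXTERNAL: the broker's TLS client cert is its bind identity, no stored password
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"cn"});
        String filter = "(&(objectClass=groupOfNames)(member=" + escapeFilterValue(memberDn) + "))";
        List<String> cns = new ArrayList<>();
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            NamingEnumeration<SearchResult> results = ctx.search(String.valueOf(options.get("groupBase")), filter, controls);
            while (results.hasMore()) {
                Attribute cn = results.next().getAttributes().get("cn");
                if (cn != null) cns.add(String.valueOf(cn.get()));
            }
        } catch (NamingException e) {
            LoginException le = new LoginException("group lookup failed: " + e.getMessage());
            le.initCause(e);
            throw le;
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
        }
        return cns;
    }

    /** RFC 4515 escaping: a value taken from a certificate must not be able to change the filter's structure. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(user);          // the subject DN becomes the authenticated user principal
        subject.getPrincipals().addAll(roles);      // group CNs become the roles the authorization map checks
        return true;
    }

    @Override
    public boolean abort() { roles.clear(); user = null; succeeded = false; return true; }

    @Override
    public boolean logout() {
        subject.getPrincipals().remove(user);
        subject.getPrincipals().removeAll(roles);
        return abort();
    }
}
```

Two things to check when wiring this up: the RFC 2253 string produced by `X500Principal` must match how the directory stores DNs in `member` (attribute ordering and escaping can differ between CA and directory tooling, so test with a real certificate), and the SASL EXTERNAL bind only works if the LDAP server maps the broker's certificate subject to a directory identity with read access to the group tree; if the server does not support it, a bind DN and password are back in play and the configuration file again needs protecting.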