Hi,

The Apache Qpid / Red Hat MRG broker supports the EXTERNAL client authentication mechanism, where the SSL certificate should be used for client authentication. The username is in such a case taken from the certificate subject. The certificates used for the authentication are stored using the Certificate Database tool (certutil). This database contains the server private key (which seems to be working fine) as well as the certificates / public keys necessary to authenticate the clients.

The certificates used for client authentication can be loaded into the database with different trust flags (valid peer, trusted peer, trusted CA etc.). However, it seems that only the certificates with flag T (trusted CA) can be used for authentication. If the certificate is stored as a peer, it seems to be ignored by the broker:

2011-03-27 17:14:16 error Error reading socket: Unable to find the certificate or key necessary for authentication. [-12285]

Unfortunately, the flag "T" means that such a certificate is a trusted Certification Authority and as such, it can sign other certificates with different usernames in the subject. These are then successfully authenticated and logged in. Therefore, it does not really secure the access to the broker.

How is the EXTERNAL authentication supposed to work? The documentation describes mainly the PLAIN mechanism and eventually the KERBEROS/GSSAPI mechanism, but it mentions the EXTERNAL mechanism only on a few occasions ...

Thanks & Regards
Jakub Scholz

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:[email protected]
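The trust-flag concern raised in the message above, as an added example that is not Qpid or NSS code: a small model of an EXTERNAL-style mapping from client certificate to username, comparing a CA trust anchor (flag T, any certificate the CA signed is accepted with whatever subject it carries) against a pinned peer certificate (flag P, only that exact certificate is accepted). It assumes the Python `cryptography` package and generates throwaway certificates inline; the flag letters and the `authenticate` function are this example's own simplification, not the broker's logic.

```python
# Added example, not Qpid/NSS code: model of trusted-CA vs trusted-peer semantics for client-cert auth.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _common_name(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value

def _make_cert(cn, key, issuer_cert=None, issuer_key=None):
    """Build a self-signed cert (no issuer given) or a leaf signed by issuer_key. Constructed test data."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = issuer_cert.subject if issuer_cert else subject
    now = datetime.datetime(2011, 3, 27)  # fixed date only for reproducibility
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .sign(issuer_key or key, hashes.SHA256()))

def authenticate(client_cert, trust_db):
    """Return the username (subject CN) for a presented certificate, or None if no trust entry accepts it.
    trust_db maps nickname -> (certificate, flag); flag 'T' = trusted CA, 'P' = trusted peer (hypothetical)."""
    for _nick, (trusted, flag) in trust_db.items():
        if flag == "P":
            # Peer trust: accept only this exact certificate (compared by SHA-256 fingerprint).
            if trusted.fingerprint(hashes.SHA256()) == client_cert.fingerprint(hashes.SHA256()):
                return _common_name(client_cert)
        elif flag == "T":
            # CA trust: accept anything the CA key signed, regardless of the subject it carries.
            try:
                trusted.public_key().verify(client_cert.signature, client_cert.tbs_certificate_bytes,
                                            ec.ECDSA(client_cert.signature_hash_algorithm))
                return _common_name(client_cert)
            except InvalidSignature:
                continue
    return None

def demo():
    ca_key, alice_key, other_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = _make_cert("Example CA", ca_key)
    alice = _make_cert("alice", alice_key, ca, ca_key)
    admin = _make_cert("admin", other_key, ca, ca_key)  # a second cert issued by the same CA
    as_ca = {"ca": (ca, "T")}          # trust the CA: both leaves map to a username
    as_peer = {"alice": (alice, "P")}  # pin alice's cert: only alice maps, 'admin' is rejected
    return {"ca:alice": authenticate(alice, as_ca), "ca:admin": authenticate(admin, as_ca),
            "peer:alice": authenticate(alice, as_peer), "peer:admin": authenticate(admin, as_peer)}
```

With a CA entry the second certificate logs in as "admin" purely because the same CA signed it, which is the behaviour the message describes; with a peer entry only the pinned certificate maps to a username.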
