"Of course I want to use a certificate for SSL encryption (provided in the ssl-profile) and a different one for SASL authentication but on the same listener."
Are you saying that you have two pairs of server/client certs and you want to use one pair for initial SSL encryption (to encrypt the entire exchange) and another pair for SASL EXTERNAL? If this is the case, you can have only one server side cert per listener which you can specify in certFile.

----- Original Message -----
> From: "Ted Ross" <tr...@redhat.com>
> To: users@qpid.apache.org
> Sent: Wednesday, June 22, 2016 10:55:47 AM
> Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
>
> On 06/22/2016 10:47 AM, Adel Boutros wrote:
> > Hello,
> >
> > I want to use SASL authentication mechanism using a client certificate. I
> > looked at the examples and tests but I didn't quite get everything.
> > I know I have to setup a listener with "sasl-mechanisms: EXTERNAL" and
> > "require-peer-auth: yes" but then how do I tell the dispatcher which
> > certificates are accepted and which aren't?
> > Of course I want to use a certificate for SSL encryption (provided in the
> > ssl-profile) and a different one for SASL authentication but on the same
> > listener.
> >
> > ssl-profile {
> >     name: ssl-profile-name
> >     certFile: cert_ssl_encryption.pem
> >     keyFile: key_ssl_encryption.pem
> > }
> >
> > listener {
> >     host: 0.0.0.0
> >     port: 10399
> >     sasl-mechanisms: EXTERNAL
> >     ssl-profile: ssl-profile-name
> >     authenticatePeer: yes
> >     requireSsl: yes
> > }
> >
> > In the above configuration, where should I add the "cert_sasl.pem"?
> >
> > Regards,
> > Adel
>
> From the qdrouterd.conf man page:
>
> Under "listener":
>
> trustedCerts (path)
>     This optional setting can be used to reduce the set of available
>     CAs for client authentication. If used, this setting must provide a
>     path to a PEM file that contains the trusted certificates.
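As an added defender's check, not code from the thread or from Qpid Dispatch, here is a small Python lint over the block-style qdrouterd.conf shown above: it flags a listener that offers SASL EXTERNAL without authenticatePeer and requireSsl set to yes, a listener whose ssl-profile is undefined, and a listener where neither it nor its profile sets trustedCerts (so the client CA set is not reduced as the man page excerpt describes). The parser, the camelCase normalisation of the hyphenated spellings used in the thread, and the fallback to a trustedCerts attribute on the ssl-profile are assumptions of this example, not the router's own schema validation.

```python
import re
# Constructed sample in the block syntax used in the thread (no trustedCerts yet).
SAMPLE_CONF = """ssl-profile {
    name: ssl-profile-name
    certFile: cert_ssl_encryption.pem
    keyFile: key_ssl_encryption.pem
}
listener {
    host: 0.0.0.0
    port: 10399
    sasl-mechanisms: EXTERNAL
    ssl-profile: ssl-profile-name
    authenticatePeer: yes
    requireSsl: yes
}
"""

def camel(key):
    # Assumption: treat 'sasl-mechanisms' and 'saslMechanisms' as the same key.
    return re.sub(r"-([a-z])", lambda m: m.group(1).upper(), key)

def parse_conf(text):
    # Parse 'section { key: value ... }' blocks into (section, attrs) pairs.
    blocks = []
    for section, body in re.findall(r"([\w-]+)\s*\{([^}]*)\}", text):
        attrs = {}
        for line in body.splitlines():
            key, sep, value = line.strip().partition(":")
            if sep and not key.startswith("#"):
                attrs[camel(key.strip())] = value.strip()
        blocks.append((camel(section), attrs))
    return blocks

def check_external_listeners(text):
    # Return findings for every listener that offers SASL EXTERNAL.
    blocks = parse_conf(text)
    profiles = {a.get("name"): a for s, a in blocks if s == "sslProfile"}
    findings = []
    for section, attrs in blocks:
        if section != "listener" or "EXTERNAL" not in attrs.get("saslMechanisms", "").upper().split():
            continue
        where = f"listener {attrs.get('host', '?')}:{attrs.get('port', '?')}"
        for flag in ("authenticatePeer", "requireSsl"):
            if attrs.get(flag, "no").lower() != "yes":
                findings.append(f"{where}: EXTERNAL offered but {flag} is not yes")
        profile = profiles.get(attrs.get("sslProfile"))
        if profile is None:
            findings.append(f"{where}: sslProfile is missing or undefined")
        elif not (attrs.get("trustedCerts") or profile.get("trustedCerts")):
            findings.append(f"{where}: no trustedCerts, client CA set is not restricted")
    return findings
```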