Ok, So I added the client certificate but it doesn't seem to work. I am getting
an exception in the handshake phase:
Dispatcher error: ERROR (error) Run Time: Cannot set peer authentication
Dispatcher config
ssl-profile {
name: ssl-profile-name
certFile: cert_ssl_encryption.pem
keyFile:key_ssl_encryption.pem
}
listener {
host: 0.0.0.0
port: 10398
saslMechanisms: EXTERNAL
sslProfile: ssl-profile-name
authenticatePeer: yes
requireSsl: yes
trustedCerts: cert_sasl.pem
}
JMS Client
System.setProperty("javax.net.ssl.trustStore", resourcePath("trustStore.jks"));
System.setProperty("javax.net.ssl.keyStore",
resourcePath("clientKeyStore.jks"));
System.setProperty("javax.net.ssl.keyStorePassword", "password");
JmsConnectionFactory jmsConnectionFactory = new
JmsConnectionFactory("amqps://hostname:10398?transport.keyAlias=client");
Connection connection = jmsConnectionFactory.createConnection();
PS: trustStore.jks contains the cert_ssl_encryption.pem and clientKeyStore.jks
contains the sasl certificate (cert_sasl.pem) which is aliased by "client"
Should I merge cert_sasl.pem and cert_ssl_encryption.pem in the ssl-profile?
Regards,
Adel
> Date: Wed, 22 Jun 2016 11:23:16 -0400
> From: [email protected]
> To: [email protected]
> Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
>
> "Of course I want to use a certificate for SSL encryption (provided in the
> ssl-profile) and a different one for SASL authentication but on the same
> listener."
>
> Are you saying that you have two pairs of server/client certs and you want to
> use one pair for initial SSL encryption (to encrypt the entire exchange) and
> another pair for SASL EXTERNAL ? If this is the case, you can have only one
> server side cert per listener which you can specify in certFile.
>
> ----- Original Message -----
> > From: "Ted Ross" <[email protected]>
> > To: [email protected]
> > Sent: Wednesday, June 22, 2016 10:55:47 AM
> > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> >
> >
> >
> > On 06/22/2016 10:47 AM, Adel Boutros wrote:
> > > Hello,
> > >
> > > I want to use SASL authentication mechanism using a client certificate. I
> > > looked at the examples and tests but I didn't quite get everything.
> > > I know I have to setup a listener with "sasl-mechanisms: EXTERNAL" and
> > > "require-peer-auth: yes" but then how do I tell the dispatcher which
> > > certificates are accepted and which aren't?
> > > Of course I want to use a certificate for SSL encryption (provided in the
> > > ssl-profile) and a different one for SASL authentication but on the same
> > > listener.
> > > ssl-profile {
> > > name: ssl-profile-name
> > > certFile: cert_ssl_encryption.pem
> > > keyFile: key_ssl_encryption.pem
> > > }
> > >
> > > listener {
> > > host: 0.0.0.0
> > > port: 10399
> > > sasl-mechanisms: EXTERNAL
> > > ssl-profile: ssl-profile-name
> > > authenticatePeer: yes
> > > requireSsl: yes
> > > }
> > > In the above configuration, where should I add the "cert_sasl.pem"?
> > >
> > > Regards,
> > > Adel
> > >
> > >
> >
> > From the qdrouterd.conf man page:
> >
> > Under "listener":
> >
> > trustedCerts (path)
> > This optional setting can be used to reduce the set of available
> > CAs for client authentication. If used, this setting must provide a
> > path to a PEM file that contains the trusted certificates.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
