I think you have to add the file with client public keys to the certDb
option. The trustedCerts parameter is used only to control which public
keys will be listed as supported CAs to the clients.

Jakub
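The point above, worked through as an added example that is not code from this thread or from the Qpid project: it builds a throw-away CA, a client certificate issued by it and a separate self-signed "encryption" certificate with openssl, then shows that only a certDb bundle containing the issuing CA lets the client certificate validate. File names and subjects are assumptions chosen to mirror the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or the Qpid project: build a
# throw-away PKI in a temp directory and check which PEM bundle, if used as
# the ssl-profile certDb, lets the router validate the JMS client's cert.
# File names and subjects are assumptions chosen to mirror the thread.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Private CA that issues client certificates: this is what belongs in certDb.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-client-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
# Client certificate signed by that CA (the "client" alias in clientKeyStore.jks).
openssl req -newkey rsa:2048 -nodes -subj "/CN=client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.pem" 2>/dev/null
# Unrelated self-signed cert standing in for cert_ssl_encryption.pem: it is
# the router's own identity, not a trust anchor for client certificates.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=router" \
    -keyout "$WORK/ssl.key" -out "$WORK/ssl.pem" 2>/dev/null

# verify_client_cert CERTDB CLIENT_CERT
# Approximates the chain check done during the TLS handshake: succeeds (0)
# only when CLIENT_CERT chains to a certificate in CERTDB.
verify_client_cert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# certdb_subjects CERTDB
# Prints the subject of every certificate in the bundle; these are the names
# a trustedCerts file would advertise to clients as acceptable CAs.
certdb_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | grep '^subject='
}

CERTDB_OK="$WORK/ca.pem"      # correct certDb: contains the issuing CA
CERTDB_WRONG="$WORK/ssl.pem"  # the encryption cert alone: handshake fails
CLIENT_CERT="$WORK/client.pem"

if verify_client_cert "$CERTDB_OK" "$CLIENT_CERT"; then
    echo "client cert accepted with certDb=$CERTDB_OK"
fi
if ! verify_client_cert "$CERTDB_WRONG" "$CLIENT_CERT"; then
    echo "client cert rejected with certDb=$CERTDB_WRONG"
fi
```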

On Thu, Jun 23, 2016 at 11:37 AM, Adel Boutros <adelbout...@live.com> wrote:

> OK, so I added the client certificate but it doesn't seem to work. I am
> getting an exception in the handshake phase:
>
> Dispatcher error: ERROR (error) Run Time: Cannot set peer authentication
>
> Dispatcher config
> ssl-profile {
>     name: ssl-profile-name
>     certFile: cert_ssl_encryption.pem
>     keyFile: key_ssl_encryption.pem
> }
>
> listener {
>     host: 0.0.0.0
>     port: 10398
>     saslMechanisms: EXTERNAL
>     sslProfile: ssl-profile-name
>     authenticatePeer: yes
>     requireSsl: yes
>     trustedCerts: cert_sasl.pem
> }
>
> JMS Client
> System.setProperty("javax.net.ssl.trustStore", resourcePath("trustStore.jks"));
> System.setProperty("javax.net.ssl.keyStore", resourcePath("clientKeyStore.jks"));
> System.setProperty("javax.net.ssl.keyStorePassword", "password");
> JmsConnectionFactory jmsConnectionFactory = new JmsConnectionFactory("amqps://hostname:10398?transport.keyAlias=client");
> Connection connection = jmsConnectionFactory.createConnection();
>
> PS: trustStore.jks contains cert_ssl_encryption.pem and clientKeyStore.jks contains the SASL certificate (cert_sasl.pem), which is aliased by "client".
>
> Should I merge cert_sasl.pem and cert_ssl_encryption.pem in the ssl-profile?
>
> Regards,
> Adel
>
> > Date: Wed, 22 Jun 2016 11:23:16 -0400
> > From: gmur...@redhat.com
> > To: users@qpid.apache.org
> > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> >
> > "Of course I want to use a certificate for SSL encryption (provided in the ssl-profile) and a different one for SASL authentication but on the same listener."
> >
> > Are you saying that you have two pairs of server/client certs and you want to use one pair for initial SSL encryption (to encrypt the entire exchange) and another pair for SASL EXTERNAL? If this is the case, you can have only one server-side cert per listener, which you can specify in certFile.
> >
> > ----- Original Message -----
> > > From: "Ted Ross" <tr...@redhat.com>
> > > To: users@qpid.apache.org
> > > Sent: Wednesday, June 22, 2016 10:55:47 AM
> > > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > >
> > >
> > >
> > > On 06/22/2016 10:47 AM, Adel Boutros wrote:
> > > > Hello,
> > > >
> > > > I want to use the SASL authentication mechanism with a client certificate. I looked at the examples and tests but I didn't quite get everything.
> > > > I know I have to set up a listener with "sasl-mechanisms: EXTERNAL" and "require-peer-auth: yes", but then how do I tell the dispatcher which certificates are accepted and which aren't?
> > > > Of course I want to use a certificate for SSL encryption (provided in the ssl-profile) and a different one for SASL authentication but on the same listener.
> > > > ssl-profile {
> > > >     name: ssl-profile-name
> > > >     certFile: cert_ssl_encryption.pem
> > > >     keyFile: key_ssl_encryption.pem
> > > > }
> > > >
> > > > listener {
> > > >     host: 0.0.0.0
> > > >     port: 10399
> > > >     sasl-mechanisms: EXTERNAL
> > > >     ssl-profile: ssl-profile-name
> > > >     authenticatePeer: yes
> > > >     requireSsl: yes
> > > > }
> > > > In the above configuration, where should I add the "cert_sasl.pem"?
> > > >
> > > > Regards,
> > > > Adel
> > > >
> > > >
> > >
> > >  From the qdrouterd.conf man page:
> > >
> > > Under "listener":
> > >
> > > trustedCerts (path)
> > >      This optional setting can be used to reduce the set of available
> > >      CAs for client authentication. If used, this setting must provide a
> > >      path to a PEM file that contains the trusted certificates.
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
> > > For additional commands, e-mail: users-h...@qpid.apache.org
> > >
> > >
> >
>
>