It feels like a big puzzle to get SSL with client mutual authentication 
working. It would help me a lot if someone can provide a fully working 
configuration and how to use it with a JMS client for example.
I think it could also benefit others in the future.

Ganesh had provided me on a different thread, steps to generate server 
certificate and use it in the dispatcher. I think something similar here is the 
easiest solution.

Regards,
Adel

> From: ja...@scholz.cz
> Date: Thu, 23 Jun 2016 14:27:11 +0200
> Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> To: users@qpid.apache.org
> 
> I think you have to add the file with client public keys to the certDb
> option. The trustedCerts parameter is used only to control which public
> keys will be listed as supported CAs to the clients.
> 
> Jakub
> 
> On Thu, Jun 23, 2016 at 11:37 AM, Adel Boutros <adelbout...@live.com> wrote:
> 
> > Ok, So I added the client certificate but it doesn't seem to work. I am
> > getting an exception in the handshake phase:
> >
> > Dispatcher error: ERROR (error) Run Time: Cannot set peer authentication
> >
> > Dispatcher config
> > ssl-profile {
> >     name: ssl-profile-name
> >     certFile: cert_ssl_encryption.pem
> >     keyFile: key_ssl_encryption.pem
> > }
> >
> > listener {
> >     host: 0.0.0.0
> >     port: 10398
> >     saslMechanisms: EXTERNAL
> >     sslProfile: ssl-profile-name
> >     authenticatePeer: yes
> >     requireSsl: yes
> >     trustedCerts: cert_sasl.pem
> > }
> >
> > JMS Client
> > System.setProperty("javax.net.ssl.trustStore",
> > resourcePath("trustStore.jks"));
> > System.setProperty("javax.net.ssl.keyStore",
> > resourcePath("clientKeyStore.jks"));
> > System.setProperty("javax.net.ssl.keyStorePassword", "password");
> > JmsConnectionFactory jmsConnectionFactory = new
> > JmsConnectionFactory("amqps://hostname:10398?transport.keyAlias=client");
> > Connection connection = jmsConnectionFactory.createConnection();
> >
> > PS: trustStore.jks contains the cert_ssl_encryption.pem and
> > clientKeyStore.jks contains the sasl certificate (cert_sasl.pem) which is
> > aliased by "client"
> >
> > Should I merge cert_sasl.pem and cert_ssl_encryption.pem in the
> > ssl-profile?
> >
> > Regards,
> > Adel
> >
> > > Date: Wed, 22 Jun 2016 11:23:16 -0400
> > > From: gmur...@redhat.com
> > > To: users@qpid.apache.org
> > > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > >
> > > "Of course I want to use a certificate for SSL encryption (provided in
> > the ssl-profile) and a different one for SASL authentication but on the
> > same listener."
> > >
> > > Are you saying that you have two pairs of server/client certs and you
> > want to use one pair for initial SSL encryption (to encrypt the entire
> > exchange) and another pair for SASL EXTERNAL ? If this is the case, you can
> > have only one server side cert per listener which you can specify in
> > certFile.
> > >
> > > ----- Original Message -----
> > > > From: "Ted Ross" <tr...@redhat.com>
> > > > To: users@qpid.apache.org
> > > > Sent: Wednesday, June 22, 2016 10:55:47 AM
> > > > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > > >
> > > >
> > > >
> > > > On 06/22/2016 10:47 AM, Adel Boutros wrote:
> > > > > Hello,
> > > > >
> > > > > I want to use SASL authentication mechanism using a client
> > certificate. I
> > > > > looked at the examples and tests but I didn't quite get everything.
> > > > > I know I have to setup a listener with "sasl-mechanisms: EXTERNAL"
> > and
> > > > > "require-peer-auth: yes" but then how do I tell the dispatcher which
> > > > > certificates are accepted and which aren't?
> > > > > Of course I want to use a certificate for SSL encryption (provided
> > in the
> > > > > ssl-profile) and a different one for SASL authentication but on the
> > same
> > > > > listener.
> > > > > ssl-profile {
> > > > >     name: ssl-profile-name
> > > > >     certFile: cert_ssl_encryption.pem
> > > > >     keyFile: key_ssl_encryption.pem
> > > > > }
> > > > >
> > > > > listener {
> > > > >     host: 0.0.0.0
> > > > >     port: 10399
> > > > >     sasl-mechanisms: EXTERNAL
> > > > >     ssl-profile: ssl-profile-name
> > > > >     authenticatePeer: yes
> > > > >     requireSsl: yes
> > > > > }
> > > > > In the above configuration, where should I add the "cert_sasl.pem"?
> > > > >
> > > > > Regards,
> > > > > Adel
> > > > >
> > > > >
> > > >
> > > >  From the qdrouterd.conf man page:
> > > >
> > > > Under "listener":
> > > >
> > > > trustedCerts (path)
> > > >      This optional setting can be used to reduce the set of available
> > > >      CAs for client authentication. If used, this setting must provide
> > a
> > > >      path to a PEM file that contains the trusted certificates.
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
> > > > For additional commands, e-mail: users-h...@qpid.apache.org
> > > >
> > > >
> > >
> >
> >
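A complete, runnable version of what Adel asks for at the top of the thread, added here as an example; it is not code from the thread or from the Qpid project. It generates a private CA, the router certificate for the sslProfile and a client certificate for SASL EXTERNAL with openssl, writes the qdrouterd.conf with the certDb entry Jakub points to, builds the JKS stores the JMS client in the thread loads (when keytool is on the path), and prints a Qpid JMS connection URL. The hostname router.example.com, the working directory, the store password "password" and the file names are assumptions; the transport.* URL options are the Qpid JMS client's store settings as documented for that client.

```shell
#!/bin/sh
# Added example, not code from the thread or the Qpid project: a private CA,
# a router (server) cert and a client cert via openssl, a qdrouterd.conf for a
# SASL EXTERNAL listener, and (if keytool exists) the JKS stores the Qpid JMS
# client expects.  Hostname, directory, password and file names are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ROUTER_HOST="${ROUTER_HOST:-router.example.com}"   # assumed router hostname
STORE_PASS="${STORE_PASS:-password}"               # assumed; same value as in the post

# One CA signs both certs.  The client cert's CN ("client") is the identity
# SASL EXTERNAL hands to the router once the TLS handshake has verified it.
make_pki() (
    cd "$WORK"
    cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
        -keyout ca-key.pem -out ca-cert.pem 2>/dev/null
    # Router cert: the SAN must match the host the JMS client connects to.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$ROUTER_HOST" > router.ext
    openssl req -new -config ca.cnf -subj "/CN=$ROUTER_HOST" -newkey rsa:2048 -nodes \
        -keyout key_ssl_encryption.pem -out router.csr 2>/dev/null
    openssl x509 -req -in router.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
        -days 365 -extfile router.ext -out cert_ssl_encryption.pem 2>/dev/null
    # Client cert: the "cert_sasl.pem" of the thread, signed by the same CA.
    printf 'extendedKeyUsage=clientAuth\n' > client.ext
    openssl req -new -config ca.cnf -subj "/CN=client" -newkey rsa:2048 -nodes \
        -keyout client-key.pem -out client.csr 2>/dev/null
    openssl x509 -req -in client.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
        -days 365 -extfile client.ext -out cert_sasl.pem 2>/dev/null
)

# The check the router performs in the handshake: chain the client cert to certDb.
verify_client_cert() {
    openssl verify -CAfile "$WORK/ca-cert.pem" "$WORK/cert_sasl.pem" >/dev/null 2>&1
}

# certDb is the CA list the router verifies client certs against; it was absent
# from the config in the thread.  trustedCerts stays optional (man page text above).
write_router_config() {
    cat > "$WORK/qdrouterd.conf" <<EOF
sslProfile {
    name: ssl-profile-name
    certFile: $WORK/cert_ssl_encryption.pem
    keyFile: $WORK/key_ssl_encryption.pem
    certDb: $WORK/ca-cert.pem
}

listener {
    host: 0.0.0.0
    port: 10398
    sslProfile: ssl-profile-name
    requireSsl: yes
    authenticatePeer: yes
    saslMechanisms: EXTERNAL
    # trustedCerts: $WORK/ca-cert.pem   (optional: narrows the CAs advertised to clients)
}
EOF
}

# JKS stores for the JMS client: key + cert under alias "client", CA in the truststore.
build_java_stores() (
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping JKS build" >&2; exit 0; }
    cd "$WORK"
    openssl pkcs12 -export -name client -inkey client-key.pem -in cert_sasl.pem \
        -certfile ca-cert.pem -passout "pass:$STORE_PASS" -out client.p12
    keytool -importkeystore -noprompt -srckeystore client.p12 -srcstoretype PKCS12 \
        -srcstorepass "$STORE_PASS" -destkeystore clientKeyStore.jks -deststoretype JKS \
        -deststorepass "$STORE_PASS"
    keytool -importcert -noprompt -alias example-ca -file ca-cert.pem \
        -keystore trustStore.jks -storetype JKS -storepass "$STORE_PASS"
)

# Connection URL for org.apache.qpid.jms.JmsConnectionFactory, using the client's
# transport.* store options instead of the javax.net.ssl system properties.
client_url() {
    printf 'amqps://%s:10398?transport.keyStoreLocation=%s/clientKeyStore.jks&transport.keyStorePassword=%s&transport.trustStoreLocation=%s/trustStore.jks&transport.trustStorePassword=%s&transport.keyAlias=client&amqp.saslMechanisms=EXTERNAL\n' \
        "$ROUTER_HOST" "$WORK" "$STORE_PASS" "$WORK" "$STORE_PASS"
}

make_pki
write_router_config
build_java_stores
verify_client_cert && echo "client cert chains to the certDb CA"
echo "router config: $WORK/qdrouterd.conf"
echo "JMS URL: $(client_url)"
```

Run it with `sh mtls-setup.sh`, start the router with `qdrouterd -c "$WORK/qdrouterd.conf"`, and pass the printed URL to `new JmsConnectionFactory(url)`. Two things to watch: the JMS client verifies the router hostname against the certificate by default, so ROUTER_HOST has to be the name the client actually dials; and if an older JDK refuses the PKCS12 file produced by OpenSSL 3, add `-legacy` to the `openssl pkcs12 -export` step.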