Hi Adel, I'm a bit confused about what you are trying to achieve.

A listener (so acting as a server) can have only one certificate specified through the certFile parameter (and related keyFile for the private key). This certificate is issued by the server (listener) to the client during the SSL/TLS handshake in order to provide the server authentication feature. Of course the server certificate is signed with a CA certificate. In order to have client authentication, the client sends its own certificate to the server during the handshake. This certificate is signed by the same CA certificate used to sign the server certificate or another CA certificate specified through the trustedCerts. When the SSL handshake ends and mutual authentication is achieved, the SASL handshake starts and using EXTERNAL you are saying that the client was authenticated in a way external to SASL itself, using the previous authentication at SSL level. It means that the SASL EXTERNAL authentication mechanism is strictly related to what's happened in the previous SSL handshake, so it's related to the certificates used for that.

Paolo.

Paolo Patierno
Senior Software Engineer (IoT) @ Red Hat
Microsoft MVP on Windows Embedded & IoT
Microsoft Azure Advisor

Twitter : @ppatierno
Linkedin : paolopatierno
Blog : DevExperience

> From: [email protected]
> To: [email protected]
> Subject: RE: [Qpid-Dispatch] SSL/SASL configuration on a listener
> Date: Thu, 23 Jun 2016 15:16:22 +0200
>
> It feels like a big puzzle to get SSL with client mutual authentication
> working. It would help me a lot if someone can provide a fully working
> configuration and how to use it with a JMS client for example.
> I think it could also benefit others in the future.
>
> Ganesh had provided me on a different thread, steps to generate a server
> certificate and use it in the dispatcher. I think something similar here is
> the easiest solution.
>
> Regards,
> Adel
>
> > From: [email protected]
> > Date: Thu, 23 Jun 2016 14:27:11 +0200
> > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > To: [email protected]
> >
> > I think you have to add the file with client public keys to the certDb
> > option. The trustedCerts parameter is used only to control which public
> > keys will be listed as supported CAs to the clients.
> >
> > Jakub
> >
> > On Thu, Jun 23, 2016 at 11:37 AM, Adel Boutros <[email protected]> wrote:
> >
> > > Ok, so I added the client certificate but it doesn't seem to work. I am
> > > getting an exception in the handshake phase:
> > >
> > > Dispatcher error: ERROR (error) Run Time: Cannot set peer authentication
> > >
> > > Dispatcher config
> > >
> > > ssl-profile {
> > >     name: ssl-profile-name
> > >     certFile: cert_ssl_encryption.pem
> > >     keyFile: key_ssl_encryption.pem
> > > }
> > >
> > > listener {
> > >     host: 0.0.0.0
> > >     port: 10398
> > >     saslMechanisms: EXTERNAL
> > >     sslProfile: ssl-profile-name
> > >     authenticatePeer: yes
> > >     requireSsl: yes
> > >     trustedCerts: cert_sasl.pem
> > > }
> > >
> > > JMS Client
> > >
> > > System.setProperty("javax.net.ssl.trustStore", resourcePath("trustStore.jks"));
> > > System.setProperty("javax.net.ssl.keyStore", resourcePath("clientKeyStore.jks"));
> > > System.setProperty("javax.net.ssl.keyStorePassword", "password");
> > > JmsConnectionFactory jmsConnectionFactory = new JmsConnectionFactory("amqps://hostname:10398?transport.keyAlias=client");
> > > Connection connection = jmsConnectionFactory.createConnection();
> > >
> > > PS: trustStore.jks contains the cert_ssl_encryption.pem and
> > > clientKeyStore.jks contains the sasl certificate (cert_sasl.pem) which is
> > > aliased by "client".
> > >
> > > Should I merge cert_sasl.pem and cert_ssl_encryption.pem in the
> > > ssl-profile?
> > >
> > > Regards,
> > > Adel
> > >
> > > > Date: Wed, 22 Jun 2016 11:23:16 -0400
> > > > From: [email protected]
> > > > To: [email protected]
> > > > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > > >
> > > > "Of course I want to use a certificate for SSL encryption (provided in
> > > > the ssl-profile) and a different one for SASL authentication but on the
> > > > same listener."
> > > >
> > > > Are you saying that you have two pairs of server/client certs and you
> > > > want to use one pair for initial SSL encryption (to encrypt the entire
> > > > exchange) and another pair for SASL EXTERNAL? If this is the case, you
> > > > can have only one server side cert per listener, which you can specify in
> > > > certFile.
> > > >
> > > > ----- Original Message -----
> > > > > From: "Ted Ross" <[email protected]>
> > > > > To: [email protected]
> > > > > Sent: Wednesday, June 22, 2016 10:55:47 AM
> > > > > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > > > >
> > > > > On 06/22/2016 10:47 AM, Adel Boutros wrote:
> > > > > > Hello,
> > > > > >
> > > > > > I want to use the SASL authentication mechanism using a client
> > > > > > certificate. I looked at the examples and tests but I didn't quite
> > > > > > get everything.
> > > > > > I know I have to set up a listener with "sasl-mechanisms: EXTERNAL"
> > > > > > and "require-peer-auth: yes" but then how do I tell the dispatcher
> > > > > > which certificates are accepted and which aren't?
> > > > > > Of course I want to use a certificate for SSL encryption (provided
> > > > > > in the ssl-profile) and a different one for SASL authentication but
> > > > > > on the same listener.
> > > > > >
> > > > > > ssl-profile {
> > > > > >     name: ssl-profile-name
> > > > > >     certFile: cert_ssl_encryption.pem
> > > > > >     keyFile: key_ssl_encryption.pem
> > > > > > }
> > > > > >
> > > > > > listener {
> > > > > >     host: 0.0.0.0
> > > > > >     port: 10399
> > > > > >     sasl-mechanisms: EXTERNAL
> > > > > >     ssl-profile: ssl-profile-name
> > > > > >     authenticatePeer: yes
> > > > > >     requireSsl: yes
> > > > > > }
> > > > > >
> > > > > > In the above configuration, where should I add the "cert_sasl.pem"?
> > > > > >
> > > > > > Regards,
> > > > > > Adel
> > > > >
> > > > > From the qdrouterd.conf man page:
> > > > >
> > > > > Under "listener":
> > > > >
> > > > > trustedCerts (path)
> > > > >     This optional setting can be used to reduce the set of available
> > > > >     CAs for client authentication. If used, this setting must provide
> > > > >     a path to a PEM file that contains the trusted certificates.
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: [email protected]
> > > > > For additional commands, e-mail: [email protected]
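Paolo's explanation, turned into the certificate material and listener configuration it implies, as an added example that is not part of the thread or of the Qpid Dispatch project: one CA signs both the server certificate (the single certFile/keyFile pair of the ssl-profile) and the client certificate, and it is the CA file, not cert_sasl.pem itself, that goes into certDb/trustedCerts; `client_cert_trusted` reproduces with `openssl verify` the chain check the listener performs on the client certificate before SASL EXTERNAL can reuse that identity. It assumes `openssl` is on PATH, uses constructed subject names and file names, and spells the configuration keys the way the thread does (certDb from Jakub's reply, the rest from Adel's listener).

```shell
#!/bin/sh
# Added example (not from the thread): build the PEM files the listener needs.
# Assumes openssl is on PATH; all names and subjects below are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"
# 1. One CA. It signs both the server (listener) cert and the client cert,
#    which is what lets SASL EXTERNAL reuse the TLS client authentication.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
    -keyout ca_key.pem -out ca_cert.pem 2>/dev/null
# 2. Server cert/key: the single certFile/keyFile pair of the ssl-profile.
openssl req -newkey rsa:2048 -nodes -subj "/CN=router.example" \
    -keyout key_ssl_encryption.pem -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA ca_cert.pem -CAkey ca_key.pem \
    -CAcreateserial -days 365 -out cert_ssl_encryption.pem 2>/dev/null
# 3. Client cert/key: presented by the JMS client during the TLS handshake;
#    its subject is the identity SASL EXTERNAL asserts afterwards.
openssl req -newkey rsa:2048 -nodes -subj "/CN=client" \
    -keyout client_key.pem -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA ca_cert.pem -CAkey ca_key.pem \
    -CAcreateserial -days 365 -out cert_sasl.pem 2>/dev/null
# The router trusts CAs, not individual client certs: trustedCerts holds the
# CA certificate, never cert_sasl.pem itself.
cp ca_cert.pem trusted_cas.pem
# The check authenticatePeer: yes performs on the client cert: does it chain
# to a CA in the trusted file? Returns 0 if yes, non-zero otherwise.
client_cert_trusted() {
    openssl verify -CAfile trusted_cas.pem "$1" >/dev/null 2>&1
}
# Listener config in the key spelling used in the thread (certDb from Jakub's
# reply, the rest from Adel's); paths are absolute so qdrouterd finds them.
cat > qdrouterd.conf <<EOF
ssl-profile {
    name: ssl-profile-name
    certFile: $WORK/cert_ssl_encryption.pem
    keyFile: $WORK/key_ssl_encryption.pem
    certDb: $WORK/ca_cert.pem
}
listener {
    host: 0.0.0.0
    port: 10398
    saslMechanisms: EXTERNAL
    sslProfile: ssl-profile-name
    authenticatePeer: yes
    requireSsl: yes
    trustedCerts: $WORK/trusted_cas.pem
}
EOF
```

For the JMS side of the same setup, clientKeyStore.jks would hold client_key.pem with cert_sasl.pem under the alias named by transport.keyAlias, and trustStore.jks would hold ca_cert.pem so the client can validate the listener's certificate.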
