Hi Paolo,

In that case I think the issue is that my certificates were self-signed so there was no CA. I think this works on the Java Broker thanks to the KeyStore and TrustStore features.

I will re-organize my certificates to have a CA which will generate the client and server certificates and test again.

Thanks for the helpful explanation!

Regards,
Adel

> From: [email protected]
> To: [email protected]
> Subject: RE: [Qpid-Dispatch] SSL/SASL configuration on a listener
> Date: Thu, 23 Jun 2016 13:31:56 +0000
>
> Hi Adel,
>
> I'm a bit confused about what you are trying to achieve.
>
> A listener (so acting as a server) can have only one certificate specified through the certFile parameter (and the related keyFile for the private key). This certificate is issued by the server (listener) to the client during the SSL/TLS handshake in order to provide the server authentication feature. Of course the server certificate is signed with a CA certificate.
>
> In order to have client authentication, the client sends its own certificate to the server during the handshake. This certificate is signed by the same CA certificate used to sign the server certificate or another CA certificate specified through the trustCerts.
>
> When the SSL handshake ends and mutual authentication is achieved, the SASL handshake starts and using EXTERNAL you are saying that the client was authenticated in a way external to SASL itself and using the previous authentication at SSL level.
>
> It means that the SASL EXTERNAL authentication mechanism is strictly related to what's happened in the previous SSL handshake so it's related to the certificates used for that.
>
> Paolo.
>
> Paolo Patierno
> Senior Software Engineer (IoT) @ Red Hat
> Microsoft MVP on Windows Embedded & IoT
> Microsoft Azure Advisor
> Twitter : @ppatierno
> Linkedin : paolopatierno
> Blog : DevExperience
>
> > From: [email protected]
> > To: [email protected]
> > Subject: RE: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > Date: Thu, 23 Jun 2016 15:16:22 +0200
> >
> > It feels like a big puzzle to get SSL with client mutual authentication working. It would help me a lot if someone can provide a fully working configuration and how to use it with a JMS client for example. I think it could also benefit others in the future.
> >
> > Ganesh had provided me, on a different thread, steps to generate a server certificate and use it in the dispatcher. I think something similar here is the easiest solution.
> >
> > Regards,
> > Adel
> >
> > > From: [email protected]
> > > Date: Thu, 23 Jun 2016 14:27:11 +0200
> > > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > > To: [email protected]
> > >
> > > I think you have to add the file with client public keys to the certDb option. The trustedCerts parameter is used only to control which public keys will be listed as supported CAs to the clients.
> > >
> > > Jakub
> > >
> > > On Thu, Jun 23, 2016 at 11:37 AM, Adel Boutros <[email protected]> wrote:
> > >
> > > > Ok, so I added the client certificate but it doesn't seem to work. I am getting an exception in the handshake phase:
> > > >
> > > > Dispatcher error: ERROR (error) Run Time: Cannot set peer authentication
> > > >
> > > > Dispatcher config
> > > > ssl-profile {
> > > >     name: ssl-profile-name
> > > >     certFile: cert_ssl_encryption.pem
> > > >     keyFile: key_ssl_encryption.pem
> > > > }
> > > >
> > > > listener {
> > > >     host: 0.0.0.0
> > > >     port: 10398
> > > >     saslMechanisms: EXTERNAL
> > > >     sslProfile: ssl-profile-name
> > > >     authenticatePeer: yes
> > > >     requireSsl: yes
> > > >     trustedCerts: cert_sasl.pem
> > > > }
> > > >
> > > > JMS Client
> > > > import javax.jms.Connection;
> > > > import org.apache.qpid.jms.JmsConnectionFactory;
> > > >
> > > > // trust store holds the router's certificate, key store holds the client certificate and key
> > > > System.setProperty("javax.net.ssl.trustStore", resourcePath("trustStore.jks"));
> > > > System.setProperty("javax.net.ssl.keyStore", resourcePath("clientKeyStore.jks"));
> > > > System.setProperty("javax.net.ssl.keyStorePassword", "password");
> > > > JmsConnectionFactory jmsConnectionFactory = new JmsConnectionFactory("amqps://hostname:10398?transport.keyAlias=client");
> > > > Connection connection = jmsConnectionFactory.createConnection();
> > > >
> > > > PS: trustStore.jks contains the cert_ssl_encryption.pem and clientKeyStore.jks contains the sasl certificate (cert_sasl.pem) which is aliased by "client"
> > > >
> > > > Should I merge cert_sasl.pem and cert_ssl_encryption.pem in the ssl-profile?
> > > >
> > > > Regards,
> > > > Adel
> > > >
> > > > > Date: Wed, 22 Jun 2016 11:23:16 -0400
> > > > > From: [email protected]
> > > > > To: [email protected]
> > > > > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > > > >
> > > > > "Of course I want to use a certificate for SSL encryption (provided in the ssl-profile) and a different one for SASL authentication but on the same listener."
> > > > >
> > > > > Are you saying that you have two pairs of server/client certs and you want to use one pair for initial SSL encryption (to encrypt the entire exchange) and another pair for SASL EXTERNAL? If this is the case, you can have only one server side cert per listener which you can specify in certFile.
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Ted Ross" <[email protected]>
> > > > > > To: [email protected]
> > > > > > Sent: Wednesday, June 22, 2016 10:55:47 AM
> > > > > > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > > > > >
> > > > > > On 06/22/2016 10:47 AM, Adel Boutros wrote:
> > > > > > > Hello,
> > > > > > >
> > > > > > > I want to use the SASL authentication mechanism using a client certificate. I looked at the examples and tests but I didn't quite get everything. I know I have to set up a listener with "sasl-mechanisms: EXTERNAL" and "require-peer-auth: yes" but then how do I tell the dispatcher which certificates are accepted and which aren't?
> > > > > > > Of course I want to use a certificate for SSL encryption (provided in the ssl-profile) and a different one for SASL authentication but on the same listener.
> > > > > > > ssl-profile {
> > > > > > >     name: ssl-profile-name
> > > > > > >     certFile: cert_ssl_encryption.pem
> > > > > > >     keyFile: key_ssl_encryption.pem
> > > > > > > }
> > > > > > >
> > > > > > > listener {
> > > > > > >     host: 0.0.0.0
> > > > > > >     port: 10399
> > > > > > >     sasl-mechanisms: EXTERNAL
> > > > > > >     ssl-profile: ssl-profile-name
> > > > > > >     authenticatePeer: yes
> > > > > > >     requireSsl: yes
> > > > > > > }
> > > > > > > In the above configuration, where should I add the "cert_sasl.pem"?
> > > > > > >
> > > > > > > Regards,
> > > > > > > Adel
> > > > > >
> > > > > > From the qdrouterd.conf man page:
> > > > > >
> > > > > > Under "listener":
> > > > > >
> > > > > > trustedCerts (path)
> > > > > >     This optional setting can be used to reduce the set of available CAs for client authentication. If used, this setting must provide a path to a PEM file that contains the trusted certificates.
> > > > > >
> > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: [email protected]
> > > > > > For additional commands, e-mail: [email protected]
