Hi Adel,

When creating self signed certificates, it is always a good idea to create a root CA and use it to sign the server and client certificates.

If you are creating self signed certs in a production environment, I would suggest that you create a root CA and use the root CA to create an intermediate CA and then use the intermediate CA to create your self signed server and client certs. If your client or server certs are compromised, you can use the root CA to invalidate the intermediate CA which in turn would invalidate all certs created using the intermediate CA. This way you can make sure that your root CA is never compromised.

Thanks.

----- Original Message -----
> From: "Adel Boutros" <[email protected]>
> To: [email protected]
> Sent: Thursday, June 23, 2016 9:56:02 AM
> Subject: RE: [Qpid-Dispatch] SSL/SASL configuration on a listener
>
> Hi Paolo,
>
> In that case I think the issue is that my certificates were self-signed so
> there was no CA. I think this works on the Java Broker thanks to the
> KeyStore and TrustStore features.
>
> I will re-organize my certificates to have a CA which will generate the
> client and server certificates and test again.
>
> Thanks for the helpful explanation!
>
> Regards,
> Adel
>
> > From: [email protected]
> > To: [email protected]
> > Subject: RE: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > Date: Thu, 23 Jun 2016 13:31:56 +0000
> >
> > Hi Adel,
> >
> > I'm a bit confused about what you are trying to achieve.
> >
> > A listener (so acting as a server) can have only one certificate specified
> > through certFile parameter (and related keyFile for the private
> > key). This certificate is issued by the server (listener) to the client
> > during SSL/TLS handshake in order to provide the server authentication
> > feature. Of course the server certificate is signed with a CA certificate.
> >
> > In order to have client authentication, the client sends its own
> > certificate to the server during the handshake. This certificate is signed
> > by the same CA certificate used to sign server certificate or another CA
> > certificate specified through the trustCerts.
> >
> > When the SSL handshake ends and mutual authentication is achieved, the SASL
> > handshake starts and using EXTERNAL you are saying that the client was
> > authenticated in a way external to SASL itself and using the previous
> > authentication at SSL level.
> >
> > It means that the SASL EXTERNAL authentication mechanism is strictly
> > related with what's happened in the previous SSL handshake so it's related
> > to the certificates used for that.
> >
> > Paolo.
> >
> > Paolo Patierno
> > Senior Software Engineer (IoT) @ Red Hat
> > Microsoft MVP on Windows Embedded & IoT
> > Microsoft Azure Advisor
> > Twitter : @ppatierno
> > Linkedin : paolopatierno
> > Blog : DevExperience
> >
> > > From: [email protected]
> > > To: [email protected]
> > > Subject: RE: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > > Date: Thu, 23 Jun 2016 15:16:22 +0200
> > >
> > > It feels like a big puzzle to get SSL with client mutual authentication
> > > working. It would help me a lot if someone can provide a fully working
> > > configuration and how to use it with a JMS client for example.
> > > I think it could also benefit others in the future
> > >
> > > Ganesh had provided me on a different thread, steps to generate server
> > > certificate and use it in the dispatcher. I think something similar here
> > > is the easiest solution.
> > >
> > > Regards,
> > > Adel
> > >
> > > > From: [email protected]
> > > > Date: Thu, 23 Jun 2016 14:27:11 +0200
> > > > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > > > To: [email protected]
> > > >
> > > > I think you have to add the file with client public keys to the certDb
> > > > option. The trustedCerts parameter is used only to control which public
> > > > keys will be listed as supported CAs to the clients.
> > > >
> > > > Jakub
> > > >
> > > > On Thu, Jun 23, 2016 at 11:37 AM, Adel Boutros <[email protected]>
> > > > wrote:
> > > >
> > > > > Ok, So I added the client certificate but it doesn't seem to work. I am
> > > > > getting an exception in the handshake phase:
> > > > >
> > > > > Dispatcher error: ERROR (error) Run Time: Cannot set peer authentication
> > > > >
> > > > > Dispatcher config
> > > > > ssl-profile {
> > > > >     name: ssl-profile-name
> > > > >     certFile: cert_ssl_encryption.pem
> > > > >     keyFile: key_ssl_encryption.pem
> > > > > }
> > > > >
> > > > > listener {
> > > > >     host: 0.0.0.0
> > > > >     port: 10398
> > > > >     saslMechanisms: EXTERNAL
> > > > >     sslProfile: ssl-profile-name
> > > > >     authenticatePeer: yes
> > > > >     requireSsl: yes
> > > > >     trustedCerts: cert_sasl.pem
> > > > > }
> > > > >
> > > > > JMS Client
> > > > > System.setProperty("javax.net.ssl.trustStore", resourcePath("trustStore.jks"));
> > > > > System.setProperty("javax.net.ssl.keyStore", resourcePath("clientKeyStore.jks"));
> > > > > System.setProperty("javax.net.ssl.keyStorePassword", "password");
> > > > > JmsConnectionFactory jmsConnectionFactory = new
> > > > >     JmsConnectionFactory("amqps://hostname:10398?transport.keyAlias=client");
> > > > > Connection connection = jmsConnectionFactory.createConnection();
> > > > >
> > > > > PS: trustStore.jks contains the cert_ssl_encryption.pem and
> > > > > clientKeyStore.jks contains the sasl certificate (cert_sasl.pem) which is
> > > > > aliased by "client"
> > > > >
> > > > > Should I merge cert_sasl.pem and cert_ssl_encryption.pem in the
> > > > > ssl-profile?
> > > > >
> > > > > Regards,
> > > > > Adel
> > > > >
> > > > > > Date: Wed, 22 Jun 2016 11:23:16 -0400
> > > > > > From: [email protected]
> > > > > > To: [email protected]
> > > > > > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > > > > >
> > > > > > "Of course I want to use a certificate for SSL encryption (provided in
> > > > > > the ssl-profile) and a different one for SASL authentication but on the
> > > > > > same listener."
> > > > > >
> > > > > > Are you saying that you have two pairs of server/client certs and you
> > > > > > want to use one pair for initial SSL encryption (to encrypt the entire
> > > > > > exchange) and another pair for SASL EXTERNAL ? If this is the case, you can
> > > > > > have only one server side cert per listener which you can specify in
> > > > > > certFile.
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "Ted Ross" <[email protected]>
> > > > > > > To: [email protected]
> > > > > > > Sent: Wednesday, June 22, 2016 10:55:47 AM
> > > > > > > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > > > > > >
> > > > > > > On 06/22/2016 10:47 AM, Adel Boutros wrote:
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > I want to use SASL authentication mechanism using a client certificate. I
> > > > > > > > looked at the examples and tests but I didn't quite get everything.
> > > > > > > > I know I have to setup a listener with "sasl-mechanisms: EXTERNAL" and
> > > > > > > > "require-peer-auth: yes" but then how do I tell the dispatcher which
> > > > > > > > certificates are accepted and which aren't?
> > > > > > > > Of course I want to use a certificate for SSL encryption (provided in the
> > > > > > > > ssl-profile) and a different one for SASL authentication but on the same
> > > > > > > > listener.
> > > > > > > > ssl-profile {
> > > > > > > >     name: ssl-profile-name
> > > > > > > >     certFile: cert_ssl_encryption.pem
> > > > > > > >     keyFile: key_ssl_encryption.pem
> > > > > > > > }
> > > > > > > >
> > > > > > > > listener {
> > > > > > > >     host: 0.0.0.0
> > > > > > > >     port: 10399
> > > > > > > >     sasl-mechanisms: EXTERNAL
> > > > > > > >     ssl-profile: ssl-profile-name
> > > > > > > >     authenticatePeer: yes
> > > > > > > >     requireSsl: yes
> > > > > > > > }
> > > > > > > > In the above configuration, where should I add the "cert_sasl.pem"?
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Adel
> > > > > > >
> > > > > > > From the qdrouterd.conf man page:
> > > > > > >
> > > > > > > Under "listener":
> > > > > > >
> > > > > > > trustedCerts (path)
> > > > > > >     This optional setting can be used to reduce the set of available
> > > > > > >     CAs for client authentication. If used, this setting must provide a
> > > > > > >     path to a PEM file that contains the trusted certificates.
> > > > > > >
> > > > > > > ---------------------------------------------------------------------
> > > > > > > To unsubscribe, e-mail: [email protected]
> > > > > > > For additional commands, e-mail: [email protected]
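Worked example of the hierarchy recommended at the top of this message (root CA, intermediate CA, then server and client leaf certificates), as added example code that is not part of the thread and not from the Qpid project; it uses only the openssl command line. Every name and file name in it (Example Root CA, Example Intermediate CA, router.example.test, amqp-client, the .key/.csr/.crt/.crl files and the ca.cnf sections) is constructed for this example. It builds the chain, verifies both leaves against the root alone, then has the root revoke the intermediate and shows that every leaf issued under it is rejected once revocation is checked, which is the "invalidate the intermediate, invalidate all certs under it" property described above.

```shell
#!/bin/sh
# Added example, not from the thread: root CA -> intermediate CA -> server/client leaves with the
# openssl CLI, chain verification, then revocation of the intermediate via a root-issued CRL.
# All names and file names below are constructed for this example.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# gen_csr NAME SUBJECT: fresh 2048-bit RSA key plus a CSR (keys left unencrypted for the demo)
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

# issue_leaf NAME SUBJECT EKU [SAN]: end-entity certificate issued by the intermediate CA only
issue_leaf() {
  gen_csr "$1" "$2"
  {
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
      'keyUsage=critical,digitalSignature,keyEncipherment' \
      "extendedKeyUsage=$3" 'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid:always'
    if [ -n "$4" ]; then printf 'subjectAltName=%s\n' "$4"; fi
  } > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 365 -sha256 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

build_hierarchy() {
  # Root CA: self-signed, restricted to signing certificates and CRLs. Its key stays offline in practice.
  gen_csr root "/CN=Example Root CA"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid:always' > root.ext
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 -extfile root.ext -out root.crt 2>/dev/null

  # Intermediate CA: signed by the root; pathlen:0 means it may issue only end-entity certificates.
  gen_csr inter "/CN=Example Intermediate CA"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' 'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid:always' > inter.ext
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile inter.ext -out inter.crt 2>/dev/null

  # Leaves: the listener's server certificate and the client certificate presented for SASL EXTERNAL.
  issue_leaf server "/CN=router.example.test" serverAuth "DNS:router.example.test"
  issue_leaf client "/CN=amqp-client" clientAuth
}

# verify_leaf NAME [CRLFILE]: path validation with root.crt as the only trust anchor and the
# intermediate supplied as an untrusted chain certificate, as a TLS peer would receive it.
# With a CRL file, revocation is checked at every depth of the chain. Returns openssl's status.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile root.crt -untrusted inter.crt -crl_check_all -CRLfile "$2" "$1.crt"
  else
    openssl verify -CAfile root.crt -untrusted inter.crt "$1.crt"
  fi
}

# revoke_intermediate: the root revokes inter.crt and issues a CRL; the intermediate issues an
# (empty) CRL too, so the verifier has revocation data at every depth. Both end up in all.crl.
revoke_intermediate() {
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = root_ca
[ root_ca ]
database = root_index.txt
crlnumber = root_crlnumber
certificate = root.crt
private_key = root.key
default_md = sha256
default_crl_days = 30
[ inter_ca ]
database = inter_index.txt
crlnumber = inter_crlnumber
certificate = inter.crt
private_key = inter.key
default_md = sha256
default_crl_days = 30
EOF
  touch root_index.txt inter_index.txt
  echo 01 > root_crlnumber
  echo 01 > inter_crlnumber
  openssl ca -config ca.cnf -name root_ca -revoke inter.crt 2>/dev/null
  openssl ca -config ca.cnf -name root_ca -gencrl -out root.crl 2>/dev/null
  openssl ca -config ca.cnf -name inter_ca -gencrl -out inter.crl 2>/dev/null
  cat root.crl inter.crl > all.crl
}

build_hierarchy
verify_leaf server                 # exits 0: chain root -> inter -> server validates
verify_leaf client                 # exits 0
revoke_intermediate
verify_leaf server all.crl || echo "server.crt rejected: its issuer is revoked"   # non-zero exit
verify_leaf client all.crl || echo "client.crt rejected: its issuer is revoked"   # non-zero exit
```

Relating the files to the configuration discussed in the thread (my reading, not something the thread states): root.crt is the trust anchor the listener needs for client certificates, server.crt with server.key is the listener's certFile/keyFile, and client.crt with client.key is what the JMS client's keystore holds. Because the trust anchor is the root alone, a peer can only build the chain if it is sent the intermediate as well, so the server's PEM should contain server.crt followed by inter.crt; `openssl verify -CAfile root.crt server.crt` without `-untrusted inter.crt` fails for exactly that reason. The intermediate's own empty CRL is included in all.crl so that `-crl_check_all` has revocation data for the leaf depth and the reported failure is the revocation of the intermediate at depth 1 rather than a missing CRL.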
