I also want to add that there is a file called
qpid-dispatch/tests/ssl_certs/gencerts.sh (thanks Chuck Rolke). This file has
commands that create a root CA and self-signed certs. There are several tests
(system_tests_qdstat.py, system_tests_two_routers.py,
system_tests_sasl_plain.py) that use these self-signed certs and also cover
various SASL scenarios.

Thanks. 

----- Original Message -----
> From: "Ganesh Murthy" <gmur...@redhat.com>
> To: users@qpid.apache.org
> Sent: Thursday, June 23, 2016 10:05:08 AM
> Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> 
> Hi Adel,
>    When creating self signed certificates, it is always a good idea to create
>    a root CA and use it to sign the server and client certificates.
> 
> If you are creating self signed certs in a production environment, I would
> suggest that you create a root CA and use the root CA to create an
> intermediate CA and then use the intermediate CA to create your self signed
> server and client certs. If your client or server certs are compromised, you
> can use the root CA to invalidate the intermediate CA which in turn would
> invalidate all certs created using the intermediate CA. This way you can
> make sure that your root CA is never compromised.
> 
> Thanks.
> 
> ----- Original Message -----
> > From: "Adel Boutros" <adelbout...@live.com>
> > To: users@qpid.apache.org
> > Sent: Thursday, June 23, 2016 9:56:02 AM
> > Subject: RE: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > 
> > Hi Paolo,
> > 
> > In that case I think the issue is that my certificates were self-signed so
> > there was no CA. I think this works on the Java Broker thanks to the
> > KeyStore and TrustStore features.
> > 
> > I will re-organize my certificates to have a CA which will generate the
> > client and server certificates and test again.
> > 
> > Thanks for the helpful explanation!
> > 
> > Regards,
> > Adel
> > 
> > > From: ppatie...@live.com
> > > To: users@qpid.apache.org
> > > Subject: RE: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > > Date: Thu, 23 Jun 2016 13:31:56 +0000
> > > 
> > > Hi Adel,
> > > 
> > > I'm a bit confused about what you are trying to achieve.
> > > 
> > > A listener (so acting as a server) can have only one certificate specified
> > > through the certFile parameter (and the related keyFile for the private
> > > key). This certificate is issued by the server (listener) to the client
> > > during the SSL/TLS handshake in order to provide the server authentication
> > > feature. Of course the server certificate is signed with a CA certificate.
> > > 
> > > In order to have client authentication, the client sends its own
> > > certificate to the server during the handshake. This certificate is signed
> > > by the same CA certificate used to sign the server certificate or another
> > > CA certificate specified through the trustCerts.
> > > 
> > > When the SSL handshake ends and mutual authentication is achieved, the SASL
> > > handshake starts and, using EXTERNAL, you are saying that the client was
> > > authenticated in a way external to SASL itself, using the previous
> > > authentication at SSL level.
> > > 
> > > It means that the SASL EXTERNAL authentication mechanism is strictly
> > > related to what happened in the previous SSL handshake, so it's related
> > > to the certificates used for that.
> > > 
> > > Paolo.
> > > 
> > > Paolo Patierno
> > > Senior Software Engineer (IoT) @ Red Hat
> > > Microsoft MVP on Windows Embedded & IoT
> > > Microsoft Azure Advisor
> > > Twitter : @ppatierno
> > > Linkedin : paolopatierno
> > > Blog : DevExperience
> > > 
> > > > From: adelbout...@live.com
> > > > To: users@qpid.apache.org
> > > > Subject: RE: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > > > Date: Thu, 23 Jun 2016 15:16:22 +0200
> > > > 
> > > > It feels like a big puzzle to get SSL with client mutual authentication
> > > > working. It would help me a lot if someone could provide a fully working
> > > > configuration and how to use it with a JMS client, for example.
> > > > I think it could also benefit others in the future.
> > > > 
> > > > Ganesh had provided me, on a different thread, with steps to generate a
> > > > server certificate and use it in the dispatcher. I think something
> > > > similar here is the easiest solution.
> > > > 
> > > > Regards,
> > > > Adel
> > > > 
> > > > > From: ja...@scholz.cz
> > > > > Date: Thu, 23 Jun 2016 14:27:11 +0200
> > > > > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > > > > To: users@qpid.apache.org
> > > > > 
> > > > > I think you have to add the file with client public keys to the certDb
> > > > > option. The trustedCerts parameter is used only to control which public
> > > > > keys will be listed as supported CAs to the clients.
> > > > > 
> > > > > Jakub
> > > > > 
> > > > > On Thu, Jun 23, 2016 at 11:37 AM, Adel Boutros <adelbout...@live.com>
> > > > > wrote:
> > > > > 
> > > > > > Ok, so I added the client certificate but it doesn't seem to work. I
> > > > > > am getting an exception in the handshake phase:
> > > > > >
> > > > > > Dispatcher error: ERROR (error) Run Time: Cannot set peer authentication
> > > > > >
> > > > > > Dispatcher config
> > > > > > ssl-profile {
> > > > > >     name: ssl-profile-name
> > > > > >     certFile: cert_ssl_encryption.pem
> > > > > >     keyFile: key_ssl_encryption.pem
> > > > > > }
> > > > > >
> > > > > > listener {
> > > > > >     host: 0.0.0.0
> > > > > >     port: 10398
> > > > > >     saslMechanisms: EXTERNAL
> > > > > >     sslProfile: ssl-profile-name
> > > > > >     authenticatePeer: yes
> > > > > >     requireSsl: yes
> > > > > >     trustedCerts: cert_sasl.pem
> > > > > > }
> > > > > >
> > > > > > JMS Client
> > > > > > import javax.jms.Connection;
> > > > > > import org.apache.qpid.jms.JmsConnectionFactory;
> > > > > >
> > > > > > // trust store: the router's certificate; key store: the client's cert and key
> > > > > > System.setProperty("javax.net.ssl.trustStore", resourcePath("trustStore.jks"));
> > > > > > System.setProperty("javax.net.ssl.keyStore", resourcePath("clientKeyStore.jks"));
> > > > > > System.setProperty("javax.net.ssl.keyStorePassword", "password");
> > > > > > // transport.keyAlias selects which key store entry is presented during the handshake
> > > > > > JmsConnectionFactory jmsConnectionFactory =
> > > > > >     new JmsConnectionFactory("amqps://hostname:10398?transport.keyAlias=client");
> > > > > > Connection connection = jmsConnectionFactory.createConnection();
> > > > > >
> > > > > > PS: trustStore.jks contains the cert_ssl_encryption.pem and
> > > > > > clientKeyStore.jks contains the sasl certificate (cert_sasl.pem), which
> > > > > > is aliased by "client"
> > > > > >
> > > > > > Should I merge cert_sasl.pem and cert_ssl_encryption.pem in the
> > > > > > ssl-profile?
> > > > > >
> > > > > > Regards,
> > > > > > Adel
> > > > > >
> > > > > > > Date: Wed, 22 Jun 2016 11:23:16 -0400
> > > > > > > From: gmur...@redhat.com
> > > > > > > To: users@qpid.apache.org
> > > > > > > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a listener
> > > > > > >
> > > > > > > "Of course I want to use a certificate for SSL encryption (provided in
> > > > > > > the ssl-profile) and a different one for SASL authentication but on the
> > > > > > > same listener."
> > > > > > >
> > > > > > > Are you saying that you have two pairs of server/client certs and you
> > > > > > > want to use one pair for initial SSL encryption (to encrypt the entire
> > > > > > > exchange) and another pair for SASL EXTERNAL? If this is the case, you
> > > > > > > can have only one server side cert per listener, which you can specify
> > > > > > > in certFile.
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > > From: "Ted Ross" <tr...@redhat.com>
> > > > > > > > To: users@qpid.apache.org
> > > > > > > > Sent: Wednesday, June 22, 2016 10:55:47 AM
> > > > > > > > Subject: Re: [Qpid-Dispatch] SSL/SASL configuration on a
> > > > > > > > listener
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > On 06/22/2016 10:47 AM, Adel Boutros wrote:
> > > > > > > > > Hello,
> > > > > > > > >
> > > > > > > > > I want to use the SASL authentication mechanism using a client
> > > > > > > > > certificate. I looked at the examples and tests but I didn't quite
> > > > > > > > > get everything.
> > > > > > > > > I know I have to set up a listener with "sasl-mechanisms: EXTERNAL"
> > > > > > > > > and "require-peer-auth: yes" but then how do I tell the dispatcher
> > > > > > > > > which certificates are accepted and which aren't?
> > > > > > > > > Of course I want to use a certificate for SSL encryption (provided
> > > > > > > > > in the ssl-profile) and a different one for SASL authentication but
> > > > > > > > > on the same listener.
> > > > > > > > > ssl-profile {
> > > > > > > > >     name: ssl-profile-name
> > > > > > > > >     certFile: cert_ssl_encryption.pem
> > > > > > > > >     keyFile: key_ssl_encryption.pem
> > > > > > > > > }
> > > > > > > > >
> > > > > > > > > listener {
> > > > > > > > >     host: 0.0.0.0
> > > > > > > > >     port: 10399
> > > > > > > > >     sasl-mechanisms: EXTERNAL
> > > > > > > > >     ssl-profile: ssl-profile-name
> > > > > > > > >     authenticatePeer: yes
> > > > > > > > >     requireSsl: yes
> > > > > > > > > }
> > > > > > > > > In the above configuration, where should I add the
> > > > > > > > > "cert_sasl.pem"?
> > > > > > > > >
> > > > > > > > > Regards,
> > > > > > > > > Adel
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > > From the qdrouterd.conf man page:
> > > > > > > >
> > > > > > > > Under "listener":
> > > > > > > >
> > > > > > > > trustedCerts (path)
> > > > > > > >      This optional setting can be used to reduce the set of available
> > > > > > > >      CAs for client authentication. If used, this setting must provide
> > > > > > > >      a path to a PEM file that contains the trusted certificates.
> > > > > > > >
> > > > > > > > ---------------------------------------------------------------------
> > > > > > > > To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
> > > > > > > > For additional commands, e-mail: users-h...@qpid.apache.org
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > >
> > >
> >
>

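Editor's added example, not code from this thread, from gencerts.sh or from qpid-dispatch: it carries out the root CA -> intermediate CA -> server/client procedure Ganesh recommends using openssl, assembles the CA bundle the router would be handed for peer authentication, and then runs the checks that explain the failure Adel hit: a leaf issued under the intermediate verifies against that bundle, a self-signed client cert that shares no CA with the router does not, and the root alone is not enough unless the intermediate is supplied with the leaf. Every name in it (demo-root, demo-intermediate, router.example.test, client1, rogue, mtls-profile) is made up for the demo, the port 10398 is reused from Adel's config, and placing certDb inside the sslProfile is an assumption taken from Jakub's remark, not something checked against the qdrouterd.conf man page.

```shell
#!/bin/sh
# Editor's added example (not from this thread, gencerts.sh or qpid-dispatch):
# root CA -> intermediate CA -> server/client leaf certs with openssl, the CA
# bundle the router would trust for peer authentication, and the verify checks
# that show which client certs that bundle accepts. All names are invented.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # fresh working directory, absolute path
DAYS=365

# Sign CSR $1 with CA cert $2 / CA key $3, extensions from file $4, into $5.
issue() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days "$DAYS" -sha256 -extfile "$4" -out "$5" >/dev/null 2>&1
}

# Generate a 2048-bit RSA key $1 and a CSR $3 for subject $2.
keypair_csr() {
    openssl genrsa -out "$1" 2048 2>/dev/null
    openssl req -new -key "$1" -subj "$2" -out "$3" 2>/dev/null
}

build_pki() {
    cd "$WORK"

    # 1. Root CA: self-signed; in production its key stays offline.
    keypair_csr root.key "/CN=demo-root" root.csr
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
        -extfile root.ext -out root.pem >/dev/null 2>&1

    # 2. Intermediate CA: the only certificate the root ever signs. pathlen:0
    #    stops it from minting further CAs.
    keypair_csr intermediate.key "/CN=demo-intermediate" intermediate.csr
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    issue intermediate.csr root.pem root.key ca.ext intermediate.pem

    # 3. Listener cert (certFile/keyFile of the sslProfile), bound to a hostname.
    keypair_csr server.key "/CN=router.example.test" server.csr
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:router.example.test\n' > server.ext
    issue server.csr intermediate.pem intermediate.key server.ext server.pem

    # 4. Client cert the JMS client presents; with SASL EXTERNAL its subject
    #    becomes the authenticated identity.
    keypair_csr client.key "/CN=client1" client.csr
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
    issue client.csr intermediate.pem intermediate.key client.ext client.pem

    # 5. Bundle handed to the router as its CA database: intermediate and
    #    root, so a client presenting only its leaf still chains to a root.
    cat intermediate.pem root.pem > ca-bundle.pem

    # 6. The thread's failure case: a self-signed client cert with no CA in
    #    common with the router.
    openssl genrsa -out rogue.key 2048 2>/dev/null
    openssl req -x509 -new -key rogue.key -days "$DAYS" -subj "/CN=rogue" \
        -out rogue.pem 2>/dev/null

    # 7. Router config; certDb living inside sslProfile is assumed from the thread.
    cat > qdrouterd.conf <<EOF
sslProfile {
    name: mtls-profile
    certFile: $WORK/server.pem
    keyFile: $WORK/server.key
    certDb: $WORK/ca-bundle.pem
}

listener {
    host: 0.0.0.0
    port: 10398
    sslProfile: mtls-profile
    saslMechanisms: EXTERNAL
    authenticatePeer: yes
    requireSsl: yes
}
EOF
}

# Would a router trusting bundle $2 accept leaf $1? Returns 0 if so.
accepts() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo "accept: $(basename "$1") chains to $(basename "$2")"
    else
        echo "reject: $(basename "$1") does not chain to $(basename "$2")"
        return 1
    fi
}

build_pki
accepts "$WORK/server.pem" "$WORK/ca-bundle.pem"
accepts "$WORK/client.pem" "$WORK/ca-bundle.pem"
accepts "$WORK/rogue.pem"  "$WORK/ca-bundle.pem" || true   # rejected
accepts "$WORK/client.pem" "$WORK/root.pem"      || true   # rejected: no intermediate
# Same leaf, root-only trust, but now the intermediate travels with it:
openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediate.pem" "$WORK/client.pem"
```

Run it with sh and OpenSSL 1.1.1 or later; WORK defaults to a fresh temporary directory. The last two checks are the practical point for a JMS client: either the router's CA database contains the intermediate, or the client key store must carry intermediate.pem as part of the client's chain, otherwise the leaf is rejected even though it was issued under the root the router trusts. On the client side the trust store would hold root.pem (or the bundle) so that server.pem chains for the client as well.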
