Hello,

On a previous post 
(http://qpid.2158936.n2.nabble.com/Qpid-Dispatch-SSL-SASL-configuration-on-a-listener-tp7646048.html), 
I had asked about how to set up qpid-dispatch to work with SSL and SASL 
authentication, and thanks to your help I was able to get clients 
(consumer/producer) to connect to the dispatcher using the correct 
certificates.

At that time, I was connected to the open AMQP port of the Java Broker, which 
had no security. I then tried to connect to a port which only required SSL, and 
this is also working.

What is not working, however, is connecting the dispatcher to a port which has 
SSL and requires client certificates on the Java Broker. When I run the 
qdmanage command to create the connector, no connection shows up on the 
virtual host tab in the Java Broker Web management console.

The qdmanage commands are not showing any errors and there are no errors on the 
Java Broker's side. Is there a way to debug further what is happening with 
qdmanage?

As a reminder, my certificates are generated by a self-signed CA composed of a 
root authority and an intermediate one.

Dispatcher config
router {
    id: router.10396
    mode: interior
    worker-threads: 4
}

ssl-profile {
    name: ssl-full-profile
    certFile: cert_lx.pem
    keyFile: key_lx.pem
    certDb: ca-chain.cert.pem
}

listener {
    host: 0.0.0.0
    port: 10396
    role: normal
    saslMechanisms: EXTERNAL
    sslProfile: ssl-full-profile
    requireSsl: yes
    authenticatePeer: yes
}

listener {
    host: 0.0.0.0
    port: 10395
    role: normal
    saslMechanisms: ANONYMOUS
    sslProfile: ssl-full-profile
    requireSsl: yes
    authenticatePeer: no
}

log {
    module: DEFAULT
    enable: warn+
    output: dispatch.10396.log
}

Java Broker
AMQP port is 10101, configured with the proper "KeyStore" of the broker, a 
"NonJavaTrustStore" containing the ca-chain.cert.pem (combination of the root 
and intermediate certificates) and "Want SSL Client Certificate".

qdmanage commands
qdmanage -b amqps://localhost:10395 --ssl-key=key_lx.pem \
    --ssl-certificate=cert_lx.pem create --type=address prefix=perfQueue \
    waypoint=true name=perf.queue.addr

qdmanage -b amqps://localhost:10395 --ssl-key=key_lx.pem \
    --ssl-certificate=cert_lx.pem create --type=connector role=route-container \
    addr=localhost port=10101 name=localhost.broker.10101.connector \
    certFile=cert_lx.pem certDb=ca-chain.cert.pem

Regards,
Adel
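
A small audit of the listener settings shown in the configuration above, as an added example that is not part of the original post or of Qpid Dispatch: it parses the "section { key: value }" layout and reports listeners that accept peers without authentication, such as the one on port 10395 that the qdmanage commands connect to. The function names and the treatment of an absent authenticatePeer as "no" are assumptions of this example.

```python
import re
# Constructed sample: the two listener sections from the post ("role" lines omitted).
SAMPLE_CONF = """
listener {
    host: 0.0.0.0
    port: 10396
    saslMechanisms: EXTERNAL
    sslProfile: ssl-full-profile
    requireSsl: yes
    authenticatePeer: yes
}
listener {
    host: 0.0.0.0
    port: 10395
    saslMechanisms: ANONYMOUS
    sslProfile: ssl-full-profile
    requireSsl: yes
    authenticatePeer: no
}
"""

def parse_sections(text):
    """Return [(section_type, {attribute: value})] for 'type { key: value }' blocks."""
    sections = []
    for kind, body in re.findall(r"([\w-]+)\s*\{([^}]*)\}", text):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop trailing comments
            if ":" in line:
                key, value = line.split(":", 1)
                attrs[key.strip()] = value.strip()
        sections.append((kind, attrs))
    return sections

def audit_listeners(text):
    """Return {port: [findings]} for listeners that accept unauthenticated peers."""
    findings = {}
    for kind, attrs in parse_sections(text):
        issues = []
        # Assumption of this example: an absent authenticatePeer is treated as "no".
        if attrs.get("authenticatePeer", "no").lower() not in ("yes", "true"):
            issues.append("authenticatePeer is off")
        if "ANONYMOUS" in attrs.get("saslMechanisms", "").upper().split():
            issues.append("SASL ANONYMOUS offered")
        if issues and attrs.get("host") in ("0.0.0.0", "::"):
            issues.append("bound to all interfaces")
        if kind == "listener" and issues:
            findings[attrs.get("port")] = issues
    return findings
```

Calling audit_listeners() on the full router configuration text returns only the listeners with findings, keyed by port; other section types (router, ssl-profile, log) are ignored.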
                                          
