Hi Jakub, thank you for the answer.

Actually, at this most basic, web-browser level of security, where just the
communication is encrypted but without client authentication, I didn't need the
certificate either. Just pointing at the server's SSL port, 5671, was enough:

  qpid-config -a amqps://localhost:5671 add queue queue1.q

  qpid-stat -b amqps://localhost:5671 -q
...
  queue                                     dur  autoDel  excl  msg   msgIn  msgOut  bytes  bytesIn  bytesOut  cons  bind
  =========================================================================================================================
  b3ef21b5-3b34-4e88-8f61-91375d854a1c:0.0       Y        Y        0     0      0       0      0        0         1     2
  queue1.q                                                         0     0      0       0      0        0         0     1

i.e., both work fine because there's no authentication.

For searchable posterity, when I just removed the --ssl-key I got: 
  scripts$ qpid-config -a amqps://localhost:5671 --ssl-certificate=/space/play/ssl_certs/tserver-certificate.pem add queue queue1.q
  Failed: ConnectError: [SSL] PEM lib (_ssl.c:2600)

Thanks again;

Jeff
________________________________________
From: Jakub Scholz [[email protected]]
Sent: Friday, August 05, 2016 12:32 AM
To: [email protected]
Subject: Re: Use of qpid-config with SSL

Hi Jeff,

The password it is asking for is to decrypt the private key. However,
looking at your qpidd configuration, I'm not sure you really need the
private key to be specified. It looks like the broker is configured to use
SSL only with Server authentication. Therefore the client should need only
the public key. Have you tried to use the qpid-config without the --ssl-key
parameter?

Should you really need the private key, I don't think you can pass the
password as a parameter in qpid-config, but you can use a PEM file without
encryption. In such a case it would not ask for a password, but of course the
private key will not be protected by the password and encryption.

Regards
Jakub

On Fri, Aug 5, 2016 at 1:52 AM, Jeff Donner <[email protected]>
wrote:

> Hi -
>
>   I get qpid-config connecting to the qpidd broker (on Linux), but it asks
> for a password each time. Since there are a lot of queues and exchanges, is
> there a way not to enter it manually? I don't see any way to use a response
> file.
>
> Also, I think I'm making clients connect via SSL, but not be
> authenticated themselves (as a first step), so why is qpidd or qpid-config
> asking for a password?
>
> $ cat /space/play/ssl.qpidd.conf
> ssl-cert-db=/space/play/ssl_certs
> ssl-cert-name=test_server
> ssl-cert-password-file=/space/play/ssl_certs/tserverpw
> ssl-use-export-policy=yes
> ssl-require-client-authentication=no
> auth=no
>
> $ qpidd --conf /space/play/ssl.qpidd.conf
>
> $
>
> $ qpid-config --ssl-certificate=/space/play/ssl_certs/tserver-certificate.pem --ssl-key=/space/play/ssl_certs/tserver-private-key.pem -a amqps://localhost:5671 add queue queue1.q
> Enter PEM pass phrase: ('tserverpw' works)
>
> The cert and key are from the Proton cpp examples and seem fine, and I
> believe I've turned /space/play/ssl_certs into a proper db with certutil.
>
> Thanks,
> Jeff
>
>
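
The thread's point about encrypted versus unencrypted PEM keys, as an added example that is not part of the original messages or of Qpid: a check that tells, before a key is handed to a scripted tool, whether it will prompt for a pass phrase and, if not, whether file permissions are its only protection. The function names, status strings and sample files are assumptions made for this sketch; the PEM bodies are constructed placeholders.

```python
import os
import stat
import tempfile

def pem_key_status(path):
    """Say whether a PEM key file will prompt for a pass phrase or is exposed."""
    with open(path, encoding="ascii", errors="replace") as fh:
        text = fh.read()
    if "PRIVATE KEY-----" not in text:
        return "no-private-key"          # e.g. a certificate-only PEM file
    # PKCS#8 encrypted keys carry their own label; traditional OpenSSL keys
    # keep the plain label and add a "Proc-Type: 4,ENCRYPTED" header.
    if ("-----BEGIN ENCRYPTED PRIVATE KEY-----" in text
            or "Proc-Type: 4,ENCRYPTED" in text):
        return "encrypted"               # tools will ask for the pass phrase
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "plaintext-exposed"       # no pass phrase, readable beyond owner
    return "plaintext-owner-only"        # no pass phrase, protected by mode only

def _pem(label, headers=""):
    # Constructed placeholder body, not real key material.
    return (f"-----BEGIN {label}-----\n{headers}"
            f"Q09OU1RSVUNURUQ=\n-----END {label}-----\n")

# Constructed samples: (file contents, file mode).
SAMPLES = {
    "legacy-encrypted.pem": (_pem("RSA PRIVATE KEY",
        "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"), 0o600),
    "pkcs8-encrypted.pem": (_pem("ENCRYPTED PRIVATE KEY"), 0o600),
    "plain-0644.pem": (_pem("PRIVATE KEY"), 0o644),
    "plain-0600.pem": (_pem("PRIVATE KEY"), 0o600),
    "cert-only.pem": (_pem("CERTIFICATE"), 0o644),
}

def audit_samples():
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (body, mode) in SAMPLES.items():
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="ascii") as fh:
                fh.write(body)
            os.chmod(path, mode)
            results[name] = pem_key_status(path)
    return results

if __name__ == "__main__":
    for name, status in audit_samples().items():
        print(f"{name:22} {status}")
```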
