Hi Kirankumar,
There is a typo in the cipher suite names: GSM is used instead of GCM.
Thus, the correct cipherSuiteWhiteList would be:

"qpid.security.tls.cipherSuiteWhiteList":
"[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]"


Please note that cipher suites TLS_AES_128_GCM_SHA256 and
TLS_AES_256_GCM_SHA384 have been introduced in JDK11 for TLSv1.3. They
cannot be used with TLSv1.2. The only TLSv1.2 cipher suite in the list is
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

Regarding encryption of replication traffic, I do not have any
documentation/recommendation on how to set up the ssh tunnels.

Kind Regards,
Alex
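As an added example (not from the thread or the Qpid project), a small Python check that resolves the effective context of a port the way the quoted reply describes (broker entries inherited, port entries overriding) and evaluates the allow-list regexes against a constructed subset of JDK 11 cipher suite names, reproducing the empty result that the GSM typo gives. The config fragment, the suite table and whole-name regex matching are assumptions.

```python
import json
import re
# Constructed config.json fragment in the shape shown in the thread (assumed, not a real export).
CONFIG = {
    "context": {
        "qpid.security.tls.protocolAllowList": "[\"TLSv1.2\",\"TLSv1.3\"]",
        "qpid.security.tls.cipherSuiteAllowList":
            "[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\","
            "\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]",
    },
    "ports": [{"name": "AMQP", "context": {"qpid.security.tls.protocolAllowList": "[\"TLSv1.3\"]"}},
              {"name": "HTTP", "context": {}}],
}
# The failing list from the question: the same suites with the GSM typo, TLSv1.2 only.
TYPO_CONTEXT = {
    "qpid.security.tls.protocolAllowList": "TLSv1.2",
    "qpid.security.tls.cipherSuiteAllowList":
        CONFIG["context"]["qpid.security.tls.cipherSuiteAllowList"].replace("GCM", "GSM"),
}
# Constructed subset of JDK 11 suite names -> protocol; the first two are TLSv1.3-only.
JDK_SUITES = {
    "TLS_AES_128_GCM_SHA256": "TLSv1.3",
    "TLS_AES_256_GCM_SHA384": "TLSv1.3",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "TLSv1.2",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "TLSv1.2",
}

def effective_context(config, port_name):
    """Port context = broker context with the port's own entries overriding it."""
    port = next(p for p in config["ports"] if p["name"] == port_name)
    return {**config.get("context", {}), **port.get("context", {})}

def parse_list(value):
    """A context list is a JSON-stringified array of regexes; a bare string is one regex."""
    value = value.strip()
    return json.loads(value) if value.startswith("[") else [value]

def allowed_suites(ctx, suites=JDK_SUITES):
    """Suites whose name fully matches an allow-list regex and whose protocol is allowed
    (matching the whole name, like Java's Matcher.matches, is an assumption here)."""
    protocols = parse_list(ctx.get("qpid.security.tls.protocolAllowList", "[]"))
    patterns = parse_list(ctx.get("qpid.security.tls.cipherSuiteAllowList", "[]"))
    return {s: p for s, p in suites.items()
            if any(re.fullmatch(r, p) for r in protocols)
            and any(re.fullmatch(r, s) for r in patterns)}

def unusable_protocols(ctx, suites=JDK_SUITES):
    """Allowed protocols left with no cipher suite: the handshake-failure case in the thread."""
    usable = set(allowed_suites(ctx, suites).values())
    return [r for r in parse_list(ctx["qpid.security.tls.protocolAllowList"])
            if not any(re.fullmatch(r, p) for p in usable)]
```

Running `unusable_protocols` over each port's effective context before restarting the broker flags an allow list that leaves a protocol with no usable suite.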

On Mon, 16 Nov 2020 at 14:54, Malyala, Kirankumar
<kirankumar.maly...@accenture.com.invalid> wrote:

> Hi Alex,
>
> 1) We are using Qpid 7.1.6 version. When we add the below context in our Port
> map, we get an SSL handshake error; it works fine only for
> "qpid.security.tls.protocolWhiteList": "TLSv1.2".
>
> "qpid.security.tls.protocolWhiteList": "TLSv1.2",  --------> WORKING
> "qpid.security.tls.cipherSuiteWhiteList":
> "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"(TLS|SSL)_AES_256_GSM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
> --------> NOT WORKING
>
> 2) Also, please let us know which approach would be best for encrypting
> replicas (SSH tunneling, stunnel or IPsec) in a Qpid setup and share its
> configuration documentation/procedure.
>
> Regards,
> Kirankumar Malyala
>
> -----Original Message-----
> From: Oleksandr Rudyy <oru...@gmail.com>
> Sent: Wednesday, November 11, 2020 12:03 AM
> To: users@qpid.apache.org
> Subject: Re: [External] Re: Queries on Qpid setup
>
> Hi Kirankumar,
>
> The context variable can be set on any configured object. For example, you
> can set context variables in the attribute "context" of Broker configured
> object or/and Port configured object.
> The children configured objects inherit context settings from their
> parents. Thus, the Port configured object inherits all context settings
> from the Broker as Broker is a parent of the Port.
> The context settings can be overridden on the child configured object if
> required. For example, you can set the context variable
> "qpid.security.tls.protocolAllowList" on the Broker to
> "[\"TLSv1.2\",\"TLSv1.3\"]" to allow only TLSv1.2 and TLSv1.3 and override
> it on the Port to "[\"TLSv1.3\"]" in order to restrict the port
> connections to TLSv1.3. Another port object without overridden context
> variable "qpid.security.tls.protocolAllowList" would inherit the support of
> TLSv1.2 and TLSv1.3 from the broker.
>
> As mentioned above, the context variables are kept in the attribute
> "context" as a "map" of string keys and values. You can create your initial
> configuration and define the context variables in the "context" attribute
> as illustrated in the example below:
>
> {
>   "name" : "${broker.name}",
>   "modelVersion" : "7.1",
>   "context": {
>     "qpid.security.tls.protocolAllowList": "[\"TLSv1.2\",\"TLSv1.3\"]",
>     "qpid.security.tls.cipherSuiteAllowList":
> "[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]"
>   },
>
>   ...
>   "ports": [{
>     "name" : "AMQP",
>     "port" : "${qpid.amqp_port}",
>     "context": {
>       "qpid.security.tls.protocolAllowList": "[\"TLSv1.3\"]"
>     },
>    ...
>    },
>    ...
>   ]
> }
>
> In the example above, the context variables
> "qpid.security.tls.protocolAllowList" and
> "qpid.security.tls.cipherSuiteAllowList" are defined on the broker level.
> The port "AMQP" has its own "context" attribute where
> "qpid.security.tls.protocolAllowList" is overridden. Thus, the port "AMQP"
> will have "qpid.security.tls.protocolAllowList" defined on the port and
> "qpid.security.tls.cipherSuiteAllowList" inherited from the Broker.
>
> I hope that the example above helps you to understand the context variable
> settings.
>
> You can update the context variables using the REST API. However, TLS needs
> to be configured first on the HTTP port in order to use the REST API.
>
>
> Kind Regards,
> Alex
>
>
>
>
> On Tue, 10 Nov 2020 at 08:47, Malyala, Kirankumar
> <kirankumar.maly...@accenture.com.invalid> wrote:
>
> > Hi Alex,
> >
> > Thank you for your help. This is useful to look into the areas where
> > we wanted clarity.
> > I want to clear a few things from the points which you have mentioned.
> >
> > As you mentioned, the TLS version can be set in multiple ways through
> > context variables. Could you explain how we can set it in the JVM settings
> > and config.json?
> >
> > Please share the code if you have it.
> >
> > Also, related to ssh tunnel configuration, could you share with us any
> > existing references which have used ssh tunneling and the master/replica
> > concept. Then, it would be easier for us to mold it as per our
> > requirement.
> >
> > Regards,
> > Kirankumar Malyala
> >
> >
> > -----Original Message-----
> > From: Oleksandr Rudyy <oru...@gmail.com>
> > Sent: Tuesday, November 10, 2020 5:24 AM
> > To: users@qpid.apache.org
> > Subject: Re: [External] Re: Queries on Qpid setup
> >
> > Hi Kirankumar,
> > The AMQP and HTTP ports of Qpid Broker-J support TLS and plain TCP
> > transports.
> >
> > In order to enable TLS on the broker HTTP or/and AMQP ports, a Keystore
> > configured object (or objects) needs to be configured.
> > The keystore object should contain a private key and certificates
> > (including intermediates if required).
> >
> > A number of Keystore types are supported on the broker:
> > * FileKeyStore - in this type of Keystore a java keystore is used
> > underneath to hold the private key and certificates
> > * NonJavaKeyStore - used to configure private key and certificates
> > directly in PEM or DER formats
> >
> > The Broker allows users to quickly create a self-signed certificate
> > with a special type of Keystore called "AutoGeneratedSelfSigned" (with
> > Oracle JDK or OpenJDK).
> >
> > The TLS protocols and TLS cipher suites can be customised (if
> > required) using special context variables:
> > * qpid.security.tls.protocolAllowList
> > * qpid.security.tls.protocolDenyList
> > * qpid.security.tls.cipherSuiteAllowList
> > * qpid.security.tls.cipherSuiteDenyList
> > or
> > * qpid.security.tls.protocolWhiteList
> > * qpid.security.tls.protocolBlackList
> > * qpid.security.tls.cipherSuiteWhiteList
> > * qpid.security.tls.cipherSuiteBlackList
> >
> > Before 7.1.9 only "white/black" list terminology was supported.
> > Starting from version 7.1.9 the alternative names "allow/deny" lists
> > can be used. In version 9.0 the "allow/deny" lists completely replace
> > "white/black" list terminology.
> >
> > For example, you can allow only TLSv1.3 with JDK11 by setting context
> > variable qpid.security.tls.protocolAllowList to "TLSv1.3". You can
> > specify the allowed or denied values using regular expressions
> > represented as JSON stringified lists.
> > For example, you can limit allowed cipher suites to only some of them
> > by setting qpid.security.tls.cipherSuiteAllowList to
> >
> > "[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]".
> > The same applies to deny lists.
> >
> > The context variable can be set in multiple ways:
> > * as JVM settings
> > * as command line arguments (for example, ./bin/qpid-server -prop
> > qpid.security.tls.protocolAllowList=TLSv1.3 )
> > * in a properties file system.properties (it needs to be in broker
> > classpath)
> > * as configured object context variables (for example, context
> > variable set on the Broker object using REST API)
> >
> >
> > The Qpid Broker HA is based on Oracle BDB JE. Unfortunately the BDB
> > JE does not support TLS transport. The data replication is unencrypted.
> > Potentially, you can use SSH tunnels, but that requires configuring
> > tunnels between each of the HA nodes, as the nodes communicate with each
> > other. I believe that it should be possible to configure SSH tunnels,
> > though I cannot give you any useful advice on how to do that.
> >
> > You can download Qpid Broker distribution files from the Qpid Download
> > page at http://qpid.apache.org/download.html.
> >
> > Kind Regards,
> > Alex
> >
> >
> > On Fri, 6 Nov 2020 at 04:50, Malyala, Kirankumar
> > <kirankumar.maly...@accenture.com.invalid> wrote:
> >
> > > Hi Alex,
> > >
> > > We are using broker-j (for java). As of now, we are exploring
> > > version 7.
> > > Please do let us know if you want any other information.
> > >
> > > Regards,
> > > Kirankumar Malyala
> > >
> > > -----Original Message-----
> > > From: Oleksandr Rudyy <oru...@gmail.com>
> > > Sent: Friday, November 6, 2020 5:44 AM
> > > To: users@qpid.apache.org
> > > Subject: [External] Re: Queries on Qpid setup
> > >
> > > Hi Kirankumar,
> > > Could you please clarify which Qpid broker exactly you are trying to
> > > use?
> > > There are two brokers in the Qpid project: the c++ broker and broker-j
> > > (for java).
> > >
> > > Are you using Qpid Broker-J?
> > >
> > > Kind regards,
> > > Alex
> > >
> > > On Thu, 5 Nov 2020 at 08:05, Malyala, Kirankumar
> > > <kirankumar.maly...@accenture.com.invalid> wrote:
> > >
> > > > Hi Team,
> > > >
> > > > We have been doing some POC on Qpid. While working on the
> > > > configuration, we came across multiple blockers, which we have
> > > > mentioned below.
> > > >
> > > >   *   How to use a specific version of TLS encryption for Qpid if we
> > > >       deploy on a VM.
> > > >   *   We understood from the Qpid documentation that we have to deploy
> > > >       the broker on multiple VMs to create a group and introduce
> > > >       master/replica nodes. Any SOP on this part?
> > > >   *   How to apply SSL/TLS encryption to replicas in a group consisting
> > > >       of master and replica nodes using an SSH tunnel/IPsec.
> > > >   *   How can we fetch a file in Apache?
> > > >
> > > > Please let us know if someone from your team can guide us on
> > > > these points.
> > > >
> > > > Regards,
> > > > Kirankumar Malyala
> > > >