Hi Kirankumar,

There is a typo in cipher suite names: the GSM is used instead of GCM. Thus, the correct cipherSuiteWhiteList would be:

"qpid.security.tls.cipherSuiteWhiteList": "[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]"

Please note that cipher suites TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384 have been introduced in JDK11 for TLSv1.3. They cannot be used with TLSv1.2. The only TLSv1.2 cipher suite in the list is TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

Regarding encryption of replication traffic I do not have any documentation/recommendation on how to set up the ssh tunnels.

Kind Regards,
Alex

On Mon, 16 Nov 2020 at 14:54, Malyala, Kirankumar <kirankumar.maly...@accenture.com.invalid> wrote:

> Hi Alex,
>
> 1) We are using Qpid 7.1.6 version. When we add the below context in our Port map we are getting an SSL handshake error; it is working fine only for "qpid.security.tls.protocolWhiteList": "TLSv1.2".
>
> "qpid.security.tls.protocolWhiteList": "TLSv1.2", --------> WORKING
> "qpid.security.tls.cipherSuiteWhiteList": "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"(TLS|SSL)_AES_256_GSM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]" --------> NOT WORKING
>
> 2) Also, please let us know which approach would be best for encrypting replicas (SSH tunneling, S Tunnel or IPSec) in Qpid setup and share its configuration documentation/procedure.
>
> Regards,
> Kirankumar Malyala
>
> -----Original Message-----
> From: Oleksandr Rudyy <oru...@gmail.com>
> Sent: Wednesday, November 11, 2020 12:03 AM
> To: users@qpid.apache.org
> Subject: Re: [External] Re: Queries on Qpid setup
>
> Hi Kirankumar,
>
> The context variable can be set on any configured object. For example, you can set context variables in the attribute "context" of Broker configured object or/and Port configured object.
> The children configured objects inherit context settings from their parents. Thus, the Port configured object inherits all context settings from the Broker as Broker is a parent of the Port.
> The context settings can be overridden on the child configured object if required. For example, you can set the context variable "qpid.security.tls.protocolAllowList" on the Broker to "[\"TLSv1.2\",\"TLSv1.3\"]" to allow only TLSv1.2 and TLSv1.3 and override it on the Port to "[\\"TLSv1.3\"]" in order to restrict the port connections to TLSv1.3. Another port object without overridden context variable "qpid.security.tls.protocolAllowList" would inherit the support of TLSv1.2 and TLSv1.3 from the broker.
>
> As mentioned above, the context variables are kept in the attribute "context" as a "map" of string keys and values. You can create your initial configuration and define the context variables in the "context" attribute as illustrated in the example below:
>
> {
>   "name" : "${broker.name}",
>   "modelVersion" : "7.1",
>   "context": {
>     "qpid.security.tls.protocolAllowList": "[\"TLSv1.2\",\"TLSv1.3\"]",
>     "qpid.security.tls.cipherSuiteAllowList": "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"TLS|SSL)_AES_256_GSM_SHA384\",\"TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
>   },
>   ...
>   "ports": [{
>     "name" : "AMQP",
>     "port" : "${qpid.amqp_port}",
>     "context": {
>       "qpid.security.tls.protocolAllowList": "[\"TLSv1.3\"]",
>     },
>     ...
>   },
>   ...
>   ]
> }
>
> In the example above, the context variables "qpid.security.tls.protocolAllowList" and "qpid.security.tls.cipherSuiteAllowList" are defined on the broker level. The port "AMQP" has its own "context" attribute where "qpid.security.tls.protocolAllowList" is overridden. Thus, the port "AMQP" will have "qpid.security.tls.protocolAllowList" defined on the port and "qpid.security.tls.cipherSuiteAllowList" inherited from the Broker.
>
> I hope that the example above helps you to understand the context variable settings.
>
> You can update the context variables using REST API. Though, the TLS needs to be configured first on the HTTP port in order to use REST API.
>
> Kind Regards,
> Alex
>
> On Tue, 10 Nov 2020 at 08:47, Malyala, Kirankumar <kirankumar.maly...@accenture.com.invalid> wrote:
>
> > Hi Alex,
> >
> > Thank you for your help. This is useful to look into the areas where we wanted clarity.
> > I want to clear a few things from the points which you have mentioned.
> >
> > As you mentioned, the TLS version can be set in multiple ways through context variable. Could you explain how we can set it in JVM settings config.json
> >
> > Please share the code if you have it.
> >
> > Also, related to ssh tunnel configuration, could you share with us any existing references which have used ssh tunneling and master/replica concept. Then, it would be easier for us to mold it as per our requirement.
> >
> > Regards,
> > Kirankumar Malyala
> >
> > -----Original Message-----
> > From: Oleksandr Rudyy <oru...@gmail.com>
> > Sent: Tuesday, November 10, 2020 5:24 AM
> > To: users@qpid.apache.org
> > Subject: Re: [External] Re: Queries on Qpid setup
> >
> > Hi Kirankumar,
> > The AMQP and HTTP ports of Qpid Broker-J support TLS and plain TCP transports.
> >
> > In order to enable TLS on broker HTTP or/and AMQP ports Keystore configured object(s) need to be configured.
> > The keystore object should contain a private key and certificates (including intermediates if required).
> >
> > A number of Keystore types are supported on the broker:
> > * FileKeyStore - in this type of Keystore a java keystore is used underneath to hold the private key and certificates
> > * NonJavaKeyStore - used to configure private key and certificates directly in PEM or DER formats
> >
> > The Broker allows users to quickly create a self-signed certificate with a special type of Keystore called "AutoGeneratedSelfSigned" (with Oracle JDK or OpenJDK).
> >
> > The TLS protocols and TLS cipher suites can be customised (if required) using special context variables:
> > * qpid.security.tls.protocolAllowList
> > * qpid.security.tls.protocolDenyList
> > * qpid.security.tls.cipherSuiteAllowList
> > * qpid.security.tls.cipherSuiteDenyList
> > or
> > * qpid.security.tls.protocolWhiteList
> > * qpid.security.tls.protocolBlackList
> > * qpid.security.tls.cipherSuiteWhiteList
> > * qpid.security.tls.cipherSuiteBlackList
> >
> > Before 7.1.9 only "white/black" list terminology was supported. Starting from version 7.1.9 the alternative names "allow/deny" lists can be used. In version 9.0 the "allow/deny" lists completely replace "white/black" list terminology.
> >
> > For example, you can allow only TLSv1.3 with JDK11 by setting context variable qpid.security.tls.protocolAllowList to "TLSv1.3". You can specify the allowed or denied values using regular expressions represented as JSON stringified lists.
> > For example, you can limit allowed cipher suites to only some of them by setting qpid.security.tls.cipherSuiteAllowList to "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"TLS|SSL)_AES_256_GSM_SHA384\",\"TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]".
> > The same applies to deny lists.
> >
> > The context variable can be set in multiple ways:
> > * as JVM settings
> > * as command line arguments (for example, ./bin/qpid-server -prop qpid.security.tls.protocolAllowList=TLSv1.3 )
> > * in a properties file system.properties (it needs to be in broker classpath)
> > * as configured object context variables (for example, context variable set on the Broker object using REST API)
> >
> > The Qpid Broker HA is based on Oracle BDB JE. Unfortunately the BDB JE does not support TLS transport. The data replication is unencrypted. Potentially, you can use SSH tunnels, but that requires configuring tunnels between each of the HA nodes, as the nodes communicate with each other. I believe that it should be possible to configure SSH tunnels, though I cannot give you any useful advice on how to do that.
> >
> > You can download Qpid Broker distribution files from Qpid Download page at http://qpid.apache.org/download.html .
> >
> > Kind Regards,
> > Alex
> >
> > On Fri, 6 Nov 2020 at 04:50, Malyala, Kirankumar <kirankumar.maly...@accenture.com.invalid> wrote:
> >
> > > Hi Alex,
> > >
> > > We are using broker-j (for java). As of now, we are exploring on version 7.
> > > Please do let us know if you want any other information.
> > >
> > > Regards,
> > > Kirankumar Malyala
> > >
> > > -----Original Message-----
> > > From: Oleksandr Rudyy <oru...@gmail.com>
> > > Sent: Friday, November 6, 2020 5:44 AM
> > > To: users@qpid.apache.org
> > > Subject: [External] Re: Queries on Qpid setup
> > >
> > > This message is from an EXTERNAL SENDER - be CAUTIOUS, particularly with links and attachments.
> > >
> > > Hi Kirankumar,
> > > Could you please clarify what exactly Qpid broker are you trying to use?
> > > There are two brokers in Qpid project: c++ broker and broker-j (for java).
> > >
> > > Are you using Qpid Broker-J?
> > >
> > > Kind regards,
> > > Alex
> > >
> > > On Thu, 5 Nov 2020 at 08:05, Malyala, Kirankumar <kirankumar.maly...@accenture.com.invalid> wrote:
> > >
> > > > Hi Team,
> > > >
> > > > We have been doing some POC on Qpid. While working on the configuration, we came across multiple blockers which we have mentioned below.
> > > >
> > > > * How to use a specific version of TLS encryption for Qpid if we deploy on VM.
> > > > * We understood from the Qpid documentation that we have to deploy broker on multiple VM's to create a group and introduce master/replica nodes. Any SOP on this part ?
> > > > * How to apply SSL/TLS encryption to replicas in the group consisting of master and replica nodes using SSH tunnel/IPsec.
> > > > * How can we fetch file in Apache
> > > >
> > > > Please let us know if someone from your team can guide us on these points.
> > > >
> > > > Regards,
> > > > Kirankumar Malyala
> > > >
> > > > ________________________________
> > > >
> > > > This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy.
> > > >
> > > > http://www.accenture.com
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
> For additional commands, e-mail: users-h...@qpid.apache.org
>
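The two faults discussed in this thread, a typo in a cipher suite pattern that matches no suite, and TLS 1.3-only suites allowed on a port whose protocol list permits only TLSv1.2, both surface as an SSL handshake error only after the broker is restarted. The script below is an added example, not Qpid Broker-J's own code, showing how to cross-check the two context values offline first. It assumes the value formats shown in the thread (a JSON stringified list of regexes, or a bare value treated as a single regex), full-match regex semantics as java.util.regex Matcher.matches would give, and a constructed sample of JDK cipher suite names in place of the JDK's real supported list.

```python
import json
import re

# Constructed sample of JDK cipher suite names: a subset of what a JDK 11
# SSLContext reports as supported. The real list is longer.
SAMPLE_JDK_SUITES = [
    "TLS_AES_256_GCM_SHA384",                   # TLS 1.3 only
    "TLS_AES_128_GCM_SHA256",                   # TLS 1.3 only
    "TLS_CHACHA20_POLY1305_SHA256",             # TLS 1.3 only
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",  # TLS 1.2
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",    # TLS 1.2
    "TLS_RSA_WITH_AES_128_CBC_SHA",             # TLS 1.2 (and older)
]
KNOWN_PROTOCOLS = ["TLSv1.2", "TLSv1.3"]


def parse_list_value(value):
    """Parse a Qpid allow/deny-list context value.

    The thread shows two forms: a JSON stringified list of regexes
    ('["TLSv1.2","TLSv1.3"]') and a bare value ('TLSv1.3'). A bare value is
    treated here as a single regex (assumption, not the broker's own parser)."""
    value = value.strip()
    if value.startswith("["):
        items = json.loads(value)
        if not isinstance(items, list) or not all(isinstance(i, str) for i in items):
            raise ValueError("expected a JSON list of strings")
        return items
    return [value]


def select(patterns, candidates, findings, what):
    """Return the candidates matched by any pattern, in first-match order,
    recording invalid patterns and patterns that match nothing.
    Full-match semantics are assumed (as Matcher.matches would give)."""
    selected = []
    for p in patterns:
        try:
            rx = re.compile(p)
        except re.error as err:
            findings.append(f"invalid {what} regex {p!r}: {err}")
            continue
        hits = [c for c in candidates if rx.fullmatch(c)]
        if not hits:
            findings.append(f"{what} pattern {p!r} matches nothing (typo?)")
        selected.extend(h for h in hits if h not in selected)
    return selected


def suite_protocol(name):
    """JDK TLS 1.3 suite names carry no key-exchange part, hence no '_WITH_'."""
    return "TLSv1.2" if "_WITH_" in name else "TLSv1.3"


def check_tls_lists(cipher_value, protocol_value, supported=SAMPLE_JDK_SUITES):
    """Cross-check a cipherSuite allow list against a protocol allow list.

    Returns the suites the allow list selects, the subset usable with the
    allowed protocols, and human-readable findings."""
    findings = []
    try:
        cipher_patterns = parse_list_value(cipher_value)
        protocol_patterns = parse_list_value(protocol_value)
    except ValueError as err:  # json.JSONDecodeError is a ValueError
        return {"allowed": [], "usable": [], "findings": [f"unparseable value: {err}"]}

    protocols = select(protocol_patterns, KNOWN_PROTOCOLS, findings, "protocol")
    allowed = select(cipher_patterns, supported, findings, "cipher suite")
    usable = [s for s in allowed if suite_protocol(s) in protocols]

    for s in allowed:
        if s not in usable:
            findings.append(f"{s} needs {suite_protocol(s)}, which the protocol list does not allow")
    if not allowed:
        findings.append("allow list selects no cipher suite at all: every TLS handshake will fail")
    elif not usable:
        findings.append("no allowed cipher suite works with the allowed protocols: every TLS handshake will fail")
    return {"allowed": allowed, "usable": usable, "findings": findings}


if __name__ == "__main__":
    # The list from the thread (GSM typo) on a TLSv1.2-only port, then the corrected GCM list.
    gsm = '["(TLS|SSL)_AES_128_GSM_SHA256","(TLS|SSL)_AES_256_GSM_SHA384","(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384"]'
    gcm = gsm.replace("GSM", "GCM")
    cases = [("typo", gsm, "TLSv1.2"),
             ("fixed, TLSv1.2 only", gcm, "TLSv1.2"),
             ("fixed, TLSv1.2+1.3", gcm, '["TLSv1.2","TLSv1.3"]')]
    for label, cv, pv in cases:
        result = check_tls_lists(cv, pv)
        print(f"{label}: usable={result['usable']}")
        for f in result["findings"]:
            print("  -", f)
```

To run the check against a real broker, replace SAMPLE_JDK_SUITES with the names returned by `SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()` on the JDK the broker runs on, since the supported set differs between JDK versions (the TLS 1.3 suites only appear from JDK 11).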