| # |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| # |
| |
| Using SSL |
| ========= |
| |
| The implementation and use of SSL has some differences on Linux and |
| on Windows. |
| |
| Linux |
| ===== |
| |
| SSL support for Qpid-C++ is based on Mozilla's Network Security Services |
| library. SSL support will be built automatically providing this library |
| and include files are found at build time. |
| |
| Broker side SSL Settings (note you can get these by qpidd --help) |
| |
| SSL Settings: |
| --ssl-use-export-policy Use NSS export policy |
| --ssl-cert-password-file PATH File containing password to use for accessing |
| certificate database |
| --ssl-cert-db PATH Path to directory containing certificate |
| database |
| --ssl-cert-name NAME (hostname) Name of the certificate to use |
| --ssl-port PORT (5671) Port on which to listen for SSL connections |
| --ssl-require-client-authentication Forces clients to authenticate in order |
| to establish an SSL connection |
| --ssl-sasl-no-dict Disables SASL mechanisms that are vulner able to |
| passive dictionary-based password attacks |
| |
| The first four of these are also available as client options (where |
| they must either be in the client config file or set as environment |
| variables e.g. QPID_SSL_CERT_DB). |
| |
| To run either the broker or client you need ssl-cert-db-path to point |
| to the directory where relevant certificate and key databases can be |
| found. |
| |
| Certificate databases are set up using certutil (included in the |
| nss-tools package on fedora). See the NSS site for examples[1] and |
| full details[2]. |
| |
| For a simple testing you can set up a single db with a single self |
| signed certificate. E.g (with myhost and mydomain replaced by the |
| hostname and domainname of the machine in question respectively): |
| |
| mkdir test_cert_db |
| certutil -N -d test_cert_db -f cert.password |
| certutil -S -d test_cert_db -n "myhost.mydomain" \ |
| -s "CN=myhost.mydomain" -t "CT,," -x \ |
| -f cert.password -z /usr/bin/certutil |
| |
| Here cert.password is a file with a password in it that will be needed |
| for accessing the created db. |
| |
| The daemon can then be started with something like the following: |
| |
| ./src/qpidd --auth no \ |
| --ssl-cert-db ./test_cert_db \ |
| --ssl-cert-password-file ./cert.password \ |
| --ssl-cert-name myhost.mydomain |
| |
| then for client set: |
| |
| QPID_SSL_CERT_DB=./test_cert_db |
| |
| and run e.g. |
| |
| ./src/tests/perftest --count 10000 -P ssl --port 5671 \ |
| --broker myhost.mydomain |
| |
| When authentication is enabled, the EXTERNAL mechanism will be |
| available on client authenticated SSL connections. This allows the |
| clients authorisation id to be taken from the validated client |
| certificate (it will be the CN with any DCs present appended as the |
| domain, e.g. CN=bob,DC=acme,DC=com would result in an identity of |
| bob@acme.com). |
| |
| [1] http://www.mozilla.org/projects/security/pki/nss/ref/ssl/gtstd.html |
| [2] http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html |
| |
| |
| Windows |
| ======= |
| |
| SSL support for Qpid-C++ on Windows is implemented using the Microsoft |
| Secure Channel (Schannel) package. Currently, only registry based |
| certificates scoped to the local machine are supported on the broker. |
| The client may specify client certificates in a user scoped store or in |
| a pkcs#12 file. |
| |
| For testing purposes, a self signed certificate can be created as |
| follows (requiring Administrator privilege on more recent versions of |
| Windows): |
| |
| makecert -ss qpidstore -n "CN=myhost.mydomain" -r -sr localmachine myhost.cer |
| |
| where "qpidstore" is an abitrary certificate store name. The |
| resulting output file "myhost.cer" is the public key of the |
| certificate that will be required by any client that wishes to |
| authenticate myhost. |
| |
| To run the server (also as Administrator on recent Windows versions): |
| |
| qpidd --ssl-cert-name myhost.mydomain --ssl-cert-store qpidstore [other-args] |
| |
| On the Windows client side, the SSL support is available without |
| loading a separate support module. For each machine or separate user |
| that will be using qpid, you must import the self signed certificate |
| as a trusted root. This can be done from the MMC certificate snapin |
| or directly using certmgr.exe. From the main window: |
| |
| select "Trusted Root Certification Authorities" |
| select "Action" -> "Import..." |
| then direct the Certificate Import Wizard to the "myhost.cer" file |
| |
| To test the setup: |
| |
| perftest --count 10000 -P ssl --port 5671 --broker myhost.mydomain |
| |
| To export the certificate to non Windows clients, note that |
| "myhost.cer" is the X.509 representation of the public key of the |
| certificate in DER format. Import the certificate into the other |
| clients if they support the DER format. Otherwise the certificate can |
| be converted to PEM format using OpenSSL |
| |
| openssl x509 -in myhost.cer -inform DER -out myhost.pem -outform PEM |
| |
| Client certificates operate much the same as for Linux, except for |
| identifying the certificate storage. Process environment variables |
| are used but the certificate name may be set or overridden by its Qpid |
| Messaging connection option. For Windows registry stores, you specify |
| the store: |
| |
| QPID_SSL_CERT_STORE=teststore |
| |
| If you omit the certificate store name, it defaults to the "Personal" or |
| "MY" store. For a certificate stored in a pkcs#12 format file, you must |
| supply the filename and a file containing the password for the |
| certificate's private key: |
| |
| QPID_SSL_CERT_FILENAME=wg444.pfx |
| QPID_SSL_CERT_PASSWORD_FILE=pw_wg444.txt |
| |
| The certificate is specified by its "friendly name", i.e. |
| |
| QPID_SSL_CERT_NAME=guest123 |
| |
| as an environment variable, or in the case of a Qpid Messaging |
| connection option: |
| |
| {transport:ssl,sasl-mechanism:EXTERNAL,ssl-cert-name:guest789} |
