Google Git
Sign in
apache / qpid-site / 255aeca4bd52dc8a8e5d341d49d795b3c3d54f38 / . / misc / amqp / security.xml
blob: 04779459b88e4ec9b577fbbceb8be20935f90c72 [file] [log] [blame]
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="amqp.xsl"?>
<!--
Copyright Notice
================
(c) Copyright Bank of America, N.A., Barclays Bank PLC, Cisco Systems, Credit Suisse, Deutsche
Boerse, Envoy Technologies Inc., Goldman Sachs, HCL Technologies Ltd, IIT Software GmbH, iMatix
Corporation, INETCO Systems Limited, Informatica Corporation, JPMorgan Chase & Co., Kaazing
Corporation, N.A, Microsoft Corporation, my-Channels, Novell, Progress Software, Red Hat Inc.,
Software AG, Solace Systems Inc., StormMQ Ltd., Tervela Inc., TWIST Process Innovations Ltd,
VMware, Inc., and WS02 Inc.
2006-2011. All rights reserved.
License
=======
Bank of America, N.A., Barclays Bank PLC, Cisco Systems, Credit Suisse, Deutsche Boerse, Goldman
Sachs, HCL Technologies Ltd, IIT Software GmbH, INETCO Systems Limited, Informatica Corporation,
JPMorgan Chase & Co., Kaazing Corporation, N.A, Microsoft Corporation, my-Channels, Novell,
Progress Software, Red Hat Inc., Software AG, Solace Systems Inc., StormMQ Ltd., Tervela Inc.,
TWIST Process Innovations Ltd, VMware, Inc., and WS02 Inc. (collectively, the "Authors") each
hereby grants to you a worldwide, perpetual, royalty-free, nontransferable, nonexclusive license
to (i) copy, display, distribute and implement the Advanced Message Queuing Protocol ("AMQP")
Specification and (ii) the Licensed Claims that are held by the Authors, all for the purpose of
implementing the Advanced Message Queuing Protocol Specification. Your license and any rights
under this Agreement will terminate immediately without notice from any Author if you bring any
claim, suit, demand, or action related to the Advanced Message Queuing Protocol Specification
against any Author. Upon termination, you shall destroy all copies of the Advanced Message Queuing
Protocol Specification in your possession or control.
As used hereunder, "Licensed Claims" means those claims of a patent or patent application,
throughout the world, excluding design patents and design registrations, owned or controlled, or
that can be sublicensed without fee and in compliance with the requirements of this Agreement, by
an Author or its affiliates now or at any future time and which would necessarily be infringed by
implementation of the Advanced Message Queuing Protocol Specification. A claim is necessarily
infringed hereunder only when it is not possible to avoid infringing it because there is no
plausible non-infringing alternative for implementing the required portions of the Advanced
Message Queuing Protocol Specification. Notwithstanding the foregoing, Licensed Claims shall not
include any claims other than as set forth above even if contained in the same patent as Licensed
Claims; or that read solely on any implementations of any portion of the Advanced Message Queuing
Protocol Specification that are not required by the Advanced Message Queuing Protocol
Specification, or that, if licensed, would require a payment of royalties by the licensor to
unaffiliated third parties. Moreover, Licensed Claims shall not include (i) any enabling
technologies that may be necessary to make or use any Licensed Product but are not themselves
expressly set forth in the Advanced Message Queuing Protocol Specification (e.g., semiconductor
manufacturing technology, compiler technology, object oriented technology, networking technology,
operating system technology, and the like); or (ii) the implementation of other published
standards developed elsewhere and merely referred to in the body of the Advanced Message Queuing
Protocol Specification, or (iii) any Licensed Product and any combinations thereof the purpose or
function of which is not required for compliance with the Advanced Message Queuing Protocol
Specification. For purposes of this definition, the Advanced Message Queuing Protocol
Specification shall be deemed to include both architectural and interconnection requirements
essential for interoperability and may also include supporting source code artifacts where such
architectural, interconnection requirements and source code artifacts are expressly identified as
being required or documentation to achieve compliance with the Advanced Message Queuing Protocol
Specification.
As used hereunder, "Licensed Products" means only those specific portions of products (hardware,
software or combinations thereof) that implement and are compliant with all relevant portions of
the Advanced Message Queuing Protocol Specification.
The following disclaimers, which you hereby also acknowledge as to any use you may make of the
Advanced Message Queuing Protocol Specification:
THE ADVANCED MESSAGE QUEUING PROTOCOL SPECIFICATION IS PROVIDED "AS IS," AND THE AUTHORS MAKE NO
REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR TITLE; THAT THE CONTENTS
OF THE ADVANCED MESSAGE QUEUING PROTOCOL SPECIFICATION ARE SUITABLE FOR ANY PURPOSE; NOR THAT THE
IMPLEMENTATION OF THE ADVANCED MESSAGE QUEUING PROTOCOL SPECIFICATION WILL NOT INFRINGE ANY THIRD
PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
THE AUTHORS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL
DAMAGES ARISING OUT OF OR RELATING TO ANY USE, IMPLEMENTATION OR DISTRIBUTION OF THE ADVANCED
MESSAGE QUEUING PROTOCOL SPECIFICATION.
The name and trademarks of the Authors may NOT be used in any manner, including advertising or
publicity pertaining to the Advanced Message Queuing Protocol Specification or its contents
without specific, written prior permission. Title to copyright in the Advanced Message Queuing
Protocol Specification will at all times remain with the Authors.
No other rights are granted by implication, estoppel or otherwise.
Upon termination of your license or rights under this Agreement, you shall destroy all copies of
the Advanced Message Queuing Protocol Specification in your possession or control.
Trademarks
==========
"JPMorgan", "JPMorgan Chase", "Chase", the JPMorgan Chase logo and the Octagon Symbol are
trademarks of JPMorgan Chase & Co.
RED HAT is a registered trademarks of Red Hat, Inc. in the US and other countries.
Other company, product, or service names may be trademarks or service marks of others.
Link to full AMQP specification:
=================================
http://www.amqp.org/confluence/display/AMQP/AMQP+Specification
-->
<!DOCTYPE amqp SYSTEM "amqp.dtd">
<amqp xmlns="http://www.amqp.org/schema/amqp.xsd"
name="security" label="working version">
<section name="security-layers" title="Security Layers" label="Security Layers">
<doc>
<p>
Security Layers are used to establish an authenticated and/or encrypted transport over which
regular AMQP traffic can be tunneled. Security Layers may be tunneled over one another (for
instance a Security Layer used by the peers to do authentication may be tunneled over a
Security Layer established for encryption purposes).
</p>
<p>
The framing and protocol definitions for security layers are expected to be defined
externally to the AMQP specification as in the case of TLS. An exception to this is the SASL
security layer which depends on its host protocol to provide framing. Because of this we
define the frames necessary for SASL to function in <xref name="sasl"/> below. When a
security layer terminates (either before or after a secure tunnel is established), the TCP
Connection MUST be closed by first shutting down the outgoing stream and then reading the
incoming stream until it is terminated.
</p>
</doc>
</section>
<section name="tls" title="TLS" label="TLS Security Layer">
<doc>
<p>
To establish a TLS tunnel, each peer MUST start by sending a protocol header. The protocol
header consists of the upper case ASCII letters "AMQP" followed by a protocol id of two,
followed by three unsigned bytes representing the major, minor, and revision of the
specification version (currently <xref name="TLS-MAJOR"/>, <xref name="TLS-MINOR"/>,
<xref name="TLS-REVISION"/>). In total this is an 8-octet sequence:
</p>
<picture><![CDATA[
4 OCTETS 1 OCTET 1 OCTET 1 OCTET 1 OCTET
+----------+---------+---------+---------+----------+
| "AMQP" | %d2 | major | minor | revision |
+----------+---------+---------+---------+----------+
]]>
</picture>
<p>
Other than using a protocol id of two, the exchange of TLS tunnel headers follows the same
rules specified in the version negotiation section of the transport specification (See
<xref name="version-negotiation"/>).
</p>
</doc>
<doc>
<p>
The following diagram illustrates the interaction involved in creating a TLS Security Layer:
</p>
<picture><![CDATA[
TCP Client TCP Server
=========================================
AMQP%d2.1.0.0 --------->
<--------- AMQP%d2.1.0.0
:
:
<TLS negotiation>
:
:
AMQP%d0.1.0.0 ---------> (over TLS secured connection)
<--------- AMQP%d0.1.0.0
open --------->
<--------- open
]]>
</picture>
<p>
When the use of the TLS Security Layer is negotiated, the following rules apply:
</p>
<ul>
<li>
<p>
The TLS client peer and TLS server peer are determined by the TCP client peer and TCP
server peer respectively.
</p>
</li>
<li>
<p>
The TLS client peer SHOULD use the server name indication extension as described in
RFC-4366. If it does so, then it is implementation-specific what happens if this
differs to hostname in the <xref type="type" name="sasl-init"/> and
<xref type="type" name="open"/> frame frames.
</p>
<p>
This field can be used by AMQP proxies to determine the correct back-end service to
connect the client to, and to determine the domain to validate the client's
credentials against if TLS client certificates are being used.
</p>
</li>
<li>
<p>
The TLS client MUST validate the certificate presented by the TLS server.
</p>
</li>
<li>
<p>
Implementations MAY choose to use TLS with unidirectional shutdown, i.e. an application
initiating shutdown using close_notify is not obliged to wait for the peer to respond,
and MAY close the write-half of the TCP socket.
</p>
</li>
</ul>
</doc>
<doc title="Alternative Establishment">
<p>
In certain situations, such as connecting through firewalls, it may not be possible to
establish a TLS security layer using tunnelling. This might be because a deep packet
inspecting firewall sees the first few bytes of the connection 'as not being TLS'.
</p>
<p>
As an alternative, implementations MAY run a pure TLS server, i.e., one that does not
expect the tunnel negotiation handshake. The IANA service name for this is amqps and the
port is <xref name="SECURE-PORT"/> (5671). Implementations may also choose to run this pure
TLS server on other ports, should this be operationally required (e.g. to tunnel through a
legacy firewall that only expects TLS traffic on port 443).
</p>
</doc>
<definition name="TLS-MAJOR" value="1" label="major protocol version" />
<definition name="TLS-MINOR" value="0" label="minor protocol version" />
<definition name="TLS-REVISION" value="0" label="protocol revision" />
</section>
<!-- == Section: sasl ======================================================================== -->
<section name="sasl" title="SASL" label="SASL Security Layer">
<doc>
<p>
To establish a SASL tunnel, each peer MUST start by sending a protocol header. The protocol
header consists of the upper case ASCII letters "AMQP" followed by a protocol id of three,
followed by three unsigned bytes representing the major, minor, and revision of the
specification version (currently <xref name="SASL-MAJOR"/>, <xref name="SASL-MINOR"/>,
<xref name="SASL-REVISION"/>). In total this is an 8-octet sequence:
</p>
<picture><![CDATA[
4 OCTETS 1 OCTET 1 OCTET 1 OCTET 1 OCTET
+----------+---------+---------+---------+----------+
| "AMQP" | %d3 | major | minor | revision |
+----------+---------+---------+---------+----------+
]]>
</picture>
<p>
Other than using a protocol id of three, the exchange of SASL tunnel headers follows the
same rules specified in the version negotiation section of the transport specification (See
<xref name="version-negotiation"/>).
</p>
<p>
The following diagram illustrates the interaction involved in creating a SASL Security
Layer:
</p>
<picture><![CDATA[
TCP Client TCP Server
=========================================
AMQP%d3.1.0.0 --------->
<--------- AMQP%d3.1.0.0
:
:
<SASL negotiation>
:
:
AMQP%d0.1.0.0 ---------> (over SASL secured connection)
<--------- AMQP%d0.1.0.0
open --------->
<--------- open
]]>
</picture>
</doc>
<doc title="SASL Frames">
<p>
SASL is negotiated using <xref name="framing"/>. A SASL frame has a type code of 0x01.
Bytes 6 and 7 of the header are ignored. Implementations SHOULD set these to 0x00. The
extended header is ignored. Implementations SHOULD therefore set DOFF to 0x02.
</p>
<picture title="SASL Frame"><![CDATA[
type: 0x01 - SASL frame
+0 +1 +2 +3
+-----------------------------------+ -.
0 | SIZE | |
+-----------------------------------+ |---> Frame Header
4 | DOFF | TYPE | <IGNORED>*1 | | (8 bytes)
+-----------------------------------+ -'
+-----------------------------------+ -.
8 | ... | |
. . |---> Extended Header
. <IGNORED>*2 . | (DOFF * 4 - 8) bytes
| ... | |
+-----------------------------------+ -'
+-----------------------------------+ -.
4*DOFF | | |
. . |
. . |
. Sasl Mechanisms / Sasl Init . |
. Sasl Challenge / Sasl Response . |---> Frame Body
. Sasl Outcome . | (SIZE - DOFF * 4) bytes
. . |
. . |
. ________| |
| ... | |
+--------------------------+ -'
*1 SHOULD be set to 0x0000
*2 Ignored, so DOFF should be set to 0x02
]]>
</picture>
<p>
The maximum size of a SASL frame is defined by <xref name="MIN-MAX-FRAME-SIZE"/>. There is
no mechanism within the SASL negotiation to negotiate a different size. The frame body of a
SASL frame may contain exactly one AMQP type, whose type encoding must have
<![CDATA[ provides="sasl-frame" ]]>. Receipt of an empty frame is an irrecoverable error.
</p>
</doc>
<doc title="SASL Negotiation">
<p>
The peer acting as the SASL Server must announce supported authentication mechanisms using
the <xref name="sasl-mechanisms"/> frame. The partner must then choose one of the supported
mechanisms and initiate a sasl exchange.
</p>
<picture title="SASL Exchange"><![CDATA[
SASL Client SASL Server
================================
<-- SASL-MECHANISMS
SASL-INIT -->
...
<-- SASL-CHALLENGE *
SASL-RESPONSE -->
...
<-- SASL-OUTCOME
--------------------------------
* Note that the SASL
challenge/response step may
occur zero or more times
depending on the details of
the SASL mechanism chosen.
]]>
</picture>
<p>
The peer playing the role of the SASL Client and the peer playing the role of the SASL
server MUST correspond to the TCP client and server respectively.
</p>
</doc>
<doc title="Security Frame Bodies"/>
<!-- - Frame: sasl-mechanisms - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<type class="composite" name="sasl-mechanisms" source="list" provides="sasl-frame"
label="advertise available sasl mechanisms">
<doc>
<p>
Advertises the available SASL mechanisms that may be used for authentication.
</p>
</doc>
<descriptor name="amqp:sasl-mechanisms:list" code="0x00000000:0x00000040"/>
<field name="sasl-server-mechanisms" type="symbol" multiple="true" mandatory="true"
label="supported sasl mechanisms">
<doc>
<p>
A list of the sasl security mechanisms supported by the sending peer. It is invalid
for this list to be null or empty. If the sending peer does not require its partner
to authenticate with it, then it should send a list of one element with its value as
the SASL mechanism <i>ANONYMOUS</i>. The server mechanisms are ordered in decreasing
level of preference.
</p>
</doc>
</field>
</type>
<!-- - Frame: sasl-init - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<type class="composite" name="sasl-init" source="list" provides="sasl-frame"
label="initiate sasl exchange">
<doc>
<p>Selects the sasl mechanism and provides the initial response if needed.</p>
</doc>
<descriptor name="amqp:sasl-init:list" code="0x00000000:0x00000041"/>
<field name="mechanism" type="symbol" label="selected security mechanism" mandatory="true">
<doc>
<p>
The name of the SASL mechanism used for the SASL exchange. If the selected mechanism is
not supported by the receiving peer, it MUST close the Connection with the
authentication-failure close-code. Each peer MUST authenticate using the highest-level
security profile it can handle from the list provided by the partner.
</p>
</doc>
</field>
<field name="initial-response" type="binary" label="security response data">
<doc>
<p>
A block of opaque data passed to the security mechanism. The contents of this data are
defined by the SASL security mechanism.
</p>
</doc>
</field>
<field name="hostname" type="string" label="the name of the target host">
<doc>
<p>
The DNS name of the host (either fully qualified or relative) to which the sending peer
is connecting. It is not mandatory to provide the hostname. If no hostname is provided
the receiving peer should select a default based on its own configuration.
</p>
<p>
This field can be used by AMQP proxies to determine the correct back-end service to
connect the client to, and to determine the domain to validate the client's credentials
against.
</p>
<p>
This field may already have been specified by the server name indication extension as
described in RFC-4366, if a TLS layer is used, in which case this field SHOULD be null
or contain the same value. It is undefined what a different value to those already
specific means.
</p>
</doc>
</field>
</type>
<!-- - Frame: sasl-challenge - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<type class="composite" name="sasl-challenge" source="list" provides="sasl-frame"
label="security mechanism challenge">
<doc>
<p>Send the SASL challenge data as defined by the SASL specification.</p>
</doc>
<descriptor name="amqp:sasl-challenge:list" code="0x00000000:0x00000042"/>
<field name="challenge" type="binary" label="security challenge data" mandatory="true">
<doc>
<p>
Challenge information, a block of opaque binary data passed to the security
mechanism.
</p>
</doc>
</field>
</type>
<!-- - Frame: sasl-response - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<type class="composite" name="sasl-response" source="list" provides="sasl-frame"
label="security mechanism response">
<doc>
<p>Send the SASL response data as defined by the SASL specification.</p>
</doc>
<descriptor name="amqp:sasl-response:list" code="0x00000000:0x00000043"/>
<field name="response" type="binary" label="security response data" mandatory="true">
<doc>
<p>
A block of opaque data passed to the security mechanism. The contents of this data are
defined by the SASL security mechanism.
</p>
</doc>
</field>
</type>
<!-- - Frame: sasl-outcome - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<type class="composite" name="sasl-outcome" source="list" provides="sasl-frame"
label="indicates the outcome of the sasl dialog">
<doc>
<p>
This frame indicates the outcome of the SASL dialog. Upon successful completion of the
SASL dialog the Security Layer has been established, and the peers must exchange protocol
headers to either start a nested Security Layer, or to establish the AMQP Connection.
</p>
</doc>
<descriptor name="amqp:sasl-outcome:list" code="0x00000000:0x00000044"/>
<field name="code" type="sasl-code" mandatory="true"
label="indicates the outcome of the sasl dialog">
<doc>
<p>A reply-code indicating the outcome of the SASL dialog.</p>
</doc>
</field>
<field name="additional-data" type="binary" label="additional data as specified in RFC-4422">
<doc>
<p>
The additional-data field carries additional data on successful authentication outcome
as specified by the SASL specification (RFC-4422). If the authentication is
unsuccessful, this field is not set.
</p>
</doc>
</field>
</type>
<type class="restricted" name="sasl-code" source="ubyte"
label="codes to indicate the outcome of the sasl dialog">
<choice name="ok" value="0">
<doc>
<p>Connection authentication succeeded.</p>
</doc>
</choice>
<choice name="auth" value="1">
<doc>
<p>
Connection authentication failed due to an unspecified problem with the supplied
credentials.
</p>
</doc>
</choice>
<choice name="sys" value="2">
<doc>
<p>Connection authentication failed due to a system error.</p>
</doc>
</choice>
<choice name="sys-perm" value="3">
<doc>
<p>
Connection authentication failed due to a system error that is unlikely to be corrected
without intervention.
</p>
</doc>
</choice>
<choice name="sys-temp" value="4">
<doc>
<p>
Connection authentication failed due to a transient system error.
</p>
</doc>
</choice>
</type>
<definition name="SASL-MAJOR" value="1" label="major protocol version" />
<definition name="SASL-MINOR" value="0" label="minor protocol version" />
<definition name="SASL-REVISION" value="0" label="protocol revision" />
</section>
</amqp>