Posted to users@qpid.apache.org by Jeff Donner <jd...@morphodetection.com> on 2016/08/04 23:52:36 UTC

Use of qpid-config with SSL

Hi -

  I get qpid-config connecting to the qpidd broker (on Linux), but it asks for a password each time. Since there are a lot of queues and exchanges, is there a way not to enter it manually? I don't see any way to use a response file.

Also, I think I'm making clients connect via SSL, but not be authenticated themselves (as a first step), so why is qpidd or qpid-config asking for a password?

$ cat /space/play/ssl.qpidd.conf
ssl-cert-db=/space/play/ssl_certs
ssl-cert-name=test_server
ssl-cert-password-file=/space/play/ssl_certs/tserverpw
ssl-use-export-policy=yes
ssl-require-client-authentication=no
auth=no

$ qpidd --conf /space/play/ssl.qpidd.conf

$

$ qpid-config --ssl-certificate=/space/play/ssl_certs/tserver-certificate.pem --ssl-key=/space/play/ssl_certs/tserver-private-key.pem -a amqps://localhost:5671 add queue queue1.q
Enter PEM pass phrase: ('tserverpw' works)

The cert and key are from the Proton cpp examples and seem fine, and I believe I've turned /space/play/ssl_certs into a proper db with certutil.

Thanks,
Jeff


RE: Use of qpid-config with SSL

Posted by Jeff Donner <jd...@morphodetection.com>.
Hi Jakob, thank you for the answer. 

Actually, at this most basic, web-browser level of security where just the communication is encrypted but without client authentication, I didn't need the certificate either. Just pointing at the server's SSL port, 5671, was enough:

  qpid-config -a amqps://localhost:5671 add queue queue1.q

  qpid-stat -b amqps://localhost:5671 -q
...
  queue                                     dur  autoDel  excl  msg   msgIn  msgOut  bytes  bytesIn  bytesOut  cons  bind
  =========================================================================================================================
  b3ef21b5-3b34-4e88-8f61-91375d854a1c:0.0       Y        Y        0     0      0       0      0        0         1     2
  queue1.q                                                         0     0      0       0      0        0         0     1

i.e. both work fine because there's no authentication.

For searchable posterity, when I just removed the --ssl-key I got: 
  scripts$ qpid-config -a amqps://localhost:5671 --ssl-certificate=/space/play/ssl_certs/tserver-certificate.pem add queue queue1.q
  Failed: ConnectError: [SSL] PEM lib (_ssl.c:2600)

Thanks again;

Jeff


Re: Use of qpid-config with SSL

Posted by Jakub Scholz <ja...@scholz.cz>.
Hi Jeff,

The password it is asking for is to decrypt the private key. However,
looking at your qpidd configuration, I'm not sure you really need the
private key to be specified. It looks like the broker is configured to use
SSL only with Server authentication. Therefore the client should need only
the public key. Have you tried to use the qpid-config without the --ssl-key
parameter?

Should you really need the private key, I don't think you can pass the
password as a parameter in qpid-config, but you can use a PEM file without
encryption. In such a case it would not ask for a password, but of course the
private key will not be protected by the password and encryption.

Regards
Jakub
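
An added example, not part of the original thread or of the Qpid code: a Python check that sorts a PEM file into the three cases discussed above (certificate only, encrypted key, plaintext key) and flags a plaintext key that is readable beyond its owner. The function names and the sample PEM bodies are constructed for illustration; the "no private key" case is the one where Python's ssl module, given only a certificate file, looks for the key in that same file and fails with a "PEM lib" error.

```python
import os
import re
import stat

# PEM block labels that carry a private key (PKCS#8 and legacy OpenSSL forms).
_KEY_LABEL = re.compile(r"-----BEGIN ((?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY)-----")


def classify_pem(text):
    """Return 'no-key', 'encrypted-key' or 'plaintext-key' for PEM text."""
    m = _KEY_LABEL.search(text)
    if m is None:
        return "no-key"              # certificate(s) only
    if m.group(1) == "ENCRYPTED PRIVATE KEY":
        return "encrypted-key"       # PKCS#8, encryption named in the label
    # Legacy format: encryption is announced by a header line inside the block.
    if text[m.end():].lstrip().startswith("Proc-Type: 4,ENCRYPTED"):
        return "encrypted-key"
    return "plaintext-key"


def audit_key_file(path):
    """Return findings for a key file meant for an unattended client."""
    with open(path) as fh:
        kind = classify_pem(fh.read())
    if kind == "no-key":
        return ["no private key in file"]
    if kind == "encrypted-key":
        return ["encrypted key: the client will prompt for a pass phrase"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["plaintext key readable beyond owner (mode %o)" % mode]
    return []


# Constructed samples: PEM framing only, the bodies are not real key material.
CERT_ONLY = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
              "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")
PKCS8_ENC = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
             "-----END ENCRYPTED PRIVATE KEY-----\n")
PLAIN = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name in ("CERT_ONLY", "LEGACY_ENC", "PKCS8_ENC", "PLAIN"):
        print(name, "->", classify_pem(globals()[name]))
```

If a key has to be stored without a pass phrase for scripted use, keeping the file at mode 600 under the account that runs the script is what `audit_key_file` checks for.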
