Posted to users@activemq.apache.org by slew77 <st...@yahoo.co.uk> on 2015/10/14 18:48:02 UTC

Artemis - Certificate Security

Hi,

Hoping to get some advice on adding a security plugin to Artemis.

We are using an Artemis 1.1.0 broker. 

Client systems post messages to a common queue and listen for messages on a
client specific queue.

There will be thousands of client systems.

Each client should be able to write to the common queue, but not read from
it. Each client should be able to read from their response queue only, but
not write to it.

We must base this access on the client certificate used to connect, i.e. we
can't use username/password.

The docs suggest it's possible to add a JAAS plugin, is that correct and is
there an example I could follow? If it is possible, is it feasible to base
the authorisation on the client certificate? Ideally we'd do a lookup from
the certificate thumbprint to get either a username or the roles that we
need. Any help gratefully received!

Thanks in advance,
Steve.



--
View this message in context: http://activemq.2283324.n4.nabble.com/Artemis-Certificate-Security-tp4702960.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
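Added example (an editor's illustration, not code from this thread or from the Artemis project): a JAAS login module that does the thumbprint lookup Steve asks for, turning the leaf certificate of a connection into a user name plus a role set. It assumes the certificate login module Justin mentions elsewhere in the thread keeps the two abstract hooks of ActiveMQ 5's CertificateLoginModule (getUserNameForCertificates and getUserRoles) and lives in the package named in the import; the example.security package, the in-memory registry and the sample thumbprint are placeholders.

```java
package example.security; // hypothetical package

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
// Assumption: the Artemis port of ActiveMQ 5's CertificateLoginModule lives here
// and keeps the two abstract hooks overridden below.
import org.apache.activemq.artemis.spi.core.security.jaas.CertificateLoginModule;

/**
 * Maps the SHA-256 thumbprint of the presented client certificate to a user
 * name and a role set. The TLS layer has already validated the chain against
 * the broker's trust store; this module only decides which client it is.
 */
public class ThumbprintCertificateLoginModule extends CertificateLoginModule {

   // Hypothetical registry of issued certificates, keyed by lower-case hex
   // SHA-256 thumbprint. In production back this with a store that is updated
   // as client certs are issued and revoked; the entry below is a constructed
   // sample, not a real thumbprint.
   private static final Map<String, String> USER_BY_THUMBPRINT = new HashMap<>();
   static {
      USER_BY_THUMBPRINT.put(
         "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff",
         "client-0001");
   }

   /** SHA-256 over the DER encoding, as lower-case hex without separators. */
   public static String thumbprint(X509Certificate cert) throws CertificateEncodingException {
      try {
         byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
         StringBuilder hex = new StringBuilder(digest.length * 2);
         for (byte b : digest) {
            hex.append(String.format("%02x", b));
         }
         return hex.toString();
      } catch (NoSuchAlgorithmException e) {
         throw new IllegalStateException("SHA-256 not available in this JVM", e);
      }
   }

   @Override
   protected String getUserNameForCertificates(X509Certificate[] certs) throws LoginException {
      if (certs == null || certs.length == 0) {
         throw new FailedLoginException("No client certificate presented");
      }
      // certs[0] is the leaf certificate; intermediates and the CA follow.
      // Keying on the leaf means a renewed certificate is a new identity until
      // the registry is updated, which is the behaviour you want for revocation.
      String thumbprint;
      try {
         thumbprint = thumbprint(certs[0]);
      } catch (CertificateEncodingException e) {
         throw new FailedLoginException("Client certificate could not be encoded");
      }
      String user = USER_BY_THUMBPRINT.get(thumbprint);
      if (user == null) {
         // Do not echo the thumbprint back to the peer in the failure message.
         throw new FailedLoginException("Client certificate is not registered");
      }
      return user;
   }

   @Override
   protected Set<String> getUserRoles(String username) throws LoginException {
      Set<String> roles = new HashSet<>();
      roles.add("client");   // shared role: may send to the common request queue
      roles.add(username);   // per-client role: may consume from that client's response queue
      return roles;
   }
}
```

With the module registered in the JAAS login configuration and a security manager that supplies the certificate callback, the two roles line up with ordinary security-settings: a send permission on the common queue for the role client, and a consume permission on each client's response queue for that client's own role. A static entry per response queue does not scale to thousands of clients, which is the gap the rest of the thread is about. Keying the registry on the whole-certificate thumbprint rather than the subject DN is a deliberate choice: two certificates with the same subject but different keys must not share an identity.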

Re: Artemis - Certificate Security

Posted by Clebert Suconic <cl...@gmail.com>.
You want to do this specifically for openWire only? what about Artemis
Core Protocol?

On Thu, Oct 15, 2015 at 12:01 PM, slew77 <st...@yahoo.co.uk> wrote:
> So based on ActiveMQ 5, I want to grab the certificate from the
> ConnectionInfo.transportContext.
>
> I can get the certificate array in ActiveMQChannelHandler.channelRead, but
> that means I have to propagate it using bufferReceived.
>
> Then in OpenWireConnection.bufferReceived I can setTransportContext on the
> ConnectionInfo object, which is the unmarshalled buffer.
>
> OK approach or did you have another plan in mind?
>



-- 
Clebert Suconic

Re: Artemis - Certificate Security

Posted by Justin Bertram <jb...@redhat.com>.
FYI - I'm almost done with this.  I'll be sending a PR in the next few days.


Justin

----- Original Message -----
From: "Justin Bertram" <jb...@apache.com>
To: users@activemq.apache.org
Sent: Tuesday, October 27, 2015 9:26:55 AM
Subject: Re: Artemis - Certificate Security

Have you made any progress on this?  I'm getting ready to devote a bit of time to this and wanted to make sure I wasn't going to implement something you already had working.


Justin

----- Original Message -----
From: "slew77" <st...@yahoo.co.uk>
To: users@activemq.apache.org
Sent: Friday, October 16, 2015 2:34:02 AM
Subject: Re: Artemis - Certificate Security

Hi,

If the certificates are set in ActiveMQChannelHandler.channelRead then they
should be available to all protocols no?

E.g.:


Then we'll need a different ActiveMQSecurityManager depending on which
callback handler is needed, JaasCertificateCallbackHandler or
JaasCredentialCallbackHandler.

Cheers,
Steve




Re: Artemis - Certificate Security

Posted by Justin Bertram <jb...@apache.com>.
Have you made any progress on this?  I'm getting ready to devote a bit of time to this and wanted to make sure I wasn't going to implement something you already had working.


Justin

----- Original Message -----
From: "slew77" <st...@yahoo.co.uk>
To: users@activemq.apache.org
Sent: Friday, October 16, 2015 2:34:02 AM
Subject: Re: Artemis - Certificate Security

Hi,

If the certificates are set in ActiveMQChannelHandler.channelRead then they
should be available to all protocols no?

E.g.:


Then we'll need a different ActiveMQSecurityManager depending on which
callback handler is needed, JaasCertificateCallbackHandler or
JaasCredentialCallbackHandler.

Cheers,
Steve




Re: Artemis - Certificate Security

Posted by slew77 <st...@yahoo.co.uk>.
Hi,

If the certificates are set in ActiveMQChannelHandler.channelRead then they
should be available to all protocols no?

E.g.:


Then we'll need a different ActiveMQSecurityManager depending on which
callback handler is needed, JaasCertificateCallbackHandler or
JaasCredentialCallbackHandler.

Cheers,
Steve



--
View this message in context: http://activemq.2283324.n4.nabble.com/Artemis-Certificate-Security-tp4702960p4703026.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
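Added example (an editor's illustration; it is neither the snippet that was stripped from the post above nor Artemis code): one way to pull the verified client chain out of the Netty pipeline in a channelRead and park it on the channel, so that every protocol handler behind it can read the same attribute instead of each protocol threading the certificate through its own transport context. It assumes the acceptor's pipeline already contains an SslHandler ahead of this handler and that client authentication is required at the TLS layer; the handler class and attribute name are hypothetical.

```java
package example.security; // hypothetical package

import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.AttributeKey;
import io.netty.util.ReferenceCountUtil;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/**
 * Captures the authenticated peer certificate chain once per channel and
 * stores it as a channel attribute for the protocol handlers further down
 * the pipeline. Sits after the SslHandler and before any protocol decoder.
 */
public class ClientCertificateCaptureHandler extends ChannelInboundHandlerAdapter {

   /** Channel attribute holding the verified chain, leaf first (hypothetical name). */
   public static final AttributeKey<X509Certificate[]> PEER_CERTS =
      AttributeKey.valueOf("example.peerCertificates");

   @Override
   public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
      if (ctx.channel().attr(PEER_CERTS).get() == null) {
         X509Certificate[] chain = peerChain(ctx);
         if (chain == null) {
            // No authenticated client certificate: drop the frame and close,
            // rather than letting an unidentified connection continue.
            ReferenceCountUtil.release(msg);
            ctx.close();
            return;
         }
         ctx.channel().attr(PEER_CERTS).set(chain);
      }
      // Pass the frame on unchanged; a later handler reads PEER_CERTS.
      ctx.fireChannelRead(msg);
   }

   /**
    * Returns the peer's chain (leaf first) if the TLS handshake completed with
    * client authentication, otherwise null. The first application-data frame
    * only reaches channelRead after the handshake, so the session is settled.
    */
   static X509Certificate[] peerChain(ChannelHandlerContext ctx) {
      SslHandler ssl = ctx.pipeline().get(SslHandler.class);
      if (ssl == null) {
         return null; // plain-text acceptor: there is nothing to capture
      }
      SSLSession session = ssl.engine().getSession();
      try {
         Certificate[] certs = session.getPeerCertificates();
         X509Certificate[] chain = new X509Certificate[certs.length];
         for (int i = 0; i < certs.length; i++) {
            if (!(certs[i] instanceof X509Certificate)) {
               return null;
            }
            chain[i] = (X509Certificate) certs[i];
         }
         return chain;
      } catch (SSLPeerUnverifiedException e) {
         // The handshake did not authenticate the client: no certificate was
         // sent, or the acceptor only wanted rather than needed client auth.
         return null;
      }
   }
}
```

Two details worth keeping if this is adapted: the acceptor must require client authentication (needClientAuth on the Artemis acceptor), otherwise getPeerCertificates throws for every connection that simply declined to send a certificate, and the handler then closes all of them; and the buffer is released before the close so the rejected frame is not leaked.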

Re: Artemis - Certificate Security

Posted by Justin Bertram <jb...@apache.com>.
I haven't looked into it in too much detail, but whatever is done should be done far enough into the broker that it works for all (or at least most) of the protocols.  I think you'd probably need to create a new extension of org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager.


Justin

----- Original Message -----
From: "slew77" <st...@yahoo.co.uk>
To: users@activemq.apache.org
Sent: Thursday, October 15, 2015 11:01:37 AM
Subject: Re: Artemis - Certificate Security

So based on ActiveMQ 5, I want to grab the certificate from the
ConnectionInfo.transportContext.

I can get the certificate array in ActiveMQChannelHandler.channelRead, but
that means I have to propagate it using bufferReceived.

Then in OpenWireConnection.bufferReceived I can setTransportContext on the
ConnectionInfo object, which is the unmarshalled buffer.

OK approach or did you have another plan in mind?




Re: Artemis - Certificate Security

Posted by slew77 <st...@yahoo.co.uk>.
So based on ActiveMQ 5, I want to grab the certificate from the
ConnectionInfo.transportContext.

I can get the certificate array in ActiveMQChannelHandler.channelRead, but
that means I have to propagate it using bufferReceived.

Then in OpenWireConnection.bufferReceived I can setTransportContext on the
ConnectionInfo object, which is the unmarshalled buffer.

OK approach or did you have another plan in mind?



--
View this message in context: http://activemq.2283324.n4.nabble.com/Artemis-Certificate-Security-tp4702960p4703003.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: Artemis - Certificate Security

Posted by Justin Bertram <jb...@apache.com>.
I recently added support for JAAS modules which utilize username/password for authentication and authorization.  See here [1].  Part of that work involved importing the certificate JAAS module as well, but Artemis doesn't yet have all the plumbing necessary to support it since it doesn't pass around the certificate to all the relevant parties.  I plan on adding support for this in the future, but I'm working on other things at the moment.  Feel free to contribute.


Justin

[1] https://github.com/jbertram/activemq-artemis/commit/6ed9c5ae91dc7a08cdb3825fb17a5da24037fa36

----- Original Message -----
From: "slew77" <st...@yahoo.co.uk>
To: users@activemq.apache.org
Sent: Wednesday, October 14, 2015 11:48:02 AM
Subject: Artemis - Certificate Security

Hi,

Hoping to get some advice on adding a security plugin to Artemis.

We are using an Artemis 1.1.0 broker. 

Client systems post messages to a common queue and listen for messages on a
client specific queue.

There will be thousands of client systems.

Each client should be able to write to the common queue, but not read from
it. Each client should be able to read from their response queue only, but
not write to it.

We must base this access on the client certificate used to connect, i.e. we
can't use username/password.

The docs suggest it's possible to add a JAAS plugin, is that correct and is
there an example I could follow? If it is possible, is it feasible to base
the authorisation on the client certificate? Ideally we'd do a lookup from
the certificate thumbprint to get either a username or the roles that we
need. Any help gratefully received!

Thanks in advance,
Steve.


