Posted to users@qpid.apache.org by Jeff Donner <jd...@morphodetection.com> on 2017/01/09 07:50:03 UTC

Want to add a key PEM file password option to qpidd admin tools

Hi,

  I want to authenticate the admin tools to qpidd with SSL + SASL EXTERNAL, which so far looks something like this:

qpid-config --broker amqps://dev-qpidclient@localhost:5672 \
            --ssl-certificate=pki/client/certs/client-cert.pem \
            --ssl-key=pki/client/private/client-keys.pem \
            --sasl-mechanism=EXTERNAL \
            add queue examples

(Clients proper I have working.)

Are you expected to leave the client-keys.pem file unencrypted, but readable only by an admin account which runs the qpid-config etc commands, or is there a way to pass a filename that /contains the password for/ an encrypted client-keys.pem file?

Any tips for how to go about adding support for this if not?

Thanks,
Jeff


RE: Want to add a key PEM file password option to qpidd admin tools

Posted by Jeff Donner <jd...@morphodetection.com>.
>> Are you expected to leave the client-keys.pem file unencrypted, but readable only by an admin account which runs the qpid-config etc commands,

> Yes, I *think* that is the case at present.

Yes, that works - I should have tested it earlier.

Thanks for the roadmap, I think I'm going to go with the first method though.

Jeff
________________________________________
From: Gordon Sim [gsim@redhat.com]
Sent: Monday, January 09, 2017 4:16 AM
To: users@qpid.apache.org
Subject: Re: Want to add a key PEM file password option to qpidd admin tools

On 09/01/17 07:50, Jeff Donner wrote:
> Hi,
>
>   I want to authenticate the admin tools to qpidd with SSL + SASL EXTERNAL,
>
> which so far looks something like this:
>
> qpid-config --broker amqps://dev-qpidclient@localhost:5672 \
>             --ssl-certificate=pki/client/certs/client-cert.pem \
>             --ssl-key=pki/client/private/client-keys.pem \
>             --sasl-mechanism=EXTERNAL \
>             add queue examples
>
> (Clients proper I have working.)
>
> Are you expected to leave the client-keys.pem file unencrypted, but readable only by an admin account which runs the qpid-config etc commands,

Yes, I *think* that is the case at present.

> or is there a way to pass a filename that /contains the password for/ an encrypted client-keys.pem file?
>
> Any tips for how to go about adding support for this if not?

From a quick look at the code, the python client the tool uses, uses
ssl.wrap_socket which doesn't expose the ability to set a password. The
python docs suggest using SSLContext.wrap_socket() instead, as
SSLContext allows a password providing function to be specified when
retrieving the key.

So I think the fix required would first be to move the code in
qpid.messaging.transports.py to use SSLContext.wrap_socket. Then to
expose an extra option on the connection to specify the password file
(in qpid.messaging.endpoints.py) and use that from transports.py.
Finally that option would need to be exposed to qpid-config, qpid-stat etc.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org




Re: Want to add a key PEM file password option to qpidd admin tools

Posted by Gordon Sim <gs...@redhat.com>.
On 09/01/17 07:50, Jeff Donner wrote:
> Hi,
>
>   I want to authenticate the admin tools to qpidd with SSL + SASL EXTERNAL,
>
> which so far looks something like this:
>
> qpid-config --broker amqps://dev-qpidclient@localhost:5672 \
>             --ssl-certificate=pki/client/certs/client-cert.pem \
>             --ssl-key=pki/client/private/client-keys.pem \
>             --sasl-mechanism=EXTERNAL \
>             add queue examples
>
> (Clients proper I have working.)
>
> Are you expected to leave the client-keys.pem file unencrypted, but readable only by an admin account which runs the qpid-config etc commands,

Yes, I *think* that is the case at present.

> or is there a way to pass a filename that /contains the password for/ an encrypted client-keys.pem file?
>
> Any tips for how to go about adding support for this if not?

From a quick look at the code, the python client the tool uses, uses
ssl.wrap_socket which doesn't expose the ability to set a password. The
python docs suggest using SSLContext.wrap_socket() instead, as
SSLContext allows a password providing function to be specified when
retrieving the key.

So I think the fix required would first be to move the code in
qpid.messaging.transports.py to use SSLContext.wrap_socket. Then to
expose an extra option on the connection to specify the password file
(in qpid.messaging.endpoints.py) and use that from transports.py.
Finally that option would need to be exposed to qpid-config, qpid-stat etc.
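As an added example (not code from the Qpid project or from this thread), this is what the SSLContext-based approach described above can look like with Python's standard library: the key file is inspected for an encryption header, the passphrase is read from a separate password file only when OpenSSL asks for it through the callable form of `password`, and both the password file and a plaintext key are refused unless they are private to the invoking user. All function and file names are assumptions; `ssl.wrap_socket` itself was removed in Python 3.12.

```python
import os
import ssl
import stat

def assert_private(path):
    """Refuse a file that is group/world accessible or not owned by the caller."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s must not be group/world accessible" % path)
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        raise PermissionError("%s must be owned by the invoking user" % path)
    return path

def key_is_encrypted(keyfile):
    """True if the PEM declares itself encrypted (PKCS#8 or legacy OpenSSL form)."""
    with open(keyfile, "r", errors="replace") as f:
        head = f.read(4096)
    return ("BEGIN ENCRYPTED PRIVATE KEY" in head
            or "Proc-Type: 4,ENCRYPTED" in head)

def read_key_password(password_file):
    """First line of the password file; called by OpenSSL only when it needs it."""
    with open(assert_private(password_file), "rb") as f:
        return f.readline().rstrip(b"\r\n")

def make_client_context(certfile, keyfile, cafile=None, password_file=None):
    """Client SSLContext for an SSL + SASL EXTERNAL login (hypothetical helper)."""
    encrypted = key_is_encrypted(keyfile)
    if encrypted and password_file is None:
        raise ValueError("%s is encrypted; pass a password file" % keyfile)
    if not encrypted:
        assert_private(keyfile)  # plaintext key: file permissions are the only guard
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    password = None
    if password_file is not None:
        # Callable form: the passphrase never appears in argv or environment.
        password = lambda: read_key_password(password_file)
    ctx.load_cert_chain(certfile, keyfile, password=password)
    return ctx

# Replacing ssl.wrap_socket(sock, keyfile=..., certfile=...) then becomes:
#   ctx = make_client_context("client-cert.pem", "client-keys.pem",
#                             password_file="client-keys.pass")
#   tls = ctx.wrap_socket(sock, server_hostname="localhost")
```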

