Posted to dev@qpid.apache.org by "Rob Godfrey (JIRA)" <ji...@apache.org> on 2012/05/17 21:46:08 UTC

[jira] [Commented] (QPID-4007) [Java Broker] Add Kerberos authentication support to the Java Broker

    [ https://issues.apache.org/jira/browse/QPID-4007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13278160#comment-13278160 ] 

Rob Godfrey commented on QPID-4007:
-----------------------------------

Configuration of KerberosAuthenticationManager in the config.xml is done as follows:

{code:xml}
<security>
    <kerberos-auth-manager/>
</security>
{code}

Since Kerberos support only works where SASL authentication is available (i.e. not for JMX authentication), you may wish to also include an alternative Authentication Manager configuration, and use this for other ports:

{code:xml}
    <security>
        <pd-auth-manager>
            <principal-database>
                <class>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase</class>
                <attributes>
                    <attribute>
                        <name>passwordFile</name>
                        <value>${conf}/passwd</value>
                    </attribute>
                </attributes>
            </principal-database>
        </pd-auth-manager>
        <kerberos-auth-manager><auth-name>sib</auth-name></kerberos-auth-manager>
        <default-auth-manager>PrincipalDatabaseAuthenticationManager</default-auth-manager>
        <port-mappings>
            <port-mapping>
                <port>5672</port>
                <auth-manager>KerberosAuthenticationManager</auth-manager>
            </port-mapping>
        </port-mappings>
    </security>
{code}

Configuration of Kerberos is done through system properties (there doesn't seem to be a way around this, unfortunately), e.g.:

{code}
export QPID_OPTS="-Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=qpid.conf"
${QPID_HOME}/bin/qpid-server
{code}

Where qpid.conf would look something like this:

{code}
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    doNotPrompt=true
    realm="EXAMPLE.COM"
    useSubjectCredsOnly=false
    kdc="kerberos.example.com"
    keyTab="/path/to/keytab-file"
    principal="<name>/<host>";
};
{code}

where realm, kdc, keyTab and principal should obviously be set correctly for the environment where you are running (see the existing documentation for the C++ broker about creating a keytab file).

(!) Note: You may need to install the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files" appropriate for your JDK in order to get Kerberos support working.

> [Java Broker] Add Kerberos authentication support to the Java Broker
> --------------------------------------------------------------------
>
>                 Key: QPID-4007
>                 URL: https://issues.apache.org/jira/browse/QPID-4007
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker
>            Reporter: Rob Godfrey
>            Assignee: Rob Godfrey
>             Fix For: 0.17
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> Add SASL GSSAPI/Kerberos support to the Java Broker
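
A pre-flight check for the JAAS file described in the comment above, added here as an example and not part of the JIRA comment or the Qpid code base. It assumes one `key=value` option per line, as in the qpid.conf sample; the function names and script name are hypothetical.

```sh
#!/bin/sh
# Added example (not from the JIRA comment): pre-flight check of the JAAS file
# named by -Djava.security.auth.login.config before the broker is started.

# jaas_opt FILE KEY: print KEY's value from the com.sun.security.jgss.accept
# entry, with surrounding quotes and the trailing ';' removed.
jaas_opt() {
    awk -v key="$2" '
        /^[ \t]*com\.sun\.security\.jgss\.accept[ \t]*[{]/ { in_entry = 1; next }
        in_entry && /^[ \t]*[}]/ { in_entry = 0 }
        in_entry {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, key "=") == 1) {
                val = substr(line, length(key) + 2)
                gsub(/[";]/, "", val)
                sub(/[ \t]+$/, "", val)
                print val
                exit
            }
        }' "$1"
}

# check_acceptor FILE: print each problem found; return 0 only if there are none.
check_acceptor() {
    conf=$1 rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    # The acceptor must take its key from the keytab and keep it in the Subject.
    for opt in useKeyTab storeKey; do
        [ "$(jaas_opt "$conf" "$opt")" = true ] || { echo "$opt is not true"; rc=1; }
    done
    principal=$(jaas_opt "$conf" principal)
    case $principal in
        "" | *"<"*) echo "principal is unset or still a placeholder"; rc=1 ;;
    esac
    keytab=$(jaas_opt "$conf" keyTab)
    if [ ! -f "$keytab" ]; then
        echo "keytab not found: $keytab"; rc=1
    else
        # The keytab holds the service key: no group/other permission bits.
        mode=$(ls -ld "$keytab" | cut -c5-10)
        [ "$mode" = "------" ] || { echo "keytab mode too open: $keytab"; rc=1; }
    fi
    return $rc
}

# Usage: sh check-jaas.sh qpid.conf   (script name is hypothetical)
[ $# -eq 0 ] || check_acceptor "$1"
```

Run it as the account that will start the broker, so the readability test on the config file reflects what the JVM will see.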
