Posted to issues@activemq.apache.org by "Melvin E Santos-Piza (JIRA)" <ji...@apache.org> on 2016/03/21 15:43:25 UTC

[jira] [Updated] (AMQ-6220) Enhance AMQ jaasAuthenticationPlugin(s)

     [ https://issues.apache.org/jira/browse/AMQ-6220?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Melvin E Santos-Piza updated AMQ-6220:
--------------------------------------
    Description: 
I'm standing up a cluster of AMQs, which I will offer in a multi-tenant setup. Each tenant will have a networkOfBrokers with SSL transports (only) on each broker. Each broker will have two transports:
1) frontdoor - which is what the clients will connect to (1-way TLS + LDAP Auth)
2) backdoor - which will connect the network (2-way TLS)
The problem is that the broker expects me to also authenticate via LDAP on the backdoor. This proves troublesome, as I would have to configure, and protect, customers' LDAP credentials. I would much rather have 2-way TLS, as I can have the certificates in a keystore + their keys vaulted somewhere on the host.
I've looked at:
1) org.apache.activemq.jaas.TextFileCertificateLoginModule + org.apache.activemq.security.JaasCertificateAuthenticationPlugin
2) org.apache.activemq.jaas.LDAPLoginModule + org.apache.activemq.security.JaasAuthenticationPlugin
but both of these LoginModules handle different callbacks, and the authenticationPlugins expect sequential successes; the way BrokerFilter works, one can't have a fallback jaasPlugin. What's needed is an authenticationPlugin that will use a CertificateCallBackHandler as the primary logon and a CredentialsCallBackHandler as the default, kind of like what SSH does (i.e. org.apache.karaf.shell.ssh.KarafJaasAuthenticator).

  was:
I'm standing up a cluster of AMQs, which I will offer in a multi-tenant setup. Each tenant will have a networkOfBrokers with SSL transports (only) on each broker. Each broker will have two transports:
1) frontdoor - which is what the clients will connect to (1-way TLS + LDAP Auth)
2) backdoor - which will connect the network (2-way TLS)
The problem is that the broker expects me to also authenticate the broker via LDAP on the backdoor. This proves troublesome, as I would have to configure, and protect, customers' LDAP credentials. I would much rather have 2-way TLS, as I can have the certificates in a keystore + their keys vaulted somewhere on the host.
I've looked at:
1) org.apache.activemq.jaas.TextFileCertificateLoginModule + org.apache.activemq.security.JaasCertificateAuthenticationPlugin
2) org.apache.activemq.jaas.LDAPLoginModule + org.apache.activemq.security.JaasAuthenticationPlugin
but both of these LoginModules handle different callbacks, and the authenticationPlugins expect sequential successes; the way BrokerFilter works, one can't have a fallback jaasPlugin. What's needed is an authenticationPlugin that will use a CertificateCallBackHandler as the primary logon and a CredentialsCallBackHandler as the default, kind of like what SSH does (i.e. org.apache.karaf.shell.ssh.KarafJaasAuthenticator).


> Enhance AMQ jaasAuthenticationPlugin(s)
> ---------------------------------------
>
>                 Key: AMQ-6220
>                 URL: https://issues.apache.org/jira/browse/AMQ-6220
>             Project: ActiveMQ
>          Issue Type: New Feature
>    Affects Versions: 5.x
>            Reporter: Melvin E Santos-Piza
>              Labels: ActiveMQ, BrokerFilter, JaasAuthenticationPlugin
>
> I'm standing up a cluster of AMQs, which I will offer in a multi-tenant setup. Each tenant will have a networkOfBrokers with SSL transports (only) on each broker. Each broker will have two transports:
> 1) frontdoor - which is what the clients will connect to (1-way TLS + LDAP Auth)
> 2) backdoor - which will connect the network (2-way TLS)
> The problem is that the broker expects me to also authenticate via LDAP on the backdoor. This proves troublesome, as I would have to configure, and protect, customers' LDAP credentials. I would much rather have 2-way TLS, as I can have the certificates in a keystore + their keys vaulted somewhere on the host.
> I've looked at:
> 1) org.apache.activemq.jaas.TextFileCertificateLoginModule + org.apache.activemq.security.JaasCertificateAuthenticationPlugin
> 2) org.apache.activemq.jaas.LDAPLoginModule + org.apache.activemq.security.JaasAuthenticationPlugin
> but both of these LoginModules handle different callbacks, and the authenticationPlugins expect sequential successes; the way BrokerFilter works, one can't have a fallback jaasPlugin. What's needed is an authenticationPlugin that will use a CertificateCallBackHandler as the primary logon and a CredentialsCallBackHandler as the default, kind of like what SSH does (i.e. org.apache.karaf.shell.ssh.KarafJaasAuthenticator).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
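The plugin the reporter asks for, as an added example that is neither the reporter's nor the ActiveMQ project's code: a BrokerPlugin installing a BrokerFilter that runs a certificate logon (JaasCertificateCallbackHandler against a JAAS entry built on TextFileCertificateLoginModule) when the transport presented a client certificate, and otherwise falls back to a username/password logon (JassCredentialCallbackHandler against a JAAS entry built on LDAPLoginModule). The package name, the class names and the two login.config entry names "activemq-cert" and "activemq-domain" are assumptions of the example; the ActiveMQ classes it imports exist in the 5.x code base. It is registered in broker.xml as a bean under <plugins>, in place of the two stock jaas plugins.

```java
// Added example, not ActiveMQ project code. Package and class names are hypothetical.
package example.activemq;

import java.security.cert.X509Certificate;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArraySet;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFilter;
import org.apache.activemq.broker.BrokerPlugin;
import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.command.ConnectionInfo;
import org.apache.activemq.jaas.JaasCertificateCallbackHandler;
import org.apache.activemq.jaas.JassCredentialCallbackHandler;
import org.apache.activemq.jaas.UserPrincipal;
import org.apache.activemq.security.JaasCertificateSecurityContext;
import org.apache.activemq.security.JaasSecurityContext;
import org.apache.activemq.security.SecurityContext;

public class CertificateThenCredentialsAuthenticationPlugin implements BrokerPlugin {
    // JAAS login.config entry names (assumed): one backed by TextFileCertificateLoginModule,
    // one backed by LDAPLoginModule. Settable from broker.xml.
    private String certificateConfiguration = "activemq-cert";
    private String credentialsConfiguration = "activemq-domain";

    public void setCertificateConfiguration(String name) { certificateConfiguration = name; }
    public void setCredentialsConfiguration(String name) { credentialsConfiguration = name; }

    @Override
    public Broker installPlugin(Broker broker) {
        return new CertificateThenCredentialsBroker(broker, certificateConfiguration, credentialsConfiguration);
    }

    static class CertificateThenCredentialsBroker extends BrokerFilter {
        private final String certConfig;
        private final String credConfig;
        // Security contexts this filter issued, so removeConnection only clears its own.
        private final Set<SecurityContext> issued = new CopyOnWriteArraySet<>();

        CertificateThenCredentialsBroker(Broker next, String certConfig, String credConfig) {
            super(next);
            this.certConfig = certConfig;
            this.credConfig = credConfig;
        }

        @Override
        public void addConnection(ConnectionContext context, ConnectionInfo info) throws Exception {
            if (context.getSecurityContext() == null) {
                X509Certificate[] peer = peerCertificates(info);
                // Primary logon: the transport presented a client chain (2-way TLS backdoor).
                // Default: no chain, so use the connection's user name/password (1-way TLS frontdoor).
                SecurityContext sc = (peer != null && peer.length > 0)
                        ? loginWithCertificate(peer)
                        : loginWithCredentials(info.getUserName(), info.getPassword());
                context.setSecurityContext(sc);
                issued.add(sc);
            }
            super.addConnection(context, info);
        }

        @Override
        public void removeConnection(ConnectionContext context, ConnectionInfo info, Throwable error) throws Exception {
            super.removeConnection(context, info, error);
            if (issued.remove(context.getSecurityContext())) {
                context.setSecurityContext(null);
            }
        }

        // ActiveMQ's SSL transports place the verified peer chain in the transport context.
        private static X509Certificate[] peerCertificates(ConnectionInfo info) {
            Object ctx = info.getTransportContext();
            return ctx instanceof X509Certificate[] ? (X509Certificate[]) ctx : null;
        }

        private SecurityContext loginWithCertificate(X509Certificate[] certs) {
            String dn = certs[0].getSubjectX500Principal().getName();
            Subject subject = login(certConfig, new JaasCertificateCallbackHandler(certs), "certificate " + dn);
            // TextFileCertificateLoginModule maps the DN to a UserPrincipal; use that as the user name.
            String user = dn;
            for (UserPrincipal p : subject.getPrincipals(UserPrincipal.class)) {
                user = p.getName();
            }
            return new JaasCertificateSecurityContext(user, subject, certs);
        }

        private SecurityContext loginWithCredentials(String username, String password) {
            if (username == null) {
                throw new SecurityException("No client certificate presented and no user name supplied.");
            }
            Subject subject = login(credConfig, new JassCredentialCallbackHandler(username, password),
                    "user name [" + username + "]");
            return new JaasSecurityContext(username, subject);
        }

        private static Subject login(String config, CallbackHandler handler, String who) {
            // JAAS resolves login modules through the thread context class loader.
            ClassLoader original = Thread.currentThread().getContextClassLoader();
            Thread.currentThread().setContextClassLoader(CertificateThenCredentialsBroker.class.getClassLoader());
            try {
                LoginContext lc = new LoginContext(config, handler);
                lc.login();
                return lc.getSubject();
            } catch (LoginException e) {
                // A presented certificate that fails its logon is rejected outright; there is no
                // second attempt with credentials, so a bad certificate cannot be used to probe LDAP.
                throw new SecurityException("Authentication failed for " + who, e);
            } finally {
                Thread.currentThread().setContextClassLoader(original);
            }
        }
    }
}
```

The fallback is keyed on whether a client chain was presented, not on whether the certificate logon succeeded: a backdoor connector with needClientAuth=true already rejects untrusted chains in the handshake, and a chain that is trusted by the truststore but unknown to the TextFileCertificateLoginModule user mapping is refused rather than retried against the tenant's LDAP. A frontdoor client on a 1-way TLS connector never presents a chain, so it always takes the credentials path.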