Posted to users@qpid.apache.org by "Kumar Mishra, Rajesh" <r....@accenture.com.INVALID> on 2021/02/04 19:05:55 UTC

Re: [External] Re: Queries on Qpid setup

Hi Team,

We have enabled TLS on the HTTP port; we want to force users to use HTTPS for the web UI, but we are also calling some APIs and we don't want to use HTTPS there.

WEB - https://qpid-host.com:8080
for API calls we want to use - http://qpid-host.com:8080/api-end-point or http://localhost:8080/api-end-point

Could you please help me with the configuration.


Thanks,
Rajesh Mishra
________________________________
From: Malyala, Kirankumar <ki...@accenture.com>
Sent: Tuesday, November 17, 2020 9:29 AM
To: Kumar Mishra, Rajesh <r....@accenture.com>; Grover, Rahul <ra...@accenture.com>; Kumari, Arti A. <ar...@accenture.com>; Mitra, Dibbojyoti <di...@accenture.com>
Cc: Sharma, Tulsi Ram <tu...@accenture.com>
Subject: FW: [External] Re: Queries on Qpid setup

Hi All,

FYI

Regards,
Kirankumar Malyala

-----Original Message-----
From: Oleksandr Rudyy <or...@gmail.com>
Sent: Tuesday, November 17, 2020 4:02 AM
To: users@qpid.apache.org
Subject: Re: [External] Re: Queries on Qpid setup

Hi Kirankumar,
There is a typo in cipher suite names: the GSM is used instead of GCM.
Thus, the correct cipherSuiteWhiteList would be:

"qpid.security.tls.cipherSuiteWhiteList":
"[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]"


Please note that cipher suites TLS_AES_128_GCM_SHA256 and
TLS_AES_256_GCM_SHA384 have been introduced in JDK11 for TLSv1.3. They cannot be used with TLSv1.2. The only TLSv1.2 cipher suite in the list is TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

Regarding encryption of replication traffic I do not have any documentation/recommendation on how to set up the ssh tunnels.

Kind Regards,
Alex

On Mon, 16 Nov 2020 at 14:54, Malyala, Kirankumar <ki...@accenture.com.invalid> wrote:

> Hi Alex,
>
> 1) We are using Qpid version 7.1.6. When we add the context below in our
> Port map we get an SSL handshake error; it works fine only for
> "qpid.security.tls.protocolWhiteList": "TLSv1.2".
>
>  "qpid.security.tls.protocolWhiteList": "TLSv1.2",  --------> WORKING
> "qpid.security.tls.cipherSuiteWhiteList":
> "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"(TLS|SSL)_AES_256_GSM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
> --------> NOT WORKING
>
> 2) Also, please let us know which approach would be best for encrypting
> replicas (SSH tunneling, stunnel or IPsec) in a Qpid setup and share
> its configuration documentation/procedure.
>
> Regards,
> Kirankumar Malyala
>
> -----Original Message-----
> From: Oleksandr Rudyy <or...@gmail.com>
> Sent: Wednesday, November 11, 2020 12:03 AM
> To: users@qpid.apache.org
> Subject: Re: [External] Re: Queries on Qpid setup
>
> Hi Kirankumar,
>
> The context variable can be set on any configured object. For example,
> you can set context variables in the attribute "context" of the Broker
> configured object and/or the Port configured object.
> The children configured objects inherit context settings from their
> parents. Thus, the Port configured object inherits all context
> settings from the Broker, as the Broker is a parent of the Port.
> The context settings can be overridden on the child configured object
> if required. For example, you can set the context variable
> "qpid.security.tls.protocolAllowList" on the Broker to
> "[\"TLSv1.2\",\"TLSv1.3\"]" to allow only TLSv1.2 and TLSv1.3 and
> override it on the Port to "[\"TLSv1.3\"]" in order to restrict the
> port connections to TLSv1.3. Another port object without the overridden
> context variable "qpid.security.tls.protocolAllowList" would inherit
> the support of TLSv1.2 and TLSv1.3 from the Broker.
>
> As mentioned above, the context variables are kept in the attribute
> "context" as a "map" of string keys and values. You can create your
> initial configuration and define the context variables in the
> "context" attribute as illustrated in the example below:
>
> {
>   "name" : "${broker.name}",
>   "modelVersion" : "7.1",
>   "context": {
>     "qpid.security.tls.protocolAllowList": "[\"TLSv1.2\",\"TLSv1.3\"]",
>     "qpid.security.tls.cipherSuiteAllowList": "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"(TLS|SSL)_AES_256_GSM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
>   },
>   ...
>   "ports": [{
>     "name" : "AMQP",
>     "port" : "${qpid.amqp_port}",
>     "context": {
>       "qpid.security.tls.protocolAllowList": "[\"TLSv1.3\"]"
>     },
>     ...
>   },
>   ...
>   ]
> }
>
> In the example above, the context variables
> "qpid.security.tls.protocolAllowList" and
> "qpid.security.tls.cipherSuiteAllowList" are defined on the broker level.
> The port "AMQP" has its own "context" attribute where
> "qpid.security.tls.protocolAllowList" is overridden. Thus, the port "AMQP"
> will have "qpid.security.tls.protocolAllowList" defined on the port
> and "qpid.security.tls.cipherSuiteAllowList" inherited from the Broker.
>
> I hope that the example above helps you to understand the context
> variable settings.
>
> You can update the context variables using REST API. Though, the TLS
> needs to be configured first on the HTTP port in order to use REST API.
>
>
> Kind Regards,
> Alex
>
>
>
>
> On Tue, 10 Nov 2020 at 08:47, Malyala, Kirankumar
> <ki...@accenture.com.invalid> wrote:
>
> > Hi Alex,
> >
> > Thank you for your help. This is useful to look into the areas where
> > we wanted clarity.
> > I want to clear a few things from the points which you have mentioned.
> >
> > As you mentioned, the TLS version can be set in multiple ways through
> > context variables. Could you explain how we can set it in JVM settings /
> > config.json?
> >
> > Please share the code if you have it.
> >
> > Also, related to SSH tunnel configuration, could you share with us
> > any existing references which have used SSH tunneling and the
> > master/replica concept. Then it would be easier for us to mold it
> > as per our requirement.
> >
> > Regards,
> > Kirankumar Malyala
> >
> >
> > -----Original Message-----
> > From: Oleksandr Rudyy <or...@gmail.com>
> > Sent: Tuesday, November 10, 2020 5:24 AM
> > To: users@qpid.apache.org
> > Subject: Re: [External] Re: Queries on Qpid setup
> >
> > Hi Kirankumar,
> > The AMQP and HTTP ports of Qpid Broker-J support TLS and plain TCP
> > transports.
> >
> > In order to enable TLS on the broker HTTP and/or AMQP ports, Keystore
> > configured object(s) need to be configured.
> > The keystore object should contain a private key and certificates
> > (including intermediates if required).
> >
> > A number of Keystore types are supported on the broker:
> > * FileKeyStore - in this type of Keystore a java keystore is used
> > underneath to hold the private key and certificates
> > * NonJavaKeyStore - used to configure private key and certificates
> > directly in PEM or DER formats
> >
> > The Broker allows users to quickly create a self-signed certificate
> > with a special type of Keystore called "AutoGeneratedSelfSigned"
> > (with Oracle JDK or OpenJDK).
> >
> > The TLS protocols and TLS cipher suites can be customised (if
> > required) using special context variables:
> > * qpid.security.tls.protocolAllowList
> > * qpid.security.tls.protocolDenyList
> > * qpid.security.tls.cipherSuiteAllowList
> > * qpid.security.tls.cipherSuiteDenyList
> > or
> > * qpid.security.tls.protocolWhiteList
> > * qpid.security.tls.protocolBlackList
> > * qpid.security.tls.cipherSuiteWhiteList
> > * qpid.security.tls.cipherSuiteBlackList
> >
> > Before 7.1.9 only "white/black" list terminology was supported.
> > Starting from version 7.1.9 the alternative names "allow/deny" lists
> > can be used. In version 9.0 the "allow/deny" lists completely
> > replace "white/black" list terminology.
> >
> > For example, you can allow only TLSv1.3 with JDK11 by setting
> > context variable qpid.security.tls.protocolAllowList to "TLSv1.3".
> > You can specify the allowed or denied values using regular
> > expressions represented as JSON stringified lists.
> > For example, you can limit allowed cipher suites to only some of
> > them by setting qpid.security.tls.cipherSuiteAllowList to
> > "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"(TLS|SSL)_AES_256_GSM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]".
> > The same applies to deny lists.
> >
> > The context variable can be set in multiple ways:
> > * as JVM settings
> > * as command line arguments (for example, ./bin/qpid-server -prop
> > qpid.security.tls.protocolAllowList=TLSv1.3 )
> > * in a properties file system.properties (it needs to be in broker
> > classpath)
> > * as configured object context variables (for example, context
> > variable set on the Broker object using REST API)
> >
> >
> > The Qpid Broker HA is based on Oracle BDB JE. Unfortunately the BDB
> > JE does not support TLS transport. The data replication is unencrypted.
> > Potentially, you can use SSH tunnels, but that requires configuring
> > tunnels between each of the HA nodes, as the nodes communicate with each
> > other. I believe that it should be possible to configure SSH
> > tunnels, though I cannot give you any useful advice on how to do that.
> >
> > You can download Qpid Broker distribution files from the Qpid Download
> > page at http://qpid.apache.org/download.html.
> >
> > Kind Regards,
> > Alex
> >
> >
> > On Fri, 6 Nov 2020 at 04:50, Malyala, Kirankumar
> > <ki...@accenture.com.invalid> wrote:
> >
> > > Hi Alex,
> > >
> > > We are using broker-j (for java). As of now, we are exploring on
> > > version 7.
> > > Please do let us know if you want any other information.
> > >
> > > Regards,
> > > Kirankumar Malyala
> > >
> > > -----Original Message-----
> > > From: Oleksandr Rudyy <or...@gmail.com>
> > > Sent: Friday, November 6, 2020 5:44 AM
> > > To: users@qpid.apache.org
> > > Subject: [External] Re: Queries on Qpid setup
> > >
> > > Hi Kirankumar,
> > > Could you please clarify which Qpid broker exactly you are trying to use?
> > > There are two brokers in the Qpid project: the C++ broker and Broker-J
> > > (for Java).
> > >
> > > Are you using Qpid Broker-J?
> > >
> > > Kind regards,
> > > Alex
> > >
> > > On Thu, 5 Nov 2020 at 08:05, Malyala, Kirankumar
> > > <ki...@accenture.com.invalid> wrote:
> > >
> > > > Hi Team,
> > > >
> > > > We have been doing some POC on Qpid. While working on the
> > > > configuration, we came across multiple blockers which we have
> > > > mentioned below.
> > > >
> > > >   *   How to use a specific version of TLS encryption for Qpid if we
> > > >       deploy on a VM.
> > > >   *   We understood from the Qpid documentation that we have to deploy
> > > >       the broker on multiple VMs to create a group and introduce
> > > >       master/replica nodes. Any SOP on this part?
> > > >   *   How to apply SSL/TLS encryption to replicas in a group consisting
> > > >       of master and replica nodes using SSH tunnel/IPsec.
> > > >   *   How can we fetch a file in Apache
> > > >
> > > > Please let us know if someone from your team can guide us on these
> > > > points.
> > > >
> > > > Regards,
> > > > Kirankumar Malyala
> > > >
> > > > ________________________________
> > > >
> > > > This message is for the designated recipient only and may contain
> > > > privileged, proprietary, or otherwise confidential information. If you
> > > > have received it in error, please notify the sender immediately and
> > > > delete the original. Any other use of the e-mail by you is prohibited.
> > > > Where allowed by local law, electronic communications with Accenture
> > > > and its affiliates, including e-mail and instant messaging (including
> > > > content), may be scanned by our systems for the purposes of
> > > > information security and assessment of internal compliance with
> > > > Accenture policy. Your privacy is important to us. Accenture uses your
> > > > personal data only in compliance with data protection laws. For
> > > > further information on how Accenture processes your personal data,
> > > > please see our privacy statement at
> > > > https://www.accenture.com/us-en/privacy-policy.
> > > >
> > > > ______________________________________________________________________________________
> > > >
> > > > http://www.accenture.com
> > > >
> > >
> >
>


Re: [External] Re: Queries on Qpid setup

Posted by Oleksandr Rudyy <or...@gmail.com>.
Hi Rajesh,
If required the HTTP port can be configured with support for both TCP
and TLS transports. Though, managing the Broker via plain HTTP would be
inherently insecure, as the credentials would be sent in plain text
and could be easily intercepted.
Thus, in order to secure your Broker, it is strongly recommended to use
HTTPS for both UI and REST API calls.

Kind Regards,
Alex

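As an added example (not code from this thread or from the Qpid project), the Python script below audits a Broker-J config.json for the problems the thread works through: it applies the Broker-to-Port context inheritance Alex describes, decodes the JSON-stringified regex lists, reports entries that do not compile (the unbalanced "TLS|SSL)_..." form) or match no suite name (the GSM-for-GCM typo), works out which allowed suites can actually be negotiated under the allowed protocol versions (TLS_AES_* being TLSv1.3-only), and flags an HTTP port that also offers the plain TCP transport, which is the point of the final reply. It assumes full-match regex semantics (the way the thread's entries are written), a constructed table of JVM suite names, and the Port "type"/"transports" attribute names; deny lists are not modelled.

```python
import json
import re

# Constructed sample of the cipher suites a JDK11 JVM reports, with the protocol
# version each one needs: the TLS_AES_* suites are TLSv1.3-only.
SAMPLE_JVM_SUITES = {
    "TLS_AES_128_GCM_SHA256": "TLSv1.3",
    "TLS_AES_256_GCM_SHA384": "TLSv1.3",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "TLSv1.2",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "TLSv1.2",
}
KNOWN_PROTOCOLS = ("TLSv1.2", "TLSv1.3")
# Both spellings from the thread: allow (7.1.9 and later) and white (older).
PROTOCOL_KEYS = ("qpid.security.tls.protocolAllowList", "qpid.security.tls.protocolWhiteList")
CIPHER_KEYS = ("qpid.security.tls.cipherSuiteAllowList", "qpid.security.tls.cipherSuiteWhiteList")


def effective_context(broker, port):
    """Port context = Broker context with the Port's own keys overriding it."""
    ctx = dict(broker.get("context", {}))
    ctx.update(port.get("context", {}))
    return ctx


def parse_patterns(value):
    """Decode a JSON-stringified list of regexes into (compiled, problems). A bare
    value such as "TLSv1.2" is not JSON and is taken as one pattern."""
    try:
        entries = json.loads(value)
    except json.JSONDecodeError:
        entries = value
    if isinstance(entries, str):
        entries = [entries]
    compiled, problems = [], []
    for entry in entries:
        try:
            compiled.append(re.compile(entry))
        except re.error as exc:  # e.g. the unbalanced "TLS|SSL)_..." entry
            problems.append(f"invalid regex {entry!r}: {exc}")
    return compiled, problems


def allowed_protocols(ctx):
    """Protocol versions the allow list admits (all known ones if unset)."""
    key = next((k for k in PROTOCOL_KEYS if k in ctx), None)
    if key is None:
        return set(KNOWN_PROTOCOLS)
    patterns = parse_patterns(ctx[key])[0]
    return {p for p in KNOWN_PROTOCOLS if any(r.fullmatch(p) for r in patterns)}


def matching_suites(patterns, suites=SAMPLE_JVM_SUITES):
    """Suites (name -> protocol) fully matched by at least one pattern."""
    return {s: p for s, p in suites.items() if any(r.fullmatch(s) for r in patterns)}


def usable_suites(ctx):
    """Allowed suites that can actually be negotiated under the allowed protocols."""
    key = next((k for k in CIPHER_KEYS if k in ctx), None)
    patterns = parse_patterns(ctx[key])[0] if key else [re.compile(".*")]
    protos = allowed_protocols(ctx)
    return sorted(s for s, p in matching_suites(patterns).items() if p in protos)


def audit(config):
    """Findings per port: bad regexes, patterns matching no suite (typos),
    allow lists that leave no negotiable suite, and plaintext HTTP management."""
    findings = []
    for port in config.get("ports", []):
        name, ctx = port.get("name", "?"), effective_context(config, port)
        # Plain HTTP management sends credentials in the clear (the final reply's point).
        if port.get("type") == "HTTP" and "TCP" in port.get("transports", []):
            findings.append(f"{name}: HTTP port accepts plain TCP transport")
        for key in PROTOCOL_KEYS + CIPHER_KEYS:
            if key not in ctx:
                continue
            patterns, problems = parse_patterns(ctx[key])
            findings.extend(f"{name}: {key}: {p}" for p in problems)
            if key in CIPHER_KEYS:
                for r in patterns:
                    if not matching_suites([r]):
                        findings.append(f"{name}: {key}: {r.pattern!r} matches no known suite (typo?)")
        if any(k in ctx for k in CIPHER_KEYS) and not usable_suites(ctx):
            findings.append(f"{name}: no allowed cipher suite is usable with {sorted(allowed_protocols(ctx))}")
    return findings


# Constructed config.json fragment modelled on the thread's example; the broker-level
# cipher list carries the GSM typo and an unbalanced "(" from the thread.
SAMPLE_CONFIG = json.loads(r'''{
  "name": "broker", "modelVersion": "7.1",
  "context": {
    "qpid.security.tls.protocolAllowList": "[\"TLSv1.2\",\"TLSv1.3\"]",
    "qpid.security.tls.cipherSuiteAllowList": "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"TLS|SSL)_AES_256_GCM_SHA384\"]"
  },
  "ports": [
    {"name": "AMQP", "type": "AMQP", "port": 5671, "transports": ["TLS"],
     "context": {"qpid.security.tls.protocolAllowList": "[\"TLSv1.3\"]"}},
    {"name": "HTTP", "type": "HTTP", "port": 8080, "transports": ["TCP", "TLS"]}
  ]
}''')

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

With the corrected list from Alex's reply and protocolWhiteList "TLSv1.2", usable_suites() returns only TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, which is the mismatch behind the handshake errors discussed above.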

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org