Posted to users@qpid.apache.org by Marcello <mf...@euro-finance-systems.fr> on 2012/10/23 14:11:17 UTC

QPid 0.18 C++/C# - client-side certificate authentication - QpidException

Hi,

I’m trying to connect to a Red Hat MRG 2.0 (Qpid 0.10) broker (compliant
with AMQP 0-10).

My client application is a .Net Windows application and we use the Apache
QPid 0.18 C++/C# module (compliant with AMQP 0-10), provided to us by
Riverace ( http://www.riverace.com/qpid/downloads.htm ).

In order to connect and authenticate to the remote broker we currently
reference the .Net assembly org.apache.qpid.messaging.dll found in the
installation package, which wraps the Apache QPid C++ native component. You
will find the source code below.

Any connection attempt fails and a QpidException is raised: « Failed to
connect (reconnect disabled) ». Stack trace:
  .Apache.Qpid.Messaging.Connection.Open() at
c:\qpid\0.18\qpid\cpp\bindings\qpid\dotnet\src\connection.cpp:line 243

The broker and the client run on different machines connected to the same
VPN network; the client and the broker are directly connected on the same
subnet.

The authentication process to the broker is done via the SASL EXTERNAL
mechanism, which uses SSL for both encryption and authentication. The
authentication process uses certificates registered on the Windows machine
where the client is running.

On the Windows client machine the public broker certificate is currently
registered in the “Root” store, and the client certificate (self-signed and
created by us) is currently registered in the “My” store. The public part of
the client certificate has been correctly registered on the broker side.

Our own .Net client set the following connection properties:

     using Org.Apache.Qpid.Messaging;

     ...

     Connection connection = null;
     connection = new Connection("amqp:ssl:<broker address>:<broker ssl port>");

     connection.SetOption("reconnect", true);
     connection.SetOption("transport", "ssl");
     connection.SetOption("reconnect_limit", <number of maximal attempts>);
     connection.SetOption("reconnect_urls", "amqp:ssl:<broker address>:<broker ssl port>");

     // the following option, set username, is mandatory when an EXTERNAL
     // sasl_mechanisms is provided
     connection.SetOption("username", "<client certificate>");
     connection.SetOption("sasl_mechanisms", "EXTERNAL");

     connection.Open();

When the Open command is executed the client attempts to connect to the
default SSL port of the broker without success, raising the QpidException.

Riverace ( http://www.riverace.com/ ), from whom we get the Apache Qpid
component, warned us that Apache QPid 0.18 C++/C# does not have native
support for client-side certificate authentication.

We therefore probably have to build our own Apache QPid C++ component,
starting from the source available on the Apache Qpid site, after applying
some enhancements to the SSL handling in the Qpid C++ code.

I would be glad if someone could answer the questions below:
1. Is the SSL enhancement I need provided by applying the patch « SSL Client
Authentication support for the Windows C++ client »,
https://issues.apache.org/jira/browse/QPID-3914 ?
2. The only .Net source package available on the Apache QPid site
( http://qpid.apache.org/download.html ) is « C# (.NET, WCF) WCF channel
(C++ Broker Compatible) », and the assembly we are currently using,
org.apache.qpid.messaging.dll, is not available anymore or I am not able to
find it. Do you know where I can find the org.apache.qpid.messaging .Net
source code?
3. Do you know where I can find a QPid component installation package that
includes SSL support with client-side certificate authentication and is
compliant with the AMQP 0-10 standard? Maybe Red Hat MRG Messaging
( http://www.redhat.com/mrg/messaging/ ) includes this feature?

Thanks in advance for your support

Marcello




--
View this message in context: http://qpid.2158936.n2.nabble.com/QPid-0-18-C-C-client-side-certificate-authentication-QpidException-tp7583696.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org


Re: QPid 0.18 C++/C# - client-side certificate authentication - QpidException

Posted by Jakub Scholz <ja...@scholz.cz>.
Hi Marcello,

Sorry, I meant another store. One more idea: since you used the
ssl-client-auth-filecert.path version of the patch, you should be able to
point the application to the certificates stored in files. Have you tried
whether that helps to solve the problem?

Regards
Jakub


On Thu, Nov 8, 2012 at 1:58 PM, Marcello <mf...@euro-finance-systems.fr> wrote:

Re: QPid 0.18 C++/C# - client-side certificate authentication - QpidException

Posted by Marcello <mf...@euro-finance-systems.fr>.
Thank you Jakub

I just ask you to complete option a).

a) load the certificate into another .... account? or store?

Best regards
Marcello



--
View this message in context: http://qpid.2158936.n2.nabble.com/QPid-0-18-C-C-client-side-certificate-authentication-QpidException-tp7583696p7584448.html


Re: QPid 0.18 C++/C# - client-side certificate authentication - QpidException

Posted by Jakub Scholz <ja...@scholz.cz>.
Hi Marcello,

Honestly, I'm not really a Windows developer. When working on the patch,
the certificate system on Windows seemed incredibly chaotic to me,
especially compared to Java or to the Qpid C++ client on Linux :-(. I also
experienced some issues with finding the proper certificate store.

I would assume that if you run the service under the user LocalSystem it has
its own "MY" store. So although it may have access to the "MY" store of the
other user, the store would need to be identified differently. I can try to
investigate it a bit more once I find some free time. In the meantime, you
can try to a) load the certificate into another or b) try to make your
application search for the certificates in another store (there is a
connection option ssl-cert-store which can be used to point the application
to different stores).

Regards
Jakub


On Thu, Nov 8, 2012 at 12:48 PM, Marcello <mf...@euro-finance-systems.fr> wrote:

Re: QPid 0.18 C++/C# - client-side certificate authentication - QpidException

Posted by Marcello <mf...@euro-finance-systems.fr>.
Hi Jakub

I would like to inform you that we applied the FIRST patch attached to JIRA
QPID-3914, the file sel-client-authentication.patch; client-side certificate
authentication is now possible in many cases, but we still have some issues.
(NB: we have not applied the second patch file
ssl-client-auth-filecert.patch.)

The patch has been applied to the QPid C++ 0.18 source code downloaded from
the Apache website.

I have registered my private certificate in the “My” system store both for
the current user (the user logged onto the machine) and for the local
machine, via the MMC console. Rest assured that the certificate is valid and
includes my private key.

Our application is a .Net Windows service; to reference our certificate in
our application we use this code sample: connection.SetOption("username",
"<our account Id>");

When I run the Windows service as the user for whom I registered the
certificate, the certificate is correctly loaded; instead, the certificate
is not loaded when I run the service as the user “LocalSystem” (the default
user we use to run our Windows services). The error "Impossible to find
object or property" is then raised from the Qpid module when it calls the
procedure CertFindCertificateInStore (this call exists since you applied the
first patch attached to JIRA QPID-3914). I point out that the “My” store
nevertheless continues to be accessible.

I used both the MMC console and the winhttpcertcfg.exe system tool to verify
that the “LocalSystem” user has the rights to access my certificate. Both
the MMC console and the winhttpcertcfg.exe tool confirm that THEORETICALLY
the user “LocalSystem” has the rights to access the certificate.

Do you have any suggestion to help me solve this problem? Maybe I have to
apply the second patch ssl-client-auth-filecert.patch attached to JIRA
QPID-3914 and use the physical certificate files in my service instead of
the system certificate store?

Thank you in advance.



--
View this message in context: http://qpid.2158936.n2.nabble.com/QPid-0-18-C-C-client-side-certificate-authentication-QpidException-tp7583696p7584446.html
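A diagnostic for the LocalSystem problem Marcello reports above, following Jakub's point that a service running as LocalSystem sees a different "MY" store than the logged-on user. This is an added example, not code from the thread, from the QPID-3914 patch or from the Qpid project. It assumes the patched client matches the certificate by subject name (the thread does not say which certificate field the username option is compared against; adjust the X509FindType if yours differs) and that the program can be started under the service account, for example with Sysinternals psexec -s. It opens both CurrentUser\My and LocalMachine\My under whichever account runs it, looks the certificate up the same way the client does (X509Certificate2Collection.Find wraps CertFindCertificateInStore), and then actually opens the private key, which is what an ACL check in MMC or winhttpcertcfg does not prove.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

// Added diagnostic (not part of the thread or of Qpid). Run it once as the
// interactive user and once as LocalSystem, e.g. "psexec -s CertStoreProbe.exe
// <subject>", and compare the two outputs.
// Assumption: the client certificate is selected by subject name.
static class CertStoreProbe
{
    // CurrentUser\My is the "MY" store of the calling account; under a
    // service that is the service account (NT AUTHORITY\SYSTEM), not the
    // user who imported the certificate through MMC.
    static readonly StoreLocation[] Locations =
        { StoreLocation.CurrentUser, StoreLocation.LocalMachine };

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: CertStoreProbe <certificate subject name>");
            return 2;
        }
        string subject = args[0];
        Console.WriteLine("Running as: " + WindowsIdentity.GetCurrent().Name);

        int usable = 0;
        foreach (StoreLocation location in Locations)
            usable += Probe(location, subject) ? 1 : 0;

        // Exit 0 only if at least one store holds the certificate AND the
        // private key is accessible to this account.
        return usable > 0 ? 0 : 1;
    }

    // Returns true if <location>\My contains a certificate with the given
    // subject and the current account can open its private key.
    static bool Probe(StoreLocation location, string subject)
    {
        var store = new X509Store(StoreName.My, location);
        try
        {
            // OpenExistingOnly: do not silently create an empty store.
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        }
        catch (CryptographicException e)
        {
            Console.WriteLine("{0}\\My: cannot open store: {1}", location, e.Message);
            return false;
        }

        try
        {
            // Find() calls CertFindCertificateInStore, the call that fails in
            // the patched client. validOnly=false so a self-signed or expired
            // certificate is still listed here.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, subject, false);

            if (found.Count == 0)
            {
                Console.WriteLine("{0}\\My: no certificate with subject '{1}'", location, subject);
                return false;
            }

            bool anyUsable = false;
            foreach (X509Certificate2 cert in found)
            {
                Console.WriteLine("{0}\\My: {1} thumbprint={2} HasPrivateKey={3}",
                    location, cert.Subject, cert.Thumbprint, cert.HasPrivateKey);
                if (!cert.HasPrivateKey)
                    continue;
                try
                {
                    // Acquiring the key is what proves the key-container ACL
                    // allows this account; HasPrivateKey alone does not.
                    AsymmetricAlgorithm key = cert.PrivateKey;
                    Console.WriteLine("  private key accessible ({0} bits)", key.KeySize);
                    anyUsable = true;
                }
                catch (CryptographicException e)
                {
                    // Typically "Keyset does not exist" or "Access is denied".
                    Console.WriteLine("  private key NOT accessible: " + e.Message);
                }
            }
            return anyUsable;
        }
        finally
        {
            store.Close();
        }
    }
}
```

Read the two runs side by side. The error Marcello quotes, "Impossible to find object or property", is the localized text of CRYPT_E_NOT_FOUND ("Cannot find object or property"), which is what CertFindCertificateInStore returns when no matching certificate exists in the store handle it was given. If the certificate shows up only in CurrentUser\My when run as the interactive user, then SYSTEM's own CurrentUser\My does not contain it, which explains that error; import it into LocalMachine\My and make the client look there (Jakub mentions an ssl-cert-store connection option in the patch for this; the thread does not give its value syntax), or run the service under the account that owns the certificate. If instead the certificate is found under SYSTEM but the private key throws, the store is fine and the key-container ACL is the problem.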


Re: QPid 0.18 C++/C# - client-side certificate authentication - QpidException

Posted by Cliff Jansen <cl...@gmail.com>.
Hi Marcello,

Supplementing Jakub's reply, the source for the Org.Apache.Qpid.Messaging
dll is written in C++/CLI (not C#). You can find it in the C++ Multiple
component package or the full C++ source release. It will be in:

  qpidXX/cpp/bindings/qpid/dotnet/src

It is probably safer to use the full source release if you are building
from scratch. Look at the README-winsdk.txt file. Since the C++/CLI code
relies on the underlying pure native C++ libraries to handle the
certificates, you should first verify that a pure C++ test program works as
you expect.

Cliff

On Mon, Oct 29, 2012 at 6:14 AM, Jakub Scholz <ja...@scholz.cz> wrote:



Re: QPid 0.18 C++/C# - client-side certificate authentication - QpidException

Posted by Jakub Scholz <ja...@scholz.cz>.
Hi Marcello,

The QPID-3914 JIRA delivers the SASL EXTERNAL support. You will need to
download the patch, apply it to the source code and build your own
version of the library.

If you follow the guide for building the C++/.NET library on Windows, which
is somewhere in the SVN trunk, it is fairly simple.

Since QPID-3914 is not part of the SVN, but just a patch which is not
committed, you will probably not find binaries for download which contain
the SASL EXTERNAL patch ...

Regards
Jakub
On 23.10.2012 14:11, "Marcello" <mf...@euro-finance-systems.fr> wrote: