You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by Robert Gemmell <ge...@dcs.gla.ac.uk> on 2008/11/30 17:41:26 UTC
RE: [jira] Created: (QPID-1491) Secure Management Console connections do not work[MESSAGE NOT SCANNED]
This should be fixed by the patches I submitted previously, once the remaining ones are applied to the trunk. After repairing the PLAIN authentication, I used CRAM-MD5 several times without any issue.
Also, just a note: removing -Dsecurity=CRAM-MD5 does not make it use PLAIN, it makes the connection to the broker totally unauthenticated. -Dsecurity=PLAIN makes it use PLAIN authentication.
-----Original Message-----
From: Marnie McCormack (JIRA) [mailto:qpid-dev@incubator.apache.org]
Sent: 28 November 2008 11:50
To: qpid-dev@incubator.apache.org
Subject: [jira] Created: (QPID-1491) Secure Management Console connections do not work[MESSAGE NOT SCANNED]
Secure Management Console connections do not work
-------------------------------------------------
Key: QPID-1491
URL: https://issues.apache.org/jira/browse/QPID-1491
Project: Qpid
Issue Type: Bug
Components: Java Management : JMX Console
Affects Versions: M3
Reporter: Marnie McCormack
Summary:
The current build of the management console is unable to connect to the broker using the CRAM-MD5 JMX SASL.
It is potentially a classpath problem with a newer JDK version than was originally tested as the console reports it cannot load a class from the JMXRemote jar.
Current work around is to use the default PLAIN authentication
Have to edit qpidmc.bat and remove -Dsecurity=CRAM-MD5
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
RE: [jira] Created: (QPID-1491) Secure Management Console connections do not work[MESSAGE NOT SCANNED]
Posted by Robbie Gemmell <ge...@dcs.gla.ac.uk>.
By this I assume you mean check the profiles given by the broker and pick
from them in order of security? I looked into doing that the other day but
im not sure how to achieve it as it is set up at present, since whilst you
can give it as many sasl profiles as you like for it to pick from based on
what the broker offers you can only seem to give the environment properties
for a JMXConnector one callback handler, which with the current use of
CRAM-MD5-HASHED on the broker(JMXManagedObjectRegistry) side means it needs
to know whether its dealing with hashed or non hashed principal databases to
ensure it sends the right thing. Using normal CRAM-MD5 for the JMX connector
instead would sort that, but to quote CRAMMD5Initialiser:
"//fixme we need a server that will correctly has the incomming plain text
for comparison to file.
_logger.warn("we need a server that will correctly convert the incomming
plain text for comparison to file.");"
Expanding a little on my original email, the main reason removing
-Dsecurity=<profile> makes it unauthenticated is that it uses that property
to determine whether or not to use the jmxremote_optional.jar classes to
establish a JMXMP connection rather than an RMI based connection using the
standard connectors included with the JVM, and the RMIconnector server which
the broker starts up if admin security is disabled does not use
authentication. The reason you need to pick a security type when using the
JMXMP connector appears to be due to the above situation.
-----Original Message-----
From: aidan.skinner@gmail.com [mailto:aidan.skinner@gmail.com] On Behalf Of
Aidan Skinner
Sent: 01 December 2008 09:38
To: qpid-dev@incubator.apache.org
Subject: Re: [jira] Created: (QPID-1491) Secure Management Console
connections do not work[MESSAGE NOT SCANNED]
On Sun, Nov 30, 2008 at 4:41 PM, Robert Gemmell <ge...@dcs.gla.ac.uk>
wrote:
> This should be fixed by the patches I submitted previously, once the
remaining ones are applied to the trunk. After repairing the PLAIN
authentication, I used CRAM-MD5 several times without any issue.
>
> Also, just a note: removing -Dsecurity=CRAM-MD5 does not make it use
PLAIN, it makes the connection to the broker totally unauthenticated.
-Dsecurity=PLAIN makes it use PLAIN authentication.
Ugh, really? Lame. We should make it do SASL negotiation properly.
- Aidan
--
Apache Qpid - World Domination through Advanced Message Queueing
http://cwiki.apache.org/qpid
"Have we anything resembling a plan?" "Mm-hm. Ride till we find
them... and kill them all." - The 13th Warrior
Re: [jira] Created: (QPID-1491) Secure Management Console connections do not work[MESSAGE NOT SCANNED]
Posted by Aidan Skinner <ai...@apache.org>.
On Sun, Nov 30, 2008 at 4:41 PM, Robert Gemmell <ge...@dcs.gla.ac.uk> wrote:
> This should be fixed by the patches I submitted previously, once the remaining ones are applied to the trunk. After repairing the PLAIN authentication, I used CRAM-MD5 several times without any issue.
>
> Also, just a note: removing -Dsecurity=CRAM-MD5 does not make it use PLAIN, it makes the connection to the broker totally unauthenticated. -Dsecurity=PLAIN makes it use PLAIN authentication.
Ugh, really? Lame. We should make it do SASL negotiation properly.
- Aidan
--
Apache Qpid - World Domination through Advanced Message Queueing
http://cwiki.apache.org/qpid
"Have we anything resembling a plan?" "Mm-hm. Ride till we find
them... and kill them all." - The 13th Warrior