Posted to issues@activemq.apache.org by "Justin Bertram (Jira)" <ji...@apache.org> on 2021/07/15 15:41:00 UTC

[jira] [Commented] (ARTEMIS-3387) LDAPLoginModule using ssl with specific truststore and password

    [ https://issues.apache.org/jira/browse/ARTEMIS-3387?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17381426#comment-17381426 ] 

Justin Bertram commented on ARTEMIS-3387:
-----------------------------------------

All of the connection properties for the {{LDAPLoginModule}} are used to configure the underlying {{com.sun.jndi.ldap.LdapCtxFactory}} which is provided by the JVM.  Looking at [the documentation|https://docs.oracle.com/javase/8/docs/technotes/guides/jndi/jndi-ldap.html] I don't see a way to configure these truststore parameters. It looks like we would need to implement our own {{javax.net.ssl.SSLSocketFactory}} to load the specified truststore and then set that on the {{LdapCtxFactory}} using {{java.naming.ldap.factory.socket}}.

This is technically feasible, but it seems a fair bit of work to support the self-signed LDAP use-case when you could just add the CA cert to the JVM's {{cacerts}} file instead of using the system properties.

> LDAPLoginModule using ssl with specific truststore and password
> ---------------------------------------------------------------
>
>                 Key: ARTEMIS-3387
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3387
>             Project: ActiveMQ Artemis
>          Issue Type: Wish
>          Components: JAAS
>            Reporter: Paul Vogt
>            Priority: Minor
>
> Using ldaps requires specifying a truststore if the CA certificate of the LDAP server is not in the cacerts file. The truststore can be set using command line parameters like
> -Djavax.net.ssl.trustStore=/appl/amq/security/paul_1_test/paul_1_test_ts.p12
> -Djavax.net.ssl.trustStorePassword=changeit
> -Djavax.net.ssl.trustStoreType=PKCS12
> However, this shows the truststore password in the output of the ps -ef command.
> Desired solution: adding 3 properties to org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule
> connectionTrustStore=
> connectionTrustStorePassword=
> connectionTrustStoreType=
>
> So the truststore can be specified without showing it in the process list.
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
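The approach Justin sketches above (a custom {{javax.net.ssl.SSLSocketFactory}} that loads the module-specific truststore, handed to the JVM's {{LdapCtxFactory}} via {{java.naming.ldap.factory.socket}}) looks roughly like this. This is an added illustration, not Artemis code or a proposed patch; the class name, the static settings fields and the {{ldapsEnv}} helper are hypothetical, and the settings are assumed to be populated from a permission-restricted config file rather than from {{-D}} flags so the password is never visible in the process list.

```java
import java.io.*;
import java.net.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.net.SocketFactory;
import javax.net.ssl.*;

/** Hypothetical SSLSocketFactory that trusts only the configured truststore (added example, not Artemis code). */
public class TrustStoreLdapSocketFactory extends SSLSocketFactory {
    // Hypothetical settings: fill these from a permission-restricted config file,
    // not from -D system properties, so the password never appears in `ps -ef`.
    static volatile Path trustStorePath;
    static volatile char[] trustStorePassword;
    static volatile String trustStoreType = "PKCS12";
    private final SSLSocketFactory delegate;

    private TrustStoreLdapSocketFactory() throws Exception {
        KeyStore ts = KeyStore.getInstance(trustStoreType);
        try (InputStream in = Files.newInputStream(trustStorePath)) { ts.load(in, trustStorePassword); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);                       // trust anchors come only from this store, not from cacerts
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        delegate = ctx.getSocketFactory();
    }
    /** The LDAP provider looks this static method up reflectively (java.naming.ldap.factory.socket). */
    public static SocketFactory getDefault() {
        try { return new TrustStoreLdapSocketFactory(); }
        catch (Exception e) { throw new IllegalStateException("cannot load LDAP truststore", e); }
    }
    /** JNDI environment that points the JVM's LdapCtxFactory at this socket factory. */
    static Hashtable<String, Object> ldapsEnv(String url) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);   // e.g. "ldaps://ldap.example.test:636" (placeholder)
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.factory.socket", TrustStoreLdapSocketFactory.class.getName());
        return env;   // pass to new InitialDirContext(env)
    }
    // Remaining abstract methods just delegate to the truststore-backed factory.
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean a) throws IOException { return delegate.createSocket(s, h, p, a); }
    @Override public Socket createSocket(String h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return delegate.createSocket(h, p, lh, lp); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException { return delegate.createSocket(h, p, lh, lp); }
}
```

Because {{getDefault()}} is resolved by class name, the factory has to get its truststore settings from somewhere other than constructor arguments, which is why the snippet uses static fields; in a real login module those would be set from the module's options before the first {{InitialDirContext}} is created.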