Posted to users@qpid.apache.org by Adel Boutros <ad...@live.com> on 2016/07/13 09:44:05 UTC

[qpid-dispatch 0.6.0] Client certificate authentication with Java Broker 6.0.0

Hello,

In a previous post (http://qpid.2158936.n2.nabble.com/Qpid-Dispatch-SSL-SASL-configuration-on-a-listener-tp7646048.html), I had asked how to set up qpid-dispatch to work with SSL and SASL authentication, and thanks to your help I was able to get clients (consumer/producer) to connect to the dispatcher using the correct certificates.

At that time, I was connected to the open AMQP port of the Java Broker, which had no security. I then tried to connect to a port which only required SSL, and this is also working.

What is not working, however, is connecting the dispatcher to a port on the Java Broker which has SSL and requires client certificates. When I run the qdmanage command to create the connector, no connection shows up on the virtual host tab in the Java Broker web management console.

The qdmanage commands are not showing any errors, and there are no errors on the Java Broker's side. Is there a way to debug further what is happening with qdmanage?

As a reminder, my certificates are generated by a self-signed CA composed of a root authority and an intermediate one.

Dispatcher config
router {
    id: router.10396
    mode: interior
    worker-threads: 4
}

ssl-profile {
    name: ssl-full-profile
    certFile: cert_lx.pem
    keyFile: key_lx.pem
    certDb: ca-chain.cert.pem
}

listener {
    host: 0.0.0.0
    port: 10396
    role: normal
    saslMechanisms: EXTERNAL
    sslProfile: ssl-full-profile
    requireSsl: yes
    authenticatePeer: yes
}

listener {
    host: 0.0.0.0
    port: 10395
    role: normal
    saslMechanisms: ANONYMOUS
    sslProfile: ssl-full-profile
    requireSsl: yes
    authenticatePeer: no
}

log {
    module: DEFAULT
    enable: warn+
    output: dispatch.10396.log
}

Java Broker
The AMQP port is 10101, configured with the proper "KeyStore" of the broker, a "NonJavaTrustStore" containing ca-chain.cert.pem (a combination of the root and intermediate certificates) and "Want SSL Client Certificate".

qdmanage commands
qdmanage -b amqps://localhost:10395 --ssl-key=key_lx.pem --ssl-certificate=cert_lx.pem create --type=address prefix=perfQueue waypoint=true name=perf.queue.addr

qdmanage -b amqps://localhost:10395 --ssl-key=key_lx.pem --ssl-certificate=cert_lx.pem create --type=connector role=route-container addr=localhost port=10101 name=localhost.broker.10101.connector certFile=cert_lx.pem certDb=ca-chain.cert.pem

Regards,
Adel

RE: [qpid-dispatch 0.6.0] Client certificate authentication with Java Broker 6.0.0

Posted by Adel Boutros <ad...@live.com>.
Found the issue! Actually, for the connector, "certFile" should correspond to the client authentication certificate. I had a belief it should be the broker's SSL certificate and that "certDb" should have contained the client authentication certificate.

As for the proton logs, I put the logger in TRACE mode and got all the errors I was hoping to see.

Sorry for wasting your time.

Regards,
Adel

> From: adelboutros@live.com
> To: users@qpid.apache.org
> Subject: RE: [qpid-dispatch 0.6.0] Client certificate authentication with Java Broker 6.0.0
> Date: Wed, 13 Jul 2016 13:54:30 +0200
> > From: adelboutros@live.com
> > To: users@qpid.apache.org
> > Subject: RE: [qpid-dispatch 0.6.0] Client certificate authentication with Java Broker 6.0.0
> > Date: Wed, 13 Jul 2016 12:38:57 +0200
> > > From: adelboutros@live.com
> > > To: users@qpid.apache.org
> > > Subject: [qpid-dispatch 0.6.0] Client certificate authentication with Java Broker 6.0.0
> > > Date: Wed, 13 Jul 2016 11:44:05 +0200

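The fix above comes down to which file plays which role in the connector: certFile/keyFile are the router's own client identity, certDb is the CA chain used to verify the broker. The following preflight script is an added example, not code from this thread or from qpid-dispatch/Proton; it replays the two OpenSSL steps of pn_ssl_domain_set_credentials() (quoted elsewhere in this thread) with Python's ssl module so that the OpenSSL reason behind the router's one-line "SSL local configuration failed" message becomes visible. The file names mirror the connector command (cert_lx.pem, key_lx.pem, ca-chain.cert.pem); the inputs used by demo() are constructed non-PEM files.

```python
"""Added preflight (not qpid-dispatch or Proton code) for a connector's TLS files.
It replays the two OpenSSL steps of pn_ssl_domain_set_credentials(), certificate
chain then private key, with Python's ssl module, so the OpenSSL error the router
only summarises as "SSL local configuration failed for host:port" becomes visible."""
import ssl
import tempfile
from pathlib import Path


def check_connector_ssl(cert_file, key_file, cert_db=None, password=None):
    """Return [(step, ok, detail), ...] for a connector's certFile/keyFile/certDb.

    certFile/keyFile: the router's OWN client identity, which the broker's
    "Want SSL Client Certificate" port validates against its trust store.
    certDb: the CA chain the router uses to verify the BROKER's server cert.
    Pointing certFile at a certificate whose private key is not keyFile (the
    mix-up in this thread) makes the private-key step below fail.
    """
    results = []
    for label, path in (("certFile", cert_file), ("keyFile", key_file), ("certDb", cert_db)):
        if path is not None:
            results.append((f"{label} readable", Path(path).is_file(), str(path)))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:  # SSL_CTX_use_certificate_chain_file + SSL_CTX_use_PrivateKey_file,
        # which also checks that the key belongs to the certificate.
        ctx.load_cert_chain(cert_file, key_file, password)
        results.append(("credentials", True, "certFile and keyFile load and match"))
    except (ssl.SSLError, OSError) as exc:
        results.append(("credentials", False, f"{type(exc).__name__}: {exc}"))
    if cert_db is not None:
        try:  # trust anchors for verifying the broker's certificate
            ctx.load_verify_locations(cafile=cert_db)
            results.append(("certDb", True, "CA chain loaded"))
        except (ssl.SSLError, OSError) as exc:
            results.append(("certDb", False, f"{type(exc).__name__}: {exc}"))
    return results


def failed_steps(results):
    """Names of failed steps; an empty list means the router will accept the files."""
    return [step for step, ok, _ in results if not ok]


def demo():
    """Constructed failure: certFile holds no PEM certificate and certDb is missing."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = Path(tmp, "cert_lx.pem"), Path(tmp, "key_lx.pem")
        cert.write_text("this is not a PEM certificate\n")  # constructed sample
        key.write_text("this is not a private key\n")       # constructed sample
        return check_connector_ssl(str(cert), str(key), cert_db=str(Path(tmp, "ca-chain.cert.pem")))


if __name__ == "__main__":
    for step, ok, detail in demo():
        print(("ok  " if ok else "FAIL"), step, detail)
```

Run it against the real cert_lx.pem, key_lx.pem and ca-chain.cert.pem before creating the connector; the "credentials" detail carries the OpenSSL error string the dispatcher log does not show.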
RE: [qpid-dispatch 0.6.0] Client certificate authentication with Java Broker 6.0.0

Posted by Adel Boutros <ad...@live.com>.
It seems the error is coming from the Proton side and is related to my certificate configuration. However, I would expect to have some Proton logs in my log file, but this is not the case. Did I miss something in the configuration?

Qpid-dispatch 0.6.0 (src/server.c)
if (config->ssl_certificate_file) {
    if (pn_ssl_domain_set_credentials(domain,
                                      config->ssl_certificate_file,
                                      config->ssl_private_key_file,
                                      config->ssl_password)) {
        qd_log(ct->server->log_source, QD_LOG_ERROR,
               "SSL local configuration failed for %s:%s",
               ct->config->host, ct->config->port);
    }
}

Proton 0.12.2 (proton-c/src/ssl/openssl.c)
Before returning, for every error there is a log line ("ssl_log_error"), but I cannot find any of them in the dispatch.10396.log file.

int pn_ssl_domain_set_credentials( pn_ssl_domain_t *domain,
                               const char *certificate_file,
                               const char *private_key_file,
                               const char *password)
{
  if (!domain || !domain->ctx) return -1;

  if (SSL_CTX_use_certificate_chain_file(domain->ctx, certificate_file) != 1) {
    ssl_log_error("SSL_CTX_use_certificate_chain_file( %s ) failed", certificate_file);
    return -3;
  }

  if (password) {
    domain->keyfile_pw = pn_strdup(password);  // @todo: obfuscate me!!!
    SSL_CTX_set_default_passwd_cb(domain->ctx, keyfile_pw_cb);
    SSL_CTX_set_default_passwd_cb_userdata(domain->ctx, domain->keyfile_pw);
  }

  if (SSL_CTX_use_PrivateKey_file(domain->ctx, private_key_file, SSL_FILETYPE_PEM) != 1) {
    ssl_log_error("SSL_CTX_use_PrivateKey_file( %s ) failed", private_key_file);
    return -4;
  }
...

Regards,
Adel

> From: adelboutros@live.com
> To: users@qpid.apache.org
> Subject: RE: [qpid-dispatch 0.6.0] Client certificate authentication with Java Broker 6.0.0
> Date: Wed, 13 Jul 2016 12:38:57 +0200
> > From: adelboutros@live.com
> > To: users@qpid.apache.org
> > Subject: [qpid-dispatch 0.6.0] Client certificate authentication with Java Broker 6.0.0
> > Date: Wed, 13 Jul 2016 11:44:05 +0200

RE: [qpid-dispatch 0.6.0] Client certificate authentication with Java Broker 6.0.0

Posted by Adel Boutros <ad...@live.com>.
Actually, I have an error message in the log file of the dispatcher which comes up every 5 seconds (if I am not mistaken, every x seconds the dispatcher will retry to connect to the broker?)

bash$ tail -f dispatch.10396.log
Wed Jul 13 12:35:51 2016 SERVER (error) SSL local configuration failed for localhost:10101
Wed Jul 13 12:35:56 2016 SERVER (error) SSL local configuration failed for localhost:10101
Wed Jul 13 12:36:01 2016 SERVER (error) SSL local configuration failed for localhost:10101
Wed Jul 13 12:36:06 2016 SERVER (error) SSL local configuration failed for localhost:10101

Regards,
Adel

> From: adelboutros@live.com
> To: users@qpid.apache.org
> Subject: [qpid-dispatch 0.6.0] Client certificate authentication with Java Broker 6.0.0
> Date: Wed, 13 Jul 2016 11:44:05 +0200