Posted to users@qpid.apache.org by nicolae claudius <ni...@yahoo.com> on 2010/05/03 15:46:17 UTC

qpid broker require-encryption option and ssl trigger parameter

1. The qpid broker has a parameter:

  --require-encryption                     Only accept connections that are  encrypted

Does this parameter make the AMQP connection encrypted, or does it mean that the broker should speak with the saslauth daemon over a secure connection? It's pretty unclear.

2. After generating proper certificates, one can start an SSL-enabled broker using:

(a)
export CERT_LOC=/root/my_certs/server_db
qpidd  --ssl-cert-db $CERT_LOC/server_db/ \
          --ssl-cert-password-file $CERT_LOC/pfile \
          --ssl-cert-name localhost.localdomain \
          --ssl-port 5674

The parameter that triggers the SSL enabling is "--ssl-cert-db". The problem is that this parameter only enables SSL if given on the command line (a); using it in the configuration file (b) does not enable SSL. Is that by design? I believe it's a bug.

(b)
# in /etc/qpidc.conf
ssl-cert-db = /root/certs/server_db
ssl-cert-password-file /root/certs/pfile
ssl-cert-name = localhost.localdomain
ssl-port = 5674

# start like
# qpidd --config in /etc/qpidc.conf


      

Re: qpid broker require-encryption option and ssl trigger parameter

Posted by Gordon Sim <gs...@redhat.com>.
On 05/03/2010 02:46 PM, nicolae claudius wrote:
> 1. The qpid broker has a parameter:
>
>    --require-encryption                     Only accept connections that are  encrypted
>
> Does this parameter make the AMQP connection encrypted, or does it mean that the broker should speak with the saslauth daemon over a secure connection? It's pretty unclear.
>
> 2. After generating proper certificates, one can start an SSL-enabled broker using:
>
> (a)
> export CERT_LOC=/root/my_certs/server_db
> qpidd  --ssl-cert-db $CERT_LOC/server_db/ \
>            --ssl-cert-password-file $CERT_LOC/pfile \
>            --ssl-cert-name localhost.localdomain \
>            --ssl-port 5674
>
> The parameter that triggers the SSL enabling is "--ssl-cert-db". The problem is that this parameter only enables SSL if given on the command line (a); using it in the configuration file (b) does not enable SSL. Is that by design? I believe it's a bug.

No it is not by design, the option should be configurable via the config 
file but...
>
> (b)
> # in /etc/qpidc.conf
> ssl-cert-db = /root/certs/server_db
> ssl-cert-password-file /root/certs/pfile
> ssl-cert-name = localhost.localdomain
> ssl-port = 5674

...you can't have spaces around the '=' I don't believe.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
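
An added example, not part of the thread or of the Qpid project: a small linter that applies the reply's suggestion to configuration file (b) and also flags the line that has no '=' at all. The one-name=value-per-line format, the function names and the finding labels are assumptions of this example.

```python
# Constructed sample: the configuration file (b) quoted in the thread.
SAMPLE = """\
# in /etc/qpidc.conf
ssl-cert-db = /root/certs/server_db
ssl-cert-password-file /root/certs/pfile
ssl-cert-name = localhost.localdomain
ssl-port = 5674
"""

# Options that the thread's command line (a) passes to enable SSL.
SSL_OPTIONS = ("ssl-cert-db", "ssl-cert-password-file",
               "ssl-cert-name", "ssl-port")


def lint_config(text):
    """Return (findings, normalized_lines, seen_names) for a config text.

    Assumed format (not taken from qpidd documentation): one name=value
    per line, '#' starts a comment, blank lines are ignored.
    """
    findings, normalized, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            normalized.append(raw)
            continue
        if "=" not in line:
            # No separator at all: report it, then split on whitespace
            # as a best-effort repair suggestion.
            findings.append((lineno, "missing-equals", line))
            name, value = (line.split(None, 1) + [""])[:2]
        else:
            name, _, value = line.partition("=")
            if name != name.rstrip() or value != value.lstrip():
                findings.append((lineno, "space-around-equals", line))
        name, value = name.strip(), value.strip()
        seen.add(name)
        normalized.append(f"{name}={value}")
    return findings, normalized, seen


def missing_ssl_options(seen):
    """List the SSL options from command line (a) absent from the file."""
    return [opt for opt in SSL_OPTIONS if opt not in seen]


if __name__ == "__main__":
    findings, normalized, seen = lint_config(SAMPLE)
    for lineno, kind, line in findings:
        print(f"line {lineno}: {kind}: {line!r}")
    print("\n".join(normalized))
    print("missing SSL options:", missing_ssl_options(seen))
```
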


Re: qpid broker require-encryption option and ssl trigger parameter

Posted by Rajith Attapattu <ra...@gmail.com>.
2010/5/3 Ján Sáreník <js...@redhat.com>:
> Hello,
>
> On Mon, May 03, 2010 at 06:46:17AM -0700, nicolae claudius wrote:
>> 1. The qpid broker has a parameter:
>>
>>   --require-encryption      Only accept connections that are  encrypted
>
> That one should mean only SSL-enabled AMQP connections are
> accepted.
>
Small correction.
You can use either SSL or Kerberos encrypted connections.

>  Best regards, Ján

-- 
Regards,

Rajith Attapattu
Red Hat
http://rajith.2rlabs.com/


Re: qpid broker require-encryption option and ssl trigger parameter

Posted by Ján Sáreník <js...@redhat.com>.
Hello,

On Mon, May 03, 2010 at 06:46:17AM -0700, nicolae claudius wrote:
> 1. The qpid broker has a parameter:
> 
>   --require-encryption      Only accept connections that are  encrypted

That one should mean only SSL-enabled AMQP connections are
accepted.

  Best regards, Ján
