You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@qpid.apache.org by nicolae claudius <ni...@yahoo.com> on 2010/05/03 15:46:17 UTC
qpid broker require-encryption option and ssl trigger parameter
1. The qpid broker has a parameter:
--require-encryption Only accept connections that are encrypted
Does this parameter make the AMQP connection encrypted or does it mean that the broker should speak with the saslauth daemon over a secure connection ? It's a pretty unclear.
2. After generating proper certificates, one can start a SSL-enabled broker using:
(a)
export $CERT_LOC=/root/my_certs/server_db
qpidd --ssl-cert-db $CERT_LOC/server_db/ \
--ssl-cert-password-file $CERT_LOC/pfile \
--ssl-cert-name localhost.localdomain \
--ssl-port 5674
The parameter that triggers the SSL-enableing is "--ssl-cert-db". The problem is that this parameter only enables the SSL if given in the command line (a), using it in the configuration file (b) does not enable SSL. Is that by design ? I belive it's a bug.
(b)
# in /etc/qpidc.conf
ssl-cert-db = /root/certs/server_db
ssl-cert-password-file /root/certs/pfile
ssl-cert-name = localhost.localdomain
ssl-port = 5674
# start like
# qpidd --config in /etc/qpidc.conf
Re: qpid broker require-encryption option and ssl trigger parameter
Posted by Gordon Sim <gs...@redhat.com>.
On 05/03/2010 02:46 PM, nicolae claudius wrote:
> 1. The qpid broker has a parameter:
>
> --require-encryption Only accept connections that are encrypted
>
> Does this parameter make the AMQP connection encrypted or does it mean that the broker should speak with the saslauth daemon over a secure connection ? It's a pretty unclear.
>
> 2. After generating proper certificates, one can start a SSL-enabled broker using:
>
> (a)
> export $CERT_LOC=/root/my_certs/server_db
> qpidd --ssl-cert-db $CERT_LOC/server_db/ \
> --ssl-cert-password-file $CERT_LOC/pfile \
> --ssl-cert-name localhost.localdomain \
> --ssl-port 5674
>
> The parameter that triggers the SSL-enableing is "--ssl-cert-db". The problem is that this parameter only enables the SSL if given in the command line (a), using it in the configuration file (b) does not enable SSL. Is that by design ? I belive it's a bug.
No it is not by design, the option should be configurable via the config
file but...
>
> (b)
> # in /etc/qpidc.conf
> ssl-cert-db = /root/certs/server_db
> ssl-cert-password-file /root/certs/pfile
> ssl-cert-name = localhost.localdomain
> ssl-port = 5674
...you can't have spaces around the '=' I don't believe.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
Re: qpid broker require-encryption option and ssl trigger parameter
Posted by Rajith Attapattu <ra...@gmail.com>.
2010/5/3 Ján Sáreník <js...@redhat.com>:
> Hello,
>
> On Mon, May 03, 2010 at 06:46:17AM -0700, nicolae claudius wrote:
>> 1. The qpid broker has a parameter:
>>
>> --require-encryption Only accept connections that are encrypted
>
> That one should mean only SSL-enabled AMQP connections are
> accepted.
>
Small correction.
You can use either SSL or Kerberos encrypted connections.
> Best regards, Ján
>
> ---------------------------------------------------------------------
> Apache Qpid - AMQP Messaging Implementation
> Project: http://qpid.apache.org
> Use/Interact: mailto:users-subscribe@qpid.apache.org
>
>
--
Regards,
Rajith Attapattu
Red Hat
http://rajith.2rlabs.com/
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
Re: qpid broker require-encryption option and ssl trigger parameter
Posted by Ján Sáreník <js...@redhat.com>.
Hello,
On Mon, May 03, 2010 at 06:46:17AM -0700, nicolae claudius wrote:
> 1. The qpid broker has a parameter:
>
> --require-encryption Only accept connections that are encrypted
That one should mean only SSL-enabled AMQP connections are
accepted.
Best regards, Ján
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org