Posted to commits@qpid.apache.org by gm...@apache.org on 2018/01/15 16:36:16 UTC

qpid-dispatch git commit: DISPATCH-906 - Create procedure for integrating dispatch router with kerberos. This closes #241

Repository: qpid-dispatch
Updated Branches:
  refs/heads/master 0f521c0de -> e9f8502ea


DISPATCH-906 - Create procedure for integrating dispatch router with kerberos. This closes #241


Project: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/commit/e9f8502e
Tree: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/tree/e9f8502e
Diff: http://git-wip-us.apache.org/repos/asf/qpid-dispatch/diff/e9f8502e

Branch: refs/heads/master
Commit: e9f8502ea393720c451f99d9a2a34e3e2332c09a
Parents: 0f521c0
Author: Ben Hardesty <bh...@redhat.com>
Authored: Wed Jan 3 17:28:36 2018 -0500
Committer: Ganesh Murthy <gm...@redhat.com>
Committed: Mon Jan 15 11:30:34 2018 -0500

----------------------------------------------------------------------
 doc/new-book/configuration-security.adoc | 60 +++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-dispatch/blob/e9f8502e/doc/new-book/configuration-security.adoc
----------------------------------------------------------------------
diff --git a/doc/new-book/configuration-security.adoc b/doc/new-book/configuration-security.adoc
index 5c63afb..9341f7e 100644
--- a/doc/new-book/configuration-security.adoc
+++ b/doc/new-book/configuration-security.adoc
@@ -352,3 +352,63 @@ For a full list of supported Cyrus SASL authentication mechanisms, see link:http
 `saslUsername`:: If any of the SASL mechanisms uses username/password authentication, then provide the username to connect to the external container.
 `saslPassword`:: If any of the SASL mechanisms uses username/password authentication, then provide the password to connect to the external container.
 --
+
+[[integrating_with_kerberos]]
+== Integrating with Kerberos
+
+By using the `GSSAPI` SASL mechanism, you can configure {RouterName} to authenticate incoming connections using Kerberos.
+
+.Prerequisites
+
+* A Kerberos infrastructure must be deployed in your environment.
+
+* In the Kerberos environment, a service principal of `amqp/_HOSTNAME_@_REALM_` must be configured.
++
+This is the service principal that {RouterName} uses.
+
+* The `cyrus-sasl-gssapi` package must be installed on each client and router host machine.
+
+* xref:setting_up_sasl_for_authentication_and_payload_encryption[SASL must be set up for {RouterName}].
+
+.Procedure
+
+. On the router's host machine, open the `/etc/sasl2/qdrouterd.conf` configuration file.
++
+--
+.An `/etc/sasl2/qdrouterd.conf` Configuration File
+====
+[options="nowrap"]
+----
+pwcheck_method: auxprop
+auxprop_plugin: sasldb
+sasldb_path: qdrouterd.sasldb
+keytab: /etc/krb5.keytab
+mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN GSSAPI
+----
+====
+--
+
+. Verify the following:
+** The `mech_list` attribute contains the `GSSAPI` mechanism.
+** The `keytab` attribute points to the location of the keytab file.
+
+
+. Open the router's configuration file.
+
+. For each incoming connection that should use Kerberos for authentication, set the router's `listener` to use the `GSSAPI` mechanism.
++
+--
+.A `listener` in the Router Configuration File
+====
+[options="nowrap"]
+----
+listener {
+    ...
+    authenticatePeer: yes
+    saslMechanisms: GSSAPI
+}
+----
+====
+
+For more information about these attributes, see xref:adding_sasl_authentication_to_incoming_connection[].
+--
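
Review bot: The sample `/etc/sasl2/qdrouterd.conf` shows `mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN GSSAPI`, and the verify step only checks that `GSSAPI` is present, so nothing tells the reader that the other mechanisms are optional. Someone setting up a Kerberos-only router is likely to copy `ANONYMOUS` and `PLAIN` along with it. Suggest either trimming the sample to the mechanisms this procedure needs, or adding a sentence that the listener's `saslMechanisms: GSSAPI` is what restricts a given listener to Kerberos and that the remaining `mech_list` entries should match what the deployment actually wants to offer. In the same step, "The `keytab` attribute points to the location of the keytab file" could state that the keytab must hold the key for the `amqp/_HOSTNAME_@_REALM_` service principal named in the prerequisites and must be readable by the account the router runs as, since the sample uses the system-wide `/etc/krb5.keytab`. Minor: there is a doubled blank line after the "Verify the following" step, and the procedure ends without saying whether the router has to be restarted for the changes to take effect.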

