Posted to dev@qpid.apache.org by Kerry Bonin <ke...@gmail.com> on 2010/02/03 21:42:39 UTC

Status of Windows SSL / ACL ?

Hello!  I had a few questions regarding the state of broker security for
Windows platforms.

On the SSL front, I see QPID-1403 has been resolved, and I can now build w/
BUILD_SSL enabled.  What I haven't been able to get working yet is to get my
broker to actually load a certificate - ::CertFindCertificateInStore fails.
On this issue, do we have a known good set of instructions to generate a
working system?  The Windows error ("Cannot find object or property") is so
vague I'm not sure why it isn't loading my cert.  I'm generating a
self-signed cert w/ openssl, loading as trusted root cert, generating a
client cert w/ the CN of my node, converting to pkcs12 along w/ password
free private key and importing to the personal store w/ friendly name of
node, not sure what else I need to do...

On the ACL front, QPID-1842 is still keeping Windows link from working.  Any
idea when this will be fixed?

On a related note, I have time to help fix these, as I need secure broker
(with clustering) on the Windows platform working in the next few months for
my project here.

Appreciate any pointers, and please let me know if there is anything I can
do to help...

Kerry Bonin
Sr. Systems Architect
GE Security

RE: Status of Windows SSL / ACL ?

Posted by "Cliff Jansen (Interop Systems Inc)" <v-...@microsoft.com>.
Hi Kerry,

By coincidence, I have gone through the certificate learning curve in
the last few days.

The Windows broker currently supports registry-based (as opposed to
file-based) certificates that are in a certificate store that is
scoped to the local machine (not the current user).  I am not up to
speed on mixing OpenSSL data files with Windows registry stores.  You
can try the following (with Administrator privilege) to create a new
self-signed cert:

  makecert -ss qpidstore -n "CN=myserver" -r -sr localmachine myserver.cer

Where qpidstore is an arbitrary store name to place your qpid related
cert(s) and myserver is the name the clients expect your server's
common name to be.  This registry entry contains the private and
public keys of the certificate.

myserver.cer contains the public key.  You must import this into the
trusted roots on Windows via certmgr for each client that needs to
connect to the server.  You can examine it from OpenSSL via
  openssl x509 -in myserver.cer -inform DER -text

To run the server, again as Administrator:

  qpidd --ssl-cert-name myserver --ssl-cert-store qpidstore --other-args

I am not aware that anyone is currently working on QPID-1842.  If you
have time to donate here, it would be greatly appreciated.  But note:

> [...] I need secure broker (with clustering) on the Windows platform working
> in the next few months for my project here.

Clustering support has not yet been ported to Windows.  I am not aware
that it has even been seriously scoped in terms of effort.  Steve
Huston would be the best source of information on this.

Cliff


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
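A PowerShell version of the certificate setup Cliff describes above, added here as an illustration; it is not code from this thread or from the Qpid project. It assumes an elevated prompt on a newer Windows (8 / Server 2012 or later) where the PKI module's New-SelfSignedCertificate and Export-Certificate cmdlets replace makecert, and that New-SelfSignedCertificate accepts a custom store path under LocalMachine. The store name qpidstore and CN myserver are the thread's values; the Test-QpidServerCert function is a hypothetical pre-flight check, not part of qpidd.

```powershell
# Added example, not from the thread or the Qpid project.
# Assumes: elevated Windows PowerShell on Windows 8 / Server 2012 or later
# (New-SelfSignedCertificate and Export-Certificate from the PKI module).
# Store name "qpidstore" and CN "myserver" are the values used in the thread.
$StoreName  = 'qpidstore'
$CommonName = 'myserver'

# Open (and thereby create, if absent) the custom store under LocalMachine.
# The broker reads a machine-scoped store, so a cert in a CurrentUser store
# is never consulted, however correct it is otherwise.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
$store.Open('ReadWrite')
$store.Close()

# Self-signed certificate with its private key, created straight into LocalMachine\qpidstore
# (assumption: the cmdlet accepts a non-"My" store path here).
$cert = New-SelfSignedCertificate -Subject "CN=$CommonName" `
    -CertStoreLocation "Cert:\LocalMachine\$StoreName" `
    -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2)

# Public part only (DER), the file each client imports into
# Trusted Root Certification Authorities; same content makecert wrote to myserver.cer.
Export-Certificate -Cert $cert -FilePath ".\$CommonName.cer" -Type CERT | Out-Null

# Pre-flight check (hypothetical helper) mirroring what the broker's lookup needs:
# machine scope, exact subject CN, an associated private key, and not expired.
# Missing any one of these is a typical cause of a "not found" style failure at startup.
function Test-QpidServerCert {
    param([string]$Store, [string]$CN)
    $match = Get-ChildItem "Cert:\LocalMachine\$Store" |
        Where-Object { $_.Subject -eq "CN=$CN" }
    if (-not $match) { throw "No certificate with CN=$CN in LocalMachine\$Store" }
    foreach ($c in @($match)) {
        if (-not $c.HasPrivateKey)        { throw "Certificate $($c.Thumbprint) has no private key" }
        if ($c.NotAfter -lt (Get-Date))   { throw "Certificate $($c.Thumbprint) has expired" }
    }
    return $match
}

Test-QpidServerCert -Store $StoreName -CN $CommonName |
    Format-Table Subject, Thumbprint, NotAfter, HasPrivateKey -AutoSize
```

Run the check before starting qpidd with --ssl-cert-name myserver --ssl-cert-store qpidstore; if it passes and the broker still fails, the remaining difference is usually the account the broker runs under, which needs read access to the private key (the thread sidesteps this by running as Administrator). The OpenSSL inspection Cliff shows (openssl x509 -in myserver.cer -inform DER -text) works unchanged on the exported file.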


RE: Status of Windows SSL / ACL ?

Posted by Steve Huston <sh...@riverace.com>.
Hi Kerry,

> Hello!  I had a few questions regarding the state of broker 
> security for Windows platforms.
> 
> On the SSL front, I see QPID-1403 has been resolved, and I 
> can now build w/ BUILD_SSL enabled.  What I haven't been able 
> to get working yet is to get my broker to actually load a 
> certificate - ::CertFindCertificateInStore fails. On this 
> issue, do we have a known good set of instructions to 
> generate a working system?

I think Cliff is planning to write up some notes expanding on his reply
to you last week.

> On the ACL front, QPID-1842 is still keeping Windows link 
> from working.  Any idea when this will be fixed?

I put in a workaround last night - it now will build the ACL support
into the broker, not as a separate plug-in as for Linux.

> On a related note, I have time to help fix these, as I need 
> secure broker (with clustering) on the Windows platform 
> working in the next few months for my project here.
> 
> Appreciate any pointers, and please let me know if there is 
> anything I can do to help...

Give it a go with the ACL stuff... If you have time to translate the
cpp/src/tests/run_acl_test to Powershell that would be great too. Please
attach any changes, fixes, improvements, etc. to a new jira and assign
to Apache.

Thanks,
-Steve
