Posted to users@qpid.apache.org by mrich <Ma...@qxlva.com> on 2013/10/03 17:03:23 UTC

Specifying SSL information in URL for AMQP 1.0

Hi,

I am having difficulties passing SSL (keystore/truststore) information into
the AMQP 1.0 Java client libraries.

I am currently using the createFromURL method to generate the connection
from a URL that includes SSL parameters as defined here
<http://qpid.apache.org/releases/qpid-0.20/programming/book/QpidJNDI.html#section-jms-connection-url>.

String connectionUrl =
"amqps://guest:guest@localhost/?brokerlist='tcp://localhost:5671?ssl='true'&key_store='C:/apache-activemq-5.8.0/conf/client.ks'&key_store_password='password'&trust_store='C:/apache-activemq-5.8.0/conf/client.ts'&trust_store_password='password'";
ConnectionFactoryImpl connectionFactory =
ConnectionFactoryImpl.createFromURL(connectionUrl);

However this fails during SSL handshake and after enabling ssl debugging I
notice that the keystore information doesn't appear to be picked up:
keyStore is : 
trustStore is: C:\Program Files\Java\jdk1.7.0_17\jre\lib\security\cacerts

The parsing of the String and the ConnectionFactoryImpl does not appear to
be aware of the trust store information.

This is similar to an old post here
<http://qpid.2158936.n2.nabble.com/SSL-option-td7591508.html>, and I have
checked my example against the suggestions on that post.

For clarification, if I set the JVM options (e.g. -Djavax.net.ssl.keyStore)
then the SSL handshake works correctly (but I cannot use this method outside
of testing).

Any help in resolving this issue is appreciated.



--
View this message in context: http://qpid.2158936.n2.nabble.com/Specifying-SSL-information-in-URL-for-AMQP-1-0-tp7598974.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org


Re: Specifying SSL information in URL for AMQP 1.0

Posted by mrich <Ma...@qxlva.com>.
Hi Rob,

I have raised a JIRA for the SSL parameters:
https://issues.apache.org/jira/browse/QPIDJMS-7

Please feel free to 'tidy it up' as you see fit.

I agree with your sentiments regarding the failover, I was just wondering if
it was provided given its presence in the earlier version of the client. I
will find a solution to this outside of this Qpid library.

Thanks for your time in responding to this question.

Matt





Re: Specifying SSL information in URL for AMQP 1.0

Posted by Rob Godfrey <ro...@gmail.com>.
Hi Matthew,

adding the ssl parameters seems like a sensible addition to the JMS AMQP
1.0 client - can you raise a JIRA for that:
https://issues.apache.org/jira/secure/CreateIssue!default.jspa?selectedProjectId=10450
and we can look to include that for the next release.

As to failover, I think that is better handled at an application level
(either directly, or using a library or framework which provides such
behaviour).  Since there is currently no special handling of failover in
AMQP, the functionality would be common with any JMS provider and as such
should be able to be built on top of the JMS client rather than within it.
Moreover our experience around failover is that depending on the
application use case the type of failover required can be very different
(transient topic subscriptions and transacted persistent point to point
generally (but not always) require different failover semantics for
example).

Hope this helps,
Rob


On 4 October 2013 18:21, Robbie Gemmell <ro...@gmail.com> wrote:

> The 1.0 client does not currently have any built in failover functionality.
>
> Robbie
>
> On 4 October 2013 16:44, Matthew Rich <Ma...@qxlva.com> wrote:
>
> > Hi Robbie,
> >
> > The scenario I am talking about was the second one, where I will be using
> > distinct client certificates for SSL client-auth to different connections.
> >
> > Basically, I would like to be able to provide an SSL context down through
> > to the connection in a similar way to how other APIs work or as the URL
> > parameters allowed in the client for the earlier protocols.
> >
> > I believe the failover params also used to be available through the
> > connection URL, is there an alternate mechanism for specifying these in the
> > AMQP 1.0 client library?
> >
> > Thanks for your responses.
> >
> >
> >
> > --
> > Matthew Rich
> >
> > -----Original Message-----
> > From: Robbie Gemmell [mailto:robbie.gemmell@gmail.com]
> > Sent: 04 October 2013 15:51
> > To: users@qpid.apache.org
> > Subject: Re: Specifying SSL information in URL for AMQP 1.0
> >
> > Do you mean multiple brokers using distinct certificates, or multiple
> > connections (to one or many brokers) using distinct client certificates for
> > SSL client-auth purposes?
> >
> > The former would just require adding multiple entries to the configured
> > truststore, whereas the latter would obviously require either the ability
> > to set distinct keystores or ability to specify which key should be used
> > from multiple entries in a single store, which I don't believe the 1.0
> > client can currently do (mainly as its existence came primarily from
> > prototyping work undertaken during creation of the AMQP 1.0 specification
> > itself).
> >
> > Robbie
> >
> > On 4 October 2013 13:59, mrich <Ma...@qxlva.com> wrote:
> >
> > > Hi Robbie,
> > >
> > > Thanks for the clarification, I thought as much (as posted in my 'edited'
> > > original post), I was just hoping there is some other way of dictating
> > > this, which presumably there is not (without creating my own factory I
> > > guess)
> > >
> > > The problem I have is if you think of a scenario where you need to
> > > send messages to multiple queues that are represented by different
> > > clients and therefore secured by different certificates meaning I
> > > cannot use the global (JVM) settings.
> > >
> > > Do you believe that the API should provide a way of customising the
> > > security information on a per connection/factory basis, which would
> > > warrant a jira issue being raised?
> > >
> > > Thanks for your patient response.

Re: Specifying SSL information in URL for AMQP 1.0

Posted by Robbie Gemmell <ro...@gmail.com>.
The 1.0 client does not currently have any built in failover functionality.

Robbie

On 4 October 2013 16:44, Matthew Rich <Ma...@qxlva.com> wrote:

> Hi Robbie,
>
> The scenario I am talking about was the second one, where I will be using
> distinct client certificates for SSL client-auth to different connections.
>
> Basically, I would like to be able to provide an SSL context down through
> to the connection in a similar way to how other APIs work or as the URL
> parameters allowed in the client for the earlier protocols.
>
> I believe the failover params also used to be available through the
> connection URL, is there an alternate mechanism for specifying these in the
> AMQP 1.0 client library?
>
> Thanks for your responses.
>
>
>
> --
> Matthew Rich
>
> -----Original Message-----
> From: Robbie Gemmell [mailto:robbie.gemmell@gmail.com]
> Sent: 04 October 2013 15:51
> To: users@qpid.apache.org
> Subject: Re: Specifying SSL information in URL for AMQP 1.0
>
> Do you mean multiple brokers using distinct certificates, or multiple
> connections (to one or many brokers) using distinct client certificates for
> SSL client-auth purposes?
>
> The former would just require adding multiple entries to the configured
> truststore, whereas the latter would obviously require either the ability
> to set distinct keystores or ability to specify which key should be used
> from multiple entries in a single store, which I don't believe the 1.0
> client can currently do (mainly as its existence came primarily from
> prototyping work undertaken during creation of the AMQP 1.0 specification
> itself).
>
> Robbie
>
> On 4 October 2013 13:59, mrich <Ma...@qxlva.com> wrote:
>
> > Hi Robbie,
> >
> > Thanks for the clarification, I thought as much (as posted in my 'edited'
> > original post), I was just hoping there is some other way of dictating
> > this, which presumably there is not (without creating my own factory I
> > guess)
> >
> > The problem I have is if you think of a scenario where you need to
> > send messages to multiple queues that are represented by different
> > clients and therefore secured by different certificates meaning I
> > cannot use the global (JVM) settings.
> >
> > Do you believe that the API should provide a way of customising the
> > security information on a per connection/factory basis, which would
> > warrant a jira issue being raised?
> >
> > Thanks for your patient response.

RE: Specifying SSL information in URL for AMQP 1.0

Posted by Matthew Rich <Ma...@qxlva.com>.
Hi Robbie,

The scenario I am talking about was the second one, where I will be using distinct client certificates for SSL client-auth to different connections.

Basically, I would like to be able to provide an SSL context down through to the connection in a similar way to how other APIs work or as the URL parameters allowed in the client for the earlier protocols.

I believe the failover params also used to be available through the connection URL, is there an alternate mechanism for specifying these in the AMQP 1.0 client library?

Thanks for your responses.



--
Matthew Rich

-----Original Message-----
From: Robbie Gemmell [mailto:robbie.gemmell@gmail.com] 
Sent: 04 October 2013 15:51
To: users@qpid.apache.org
Subject: Re: Specifying SSL information in URL for AMQP 1.0

Do you mean multiple brokers using distinct certificates, or multiple connections (to one or many brokers) using distinct client certificates for SSL client-auth purposes?

The former would just require adding multiple entries to the configured truststore, whereas the latter would obviously require either the ability to set distinct keystores or ability to specify which key should be used from multiple entries in a single store, which I don't believe the 1.0 client can currently do (mainly as its existence came primarily from prototyping work undertaken during creation of the AMQP 1.0 specification itself).

Robbie

On 4 October 2013 13:59, mrich <Ma...@qxlva.com> wrote:

> Hi Robbie,
>
> Thanks for the clarification, I thought as much (as posted in my 'edited'
> original post), I was just hoping there is some other way of dictating 
> this, which presumably there is not (without creating my own factory I 
> guess)
>
> The problem I have is if you think of a scenario where you need to
> send messages to multiple queues that are represented by different
> clients and therefore secured by different certificates meaning I
> cannot use the global (JVM) settings.
>
> Do you believe that the API should provide a way of customising the 
> security information on a per connection/factory basis, which would 
> warrant a jira issue being raised?
>
> Thanks for your patient response.


Re: Specifying SSL information in URL for AMQP 1.0

Posted by Robbie Gemmell <ro...@gmail.com>.
Do you mean multiple brokers using distinct certificates, or multiple
connections (to one or many brokers) using distinct client certificates for
SSL client-auth purposes?

The former would just require adding multiple entries to the configured
truststore, whereas the latter would obviously require either the ability
to set distinct keystores or ability to specify which key should be used
from multiple entries in a single store, which I don't believe the 1.0
client can currently do (mainly as its existence came primarily from
prototyping work undertaken during creation of the AMQP 1.0 specification
itself).

Robbie

On 4 October 2013 13:59, mrich <Ma...@qxlva.com> wrote:

> Hi Robbie,
>
> Thanks for the clarification, I thought as much (as posted in my 'edited'
> original post), I was just hoping there is some other way of dictating
> this, which presumably there is not (without creating my own factory I
> guess)
>
> The problem I have is if you think of a scenario where you need to send
> messages to multiple queues that are represented by different clients and
> therefore secured by different certificates meaning I cannot use the global
> (JVM) settings.
>
> Do you believe that the API should provide a way of customising the
> security information on a per connection/factory basis, which would
> warrant a jira issue being raised?
>
> Thanks for your patient response.

Re: Specifying SSL information in URL for AMQP 1.0

Posted by mrich <Ma...@qxlva.com>.
Hi Robbie,

Thanks for the clarification, I thought as much (as posted in my 'edited'
original post), I was just hoping there is some other way of dictating this,
which presumably there is not (without creating my own factory I guess)

The problem I have is if you think of a scenario where you need to send
messages to multiple queues that are represented by different clients and
therefore secured by different certificates meaning I cannot use the global
(JVM) settings.

Do you believe that the API should provide a way of customising the security
information on a per connection/factory basis, which would warrant a jira
issue being raised?

Thanks for your patient response.





Re: Specifying SSL information in URL for AMQP 1.0

Posted by Robbie Gemmell <ro...@gmail.com>.
The 1.0 client is using the default SSL socket factory, so you can either
configure the JVM at startup using the javax.net.ssl.* system properties or
update the JVM default SSL stores.

Robbie

On 4 October 2013 12:36, mrich <Ma...@qxlva.com> wrote:

> Thanks, so if the URL parameters are for the earlier version of the AMQP
> protocol how are you supposed to specify the SSL information for an AMQP 1.0
> based connection?
>
> Is it possible?
>
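
Added example (not part of the thread, and not Qpid code): the JVM-wide javax.net.ssl.* configuration described in the reply above, contrasted with the per-connection setup asked about elsewhere in the thread, using only standard JSSE classes. It builds one SSLContext per client keystore so that two connections can present different client certificates. The class name and the KS_A_PASS, KS_B_PASS and TS_PASS environment variables are hypothetical; the stores are assumed to be JKS with the key password equal to the store password, and passing the context into a client library is not shown.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Added example: one SSLContext per client identity (hypothetical class name).
public class PerConnectionTls {

    // Load a store from disk. Assumption: the .ks/.ts files are JKS.
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        return ks;
    }

    // Subjects of the private-key entries, i.e. the identities this store can
    // present for client-auth. An empty list means no client certificate
    // would be available to send during the handshake.
    static List<String> clientIdentities(KeyStore ks) throws Exception {
        List<String> subjects = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias) && ks.getCertificate(alias) instanceof X509Certificate) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                subjects.add(alias + " -> " + cert.getSubjectX500Principal().getName());
            }
        }
        return subjects;
    }

    // Build a context whose key and trust material come from these stores only.
    // Nothing here reads or writes the javax.net.ssl.* system properties.
    static SSLContext contextFor(KeyStore keys, char[] keyPassword, KeyStore trust)
            throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPassword); // assumption: key password == store password
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Passwords come from the environment rather than from a URL or source code.
    static char[] env(String name) {
        String value = System.getenv(name);
        if (value == null) {
            throw new IllegalStateException("environment variable " + name + " is not set");
        }
        return value.toCharArray();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: PerConnectionTls <clientA.ks> <clientB.ks> <trust.ts>");
            return;
        }
        KeyStore trust = load(args[2], env("TS_PASS"));
        String[] passwordVars = {"KS_A_PASS", "KS_B_PASS"}; // hypothetical names
        for (int i = 0; i < 2; i++) {
            char[] password = env(passwordVars[i]);
            KeyStore keys = load(args[i], password);
            SSLContext ctx = contextFor(keys, password, trust);
            System.out.println(args[i] + " presents " + clientIdentities(keys)
                    + " via " + ctx.getSocketFactory());
        }
        // The JVM-wide setting is untouched by the per-connection contexts.
        System.out.println("javax.net.ssl.keyStore = "
                + System.getProperty("javax.net.ssl.keyStore"));
    }
}
```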

Re: Specifying SSL information in URL for AMQP 1.0

Posted by mrich <Ma...@qxlva.com>.
Thanks, so if the URL parameters are for the earlier version of the AMQP
protocol how are you supposed to specify the SSL information for an AMQP 1.0
based connection?

Is it possible?





Re: Specifying SSL information in URL for AMQP 1.0

Posted by Robbie Gemmell <ro...@gmail.com>.
Hi Matthew,

The documentation you are referring to applies to the AMQP
0-8/0-9/0-9-1/0-10 JMS client, and not the distinct AMQP 1.0 JMS client you
are using.

The URL format for using SSL with the 1.0 client is:
amqps://<username>:<password>@<host>

Robbie

On 3 October 2013 16:03, mrich <Ma...@qxlva.com> wrote:

> Hi,
>
> I am having difficulties passing SSL (keystore/truststore) information into
> the AMQP 1.0 Java client libraries.
>
> I am currently using the createFromURL method to generate the connection
> from a URL that includes SSL parameters as defined here
> <http://qpid.apache.org/releases/qpid-0.20/programming/book/QpidJNDI.html#section-jms-connection-url>.
>
> String connectionUrl =
> "amqps://guest:guest@localhost/?brokerlist='tcp://localhost:5671?ssl='true'&key_store='C:/apache-activemq-5.8.0/conf/client.ks'&key_store_password='password'&trust_store='C:/apache-activemq-5.8.0/conf/client.ts'&trust_store_password='password'";
> ConnectionFactoryImpl connectionFactory =
> ConnectionFactoryImpl.createFromURL(connectionUrl);
>
> However this fails during SSL handshake and after enabling ssl debugging I
> notice that the keystore information doesn't appear to be picked up:
> keyStore is :
> trustStore is: C:\Program Files\Java\jdk1.7.0_17\jre\lib\security\cacerts
>
> The parsing of the String and the ConnectionFactoryImpl does not appear to
> be aware of the trust store information.
>
> This is similar to an old post here
> <http://qpid.2158936.n2.nabble.com/SSL-option-td7591508.html>, and I have
> checked my example against the suggestions on that post.
>
> For clarification, if I set the JVM options (e.g. -Djavax.net.ssl.keyStore)
> then the SSL handshake works correctly (but I cannot use this method outside
> of testing).
>
> Any help in resolving this issue is appreciated.
>