qpidd.rst

QPID Configuration

This page describes qpidd SSL configuration.

Here are some helpful links:

RPMS

The SSL configuration for QPID is based on NSS, so the certutil tool must be installed to manage the NSS certificate databases. The qpidd-ssl package must also be installed to enable SSL on the qpid broker.

Fedora:

  • nss-tools - contains certutil used to manage NSS database for SSL.
  • qpidd-ssl - contains ssl.so which enables SSL.

Certificates

The easiest way to create the NSS DB and the SSL certificates needed is to run nss-db-gen from <gofer.git>/tools.

[jortel@~]$ cd git/gofer/tools
[jortel@localhost tools]$ nss-db-gen
bash: nss-db-gen: command not found
[jortel@localhost tools]$ ./nss-db-gen

Working in: /tmp/tmp20823


Please specify a directory into which the created NSS database
and associated certificates will be installed.

Enter a directory [/tmp/redhat/qpid]:
/tmp/redhat/qpid

Enter NSS database password:

Please specify a CA.  Generated if not specified.

Enter a path:

Password file created.

Database created.

Creating CA certificate:


Generating key.  This may take a few moments...

CA created

Creating BROKER certificate:


Generating key.  This may take a few moments...

Broker certificate created.

Creating CLIENT certificate:


Generating key.  This may take a few moments...

Client certificate created.
Enter Password or Pin for "NSS Certificate DB":
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
Enter Import Password:
MAC verified OK
Client key & certificate exported

Artifacts copied to: /tmp/redhat/qpid.

Please update /etc/qpidd.conf as follows:

....
auth=no
....
# SSL
require-encryption=yes
ssl-require-client-authentication=yes
ssl-cert-db=/tmp/redhat/qpid/nss
ssl-cert-password-file=/tmp/redhat/qpid/nss/password
ssl-cert-name=broker
ssl-port=5674
...


Please configure gofer as follows:

...
[messaging]
url=ssl://<host>:5674
cacert=/tmp/redhat/qpid/ca.crt
clientcert=/tmp/redhat/qpid/client.crt

Files generated by the script:

redhat/
redhat/qpid
redhat/qpid/broker.crt
redhat/qpid/client.crt
redhat/qpid/nss
redhat/qpid/nss/secmod.db
redhat/qpid/nss/password
redhat/qpid/nss/key3.db
redhat/qpid/nss/cert8.db
redhat/qpid/ca.crt

Notes:

  • The directory asked for at the "Enter a directory [/tmp/redhat/qpid]:" prompt can be any directory.
  • The passwords can be anything.

Configuration

QPID

Edit /etc/qpidd.conf:

auth

Require authentication. (value: no)

require-encryption

Require all connections to use SSL. (value: yes)

ssl-require-client-authentication

Require client SSL certificates for all SSL connections. (value: yes)

ssl-cert-db

The fully qualified path to the NSS DB. (example: /tmp/redhat/qpid/nss)

ssl-cert-password-file

The fully qualified path to the password file used to access the NSS DB. (example: /tmp/redhat/qpid/nss/password)

ssl-cert-name

The name of the certificate in the NSS DB to be used by the qpid broker. (example: broker)

ssl-port

The port to be used for SSL connections. (example: 5671)

Gofer Agent

Edit /etc/gofer/plugins/<yourplugin>.conf and, under the [messaging] section, set:

url

The URL to the qpid broker. Protocol choices: tcp=plain, ssl=SSL. (example: ssl://<host>:5671)

cacert

The fully qualified path to the CA certificate used to validate the broker. (example: /tmp/redhat/qpid/ca.crt)

clientcert

The fully qualified path to a file containing both the client private key and certificate. (example: /tmp/redhat/qpid/client.crt)
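A checker for the two configuration files described above, the /etc/qpidd.conf settings under "QPID" and the [messaging] settings under "Gofer Agent", as an added example. It is not part of the gofer project or its nss-db-gen tool. It assumes the flat key=value layout of /etc/qpidd.conf with '#' comments and the INI-style [messaging] section shown on this page; the sample configs are constructed from the page's values, and file existence and permissions are looked up through injectable callables so the script runs without a real NSS database.

```python
"""Sanity-check the SSL settings this page asks for in /etc/qpidd.conf and in
a gofer plugin's [messaging] section.

Added example, not gofer project code. The parse/check helpers assume the
key=value formats shown on the page; sample inputs below are constructed.
"""
import os
import stat
from typing import Callable, Dict, List


def parse_kv(text: str) -> Dict[str, Dict[str, str]]:
    """Parse key=value lines grouped by [section]. Keys before any section
    header go in section ''. Blank lines, '#' comments and the '...' elision
    lines from the page's listings are skipped."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or set(line) == {"."}:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def _file_mode(path: str) -> int:
    """Permission bits of a file (default 'mode' callable)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def check_qpidd(text: str,
                exists: Callable[[str], bool] = os.path.exists,
                mode: Callable[[str], int] = _file_mode) -> List[str]:
    """Findings for /etc/qpidd.conf; empty means it matches the page's settings."""
    conf = parse_kv(text)[""]
    findings: List[str] = []
    if conf.get("require-encryption", "no") != "yes":
        findings.append("require-encryption!=yes: plaintext tcp connections are still accepted")
    if conf.get("ssl-require-client-authentication", "no") != "yes":
        # With auth=no (as the page recommends) the client certificate is the
        # only thing identifying a connecting agent.
        why = "; with auth=no this is the only authentication" if conf.get("auth") == "no" else ""
        findings.append("ssl-require-client-authentication!=yes: clients need no certificate" + why)
    if not conf.get("ssl-cert-name"):
        findings.append("ssl-cert-name missing: broker has no certificate to present")
    if not conf.get("ssl-port", "").isdigit():
        findings.append("ssl-port missing or not numeric")
    for key in ("ssl-cert-db", "ssl-cert-password-file"):
        path = conf.get(key)
        if not path:
            findings.append(f"{key} missing")
        elif not exists(path):
            findings.append(f"{key} does not exist: {path}")
    pw = conf.get("ssl-cert-password-file")
    if pw and exists(pw) and mode(pw) & 0o077:
        findings.append(f"{pw} is readable by group/other; it unlocks the NSS DB holding the broker key")
    return findings


def check_gofer(text: str,
                exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Findings for the [messaging] section of /etc/gofer/plugins/<plugin>.conf."""
    msg = parse_kv(text).get("messaging", {})
    findings: List[str] = []
    url = msg.get("url", "")
    if not url.startswith("ssl://"):
        findings.append(f"url is not ssl://: {url or '<missing>'}")
    for key in ("cacert", "clientcert"):
        path = msg.get(key)
        if not path:
            findings.append(f"{key} missing")
        elif not exists(path):
            findings.append(f"{key} does not exist: {path}")
    return findings


# Constructed samples: the page's recommended qpidd.conf and a weakened copy.
QPIDD_GOOD = """\
auth=no
# SSL
require-encryption=yes
ssl-require-client-authentication=yes
ssl-cert-db=/tmp/redhat/qpid/nss
ssl-cert-password-file=/tmp/redhat/qpid/nss/password
ssl-cert-name=broker
ssl-port=5674
"""
QPIDD_WEAK = (QPIDD_GOOD.replace("require-encryption=yes", "require-encryption=no")
              .replace("ssl-require-client-authentication=yes",
                       "ssl-require-client-authentication=no"))
GOFER_GOOD = """\
[messaging]
url=ssl://<host>:5674
cacert=/tmp/redhat/qpid/ca.crt
clientcert=/tmp/redhat/qpid/client.crt
"""
# Pretend filesystem: the paths from the page exist; modes are passed per call.
PAGE_PATHS = {"/tmp/redhat/qpid/nss", "/tmp/redhat/qpid/nss/password",
              "/tmp/redhat/qpid/ca.crt", "/tmp/redhat/qpid/client.crt"}


def run_samples() -> Dict[str, List[str]]:
    """Run the checks over the constructed samples against the pretend filesystem."""
    fake_exists = PAGE_PATHS.__contains__
    return {
        "qpidd_good": check_qpidd(QPIDD_GOOD, fake_exists, lambda p: 0o600),
        "qpidd_weak": check_qpidd(QPIDD_WEAK, fake_exists, lambda p: 0o644),
        "gofer_good": check_gofer(GOFER_GOOD, fake_exists),
        "gofer_tcp": check_gofer(GOFER_GOOD.replace("ssl://", "tcp://"), fake_exists),
    }


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "->", findings or "OK")
```

The checker only requires ssl-port to be numeric rather than a particular value, because the script output above uses 5674 while the reference table uses 5671; whichever you pick, the url in the gofer [messaging] section must name the same port. Against a real host, call check_qpidd and check_gofer with the file contents and the default callables so the path and permission checks hit the actual filesystem.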