Versions Compared

Old Version 2

changes.mady.by.user Rajith Attapattu

Saved on

compared with

New Version Current

changes.mady.by.user Carl Trieloff

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

...

1. C++ broker (M4 and up)
2. Java Client
3. .Net Client

C++ broker (M4 and up)

  • You need to get a certificate signed by a CA, trusted by your client.

...

  • Setting up the certificates for testing.
    • For testing purposes you could use the
    [|http://www.mozilla.org/projects/security/pki/nss/ref/ssl/gtstd.html}
    • to setup your certificates.
    • In summary you need to create a root CA and import it to the brokers certificate data base.
    • Create a certificate for the broker, sign it using the root CA and then import it into the brokers
    certificated
    • certificate data base.
  • Load the acl module using --load-module or if loading more than one module, copy ssl.so to the location pointed by --module-dir
    Code Block
    
Ex if running from source. ./qpidd --load-module /libs/ssl.so
  • Specify the password file (a plain text file with the password), certificated certificate database and the server side database brokers certificate name using the following options
    Code Block
    
Ex ./qpidd ... --ssl-cert-password-file ~/pfile --ssl-cert-db ~/server_db/ --ssl-cert-name localhost.localdomain
  • If you require client authentication you need to add --ssl-require-client-authentication as a command line argument.

...

Code Block
./qpidd ./qpidd --load-module /libs/ssl.so --ssl-cert-password-file ~/pfile --ssl-cert-db ~/server_db/ --ssl-cert-name localhost.localdomain --ssl-require-client-authentication

Java Client (M4 and up)

  • This guide is for connecting with the Qpid c++ broker.
  • Setting up the certificates for testing. In summary,
    • You need to import the trusted CA in your trust store and keystore
    • Generate keys for the certificate in your key store
    • Create a certificate request using the generated keys
    • Create a certficate using the request, signed by the trusted CA.
    • Import the signed certificate into your keystore.
  • Pass the following JVM argumenet arguments to your client.
    Code Block
     
         -Djavax.net.ssl.keyStore=/home/bob/ssl_test/keystore.jks 
         -Djavax.net.ssl.keyStorePassword=password
         -Djavax.net.ssl.trustStore=/home/bob/ssl_test/certstore.jks 
         -Djavax.net.ssl.trustStorePassword=password

.Net Client (M4 and up)

  • If the Qpid broker requires client authentication then you need to get a certificate signed by a CA, trusted by your client.

Use the connectSSL instead of the standard connect method of the client interface.

connectSSL signature is as follows:

Code Block

public void connectSSL(String host, int port, String virtualHost, String username, String password, String serverName, String certPath, bool rejectUntrusted)

Where

  • host: Host name on which a Qpid broker is deployed
  • port: Qpid broker port
  • virtualHost: Qpid virtual host name
  • username: User Name
  • password: Password
  • serverName: Name of the SSL server
  • certPath: Path to the X509 certificate to be used when the broker requires client authentication
  • rejectUntrusted: If true connection will not be established if the broker is not trusted (the server certificate must be added in your truststore)

Python & Ruby Client (M4 and up)

Simply use amqps:// in the URL string as defined above