On 03/06/2015 08:05 AM, Martin Kosek wrote:
On 03/06/2015 01:16 PM, Dmitri Pal wrote:
On 03/06/2015 04:32 AM, Martin Kosek wrote:
On 03/06/2015 09:34 AM, Andrew Holway wrote:
Hi,
Were using rabbitmq to shunt bits of data around various systems to
provide
better security we would like all of our acmq connections to be
authenticated
and encrypted.
I'm looking for appropriate documentation or some friendly guidance
of how
server to server SSL authentication is done with freeipa and if
indeed this is
the best way to ensure privacy in such scenarios.
These are the best documentation sources I could find:
Creating certs for FreeIPA hosts:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/host-certificates.html
Creating certs for FreeIPA hosts:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/service-certificates.html
With these certificates, you would need to manually configure SSL-based
authentication with mod_ssl/mod_nss. Partially related user howto is
http://www.freeipa.org/page/Apache_SNI_With_Kerberos
I wonder if RabbitMQ has GSSAPI support, that would be more easy to
configure
with FreeIPA than SSL certs.
Btw FreeIPA 4.2 plans to have much better support for different cert
profiles
or sub-CAs that you may later use for purposes like this one.
Ticket:
https://fedorahosted.org/freeipa/ticket/57
CCing Fraser from Dogtag team for reference.
Martin
What we still missing is the client side certs. So AFAIU we would be
able to
provide certs for one way authentication not two way yet.
It is in works.
Couldn't the authentication be provided with service certs and current
default certificate profile?
I do not think so. I added Rob to the thread. I think he explained one
time what is missing but I do not recall the details.
This is the ticket for the client certificate work, it was missing:
https://fedorahosted.org/freeipa/ticket/4938
Martin
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
