[jira] Updated: (QPID-1511) JMX Interface does not require authentication
[ https://issues.apache.org/jira/browse/QPID-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Gemmell updated QPID-1511:
--------------------------------

    Status: Ready To Review  (was: In Progress)

> JMX Interface does not require authentication
> ---------------------------------------------
>
>                 Key: QPID-1511
>                 URL: https://issues.apache.org/jira/browse/QPID-1511
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Java Broker, Java Management : JMX Console
>            Reporter: Martin Ritchie
>            Assignee: Robert Gemmell
>             Fix For: Eclipse MC M5
>
>         Attachments: create_example_ssl_certstores.sh, QPID-1511_29jan2009.patch
>
>
> Summary:
> JMX Interface uses the default RMI connector which has no authentication mechanism. We should not be shipping a JMX interface that doesn't have authentication. The interface has been disabled by default for M4 but this should be modified based on the outcome of the discussion on qpid-dev to authenticate all connections.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscr...@qpid.apache.org
[jira] Updated: (QPID-1511) JMX Interface does not require authentication
[ https://issues.apache.org/jira/browse/QPID-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Gemmell updated QPID-1511:
--------------------------------

    Attachment: QPID-1511_29jan2009.patch
                create_example_ssl_certstores.sh

I attach QPID-1511_29jan2009.patch to address this JIRA, and a script to produce an example keystore and truststore for users who don't have their own SSL certificate handy. I wasn't sure where to put that in the repository so it's not in the patch.

The JMXMP connector capabilities are left intact for now, but grouped for easy future removal (I think it's a good idea to keep it all in for at least 1 revision before removing).

2 new files are added by the patch:

qpid/java/broker/src/main/java/org/apache/qpid/server/security/auth/rmi/RMIPasswordAuthenticator.java
qpid/java/broker/src/test/java/org/apache/qpid/server/security/auth/rmi/RMIPasswordAuthenticatorTest.java

=== Notes: ===

Adds authentication and SSL encryption to the JMX RMIConnectorServer, and updates the console and JMXConnectionFactory accordingly. Makes the RMI ConnectorServer use the custom MBeanServerForwarder invoker like the JMXMP connector has, thus enforcing the authorisation system.

SSL is on by default in the config file but can be turned off in the config if desired, though the broker's config request defaults it to true so that need not be exposed if it isn't desired. The config.xml file is configured to use the test ssl certificate store in the java/test_resources/ssl directory created for the cpp.ssl test profile. The config file can be overridden by specifying the standard javax.net.ssl.* system properties normally available for this task. If the keystore or password are not set by one of these means, a configuration exception will be thrown and abort the broker startup.

As a result of the above, to connect using the console/cli you will need to supply the relevant ssl trust store location and password if the certificates being used can't be verified by the default java trust stores. This can be done using the system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword, either at the command line when launching qpidmc(.exe), or by altering the qpidmc.ini file using the examples now provided within it.

The broker will use the defined management port (default 8999) for the RMI registry as before, but now uses the 'th next port (+100 just now, thus 9099 normally) to export the actual JMX RMIConnectorServer, whereas previously this port was chosen at random by the JMX Factory methods, making it rather firewall unfriendly.

A custom RMIServerSocketFactory is included to address the security issues surrounding RMI registries (namely that anyone on that machine is free to modify the registry and thus can intercept the JMX connections by replacing the JMX Connector Server stub in the registry with their own), by crippling the hostname detection and making it impossible to bind objects to the registry using RMI locally or remotely, instead requiring you to hold the object reference to it.

The authenticator has a local MD5 hashing function to convert the password for comparison, but ideally this will be removed through modification of the Base64MD5 PD to do its own hashing, and the authenticator will then make use of the PD's verifyPassword method instead.

Finally, the patch makes the JMXManagedObjectRegistry use the specific principal database listed in the configuration as the jmx management PD, as happens to AMQUserManagementMBean. The PD selection method used previously in JMXManagedObjectRegistry made it possible for the 2 areas to (unwittingly or otherwise) use different databases, which the AMQUMMBean implementation does not appear to be able to support properly if that's what was originally intended (see http://mail-archives.apache.org/mod_mbox/qpid-dev/200812.mbox/%3c00e101c953ff$1f33bca0$5d9b35...@gla.ac.uk%3e for way more info than you could ever want :P)
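
The kind of setup the comment above describes, written with standard JDK classes only, as an added example that is not the code in QPID-1511_29jan2009.patch: a JMXAuthenticator attached to an SSL-protected RMIConnectorServer that is exported on a fixed port next to the registry port. The class name, the in-memory user map and the sample password are assumptions, and the registry hardening done by the patch's custom RMIServerSocketFactory is not reproduced here.

```java
import java.lang.management.ManagementFactory;
import java.nio.charset.StandardCharsets;
import java.rmi.registry.LocateRegistry;
import java.security.MessageDigest;
import java.util.*;
import javax.management.remote.*;
import javax.management.remote.rmi.RMIConnectorServer;
import javax.rmi.ssl.*;
import javax.security.auth.Subject;

public class AuthenticatedJmxExample {
    // Hypothetical stand-in for the principal database: user -> MD5(password).
    // MD5 only mirrors the Base64MD5 format named in the comment above.
    static final Map<String, byte[]> USERS = new HashMap<>();

    static byte[] md5(String s) throws Exception {
        return MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
    }

    // Accepts only a {user, password} String[] whose hashed password matches
    // the stored digest (constant-time compare); everything else is rejected.
    static final JMXAuthenticator AUTH = credentials -> {
        try {
            String[] c = (String[]) credentials; // wrong type or null ends in the catch
            byte[] stored = USERS.get(c[0]);
            if (c.length == 2 && stored != null && MessageDigest.isEqual(stored, md5(c[1]))) {
                return new Subject(true, Collections.singleton(new JMXPrincipal(c[0])),
                        Collections.emptySet(), Collections.emptySet());
            }
        } catch (Exception e) { /* malformed credentials fall through to rejection */ }
        throw new SecurityException("Authentication failed");
    };

    public static void main(String[] args) throws Exception {
        USERS.put("admin", md5("constructed-sample-password")); // constructed sample data
        int registryPort = 8999;                // management port from the comment
        int connectorPort = registryPort + 100; // fixed export port (9099), not a random one
        // The SSL factories read the javax.net.ssl.keyStore* system properties.
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnectorServer.AUTHENTICATOR, AUTH);
        env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, new SslRMIClientSocketFactory());
        env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, new SslRMIServerSocketFactory());

        LocateRegistry.createRegistry(registryPort);
        JMXServiceURL url = new JMXServiceURL("service:jmx:rmi://localhost:" + connectorPort
                + "/jndi/rmi://localhost:" + registryPort + "/jmxrmi");
        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(
                url, env, ManagementFactory.getPlatformMBeanServer());
        server.start(); // clients without valid credentials now get a SecurityException
    }
}
```

Run the server with javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword set; a client needs javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword when the certificate is not covered by the default Java trust stores.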
[jira] Updated: (QPID-1511) JMX Interface does not require authentication
[ https://issues.apache.org/jira/browse/QPID-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Gemmell updated QPID-1511:
--------------------------------

    Attachment:     (was: QPID-1511_wip_8dec2008.patch)
[jira] Updated: (QPID-1511) JMX Interface does not require authentication
[ https://issues.apache.org/jira/browse/QPID-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Gemmell updated QPID-1511:
--------------------------------

    Attachment:     (was: QPID-1511_wip_19dec2008.patch)
[jira] Updated: (QPID-1511) JMX Interface does not require authentication
[ https://issues.apache.org/jira/browse/QPID-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marnie McCormack updated QPID-1511:
----------------------------------

        Fix Version/s: Eclipse MC M5
    Affects Version/s:     (was: M4)
                           (was: M2.1)
                           (was: M3)
                           (was: M2)
                           (was: M1)

Scoping items for early 2009 release of Java Eclipse Mgt Console
[jira] Updated: (QPID-1511) JMX Interface does not require authentication
[ https://issues.apache.org/jira/browse/QPID-1511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Gemmell updated QPID-1511:
--------------------------------

    Attachment: QPID-1511_wip_19dec2008.patch

I have made a new patch of the progress on this, QPID-1511_wip_19dec2008.patch.

It uses SSL to encrypt the RMI based connections and performs user authentication. The RMI based connector server is now subject to the access rights system like the JMXMP based connector server is. The JMXMP capability is retained with the patch, but is all collected within a single if statement and so easily removed, as has been discussed (I think it would be good to have 1 revision where it's there before removing it).

I know Aidan is doing work in this area to combine common management functionality for the console and cli that will invalidate this version of the patch, but I thought it would be useful for clarity to put it up just now, I will roll another when that's done. This patch also incorporates/alters changes I posted in a patch to QPID-1532 which haven't been committed yet.

I actually wouldn't recommend adding this stuff until after the post-M4 release of the console anyway, and once the MBean compatibility issues have been discussed. These features will allow prevention of old management consoles connecting to new brokers which implement whatever compatibility solution is determined.