Jeffrey Bride wrote:

Hi,
I'm using the C++ QPid Broker from RHEL5.3 yum repository and the M5
java QPid client libraries to successfully communicate over two-way SSL
(ssl-require-client-authentication = true). In addition to two-way
SSL, my military customer is also asking that the QPid broker only allow
an SSL connection from a configurable list of client certificates. As an
example, similar PKI certificate control lists are provided by both
mod_ssl and mod_nss when configuring the Apache httpd. In httpd.conf,
the following directive only allows an SSL connection to httpd from a
client using my certificate:

    SSLRequire (%{SSL_CLIENT_S_DN_CN} eq "BRIDE.JEFFREY.ALEXANDER.xxxxxxxxxxxxxxxx")

Since the C++ broker leverages the NSS libraries, is there an
equivalent in QPid??

Nothing like that is directly supported by qpidd at present.
I believe you could arrange for the broker only to trust a specific set
of certificates, but certificate management is not something I have
significant experience of.

My customer would like to have very tight control of SSL connections
between brokers in our AMQP federation scenarios.
When configuring the C++ broker, could I somehow add something similar
to /etc/qpidd.conf to dictate which client certificates can make SSL
connections to that broker??

thank you!
jeff
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
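The kind of check the SSLRequire directive quoted above expresses, written out as an added example that is not part of the original thread and is not qpidd or NSS functionality: the subject DN is parsed and its CN attribute is compared exactly against a configurable list, rather than searching the DN string for an allowed name. The function names, the allow-list and the sample DNs are constructed for illustration; only simple backslash escapes are handled, not hex escapes.

```python
# Added illustration: exact-match allow-list on the CN of a client
# certificate subject DN. Names and sample values are constructed.

def split_unescaped(text, sep):
    """Split text on sep, keeping backslash-escaped characters intact."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])   # keep the escape pair together
            i += 2
        elif text[i] == sep:
            parts.append("".join(current))
            current = []
            i += 1
        else:
            current.append(text[i])
            i += 1
    parts.append("".join(current))
    return parts

def unescape(value):
    """Drop the backslash from simple escapes such as '\\,' or '\\+'."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            i += 1                          # skip the backslash itself
        out.append(value[i])
        i += 1
    return "".join(out)

def common_names(subject_dn):
    """Return every CN value in the DN (multi-valued RDNs use '+')."""
    names = []
    for rdn in split_unescaped(subject_dn, ","):
        for ava in split_unescaped(rdn, "+"):
            key, _, value = ava.partition("=")
            if key.strip().upper() == "CN":
                names.append(unescape(value.strip()))
    return names

def is_allowed(subject_dn, allowed_cns):
    """Allow only a DN carrying exactly one CN, and only if it is listed."""
    names = common_names(subject_dn)
    return len(names) == 1 and names[0] in allowed_cns

ALLOWED = {"BROKER.EAST.EXAMPLE", "BROKER.WEST.EXAMPLE"}  # constructed list
```

A DN such as `CN=client7,OU=BROKER.EAST.EXAMPLE,O=Example` is rejected here because the listed name appears in OU, not in CN, which a plain substring search over the DN would not distinguish.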