QPID Configuration

This page describes qpidd SSL configuration.

RPMS

The SSL configuration for QPID is based on NSS, so the certutil tool must be installed to manage the NSS certificate databases. The qpidd-ssl package must also be installed to enable SSL on the qpid broker.

Fedora:

  • nss-tools - contains certutil used to manage NSS database for SSL.
  • qpidd-ssl - contains ssl.so which enables SSL.

Certificates

The easiest way to create the NSS DB and the SSL certificates needed is to run the nss-db-gen script in <gofer.git>/tools.

[jortel@~]$ cd git/gofer/tools
[jortel@localhost tools]$ nss-db-gen
bash: nss-db-gen: command not found
[jortel@localhost tools]$ ./nss-db-gen

Working in: /tmp/tmp20823


Please specify a directory into which the created NSS database
and associated certificates will be installed.

Enter a directory [/tmp/redhat/qpid]:
/tmp/redhat/qpid

Enter NSS database password:

Please specify a CA.  Generated if not specified.

Enter a path:

Password file created.

Database created.

Creating CA certificate:


Generating key.  This may take a few moments...

CA created

Creating BROKER certificate:


Generating key.  This may take a few moments...

Broker certificate created.

Creating CLIENT certificate:


Generating key.  This may take a few moments...

Client certificate created.
Enter Password or Pin for "NSS Certificate DB":
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
Enter Import Password:
MAC verified OK
Client key & certificate exported

Artifacts copied to: /tmp/redhat/qpid.

Please update /etc/qpidd.conf as follows:

....
auth=no
....
# SSL
require-encryption=yes
ssl-require-client-authentication=yes
ssl-cert-db=/tmp/redhat/qpid/nss
ssl-cert-password-file=/tmp/redhat/qpid/nss/password
ssl-cert-name=broker
ssl-port=5674
...


Please configure gofer as follows:

...
[messaging]
url=ssl://<host>:5674
cacert=/tmp/redhat/qpid/ca.crt
clientcert=/tmp/redhat/qpid/client.crt

Files generated by the script:

redhat/
redhat/qpid
redhat/qpid/broker.crt
redhat/qpid/client.crt
redhat/qpid/nss
redhat/qpid/nss/secmod.db
redhat/qpid/nss/password
redhat/qpid/nss/key3.db
redhat/qpid/nss/cert8.db
redhat/qpid/ca.crt

Notes:

  • Any directory can be given at the “Enter a directory [/tmp/redhat/qpid]:” prompt; /tmp/redhat/qpid is only the default.
  • The passwords can be anything.

Configuration

QPID

Edit /etc/qpidd.conf:

auth
Require authentication. (value: no)
require-encryption
Require all connections to use SSL. (value: yes)
ssl-require-client-authentication
Require client SSL certificates for all SSL connections. (value: yes)
ssl-cert-db
The fully qualified path to the NSS DB. (example: /tmp/redhat/qpid/nss)
ssl-cert-password-file
The fully qualified path to the password file used to access the NSS DB. (example: /tmp/redhat/qpid/nss/password)
ssl-cert-name
The name of the certificate in the NSS DB to be used by the qpid broker. (example: broker)
ssl-port
The port to be used for SSL connections. (example: 5671)

Gofer Agent

Edit /etc/gofer/plugins/<yourplugin>.conf and, under the [messaging] section, set:

url
The URL to the qpid broker. Protocol choices: tcp=plain, ssl=SSL. (example: ssl://<host>:5671)
cacert
The fully qualified path to the CA certificate used to validate the broker. (example: /tmp/redhat/qpid/ca.crt)
clientcert
The fully qualified path to a file containing both the client private key and certificate. (example: /tmp/redhat/qpid/client.crt)
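The following is an added example, not code from gofer or qpid, that cross-checks the qpidd.conf keys from the QPID section against the gofer [messaging] keys from the Gofer Agent section: it flags a broker that still accepts plain TCP or unauthenticated clients, a gofer URL that is not ssl://, and a port that does not match the broker's ssl-port. The sample configs, the hostname broker.example.com and the assumed qpidd default ssl-port of 5671 are constructed for the example.

```python
# Added example, not part of gofer or qpid: a consistency check for the qpidd.conf
# keys and gofer [messaging] keys described on this page.
import configparser
from urllib.parse import urlsplit

def parse_qpidd_conf(text):
    """qpidd.conf is flat key=value with '#' comments; a later key overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def check_ssl_settings(qpidd_text, gofer_text):
    """Return findings as a list of strings; an empty list means the settings match this page."""
    q = parse_qpidd_conf(qpidd_text)
    g = configparser.ConfigParser()
    g.read_string(gofer_text)
    m = g["messaging"] if g.has_section("messaging") else {}
    findings = []
    if q.get("require-encryption") != "yes":
        findings.append("require-encryption is not 'yes': plain TCP connections are still accepted")
    if q.get("ssl-require-client-authentication") != "yes":
        findings.append("ssl-require-client-authentication is not 'yes': clients are not authenticated by certificate")
    for key in ("ssl-cert-db", "ssl-cert-password-file", "ssl-cert-name"):
        if not q.get(key):
            findings.append(f"{key} is missing: the broker has no certificate to present")
    ssl_port = q.get("ssl-port", "5671")  # 5671 assumed to be qpidd's default ssl-port
    url = urlsplit(m.get("url", ""))
    if url.scheme != "ssl":
        findings.append(f"gofer url scheme is '{url.scheme or '(none)'}', expected 'ssl'")
    elif str(url.port) != ssl_port:
        findings.append(f"gofer url port {url.port} does not match broker ssl-port {ssl_port}")
    for key in ("cacert", "clientcert"):
        if not m.get(key):
            findings.append(f"gofer [messaging] {key} is missing")
    return findings

# Constructed sample configs using the paths from this page; the hostname is a placeholder.
GOOD_QPIDD = ("auth=no\nrequire-encryption=yes\nssl-require-client-authentication=yes\n"
              "ssl-cert-db=/tmp/redhat/qpid/nss\nssl-cert-password-file=/tmp/redhat/qpid/nss/password\n"
              "ssl-cert-name=broker\nssl-port=5674\n")
GOOD_GOFER = ("[messaging]\nurl=ssl://broker.example.com:5674\n"
              "cacert=/tmp/redhat/qpid/ca.crt\nclientcert=/tmp/redhat/qpid/client.crt\n")
WEAK_QPIDD = "auth=no\nrequire-encryption=no\nssl-port=5674\n"   # SSL never required
WEAK_GOFER = "[messaging]\nurl=tcp://broker.example.com:5672\n"  # plain TCP, no certs
```

Calling check_ssl_settings(GOOD_QPIDD, GOOD_GOFER) returns an empty list, while the WEAK pair yields one finding per missing or weakened setting.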