
Chapter 8. Authentication

8.1. User Authentication
8.2. Authorization
8.3. Encryption using SSL
In MRG Messaging, authentication is provided by the Simple Authentication and Security Layer (SASL) and authorization is managed by an Access Control List (ACL). Mozilla's Network Security Services (NSS) library provides SSL encryption for secure password management.

8.1. User Authentication

MRG Messaging uses Simple Authentication and Security Layer (SASL) for identifying and authorizing incoming connections to the broker, as mandated in the AMQP specification. SASL provides a variety of authentication methods. While MRG Messaging clients primarily implement the PLAIN method, the broker uses the Cyrus SASL library to allow for a full SASL implementation.

Important

The PLAIN authentication method sends passwords in cleartext. For complete security, it is advised that SSL (Secure Sockets Layer) is also used. See Section 8.3, “Encryption using SSL”.
Enabling and Using SASL Plain Authentication
To use the default SASL PLAIN authentication mechanism implemented by the MRG Messaging client libraries, either use the default username and password of guest, which are included in the database at /var/lib/qpidd/qpidd.sasldb on installation, or add your own accounts.
  1. Add new users to the database by using the saslpasswd2 command. The User ID for authentication and ACL authorization uses the form user-id@domain.
    Ensure that the correct realm has been set for the broker. This can be done by editing the configuration file or using the -u option. The default realm for the broker is QPID.
    # saslpasswd2 -f /var/lib/qpidd/qpidd.sasldb -u QPID new_user_name
    
  2. Existing user accounts can be listed by using the -f option:
    # sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb
    

    Note

    The user database at /var/lib/qpidd/qpidd.sasldb is readable only by the qpidd user. If you start the broker from a user other than the qpidd user, you will need to either modify the configuration file, or turn authentication off.
  3. To switch authentication on or off, use the --auth yes|no option when you start the broker:
    # /usr/sbin/qpidd --auth yes

    # /usr/sbin/qpidd --auth no

    You can also set authentication to be on or off by adding the appropriate line to the /etc/qpidd.conf configuration file:
    auth=no
    
    auth=yes
    
  4. The SASL configuration file is in /etc/sasl2/qpidd.conf for Red Hat Enterprise Linux 5 and /usr/lib/sasl2/qpidd.conf for Red Hat Enterprise Linux 4.
    For information on using a different configuration, use your web browser to view the Cyrus SASL documentation at /usr/share/doc/cyrus-sasl-lib-2.1.22/index.html for Red Hat Enterprise Linux 5 or /usr/share/doc/cyrus-sasl-2.1.19/index.html for Red Hat Enterprise Linux 4.
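As an added example that is not part of this documentation, the following script audits a broker host against the points above: auth=yes in effect in the configuration file, a SASL database that only its owner can read, and the shipped guest account removed from the realm. Paths, the expected owner and the realm are passed as arguments so the checks can be run against copies; the sasldblistusers2 output format and the rule that the last auth= line wins are assumptions of this script.

```shell
#!/bin/sh
# Added example, not part of the MRG Messaging documentation: audit helpers for
# the SASL PLAIN setup described above. Documented defaults on a broker host are
# /etc/qpidd.conf, /var/lib/qpidd/qpidd.sasldb, owner qpidd and realm QPID.

# Effective value of "auth" in a qpidd.conf: the last uncommented auth= line
# (treating later lines as overriding earlier ones is an assumption here).
effective_auth() {
    sed -n 's/^[[:space:]]*auth[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# Succeeds only when the configuration file turns authentication on.
auth_enabled() {
    [ "$(effective_auth "$1")" = "yes" ]
}

# Succeeds when the SASL database is owned by the expected user and carries no
# group/other permission bits, so stored credentials cannot be read by other
# local accounts. Uses GNU stat (assumes a Linux host).
sasldb_private() {
    db="$1"; expected_owner="$2"
    owner=$(stat -c '%U' "$db") || return 1
    mode=$(stat -c '%a' "$db") || return 1
    [ "$owner" = "$expected_owner" ] || return 1
    case "$mode" in
        0|*00) return 0 ;;   # 600, 400, 700 ... : nothing for group/other
        *)     return 1 ;;
    esac
}

# Succeeds when the default guest account is absent from a saved
# "sasldblistusers2 -f <db>" listing for the given realm. The line format
# "user@REALM: userPassword" is an assumption about the tool's output.
guest_removed() {
    listing="$1"; realm="${2:-QPID}"
    ! grep -q "^guest@${realm}:" "$listing"
}

# Run all three checks; exit status is 0 only when every check passes.
audit_broker() {
    conf="$1"; db="$2"; listing="$3"; owner="${4:-qpidd}"; realm="${5:-QPID}"
    rc=0
    auth_enabled "$conf" && echo "ok   auth=yes in $conf" \
        || { echo "FAIL authentication not enabled in $conf"; rc=1; }
    sasldb_private "$db" "$owner" && echo "ok   $db private to $owner" \
        || { echo "FAIL $db not owned by $owner or readable by others"; rc=1; }
    guest_removed "$listing" "$realm" && echo "ok   no guest@$realm account" \
        || { echo "FAIL default guest@$realm account still present"; rc=1; }
    return $rc
}
```

Run as `audit_broker /etc/qpidd.conf /var/lib/qpidd/qpidd.sasldb users.txt` after saving the sasldblistusers2 output to users.txt; a non-zero exit status means at least one check failed.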