Product SiteDocumentation Site

8.3. Encryption using SSL

Encryption and certificate management for qpidd is provided by Mozilla's Network Security Services Library (SSL), through the ssl.co module. This module is installed by default in MRG Messaging.
Enabling SSL for qpidd
  1. You will need a certificate that has been signed by a Certification Authority (CA). This certificate will also need to be trusted by your client. If you require client authentication, the client's certificate will also need to be signed by a CA and trusted by the broker.
    SSL is provided through the ssl.so module. This module is installed and loaded by default in MRG Messaging. To enable the module, you will need to specify the location of the database containing the certificate and key to use. This can be done using the ssl-cert-db option.
    The database is created and managed by the Mozilla Network Security Services (NSS) certutil tool. More information can be found on the Mozilla website, including tutorials on setting up and testing SSL connections.

    Note

    The certificate database will generally be password protected. The password can be specified at the command prompt when starting qpidd. Alternatively, create a file containing the password and direct qpidd at the file location using the ssl-cert-password-file option.
  2. Load the broker module: 
    $ qpidd --load-module /libs/ssl.so
  3. The available SSL options are:
    --ssl-use-export-policy
    Use NSS export policy
    ssl-cert-password-file PATH
    File containing password to use for accessing certificate database
    --ssl-cert-db PATH
    Path to directory containing certificate database
    --ssl-cert-name NAME
    Name of the certificate to use
    --ssl-port NAME
    Port on which to listen for SSL connections
    ssl-require-client-authentication
    Forces clients to authenticate in order to establish an SSL connection
    Also relevant is the --require-encryption broker option. This will cause qpidd to only accept encrypted connections.
Enabling SSL
C++ clients:
  1. SSL is provided through the sslconnector.so module. This module is installed and loaded by default in MRG Messaging. To enable the module, you will need to specify the location of the database containing the certificate and key to use. This can be done using the ssl-cert-db option in /etc/qpid/qpidc.conf or using the environment variable QPID_SSL_CERT_DB.
  2. If ssl-require-client-authentication is active on qpidd, the clients certificate will also need to be verified. To do this, use --ssl-cert-name and, if necessary, --ssl-cert-password-file.
  3. To open an SSL enabled connection, the application will need to specify ssl as the value for the protocol setting in the ConnectionSettings instance passed to Connection::open().
Java clients:
  1. For both server and client authentication, import the trusted CA to your trust store and keystore and generate keys for them. Create a certificate request using the generated keys and then create a certificate using the request. You can then import the signed certificate into your keystore. Pass the following arguments to the client: 
    -Djavax.net.ssl.keyStore=/home/bob/ssl_test/keystore.jks
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=/home/bob/ssl_test/certstore.jks
-Djavax.net.ssl.trustStorePassword=password
  2. For server side authentication only, import the trusted CA to your trust store and pass the following arguments to the client: 
    -Djavax.net.ssl.trustStore=/home/bob/ssl_test/certstore.jks
-Djavax.net.ssl.trustStorePassword=password
.Net clients:
  1. If the broker requires authentication, you will need a certificate signed by a CA, trusted by your client.
  2. Use the connectSSL method instead of the usual connect method for the client interface. The string for the connectSSL signature is: 
    public void connectSSL(String host, int port, 
String virtualHost, String username, String password, 
String serverName, String certPath,  bool rejectUntrusted)
    For these values:
    • host: Host name on which a Qpid broker is deployed
    • port: Qpid broker port
    • virtualHost: Qpid cirtual host name
    • username: Username
    • password: Password
    • serverName: Name of the SSL server
    • certPath: Path to the X509 certificate to be used when the broker requires client authentication
    • rejectUnstrusted: When true the connection will not be established if the broker is not trusted - the server certificate must be added in your truststore.
SSL Client Options for C++ clients
--ssl-use-export-policy Use NSS export policy
--ssl-cert-password-file PATH File containing password to use for accessing certificate database
--ssl-cert-db PATH Path to directory containing certificate database
--ssl-cert-name NAME Name of the certificate to use
Table 8.1. SSL Client Options for C++ clients