qpid-dev mailing list archives

From "Cliff Jansen (Interop Systems Inc)" <v-clj...@microsoft.com>
Subject RE: Status of Windows SSL / ACL ?
Date Thu, 04 Feb 2010 08:21:09 GMT
Hi Kerry,

By coincidence, I have gone through the certificate learning curve in
the last few days.

The Windows broker currently supports registry based (as opposed to
file based) certificates that are in a certificate store that is
scoped to the local machine (not the current user).  I am not up to
speed on mixing OpenSSL data files with Windows registry stores.  You
can try the following (with Administrator privilege) to create a new
self signed cert:

  makecert -ss qpidstore -n "CN=myserver" -r -sr localmachine myserver.cer

Where qpidstore is an arbitrary store name to place your qpid related
cert(s) and myserver is the name the clients expect your server's
common name to be.  This registry entry contains the private and
public keys of the certificate.

myserver.cer contains the public key.  You must import this into the
trusted roots on Windows via certmgr for each client that needs to
connect to the server.  You can examine it from OpenSSL via
  openssl x509 -in myserver.cer -inform DER -text

To run the server, again as Administrator:

  qpidd --ssl-cert-name myserver --ssl-cert-store qpidstore --other-args

I am not aware that anyone is currently working on QPID-1842.  If you
have time to donate here, it would be greatly appreciated.  But note:

> [...] I need secure broker (with clustering) on the Windows platform working
> in the next few months for my project here.

Clustering support has not yet been ported to Windows.  I am not aware
that it has even been seriously scoped in terms of effort.  Steve
Huston would be the best source of information on this.


-----Original Message-----
From: Kerry Bonin [mailto:kerrybonin@gmail.com] 
Sent: Wednesday, February 03, 2010 12:43 PM
To: qpid-dev
Subject: Status of Windows SSL / ACL ?

Hello!  I had a few questions regarding the state of broker security for
Windows platforms.

On the SSL front, I see QPID-1403 has been resolved, and I can now build w/
BUILD_SSL enabled.  What I haven't been able to get working yet is to get my
broker to actually load a certificate - ::CertFindCertificateInStore fails.
On this issue, do we have a known good set of instructions to generate a
working system?  The windows error ("Cannot find object or property") is so
vague I'm not sure why it isn't loading my cert.  I'm generating a
self-signed cert w/ openssl, loading as trusted root cert, generating a
client cert w/ the CN of my node, converting to pkcs12 along w/ password
free private key and importing to the personal store w/ friendly name of
node, not sure what else I need to do...

On the ACL front, QPID-1842 is still keeping Windows link from working.  Any
idea when this will be fixed?

On a related note, I have time to help fix these, as I need secure broker
(with clustering) on the Windows platform working in the next few months for
my project here.

Appreciate any pointers, and please let me know if there is anything I can
do to help...

Kerry Bonin
Sr. Systems Architect
GE Security

Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
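Added example (not from either message above, nor from the Qpid project): a PowerShell script that carries out the makecert procedure Cliff describes and then checks the two things the broker's store lookup depends on, namely that a certificate with the expected CN sits in the LocalMachine store of the given name and that it carries a private key. Kerry's symptom (CertFindCertificateInStore failing after importing a PKCS#12 into the personal store) is the kind of mismatch the check is meant to surface. The store name "qpidstore", the CN "myserver", makecert.exe on the PATH (Windows SDK) and an elevated prompt are assumptions taken from the post's example command; the parameter names and helper logic are this script's own.

```powershell
# Added example, not code from the qpid-dev thread or from Apache Qpid.
# Assumptions: makecert.exe (Windows SDK) and qpidd.exe are on PATH, the script
# runs from an elevated (Administrator) prompt, and the store/CN names below
# match what the broker will be started with.
param(
    [string]$StoreName  = 'qpidstore',          # arbitrary LocalMachine store name
    [string]$CommonName = 'myserver',           # CN the clients expect
    [string]$CerPath    = "$PWD\myserver.cer"   # exported public certificate
)

$ErrorActionPreference = 'Stop'
$X509 = 'System.Security.Cryptography.X509Certificates'

# 1. Create a self-signed cert (public + private key) in LocalMachine\$StoreName.
#    -r self-signed, -sr store location, -ss store name, -n subject.
& makecert.exe -ss $StoreName -n "CN=$CommonName" -r -sr localmachine $CerPath
if ($LASTEXITCODE -ne 0) { throw "makecert failed with exit code $LASTEXITCODE" }

# 2. Verify what the broker needs: a cert in the machine-scoped store whose
#    subject CN equals --ssl-cert-name, with a private key behind it.
$store = New-Object "$X509.X509Store" ($StoreName, [$X509.StoreLocation]::LocalMachine)
$store.Open([$X509.OpenFlags]::ReadOnly)
try {
    $matches = @($store.Certificates | Where-Object {
        $_.GetNameInfo([$X509.X509NameType]::SimpleName, $false) -eq $CommonName
    })
} finally { $store.Close() }

if ($matches.Count -eq 0) {
    throw "No certificate with CN=$CommonName in LocalMachine\$StoreName (check store scope and name)"
}
if (-not ($matches | Where-Object { $_.HasPrivateKey })) {
    throw "Certificate CN=$CommonName found but it has no private key; the broker cannot use it"
}
Write-Host "OK: $($matches.Count) cert(s) CN=$CommonName in LocalMachine\$StoreName with private key"

# 3. Trust the public cert on this machine (a client on the same box). For other
#    clients, copy $CerPath there and import it into Trusted Roots the same way,
#    or with certmgr as the post says. The .cer carries no private key.
$root = New-Object "$X509.X509Store" ('Root', [$X509.StoreLocation]::LocalMachine)
$root.Open([$X509.OpenFlags]::ReadWrite)
try {
    $pub = New-Object "$X509.X509Certificate2" ($CerPath)
    $root.Add($pub)
    Write-Host "Imported $($pub.Thumbprint) into LocalMachine\Root"
} finally { $root.Close() }

# 4. Start the broker against that store and cert name (add other broker
#    options after these two).
& qpidd.exe --ssl-cert-name $CommonName --ssl-cert-store $StoreName
```

The check in step 2 is the one worth keeping around: a certificate imported into the CurrentUser store, into a differently named store, or without its private key will fail the broker's lookup with the same unhelpful "Cannot find object or property" error, and this script tells those cases apart before qpidd is started.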
