From 3ba71456ec65fe69e351ec6ced57b69dd8f1d48e Mon Sep 17 00:00:00 2001 From: Alex Rudyy Date: Thu, 9 May 2013 15:04:59 +0000 Subject: QPID-4685: Update documentation to reflect changes to configuration git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1480672 13f79535-47bb-0310-9956-ffa450edef68 --- .../src/java-broker/Java-Broker-Security-SSL.xml | 107 ++++++++++----------- 1 file changed, 50 insertions(+), 57 deletions(-) (limited to 'qpid/doc/book/src/java-broker/Java-Broker-Security-SSL.xml') diff --git a/qpid/doc/book/src/java-broker/Java-Broker-Security-SSL.xml b/qpid/doc/book/src/java-broker/Java-Broker-Security-SSL.xml index e415065a84..0a5ec0ec97 100644 --- a/qpid/doc/book/src/java-broker/Java-Broker-Security-SSL.xml +++ b/qpid/doc/book/src/java-broker/Java-Broker-Security-SSL.xml @@ -25,45 +25,42 @@ -->
- SSL +SSL - This section will show how to use SSL to enable secure - connections between an AMQP message client and the broker. + This section guides through the details of configuration of Keystores and Trsustores + required for enabling of SSL transport and Client Certificate Authentication on Broker ports. + The details how to configure SSL on Broker ports are provided in . -
+ +
Keystore Configuration - The broker configuration file (config.xml) needs to be updated to include the required SSL keystore - configuration, an example of which can be found below. + A Keystore can be added/deleted/edited using + REST Management interfaces and + Web Management Console. Any number of Keystores can be configured on the Broker. + SSL ports can be configured with different Keystores. - - Configuring an SSL Keystore - - ... - - true - 5671 - false - /path/to/keystore.ks - keystorepass - alias - - ... -]]> - - - - The certAlias element is an optional way of specifying which certificate the broker should use - if the keystore contains multiple entries. + The following Keystore managing operations are available from + Web Management Console: + + A new Keystore can be added by clicking on "Add Key Store" button on the Broker tab. + Keystore details can be viewed on the Keystore tab which is displayed after clicking + on Keystore name in the Broker object tree or after clicking on Keystore row in Keystores grid on the Broker tab. + Editing of Keystore can be performed by clicking on "Edit" button on the Keystore tab. + Changing of Keystore name is unsupported at the moment. If changed Keystore is used by the Port + the changes on Port object will take effect after Broker restart. + An existing Keystore can be deleted by clicking on "Delete Key Store" button on Broker tab + or hitting "Delete" button on the Keystore tab. Only unused Keystores can be deleted. + The deletion of the Keystore configured on any Broker Port is not allowed. + - The sslOnly element controls whether the broker will only bind - the configured SSL port(s) or will also bind the non-SSL port(s). Setting sslOnly to true will - disable the non-SSL ports. + The "Keystore certificate alias" field is an optional way of specifying which certificate the broker should use + if the keystore contains multiple entries. 
Optionally "Key manager factory algorithm" and "Key store type" can + be specified on Keystore creation. @@ -80,39 +77,35 @@
Truststore / Client Certificate Authentication - The SSL trustore and related Client Certificate Authentication behaviour can be configured with - additional configuration as shown in the example below, in which the broker requires client - certificate authentication. + The SSL trustore and related Client Certificate Authentication behaviour can be configured + by adding a Trustore configured object and associating it with the SSL port. + A Truststore can be added/deleted/edited using + REST Management interfaces and + Web Management Console. Any number of Trustores can be configured on the Broker. + Multiple Trustores can be configured on Broker SSL Ports. - - Configuring an SSL Truststore and client auth - - ... - - ... - /path/to/truststore.ks - truststorepass - true - false - ... - - ... -]]> - + The following Truststore managing operations are available from + Web Management Console: + + A new Truststore can be added by clicking on "Add Trust Store" button on the Broker tab. + Truststore details can be viewed on the Truststore tab which is displayed after clicking + onto Truststore name in the Broker object tree or after clicking onto Truststore row in Truststores grid on the Broker tab. + Trustore can be edited by clicking onto "Edit" button on the Trustore tab. + Changing of Trustore name is unsupported at the moment. + An existing Trustore can be deleted by clicking onto "Delete Trust Store" button + on Broker tab or "Delete" button on the Truststore tab. Only unused Truststores can be deleted. + The deletion of the Truststore configured on any Broker Port is not allowed. + + - - The needClientAuth and wantClientAuth elements allow control of whether the client must present an - SSL certificate. Only one of these elements is needed but both may be used at the same time. - A socket's client authentication setting is one of three states: required (needClientAuth = true), - requested (wantClientAuth = true), or none desired (both false, the default). 
If both elements are - set to true, needClientAuth takes precedence. + When "Peers Only" option is selected for the Truststore it will allow logging in for the clients + with the certificate exactly matching the certificate loaded in the Truststore database, + thus, authenticating the connections with self signed certificates not nessesary signed by CA. - - When using Client Certificate Authentication it may be desirable to use the External Authentication - Manager, for details see + "Trust manager factory algorithm" and "Trust store type" can + be optionally specified for the Trustore.