8.2.3. Enable SSL on the Broker
- Changes
- Updated April 2013.
You will need a certificate that has been signed by a Certification Authority (CA). This certificate will also need to be trusted by your client. If you require client authentication in addition to server authentication, the client's certificate will also need to be signed by a CA and trusted by the broker.

The certificate database is created and managed by the Mozilla Network Security Services (NSS) certutil tool. Information on this utility can be found on the Mozilla website, including tutorials on setting up and testing SSL connections. The certificate database will generally be password protected. The safest way to specify the password is to place it in a protected file, use the password file when creating the database, and specify the password file with the ssl-cert-password-file option when starting the broker.

The following script shows how to create a certificate database using certutil:

    mkdir ${CERT_DIR}
    certutil -N -d ${CERT_DIR} -f ${CERT_PW_FILE}
    certutil -S -d ${CERT_DIR} -n ${NICKNAME} -s "CN=${NICKNAME}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil
When starting the broker, set ssl-cert-password-file to the value of ${CERT_PW_FILE}, set ssl-cert-db to the value of ${CERT_DIR}, and set ssl-cert-name to the value of ${NICKNAME}.

The following SSL options can be used when starting the broker:
--ssl-use-export-policy
- Use NSS export policy. When this option is specified, the server will conform with US export restrictions on encryption using the NSS export policy. When it is not specified, the server will use the domestic policy. Refer to the Mozilla SSL Export Policy Functions documentation for more details.

--ssl-cert-password-file PATH
- Required. Plain-text file containing the password to use for accessing the certificate database.

--ssl-cert-db PATH
- Required. Path to the directory containing the certificate database.

--ssl-cert-name NAME
- Name of the certificate to use. Default is localhost.localdomain.

--ssl-port NUMBER
- Port on which to listen for SSL connections. If no port is specified, port 5671 is used. If the SSL port chosen is the same as the port for non-SSL connections (i.e. if the --ssl-port and --port options are the same), both SSL encrypted and unencrypted connections can be established to the same port. However, in this configuration there is no support for IPv6.

--ssl-require-client-authentication
- Require SSL client authentication (i.e. verification of a client certificate) during the SSL handshake. This occurs before SASL authentication, and is independent of SASL. This option enables the EXTERNAL SASL mechanism for SSL connections. If the client chooses the EXTERNAL mechanism, the client's identity is taken from the validated SSL certificate, using the CN and appending any DCs to create the domain. For instance, if the certificate contains the properties CN=bob, DC=acme, DC=com, the client's identity is bob@acme.com. If the client chooses a different SASL mechanism, the identity taken from the client certificate will be replaced by that negotiated during the SASL handshake.

--ssl-sasl-no-dict
- Do not accept SASL mechanisms that can be compromised by dictionary attacks. This prevents a weaker mechanism being selected instead of EXTERNAL, which is not vulnerable to dictionary attacks.

--require-encryption
- This will cause qpidd to only accept encrypted connections. This means only clients with EXTERNAL SASL on the SSL port, or with GSSAPI on the TCP port.
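The identity rule stated under --ssl-require-client-authentication (CN plus the DC components as the domain, replaced by the SASL-negotiated name when a mechanism other than EXTERNAL is chosen), worked through as an added Python example. This is not qpidd's code: the DN parser, its handling of escaped commas, and the choice to reject a subject with no CN or with more than one CN are assumptions made here to show where an ACL keyed on the derived identity can go wrong.

```python
"""Derive the SASL EXTERNAL identity from a validated client certificate's
subject DN, following the mapping described for
--ssl-require-client-authentication: CN=bob, DC=acme, DC=com -> bob@acme.com.

Added example, not the broker's own implementation.  The parser and the
edge-case decisions (reject missing or duplicated CN, CN alone when there
are no DC components) are assumptions."""


def parse_dn(dn):
    """Split an RFC 4514 style DN string into (attribute, value) pairs.

    Backslash-escaped commas and equals signs inside values are kept, which
    matters because a comma in a CN would otherwise split the identity.
    Quoted values are not handled (assumption: not needed for certs made
    with certutil -s "CN=...")."""
    pairs, buf, escaped = [], [], False

    def flush():
        part = "".join(buf).strip()
        if part:
            attr, _, val = part.partition("=")
            pairs.append((attr.strip().upper(), val.strip()))
        buf.clear()

    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            flush()
        else:
            buf.append(ch)
    flush()
    return pairs


def external_identity(dn):
    """Identity used for the EXTERNAL mechanism: the CN, with the DC
    components appended in the order they appear to form the domain.
    Returns None when the subject has no single CN, so the caller can
    refuse the connection instead of granting an empty or ambiguous name."""
    pairs = parse_dn(dn)
    cns = [v for a, v in pairs if a == "CN"]
    dcs = [v for a, v in pairs if a == "DC"]
    if len(cns) != 1 or not cns[0]:
        return None
    if not dcs:
        return cns[0]  # no domain components: identity is the bare CN
    return cns[0] + "@" + ".".join(dcs)


def connection_identity(cert_dn, mechanism, sasl_identity=None):
    """Identity the broker ends up with for a connection on the SSL port:
    the certificate-derived name for EXTERNAL, otherwise whatever the chosen
    SASL mechanism negotiated (the certificate name is discarded)."""
    if mechanism == "EXTERNAL":
        return external_identity(cert_dn)
    return sasl_identity


if __name__ == "__main__":
    # Constructed subjects, including the one from the documentation.
    for subject in ("CN=bob,DC=acme,DC=com", "CN=Smith\\, Bob,DC=acme,DC=com",
                    "CN=svc", "OU=ops,DC=acme,DC=com"):
        print(subject, "->", external_identity(subject))
```

Because the EXTERNAL name is built only from CN and DC, two certificates that differ in OU or O but share the same CN and DC values map to the same identity; an ACL written against bob@acme.com should therefore be paired with a CA that does not issue such duplicates.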