Chapter 7. Security
7.1. Securing connections with SSL/TLS
AMQ Python uses SSL/TLS to encrypt communication between clients and servers.
To connect to a remote server with SSL/TLS, use a connection URL with the
Example: Enabling SSL/TLS
7.2. Connecting with a user and password
AMQ Python can authenticate connections with a user and password.
To specify the credentials used for authentication, set the
password options on the
Example: Connecting with a user and password
container.connect("amqps://example.com", user="alice", password="secret")
7.3. Configuring SASL authentication
AMQ Python uses the SASL protocol to perform authentication. SASL can use a number of different authentication mechanisms. When two network peers connect, they exchange their allowed mechanisms, and the strongest mechanism allowed by both is selected.
The client uses Cyrus SASL to perform authentication. Cyrus SASL uses plug-ins to support specific SASL mechanisms. Before you can use a particular SASL mechanism, the relevant plug-in must be installed. For example, you need the cyrus-sasl-plain plug-in in order to use SASL PLAIN authentication.
To see a list of Cyrus SASL plug-ins in Red Hat Enterprise Linux, use the yum search cyrus-sasl command. To install a Cyrus SASL plug-in, use the yum install PLUG-IN command.
By default, AMQ Python allows all of the mechanisms supported by the local SASL library configuration. To restrict the allowed mechanisms and thereby control what mechanisms can be negotiated, use the allowed_mechs connection option. It takes a string containing a space-separated list of mechanism names.
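The following is an added example, not part of the AMQ Python documentation: a pre-connect check that refuses weak combinations of URL scheme, credentials and allowed_mechs before the options reach container.connect(). The function names build_connect_options and connect_restricted, and the policy in the two mechanism sets, are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed policy, not from the AMQ documentation: these mechanisms send the
# password unprotected, so they are only accepted inside TLS (amqps://).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}
# Mechanisms that do not take a password from the application.
NO_PASSWORD_MECHS = {"ANONYMOUS", "EXTERNAL", "GSSAPI"}


def build_connect_options(url, user=None, password=None, allowed_mechs=None):
    """Return keyword arguments for container.connect(), or raise ValueError.

    allowed_mechs is the space-separated string described in section 7.3.
    """
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("amqp", "amqps"):
        raise ValueError("unsupported URL scheme: %r" % scheme)
    mechs = [m.upper() for m in (allowed_mechs or "").split()]
    if not mechs:
        # Unset means every locally installed plug-in can be negotiated.
        raise ValueError("allowed_mechs must name at least one mechanism")

    cleartext = sorted(CLEARTEXT_MECHS.intersection(mechs))
    if cleartext and scheme != "amqps":
        raise ValueError("%s requires an amqps:// URL" % ", ".join(cleartext))
    if "ANONYMOUS" in mechs and (user or password):
        # If ANONYMOUS is negotiated, the credentials are never checked.
        raise ValueError("ANONYMOUS must not be allowed when credentials are set")
    need_pw = [m for m in mechs if m not in NO_PASSWORD_MECHS]
    if need_pw and not (user and password):
        raise ValueError("%s needs user and password" % ", ".join(need_pw))

    options = {"allowed_mechs": " ".join(mechs)}
    if user:
        options["user"] = user
    if password:
        options["password"] = password
    return options


def connect_restricted(container, url, **kwargs):
    """Validate the settings, then open the connection with them."""
    return container.connect(url, **build_connect_options(url, **kwargs))
```

Call connect_restricted(container, "amqps://example.com", user="alice", password="secret", allowed_mechs="PLAIN") wherever the application would otherwise call container.connect() directly.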
Example: Configuring SASL authentication
This example forces the connection to authenticate using the ANONYMOUS mechanism even if the server we connect to offers other options. Valid mechanisms include
AMQ Python enables SASL by default. To disable it, set the sasl_enabled connection option to false.
Example: Disabling SASL
7.4. Authenticating using Kerberos
Kerberos is a network protocol for centrally managed authentication based on the exchange of encrypted tickets. See Using Kerberos for more information.
- Configure Kerberos in your operating system. See Configuring Kerberos to set up Kerberos on Red Hat Enterprise Linux.
- Configure the GSSAPI SASL mechanism in your client application.
- Use the kinit command to authenticate your user credentials and store the resulting Kerberos ticket.
$ kinit <user>@<realm>
- Run the client program.