3.3.9. Security Options

Changes
  • New for MRG 3.

Table 3.8. General Broker Options

Security options for running the broker

--ssl-use-export-policy
    Use NSS export policy.

--ssl-cert-password-file <PATH>
    Required. Plain-text file containing the password used to access the certificate database.

--ssl-cert-name <NAME>
    Name of the certificate to use. Default is localhost.localdomain.

--ssl-cert-db <PATH>
    Required. Path to the directory containing the certificate database.

--ssl-port <NUMBER>
    Port on which to listen for SSL connections. If no port is specified, port 5671 is used. If the SSL port is the same as the port for non-SSL connections (i.e. if --ssl-port and --port are the same), both SSL-encrypted and unencrypted connections can be established on that one port; however, in this configuration there is no support for IPv6.

--ssl-require-client-authentication
    Require SSL client authentication (i.e. verification of a client certificate) during the SSL handshake. This occurs before SASL authentication and is independent of SASL.
    This option enables the EXTERNAL SASL mechanism for SSL connections. If the client chooses the EXTERNAL mechanism, the client's identity is taken from the validated SSL certificate, using the CN and appending any DCs to form the domain. For instance, if the certificate contains the properties CN=bob, DC=acme, DC=com, the client's identity is bob@acme.com.
    If the client chooses a different SASL mechanism, the identity taken from the client certificate is replaced by the one negotiated during the SASL handshake.

--ssl-sasl-no-dict
    Do not accept SASL mechanisms that can be compromised by dictionary attacks. This prevents a weaker mechanism from being selected instead of EXTERNAL, which is not vulnerable to dictionary attacks.

--require-encryption
    Causes qpidd to accept only encrypted connections: clients using EXTERNAL SASL on the SSL port, or GSSAPI on the TCP port.

--listen-disable <PROTOCOL>
    Disable connections over the specified protocol. For example, --listen-disable tcp disables connections over TCP and forces the broker to accept connections only on the SSL port.
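The identity derivation described under --ssl-require-client-authentication (CN plus any DC components), as an added example that is not qpidd's own code. It assumes the certificate subject is available as a comma-separated DN string and that DC values are joined in the order they appear; the DN strings in the test are constructed samples.

```python
"""Derive the SASL EXTERNAL identity a broker would take from a validated
client certificate: the CN, with any DC components joined by dots to form
the domain (CN=bob, DC=acme, DC=com -> bob@acme.com).
Added example, not qpidd source code."""


def parse_rdns(subject):
    """Split a subject DN such as 'CN=bob, DC=acme, DC=com' into a list of
    (attribute, value) pairs. A backslash-escaped comma inside a value is
    kept as part of the value (the backslash itself is dropped)."""
    parts, current, escaped = [], [], False
    for ch in subject:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))

    pairs = []
    for rdn in parts:
        attr, _, value = rdn.strip().partition("=")
        if not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def external_identity(subject):
    """Return 'cn@dc1.dc2...' or just 'cn' when the certificate has no DCs.
    Exactly one CN is required; anything else is rejected rather than
    guessed, since this value becomes the authenticated user name."""
    pairs = parse_rdns(subject)
    cns = [v for a, v in pairs if a == "CN"]
    if len(cns) != 1:
        raise ValueError(f"expected exactly one CN, found {len(cns)}")
    dcs = [v for a, v in pairs if a == "DC"]
    if not dcs:
        return cns[0]
    return f"{cns[0]}@{'.'.join(dcs)}"
```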