8.2.5. Enable SSL on Windows

The following set of procedures exports the SSL certificate from the broker and installs it on Windows machines to enable SSL connections between clients running on Windows and the broker.

Procedure 8.2. Create SSL certificates on the broker

  1. Execute the following commands on the broker to export a certificate:
    # cd /var/lib/qpidd
    
    # mkdir qpid_nss_db
    # cd qpid_nss_db
    # ls
    # echo password > ssl_pw_file
    # cat ssl_pw_file
    password
    
    # certutil -S -d . -n qrootCA -s "CN=qrootCA" -t "CT,," -x -m 1000 -v 120 -f ssl_pw_file
    # certutil -S -n "fully-qualified-server-name.com" -s "CN=fully-qualified-server-name.com" -c qrootCA -t ",," -m 1001 -v 120 -d . -f ssl_pw_file
    # certutil -S -n client -s "CN=client" -t ",," -m 1005 -v 120 -c qrootCA -d . -f ssl_pw_file
    # pk12util -d . -o client.p12 -n client
    Enter Password or Pin for "NSS Certificate DB":
    Enter Password or Pin for "NSS Certificate DB":
    Enter password for PKCS12 file:
    Re-enter password:
    pk12util: PKCS12 EXPORT SUCCESSFUL
    # openssl pkcs12 -in client.p12 -out client.pem -nodes -clcerts
    Enter Import Password:
    MAC verified OK
  2. Verify that the files exist:
    # ls
    cert8.db  client.p12  client.pem  key3.db  secmod.db  ssl_pw_file

Procedure 8.3. Copy the qpid_nss_db folder to other broker machines and set qpidd as its owner

  1. Execute the following commands on the other brokers to copy the files from the first broker:
    # scp -r qpid_nss_db root@other-broker.com:/var/lib/qpidd
    # chown -R qpidd:qpidd qpid_nss_db
  2. Verify the files and their permissions:
    # ll
    total 89896
    -rw-r-----. 1 qpidd qpidd        0 Jul 16 06:27 lock
    -rw-r--r--. 1 qpidd qpidd 91989014 Nov  1 06:52 qpidd.log
    -rw-------. 1 qpidd qpidd    12288 Oct  7 05:32 qpidd.sasldb
    drwxr-xr-x. 2 qpidd qpidd     4096 Nov  6 04:32 qpid_nss_db
    -rw-r-----. 1 qpidd qpidd       37 Jul 16 06:27 systemId

Procedure 8.4. Modify broker configuration file

  • Edit the broker configuration file /etc/qpid/qpidd.conf:
    ssl-require-client-authentication=no
    log-to-file=/var/lib/qpidd/qpidd.log
    ssl-port=5671
    log-enable=info+
    ssl-cert-password-file=/var/lib/qpidd/qpid_nss_db/ssl_pw_file
    ssl-cert-name=fully-qualified-server-name.com
    auth=no
    ssl-cert-db=/var/lib/qpidd/qpid_nss_db
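The configuration in Procedure 8.4 is a test setup: `auth=no` switches SASL authentication off entirely and `ssl-require-client-authentication=no` means the broker never checks a client certificate, so any host that can reach port 5671 can connect. The following script is an added example and not part of the Red Hat guide; it reads a qpidd.conf in the key=value form shown above and reports those settings, plus a missing certificate database and a world-readable NSS password file. The function names `qpidd_conf_get` and `audit_qpidd_ssl` are this example's own, and the sample file it writes is a constructed copy of the values in the procedure.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: audit the SSL-related keys of a
# qpidd.conf (key=value lines, '#' comments) and flag the settings that
# Procedure 8.4 leaves at their test-only values.
set -eu

# qpidd_conf_get FILE KEY: print the value of the last KEY= line, or nothing.
qpidd_conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                 # comment line
        index($0, "=") == 0 { next }              # not a key=value line
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) last = v                # later lines win
        }
        END { print last }' "$1"
}

# audit_qpidd_ssl FILE: print one line per finding; return 1 if any, else 0.
audit_qpidd_ssl() {
    conf="$1"; rc=0
    db=$(qpidd_conf_get "$conf" ssl-cert-db)
    name=$(qpidd_conf_get "$conf" ssl-cert-name)
    pwf=$(qpidd_conf_get "$conf" ssl-cert-password-file)
    auth=$(qpidd_conf_get "$conf" auth)
    reqcl=$(qpidd_conf_get "$conf" ssl-require-client-authentication)

    [ -n "$db" ] && [ -n "$name" ] \
        || { echo "FAIL ssl-cert-db or ssl-cert-name missing: no SSL listener"; rc=1; }
    [ "$auth" != "no" ] \
        || { echo "WARN auth=no: SASL authentication is off, any client can connect"; rc=1; }
    [ "$reqcl" = "yes" ] \
        || { echo "WARN ssl-require-client-authentication is not yes: client certificates are not required"; rc=1; }
    # qpidd reads the NSS password file; it must not be readable by other users
    if [ -n "$pwf" ] && [ -f "$pwf" ] && [ "$(ls -l "$pwf" | cut -c8-10)" != "---" ]; then
        echo "WARN $pwf is readable by other users"; rc=1
    fi
    return $rc
}

# Constructed sample with the values from Procedure 8.4 (not a real broker file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
ssl-require-client-authentication=no
log-to-file=/var/lib/qpidd/qpidd.log
ssl-port=5671
log-enable=info+
ssl-cert-password-file=/var/lib/qpidd/qpid_nss_db/ssl_pw_file
ssl-cert-name=fully-qualified-server-name.com
auth=no
ssl-cert-db=/var/lib/qpidd/qpid_nss_db
EOF
audit_qpidd_ssl "$sample" || echo "test configuration: resolve the findings above before production use"
rm -f "$sample"
```

Run it against the real file with `audit_qpidd_ssl /etc/qpid/qpidd.conf` after sourcing the script; the sample run prints the two WARN lines for `auth=no` and `ssl-require-client-authentication=no`, which is what Procedure 8.11 later changes when client authentication is switched on.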

Procedure 8.5. Start the broker

  • Start the broker and verify that it is listening on the SSL port:
    # service qpidd restart
    Stopping Qpid AMQP daemon:             [  OK  ]
    Starting Qpid AMQP daemon:             [  OK  ]
    
    # netstat -nap | grep qpidd
    tcp        0      0 0.0.0.0:5671                0.0.0.0:*                   LISTEN      25184/qpidd
    tcp        0      0 0.0.0.0:5672                0.0.0.0:*                   LISTEN      25184/qpidd
    tcp        0      0 :::5671                     :::*                        LISTEN      25184/qpidd
    tcp        0      0 :::5672                     :::*                        LISTEN      25184/qpidd
    

Procedure 8.6. Create a folder to export onto Windows machines

  1. Execute the following instructions to:
    • Create a folder to export onto Windows machines
    • Create a new password file in .txt format
    • Export certification authority certificate to .cer format
    • Export client certificate to .pfx format
    # mkdir windir
    # echo password2 > windir/win_pw_file.txt
    # cat windir/win_pw_file.txt
    password2
    # certutil -L -d qpid_nss_db -n qrootCA -f ssl_pw_file -a > windir/qrootCA.cer
    # pk12util -d qpid_nss_db -n client  -k qpid_nss_db/ssl_pw_file -w windir/win_pw_file.txt -o windir/client.pfx
    pk12util: PKCS12 EXPORT SUCCESSFUL
  2. Verify that the files exist:
    # ls windir
    client.pfx  qrootCA.cer  win_pw_file.txt
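Before the windir folder is copied to Windows it is worth confirming that the three files belong together: that win_pw_file.txt actually opens client.pfx, that the client certificate inside it was issued by the CA in qrootCA.cer, that its subject CN is `client` (the name QPID_SSL_CERT_NAME later selects), and that it is not about to expire. The script below is an added example, not part of the Red Hat guide; it assumes only the `openssl` command-line tool is available. Because the check needs real files, the script also builds a throwaway CA and client pair with OpenSSL as constructed test material; the real bundle comes from certutil and pk12util exactly as in the procedure above, and the function names `check_windir` and `build_sample_windir` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: check an exported windir/
# bundle (client.pfx, qrootCA.cer, win_pw_file.txt) with OpenSSL before it is
# copied to Windows, and build throwaway test material so the check can run
# anywhere. The real bundle comes from certutil/pk12util as in Procedure 8.6.
set -eu

# check_windir DIR: return 0 only when the bundle in DIR is consistent.
check_windir() {
    windir="$1"
    for f in client.pfx qrootCA.cer win_pw_file.txt; do
        [ -s "$windir/$f" ] || { echo "missing or empty: $f"; return 1; }
    done
    # the password file must open the PFX; this is the same secret that the
    # Windows import wizard and QPID_SSL_CERT_PASSWORD_FILE will use
    cert=$(openssl pkcs12 -in "$windir/client.pfx" -nokeys -clcerts \
               -passin "file:$windir/win_pw_file.txt" 2>/dev/null) \
        || { echo "win_pw_file.txt does not open client.pfx"; return 1; }
    # the client certificate must chain to the CA that Windows will trust
    printf '%s\n' "$cert" | openssl verify -CAfile "$windir/qrootCA.cer" >/dev/null 2>&1 \
        || { echo "client certificate does not chain to qrootCA.cer"; return 1; }
    # the subject CN is what QPID_SSL_CERT_NAME=client will select on Windows
    printf '%s\n' "$cert" | openssl x509 -noout -subject | grep -q 'CN *= *client$' \
        || { echo "client certificate CN is not 'client'"; return 1; }
    # warn early about a certificate that expires within 30 days (2592000 s)
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 2592000 >/dev/null \
        || { echo "client certificate expires within 30 days"; return 1; }
    return 0
}

# build_sample_windir WORK: constructed test material mimicking windir/
# (self-signed qrootCA, client certificate issued by it, PFX protected with
# the password from win_pw_file.txt). Private keys stay outside windir/.
build_sample_windir() {
    work="$1"; windir="$work/windir"
    mkdir -p "$windir"
    echo password2 > "$windir/win_pw_file.txt"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=qrootCA" \
        -keyout "$work/qrootCA.key" -out "$windir/qrootCA.cer" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client" \
        -keyout "$work/client.key" -out "$work/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -set_serial 1005 -in "$work/client.csr" \
        -CA "$windir/qrootCA.cer" -CAkey "$work/qrootCA.key" \
        -out "$work/client.pem" 2>/dev/null
    openssl pkcs12 -export -name client -in "$work/client.pem" -inkey "$work/client.key" \
        -passout "file:$windir/win_pw_file.txt" -out "$windir/client.pfx"
}

work=$(mktemp -d)
build_sample_windir "$work"
if check_windir "$work/windir"; then
    echo "windir bundle OK: $work/windir"
fi
rm -rf "$work"
```

For a real export run `check_windir /var/lib/qpidd/windir` on the broker. One caveat if OpenSSL 3 rather than pk12util is ever used to produce the PFX: its default PKCS#12 encryption (AES-256-CBC with PBKDF2) is not accepted by older Windows releases, and `openssl pkcs12 -export -legacy` is needed to get a file those can import; the NSS pk12util output used by the guide does not have this problem.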

Procedure 8.7. Copy files to Windows machine

  • Copy the windir folder onto the Windows machine.

Optional Pathway: GUI or Command-line

The following procedure installs the certificate on the Windows machine. It can be done in two ways: using the GUI, or using the command-line.

Procedure 8.8. Install Certification Authority - GUI

  1. On the Windows machine, run mmc
  2. Click File / Add/Remove Snap-in...
  3. Select Certificates -> Add -> Computer account -> Local computer -> Finish -> OK
  4. In the console unpack Certificates (Local Computer)
  5. Right click on Trusted Root Certification Authorities, and select All Tasks/Import...
  6. Set the path to the qrootCA.cer file, select Trusted Root Certification Authorities certificate store, confirm the action and save the console settings.

Procedure 8.9. Install Certification Authority - Command-line

  • Execute the following command to import the certificate at the command-line:
    certmgr.exe -add -c C:\windir\qrootca.cer -s -r localMachine root

Procedure 8.10. Test connection

  • Execute the following at the command line to test the connection (no environment variables need to be set for this test):
    C:\qpid_VS2008\bin\Release>spout.exe --broker broker-server.com:5671 --connection-options {transport:ssl} "amq.topic"

Optional Pathway - Certificate Installed or Specified via Environment

You can install the certificate in the Windows machine certificate store, or specify it via environment variables.

Procedure 8.11. Install Certificate in Windows Certificate Store

Follow these instructions to install the client certificate client.pfx into Current User/Personal certificate store:
  1. Run mmc
  2. Click File / Add/Remove Snap-in...
  3. Select Certificates -> Add -> My user account -> Finish -> OK
  4. In the console unpack Certificates - Current User
  5. Right click on Personal.
  6. Select All Tasks / Import.
  7. Assign path to the client.pfx file
  8. Click on Next.
  9. Type a password from win_pw_file.txt (password2 in our case).
  10. Choose Certificate Store Personal and save the console settings.
  11. Modify the broker configuration to require client authentication (ssl-require-client-authentication=yes in /etc/qpid/qpidd.conf) and restart the broker.
  12. Set up environment variables:
    >set QPID_SSL_CERT_STORE=My
    >set QPID_SSL_CERT_NAME=client
  13. Test it by sending a message:
    C:\qpid_VS2008\bin\Release>spout.exe --broker broker-server.com:5671 --connection-options {transport:ssl,sasl-mechanisms:EXTERNAL} amq.topic

Procedure 8.12. Specify Certificate via Environment

  1. Set up environment variables on the Windows machine:
    >set QPID_SSL_CERT_FILENAME=<path_to_the_client.pfx>
    >set QPID_SSL_CERT_PASSWORD_FILE=<path_to_the_win_pw_file.txt>
    >set QPID_SSL_CERT_NAME=client
    For example:
    C:\qpid_VS2008\bin\Release>set QPID_SSL_CERT_FILENAME=C:\windir\client.pfx
    C:\qpid_VS2008\bin\Release>set QPID_SSL_CERT_PASSWORD_FILE=C:\windir\win_pw_file.txt
    C:\qpid_VS2008\bin\Release>set QPID_SSL_CERT_NAME=client
  2. Test it by sending a message:
    C:\qpid_VS2008\bin\Release>spout.exe --broker broker-server.com:5671 --connection-options {transport:ssl,sasl-mechanisms:EXTERNAL} amq.topic