MRG: At least one Trusted Certificate Authority certificate needs to be loaded even when using Trusted Peer certificates

Solution Verified

Environment

  • MRG Messaging (any version)
  • NSS libraries (any version)
  • Red Hat Enterprise Linux 5 or higher

Issue

  • using Trusted Peer certificates for EXTERNAL (SSL) authentication to the broker
  • the peer certificates are loaded, but no Trusted Certificate Authority (CA) certificate is loaded into the database
  • authentication fails with a notice that no certificate authority is trusted; a Trusted CA should not be needed on a closed system

Resolution

  • only the following workaround is available (until the NSS library is substantially extended):
    • create and import a dummy CA, then destroy its private key so it can never be used:
# mkdir dummy_ca_db
# certutil -N -d dummy_ca_db/ -f password.file
# certutil -S -n dummy -s "CN=dummy" -x -t "T,," -d dummy_ca_db/ -f password.file
# certutil -L -n dummy -d dummy_ca_db/ -a -o server_db/dummy-ca.crt
# certutil -A -n dummy -d server_db/ -i server_db/dummy-ca.crt -t 'T,,'
# rm -rf dummy_ca_db/
  • make sure the qpidd user can access the server_db/dummy-ca.crt file
  • restart the broker and the client program
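Before restarting the broker it is worth confirming that the server database now really holds a CA-trusted entry, since a database with only `P` flags (as in the `certutil -L` listing under Diagnostic Steps) is exactly the state NSS rejects. The following check is an added example, not part of the original solution: it parses `certutil -L` output from stdin and reports entries whose SSL trust slot carries a `C` or `T` flag; the sample listings are constructed from this page, not captured from a live system.

```shell
#!/bin/sh
# Given the output of `certutil -L -d <db>` on stdin, print the nicknames of
# entries whose SSL trust slot (first comma-separated field) carries a CA
# flag (C = valid CA, T = trusted CA for client authentication).
# No output means the database has no trusted CA and client authentication
# will fail as described in this solution.
nss_trusted_cas() {
    awk '
        NF >= 2 && $NF ~ /^[CTPpcuw]*,[CTPpcuw]*,[CTPpcuw]*$/ {
            split($NF, slot, ",")
            if (slot[1] ~ /[CT]/) {
                $NF = ""               # drop the trust column, keep nickname
                sub(/[ \t]+$/, "")     # strip trailing whitespace
                print
            }
        }'
}

# Exit status 0 if at least one CA-trusted entry is present, 1 otherwise.
nss_has_trusted_ca() {
    [ -n "$(nss_trusted_cas)" ]
}

# Constructed sample listings: the server database from the diagnostic steps
# before the workaround (peer certificates only) and after the dummy CA import.
BEFORE_IMPORT='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

localhost                                                    Pu,u,u
my-user                                                      P,,'

AFTER_IMPORT="$BEFORE_IMPORT
dummy                                                        T,,"

# On a live system: certutil -L -d server_db | nss_has_trusted_ca || echo "no trusted CA"
```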

Notice: Another workaround is to stand up a Dogtag or Red Hat Cluster Suite CA, load that CA's certificate into the server's database with the 'T' (trusted) flag set, and then issue the client authentication certificates from that CA.

Root Cause

  • The desired behavior (SSL authentication with no Trusted CA) is not possible, because trusted self-signed peers do not currently work in NSS.
  • The SSL protocol needs a CA certificate that the server can send to the client, so that the client can tell which SSL client certificate it has to present. Without that certificate, NSS cannot complete the connection. The SSL client authentication protocol was designed on the assumption that the relying party issues client authentication certificates to its users from its own CA.

Diagnostic Steps

  • create and initialize a certificate database for both the client and the server:
# mkdir server_db client_db
# certutil -N -d client_db/
# certutil -N -d server_db/
  • create the password file (containing the password entered in the previous step), then create self-signed certificates for the client and the server:
# vi password.file
# certutil -S -n my-user -s "CN=my-user" -x -t "P,," -d client_db -f password.file
# certutil -S -n localhost -s "CN=localhost" -x -t "P,," -d server_db -f password.file
  • import the public part of the server certificate as a Trusted Peer into the client's certificate database:
# certutil -L -n localhost -d server_db/ -a -o server_db/localhost.crt
# certutil -A -n localhost -d client_db/ -i server_db/localhost.crt -t 'P,,'
  • import the public part of the client certificate as a Trusted Peer into the server's certificate database:
# certutil -L -n my-user -d client_db/ -a -o client_db/my-user.crt
# certutil -A -n my-user -d server_db/ -i client_db/my-user.crt -t 'P,,'
  • list the contents of each certificate database (the trust column shows SSL, S/MIME and object-signing flags; note that neither database contains a C or T entry):
# certutil -L -d client_db
my-user                                                      Pu,u,u
localhost                                                    P,,
# certutil -L -d server_db
localhost                                                    Pu,u,u
my-user                                                      P,,
# 
  • ensure that the qpidd user can access the files in the server_db directory and the password.file
  • now start qpidd using the server certificate database:
# /usr/sbin/qpidd --load-module /usr/lib64/qpid/daemon/ssl.so  --ssl-cert-db $(pwd)/server_db --ssl-cert-password-file password.file \
 --ssl-cert-name localhost --ssl-require-client-authentication  --ssl-sasl-no-dict --log-enable info+ --log-enable trace+:amqp_0_10
  • run a client test program that authenticates using SSL:
# export QPID_LOAD_MODULE=/usr/lib64/qpid/client/sslconnector.so
# export QPID_SSL_CERT_DB=$(pwd)/client_db/
# export QPID_SSL_CERT_NAME=my-user
# export QPID_SSL_CERT_PASSWORD_FILE=$(pwd)/password.file
# qpid-perftest --count 10 --port 5671 --protocol ssl --broker localhost
  • the broker rejects the authentication attempt and logs:
2011-07-06 11:50:46 error Error reading socket: NSS error [-12199]
  • in the client output one should see:
Failed: Encountered end of file [-5938] (qpid/sys/ssl/SslSocket.cpp:182)

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
