[Freeipa-users] verified certificates both sides of a TLS channel

Martin Kosek mkosek at redhat.com
Fri Mar 6 09:32:16 UTC 2015


On 03/06/2015 09:34 AM, Andrew Holway wrote:
> Hi,
>
> We're using rabbitmq to shunt bits of data around various systems to provide
> better security we would like all of our acmq connections to be authenticated
> and encrypted.
>
> I'm looking for appropriate documentation or some friendly guidance of how
> server to server SSL authentication is done with freeipa and if indeed this is
> the best way to ensure privacy in such scenarios.

These are the best documentation sources I could find:

Creating certs for FreeIPA hosts: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/host-certificates.html

Creating certs for FreeIPA hosts: 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/service-certificates.html

With these certificates, you would need to manually configure SSL-based 
authentication with mod_ssl/mod_nss. A partially related user howto is
http://www.freeipa.org/page/Apache_SNI_With_Kerberos

I wonder if RabbitMQ has GSSAPI support; that would be easier to configure 
with FreeIPA than SSL certs.

Btw FreeIPA 4.2 plans to have much better support for different cert profiles 
or sub-CAs that you may later use for purposes like this one.

Ticket:
https://fedorahosted.org/freeipa/ticket/57

CCing Fraser from Dogtag team for reference.

Martin
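
An added example, not part of the original message: the reply covers issuing the certificates and points at mod_ssl/mod_nss for the manual configuration, while the broker-side equivalent for the RabbitMQ case in the question is its own TLS listener settings, sketched here. It assumes the classic Erlang-term rabbitmq.config format; the certfile and keyfile paths are placeholders for a FreeIPA-issued certificate and key, and /etc/ipa/ca.crt is assumed to be the CA certificate of an enrolled FreeIPA client.

```erlang
%% /etc/rabbitmq/rabbitmq.config (classic Erlang-term format)
%% Assumptions: certfile/keyfile are placeholder paths for a certificate and
%% key issued by the FreeIPA CA for this host or service; cacertfile is the
%% FreeIPA CA certificate as installed on an enrolled client.
[
  {rabbit, [
    %% Close the plaintext AMQP listener so every connection goes over TLS.
    {tcp_listeners, []},
    {ssl_listeners, [5671]},
    {ssl_options, [
      %% Trust anchor used to validate the certificate each peer presents.
      {cacertfile, "/etc/ipa/ca.crt"},
      %% The broker's own identity, presented to connecting systems.
      {certfile,   "/etc/rabbitmq/ssl/broker.crt"},
      {keyfile,    "/etc/rabbitmq/ssl/broker.key"},

      %% Weak setting: the channel is encrypted, but the broker never
      %% checks who is connecting.
      %%   {verify, verify_none},
      %%   {fail_if_no_peer_cert, false}
      %%
      %% Corrected setting: the peer's certificate must chain to cacertfile,
      %% and a peer that sends no certificate at all is rejected.
      {verify, verify_peer},
      {fail_if_no_peer_cert, true}
    ]}
  ]}
].
```

With `verify_peer` alone and `fail_if_no_peer_cert` left at `false`, a peer that presents no certificate is still accepted, so both options are needed. The connecting systems must in turn validate the broker's certificate against the same CA for the channel to be verified on both sides.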



