[Freeipa-users] verified certificates both sides of a TLS channel

Dmitri Pal dpal at redhat.com
Fri Mar 6 12:16:57 UTC 2015


On 03/06/2015 04:32 AM, Martin Kosek wrote:
> On 03/06/2015 09:34 AM, Andrew Holway wrote:
>> Hi,
>>
>> We're using RabbitMQ to shunt bits of data around various systems. To
>> provide better security we would like all of our AMQP connections to be
>> authenticated and encrypted.
>>
>> I'm looking for appropriate documentation or some friendly guidance on
>> how server-to-server SSL authentication is done with FreeIPA, and if
>> indeed this is the best way to ensure privacy in such scenarios.
>
> These are the best documentation sources I could find:
>
> Creating certs for FreeIPA hosts:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/host-certificates.html
>
> Creating certs for FreeIPA services:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/service-certificates.html
>
> With these certificates, you would need to manually configure SSL-based
> authentication with mod_ssl/mod_nss. A partially related user howto is
> http://www.freeipa.org/page/Apache_SNI_With_Kerberos
>
> I wonder if RabbitMQ has GSSAPI support; that would be easier to
> configure with FreeIPA than SSL certs.
>
> Btw FreeIPA 4.2 plans to have much better support for different cert 
> profiles or sub-CAs that you may later use for purposes like this one.
>
> Ticket:
> https://fedorahosted.org/freeipa/ticket/57
>
> CCing Fraser from Dogtag team for reference.
>
> Martin
>
What we are still missing is client-side certs. So AFAIU we would be
able to provide certs for one-way authentication, not two-way, yet.
It is in the works.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
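The manual configuration Martin points at, carried through for a RabbitMQ broker, as an added example that is not part of the thread and not code from the FreeIPA or RabbitMQ projects: certmonger requests the broker's service certificate from IPA, and the broker is configured so that every connection is both encrypted and authenticated by a client certificate chaining to the IPA CA. The principal name amqp/<fqdn>, the file paths, the client-side certificate locations, the broker user mapping and the classic Erlang-term rabbitmq.config format are assumptions; the client certificate is assumed to be an IPA-issued host or service certificate obtained the same way on the client host.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA or RabbitMQ project code).
# Obtains an IPA-issued service certificate for a RabbitMQ broker via certmonger
# and turns on a TLS-only AMQP listener that verifies client certificates.
# Assumptions (not stated in the thread): the host is enrolled with
# ipa-client-install (so /etc/ipa/ca.crt exists), certmonger and the ipa CLI
# are installed, the service principal is amqp/<fqdn>, the broker reads the
# classic Erlang-term /etc/rabbitmq/rabbitmq.config, and client hosts hold
# their own IPA-issued certificate in the paths used by check_mutual_tls.
set -eu

CERT=/etc/pki/tls/certs/rabbitmq.crt
KEY=/etc/pki/tls/private/rabbitmq.key
IPA_CA=/etc/ipa/ca.crt      # IPA CA chain; every enrolled host already trusts it

# Register the service principal and have certmonger request, track and
# auto-renew its certificate.  Needs an admin Kerberos ticket (kinit admin).
# -K is the principal the cert is issued for, -D the DNS SAN clients verify,
# -C a command certmonger runs whenever it saves a renewed certificate.
request_broker_cert() {
    fqdn=$(hostname -f)
    ipa service-add "amqp/${fqdn}"          # fails if the principal already exists
    ipa-getcert request -f "$CERT" -k "$KEY" \
        -K "amqp/${fqdn}" -D "${fqdn}" \
        -C "systemctl try-restart rabbitmq-server"
}

# Emit a rabbitmq.config that makes every connection both encrypted and
# certificate-authenticated: no plaintext listener, peer verification against
# the IPA CA, and a hard failure if the client sends no certificate.
# Without fail_if_no_peer_cert this is the one-way TLS the thread talks about:
# clients verify the broker, but the broker accepts any client at all.
render_rabbitmq_tls_config() {
    cat <<EOF
[
  {rabbit, [
    {tcp_listeners, []},
    {ssl_listeners, [5671]},
    {ssl_options, [
      {cacertfile, "${IPA_CA}"},
      {certfile,   "${CERT}"},
      {keyfile,    "${KEY}"},
      {verify, verify_peer},
      {fail_if_no_peer_cert, true}
    ]},
    {auth_mechanisms, ['EXTERNAL']},
    {ssl_cert_login_from, common_name}
  ]}
].
EOF
}

# Write the config, enable the plugin that maps a verified certificate's CN to
# a broker user (each client then needs: rabbitmqctl add_user <client fqdn> ...),
# and restart the broker.
install_broker_config() {
    render_rabbitmq_tls_config > /etc/rabbitmq/rabbitmq.config
    rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl
    systemctl restart rabbitmq-server
}

# From a client host: the handshake must succeed when our IPA-issued cert is
# presented and be refused when it is omitted.  Returns 0 only if both hold.
# TLS 1.2 is forced because there a missing client cert aborts the handshake
# itself, so openssl exits non-zero; under TLS 1.3 the server only rejects
# after its own Finished and s_client may already have exited 0.
check_mutual_tls() {
    broker=$1
    client_cert=${2:-/etc/pki/tls/certs/client.crt}
    client_key=${3:-/etc/pki/tls/private/client.key}
    openssl s_client -tls1_2 -connect "${broker}:5671" -CAfile "$IPA_CA" \
        -verify_return_error -cert "$client_cert" -key "$client_key" \
        </dev/null >/dev/null 2>&1 || { echo "with cert: handshake failed"; return 1; }
    if openssl s_client -tls1_2 -connect "${broker}:5671" -CAfile "$IPA_CA" \
        -verify_return_error </dev/null >/dev/null 2>&1; then
        echo "without cert: broker accepted an unauthenticated client"; return 1
    fi
    echo "mutual TLS enforced on ${broker}"
}
```

Run request_broker_cert and install_broker_config on the broker host, create one broker user per client FQDN, then run check_mutual_tls from a client against the broker's FQDN (the name in the certificate's SAN, not an IP). Renewal is certmonger's job, and the -C hook makes the broker pick up the new file.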
