[Freeipa-users] verified certificates both sides of a TLS channel
Dmitri Pal
dpal at redhat.com
Fri Mar 6 15:11:34 UTC 2015
On 03/06/2015 08:05 AM, Martin Kosek wrote:
> On 03/06/2015 01:16 PM, Dmitri Pal wrote:
>> On 03/06/2015 04:32 AM, Martin Kosek wrote:
>>> On 03/06/2015 09:34 AM, Andrew Holway wrote:
>>>> Hi,
>>>>
>>>> We're using rabbitmq to shunt bits of data around various systems. To
>>>> provide better security we would like all of our acmq connections to be
>>>> authenticated and encrypted.
>>>>
>>>> I'm looking for appropriate documentation or some friendly guidance
>>>> of how server to server SSL authentication is done with freeipa and if
>>>> indeed this is the best way to ensure privacy in such scenarios.
>>>
>>> These are the best documentation sources I could find:
>>>
>>> Creating certs for FreeIPA hosts:
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/host-certificates.html
>>>
>>> Creating certs for FreeIPA hosts:
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/service-certificates.html
>>>
>>> With these certificates, you would need to manually configure SSL-based
>>> authentication with mod_ssl/mod_nss. Partially related user howto is
>>> http://www.freeipa.org/page/Apache_SNI_With_Kerberos
>>>
>>> I wonder if RabbitMQ has GSSAPI support, that would be easier to
>>> configure with FreeIPA than SSL certs.
>>>
>>> Btw FreeIPA 4.2 plans to have much better support for different cert
>>> profiles or sub-CAs that you may later use for purposes like this one.
>>>
>>> Ticket:
>>> https://fedorahosted.org/freeipa/ticket/57
>>>
>>> CCing Fraser from Dogtag team for reference.
>>>
>>> Martin
>>>
>> What we are still missing is the client-side certs. So AFAIU we would be
>> able to provide certs for one-way authentication, not two-way yet.
>> It is in the works.
>
> Couldn't the authentication be provided with service certs and current
> default certificate profile?
I do not think so. I added Rob to the thread. I think he explained one
time what is missing but I do not recall the details.
>
> This is the ticket for the client certificate work, it was missing:
> https://fedorahosted.org/freeipa/ticket/4938
>
> Martin
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.