[Freeipa-users] verified certificates both sides of a TLS channel

Dmitri Pal dpal at redhat.com
Fri Mar 6 15:11:34 UTC 2015


On 03/06/2015 08:05 AM, Martin Kosek wrote:
> On 03/06/2015 01:16 PM, Dmitri Pal wrote:
>> On 03/06/2015 04:32 AM, Martin Kosek wrote:
>>> On 03/06/2015 09:34 AM, Andrew Holway wrote:
>>>> Hi,
>>>>
>>>> We're using rabbitmq to shunt bits of data around various systems to
>>>> provide better security we would like all of our acmq connections to be
>>>> authenticated and encrypted.
>>>>
>>>> I'm looking for appropriate documentation or some friendly guidance
>>>> of how server to server SSL authentication is done with freeipa and if
>>>> indeed this is the best way to ensure privacy in such scenarios.
>>>
>>> These are the best documentation sources I could find:
>>>
>>> Creating certs for FreeIPA hosts:
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/host-certificates.html
>>>
>>> Creating certs for FreeIPA hosts:
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/service-certificates.html
>>>
>>> With these certificates, you would need to manually configure SSL-based
>>> authentication with mod_ssl/mod_nss. Partially related user howto is
>>> http://www.freeipa.org/page/Apache_SNI_With_Kerberos
>>>
>>> I wonder if RabbitMQ has GSSAPI support, that would be more easy to
>>> configure with FreeIPA than SSL certs.
>>>
>>> Btw FreeIPA 4.2 plans to have much better support for different cert
>>> profiles or sub-CAs that you may later use for purposes like this one.
>>>
>>> Ticket:
>>> https://fedorahosted.org/freeipa/ticket/57
>>>
>>> CCing Fraser from Dogtag team for reference.
>>>
>>> Martin
>>>
>> What we are still missing is the client side certs. So AFAIU we would be
>> able to provide certs for one way authentication, not two way yet.
>> It is in the works.
>
> Couldn't the authentication be provided with service certs and the current
> default certificate profile?

I do not think so. I added Rob to the thread. I think he explained one 
time what is missing but I do not recall the details.

>
> This is the ticket for the client certificate work, it was missing:
> https://fedorahosted.org/freeipa/ticket/4938
>
> Martin


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
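The distinction the thread turns on (a service certificate gives you server-only, one-way authentication; two-way authentication additionally needs a client certificate issued by a CA the server trusts) can be shown with a small handshake demo. The following is an added example, not code from this thread, from FreeIPA or from RabbitMQ: it uses the openssl CLI (assumed to be on PATH) to mint a throwaway test CA standing in for the FreeIPA CA, a CA-signed server and client certificate, and a self-signed "rogue" client certificate the CA never issued, then runs TLS handshakes over localhost with Python's ssl module. All names and paths are constructed for the demo.

```python
"""One-way vs two-way TLS authentication (added example, not from the thread).

A throwaway CA stands in for the FreeIPA CA. The server's verify_mode is
the knob that turns server-only auth into mutual auth: with CERT_REQUIRED,
a client with no cert, or with a cert the CA did not sign, is rejected.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def _openssl(*args):
    subprocess.run(("openssl",) + args, check=True, capture_output=True)


def make_test_pki(d):
    """Mint a constructed test CA, a CA-signed server cert (SAN localhost),
    a CA-signed client cert, and a self-signed 'rogue' client cert."""
    p = lambda n: os.path.join(d, n)
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-keyout", p("ca.key"), "-out", p("ca.crt"),
             "-subj", "/CN=Constructed Test CA")
    with open(p("san.ext"), "w") as f:   # hostname the client will verify
        f.write("subjectAltName=DNS:localhost\n")
    for name, cn, ext in (("server", "localhost", p("san.ext")),
                          ("client", "amq-client", None)):
        _openssl("req", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={cn}",
                 "-keyout", p(f"{name}.key"), "-out", p(f"{name}.csr"))
        sign = ["x509", "-req", "-in", p(f"{name}.csr"), "-CA", p("ca.crt"),
                "-CAkey", p("ca.key"), "-CAcreateserial", "-days", "1",
                "-out", p(f"{name}.crt")]
        _openssl(*(sign + (["-extfile", ext] if ext else [])))
    # A cert not issued by the trusted CA: must be rejected by the server.
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-keyout", p("rogue.key"), "-out", p("rogue.crt"), "-subj", "/CN=rogue")


def try_handshake(d, client_cert=None, require_client_cert=True):
    """Return the client CN the server authenticated, 'anonymous' when no
    client cert was demanded, or 'rejected' when the handshake failed."""
    p = lambda n: os.path.join(d, n)
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(p("server.crt"), p("server.key"))   # service cert
    srv.load_verify_locations(p("ca.crt"))                   # trusted issuer
    srv.verify_mode = ssl.CERT_REQUIRED if require_client_cert else ssl.CERT_NONE

    cli = ssl.create_default_context(cafile=p("ca.crt"))     # verifies server
    if client_cert:
        cli.load_cert_chain(p(f"{client_cert}.crt"), p(f"{client_cert}.key"))

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    outcome = {}

    def server():
        conn, _ = listener.accept()
        try:
            with srv.wrap_socket(conn, server_side=True) as tls:  # handshake
                cert = tls.getpeercert()
                outcome["peer"] = (dict(r[0] for r in cert["subject"])["commonName"]
                                   if cert else "anonymous")
                try:
                    tls.recv(16)
                except OSError:
                    pass
        except ssl.SSLError:          # no cert, or cert not signed by our CA
            outcome["peer"] = "rejected"
        finally:
            listener.close()

    t = threading.Thread(target=server)
    t.start()
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw:
            with cli.wrap_socket(raw, server_hostname="localhost") as tls:
                tls.sendall(b"hello")
    except OSError:                   # server may have torn the session down
        pass
    t.join()
    return outcome["peer"]


def run_demo():
    """Exercise the four cases the thread distinguishes."""
    d = tempfile.mkdtemp()
    make_test_pki(d)
    return {
        "one_way_no_client_cert": try_handshake(d, None, require_client_cert=False),
        "two_way_ca_signed_client": try_handshake(d, "client"),
        "two_way_no_client_cert": try_handshake(d, None),
        "two_way_rogue_client": try_handshake(d, "rogue"),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {result}")
```

The server-only configuration is what a FreeIPA service certificate covers today according to the thread; the mutual case works only when the client's certificate chains to a CA the server trusts, which is exactly the client-certificate issuance the linked ticket is about.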
