AMQ Broker / ENTMQBR-2755

Provide a way to perform custom validation of TLS client certificates

Details

    • Documentation (Ref Guide, User Guide, etc.)
      In AMQ Broker 7.6, an administrator can specify an SSL TrustManagerFactory plugin in the broker configuration to associate with the SSL context. This option enables custom validation of TLS client certificates.
       
      Specifically, a new configuration parameter, `trustManagerFactoryPlugin`, can now be specified on an acceptor or connector. The value of `trustManagerFactoryPlugin` defines the name of the class that implements the `org.apache.activemq.artemis.api.core.TrustManagerFactoryPlugin` interface. The single method in this interface returns a `TrustManagerFactory` value that is used when the underlying `javax.net.ssl.SSLContext` is initialized.

      The value of `trustManagerFactoryPlugin` takes precedence over all other SSL parameters that apply to the trust manager (that is, `trustAll`, `truststoreProvider`, `truststorePath`, `truststorePassword`, `crlPath`).
    • Documented as Feature Request
    • Verified in a release

    Description

      ActiveMQ provided a way for the administrator to add a customer definition of an SSLContext to the server configuration. It was therefore possible to do custom validation of client certificates by, for example, associating a custom X509TrustManager with the SSLContext.

      Artemis provides no comparable way to do this. To provide a comparable facility, we need to allow plugins access to the Netty transport layer, or otherwise to allow similar, protocol-level configurability.
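
An added example (not code from this issue or from the AMQ Broker project) of a class that could be named in `trustManagerFactoryPlugin`, as described in the release note above: it runs standard path validation against its own truststore and then also requires the clientAuth extended key usage on the client certificate. The method name `getTrustManagerFactory`, the class names and the `example.truststore.*` system properties are assumptions that do not appear on this page.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.List;
import javax.net.ssl.*;
import org.apache.activemq.artemis.api.core.TrustManagerFactoryPlugin;

public class ClientAuthEkuTrustPlugin implements TrustManagerFactoryPlugin {
    private static final String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth
    @Override public TrustManagerFactory getTrustManagerFactory() {
        try {
            // The plugin overrides truststorePath and the other trust parameters, so it
            // loads its own anchors. The example.truststore.* properties are hypothetical.
            KeyStore anchors = KeyStore.getInstance("PKCS12");
            try (InputStream in = Files.newInputStream(Paths.get(System.getProperty("example.truststore.path")))) {
                anchors.load(in, System.getProperty("example.truststore.password").toCharArray());
            }
            TrustManagerFactory pkix = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            pkix.init(anchors);
            X509TrustManager base = (X509TrustManager) pkix.getTrustManagers()[0];
            TrustManager[] wrapped = {new EkuCheckingTrustManager(base)};
            // Hand back an already-initialised factory whose only manager is the wrapper.
            return new TrustManagerFactory(new TrustManagerFactorySpi() {
                @Override protected void engineInit(KeyStore ks) { }
                @Override protected void engineInit(ManagerFactoryParameters spec) { }
                @Override protected TrustManager[] engineGetTrustManagers() { return wrapped; }
            }, null, "ClientAuthEku") { };
        } catch (Exception e) {
            throw new IllegalStateException("trust manager setup failed", e); // fail closed
        }
    }

    static final class EkuCheckingTrustManager implements X509TrustManager {
        private final X509TrustManager base;
        EkuCheckingTrustManager(X509TrustManager base) { this.base = base; }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            base.checkClientTrusted(chain, authType); // standard PKIX path validation first
            List<String> eku = chain[0].getExtendedKeyUsage();
            if (eku == null || !eku.contains(CLIENT_AUTH_OID)) {
                throw new CertificateException("client certificate lacks the clientAuth EKU");
            }
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            base.checkServerTrusted(chain, authType);
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return base.getAcceptedIssuers(); }
    }
}
```

Because the plugin takes precedence over `truststorePath`, `crlPath` and the other trust parameters, this class becomes the only trust decision for the acceptor it is set on. Any revocation checking that `crlPath` previously provided would have to be configured inside the plugin.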

            People

              rhn-support-jbertram Justin Bertram
              rhn-support-kboone Kevin Boone
              Tiago Bueno Tiago Bueno