
11.4. SSL

This section walks through the configuration of the Keystores and Truststores required to enable SSL transport and Client Certificate Authentication on Broker ports. How SSL is enabled on the Broker ports themselves is described in Chapter 6, Broker Ports.

11.4.1. Keystore Configuration

A Keystore can be added, deleted or edited using the REST Management interfaces or the Web Management Console. Any number of Keystores can be configured on the Broker, and different SSL ports can be configured with different Keystores.

The following Keystore management operations are available from the Web Management Console:

  • A new Keystore can be added by clicking the "Add Key Store" button on the Broker tab.

  • Keystore details can be viewed on the Keystore tab, which is displayed after clicking the Keystore name in the Broker object tree or the Keystore row in the Keystores grid on the Broker tab.

  • A Keystore can be edited by clicking the "Edit" button on the Keystore tab. Renaming a Keystore is not supported at the moment. If the edited Keystore is used by a Port, the change takes effect on that Port only after a Broker restart.

  • An existing Keystore can be deleted by clicking the "Delete Key Store" button on the Broker tab or the "Delete" button on the Keystore tab. Only unused Keystores can be deleted: a Keystore configured on any Broker Port cannot be deleted.

The "Keystore certificate alias" field optionally specifies which certificate the Broker should use when the keystore contains multiple entries. "Key manager factory algorithm" and "Key store type" can also be specified optionally when the Keystore is created.

Important

The password of the private key entry used by the Broker must match the password of the keystore itself. This is a restriction of the Qpid Broker implementation. When creating the keystore with the keytool utility, this means the argument to the -keypass option must match the argument to the -storepass option.

11.4.2. Truststore / Client Certificate Authentication

The SSL truststore and the related Client Certificate Authentication behaviour are configured by adding a Truststore configured object and associating it with the SSL port. A Truststore can be added, deleted or edited using the REST Management interfaces or the Web Management Console. Any number of Truststores can be configured on the Broker, and multiple Truststores can be configured on a single Broker SSL Port.

The following Truststore management operations are available from the Web Management Console:

  • A new Truststore can be added by clicking the "Add Trust Store" button on the Broker tab.

  • Truststore details can be viewed on the Truststore tab, which is displayed after clicking the Truststore name in the Broker object tree or the Truststore row in the Truststores grid on the Broker tab.

  • A Truststore can be edited by clicking the "Edit" button on the Truststore tab. Renaming a Truststore is not supported at the moment.

  • An existing Truststore can be deleted by clicking the "Delete Trust Store" button on the Broker tab or the "Delete" button on the Truststore tab. Only unused Truststores can be deleted: a Truststore configured on any Broker Port cannot be deleted.

When the "Peers Only" option is selected for the Truststore, a client is allowed to log in only if its certificate exactly matches a certificate loaded in the Truststore. The trust decision is an exact certificate match rather than a chain validation, so this permits authenticating connections with self-signed client certificates that are not necessarily signed by a CA. The flip side is that every accepted client certificate must be imported into the Truststore individually, and a rotated client certificate must be re-imported before the client can connect again.
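The following script is an added example, not part of the Qpid documentation or the Broker's own tooling. It covers the two keytool points above: the keystore helper refuses a -keypass that differs from -storepass before keytool is even invoked (the restriction in the Important note), and the truststore helper builds a "Peers Only" style truststore by exporting a client's self-signed certificate and importing it as a trusted entry. File names, aliases, distinguished names, the SAN and all passwords are illustrative assumptions; the -storetype value corresponds to the "Key store type" / "Trust store type" fields described on this page.

```shell
#!/bin/sh
# Added example (not Qpid project code). Requires the JDK keytool on PATH.
# All file names, aliases, DNs and passwords are assumptions for illustration.
set -u

# Create the Broker keystore. The Qpid Broker cannot open a key entry whose
# password differs from the store password, so the mismatch is rejected here
# rather than discovered at Broker start-up.
make_broker_keystore() {
    ks="$1"; alias="$2"; storepass="$3"; keypass="$4"
    if [ "$storepass" != "$keypass" ]; then
        echo "refusing: -keypass must equal -storepass for the Qpid Broker" >&2
        return 1
    fi
    keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=broker.example.com, O=Example" \
        -ext "SAN=dns:broker.example.com" \
        -keystore "$ks" -storetype JKS -storepass "$storepass" -keypass "$keypass"
}

# Build a truststore for "Peers Only" use: generate a self-signed client
# certificate, export it, and import it as a trusted entry. The Broker will
# then accept exactly this certificate, with no CA involved.
make_peers_truststore() {
    client_ks="$1"; client_alias="$2"; client_pass="$3"
    ts="$4"; ts_pass="$5"
    cert="$(mktemp)"
    keytool -genkeypair -alias "$client_alias" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=client1, O=Example" \
        -keystore "$client_ks" -storetype JKS -storepass "$client_pass" -keypass "$client_pass" &&
    keytool -exportcert -alias "$client_alias" -keystore "$client_ks" \
        -storepass "$client_pass" -rfc -file "$cert" &&
    keytool -importcert -noprompt -alias "$client_alias" -file "$cert" \
        -keystore "$ts" -storetype JKS -storepass "$ts_pass"
    rc=$?
    rm -f "$cert"
    return $rc
}

# Count trusted certificate entries in a truststore (one per accepted peer).
count_trusted_entries() {
    keytool -list -keystore "$1" -storepass "$2" | grep -c trustedCertEntry
}

# Usage: sh mkstores.sh run
if [ "${1:-}" = "run" ]; then
    make_broker_keystore broker.jks broker changeit changeit
    make_peers_truststore client1.jks client1 clientpw peers.jks trustpw
    echo "trusted peers: $(count_trusted_entries peers.jks trustpw)"
fi
```

The resulting broker.jks is what the "Add Key Store" dialog points at (alias "broker" in the "Keystore certificate alias" field), and peers.jks is the file behind the "Add Trust Store" dialog with "Peers Only" ticked. Each additional client gets its own -exportcert / -importcert pair under a distinct alias.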

"Trust manager factory algorithm" and "Trust store type" can optionally be specified for the Truststore.