Queries on Qpid setup


Queries on Qpid setup

Malyala, Kirankumar
Hi Team,

We have been doing a POC on Qpid. While working on the configuration, we came across multiple blockers, which we have listed below.


  *   How to use a specific version of TLS encryption for Qpid if we deploy on VM.
  *   We understood from the Qpid documentation that we have to deploy the broker on multiple VMs to create a group and introduce master/replica nodes. Any SOP on this part?
  *   How to apply SSL/TLS encryption to replicas in the group consists of master and replica nodes using SSH tunnel/IPsec.
  *   How can we fetch file in Apache

Please let us know if someone from your team can guide us on these points.

Regards,
Kirankumar Malyala

________________________________

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy.
______________________________________________________________________________________

www.accenture.com

Re: Queries on Qpid setup

Oleksandr Rudyy
Hi Kirankumar,
Could you please clarify which Qpid broker exactly you are trying to use?
There are two brokers in Qpid project: c++ broker and broker-j (for java).

Are you using Qpid Broker-J?

Kind regards,
Alex

On Thu, 5 Nov 2020 at 08:05, Malyala, Kirankumar
<[hidden email]> wrote:

RE: [External] Re: Queries on Qpid setup

Malyala, Kirankumar
Hi Alex,

We are using broker-j (for java). As of now, we are exploring version 7.
Please do let us know if you want any other information.

Regards,
Kirankumar Malyala

-----Original Message-----
From: Oleksandr Rudyy <[hidden email]>
Sent: Friday, November 6, 2020 5:44 AM
To: [hidden email]
Subject: [External] Re: Queries on Qpid setup

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: [External] Re: Queries on Qpid setup

Oleksandr Rudyy
Hi Kirankumar,
The AMQP and HTTP ports of Qpid Broker-J support TLS and plain TCP
transports.

In order to enable TLS on the broker HTTP and/or AMQP ports, Keystore configured
object(s) need to be configured.
The keystore object should contain a private key and certificates
(including intermediates if required).

A number of Keystore types are supported on the broker:
* FileKeyStore - in this type of Keystore a java keystore is used
underneath to hold the private key and certificates
* NonJavaKeyStore - used to configure private key and certificates directly
in PEM or DER formats

The Broker allows users to quickly create a self-signed certificate with a
special type of Keystore called "AutoGeneratedSelfSigned" (with Oracle JDK
or OpenJDK).

The TLS protocols and TLS cipher suites can be customised (if required)
using special context variables:
* qpid.security.tls.protocolAllowList
* qpid.security.tls.protocolDenyList
* qpid.security.tls.cipherSuiteAllowList
* qpid.security.tls.cipherSuiteDenyList
or
* qpid.security.tls.protocolWhiteList
* qpid.security.tls.protocolBlackList
* qpid.security.tls.cipherSuiteWhiteList
* qpid.security.tls.cipherSuiteBlackList

Before 7.1.9 only "white/black" list terminology was supported. Starting
from version 7.1.9 the alternative names "allow/deny" lists can be used. In
version 9.0 the "allow/deny" lists completely replace "white/black" list
terminology.

For example, you can allow only TLSv1.3 with JDK11 by setting context
variable qpid.security.tls.protocolAllowList to "TLSv1.3". You can specify
the allowed or denied values using regular expressions represented as JSON
stringified lists.
For example, you can limit allowed cipher suites to only some of them by
setting qpid.security.tls.cipherSuiteAllowList to
"[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]".
The same applies to deny lists.

The context variable can be set in multiple ways:
* as JVM settings
* as command line arguments (for example, ./bin/qpid-server -prop
qpid.security.tls.protocolAllowList=TLSv1.3 )
* in a properties file system.properties (it needs to be in broker
classpath)
* as configured object context variables (for example, context variable set
on the Broker object using REST API)


The Qpid Broker HA is based on Oracle BDB JE. Unfortunately the BDB JE
does not support TLS transport. The data replication is unencrypted.
Potentially, you can use SSH tunnels, but that requires configuring tunnels
between each of the HA nodes, as the nodes communicate with each other. I
believe that it should be possible to configure SSH tunnels, though I
cannot give you any useful advice on how to do that.

You can download Qpid Broker distribution files from Qpid Download page at
http://qpid.apache.org/download.html .

Kind Regards,
Alex


On Fri, 6 Nov 2020 at 04:50, Malyala, Kirankumar
<[hidden email]> wrote:

RE: [External] Re: Queries on Qpid setup

Malyala, Kirankumar
Hi Alex,

Thank you for your help. This is useful to look into the areas where we wanted clarity.
I want to clear a few things from the points which you have mentioned.

As you mentioned, the TLS version can be set in multiple ways through context variables. Could you explain how we can set it in:
  *   JVM settings
  *   config.json

Please share the code if you have it.

Also, related to ssh tunnel configuration, could you share with us any existing references which have used ssh tunneling and master/replica concept. Then, it would be easier for us to mold it as per our requirement.

Regards,
Kirankumar Malyala


-----Original Message-----
From: Oleksandr Rudyy <[hidden email]>
Sent: Tuesday, November 10, 2020 5:24 AM
To: [hidden email]
Subject: Re: [External] Re: Queries on Qpid setup

Re: [External] Re: Queries on Qpid setup

Oleksandr Rudyy
Hi Kirankumar,

The context variable can be set on any configured object. For example, you
can set context variables in the attribute "context" of Broker configured
object or/and Port configured object.
The children configured objects inherit context settings from their
parents. Thus, the Port configured object inherits all context settings
from the Broker as Broker is a parent of the Port.
The context settings can be overridden on the child configured object if
required. For example, you can set the context variable
"qpid.security.tls.protocolAllowList" on the Broker to
"[\"TLSv1.2\",\"TLSv1.3\"]" to allow only TLSv1.2 and TLSv1.3 and override
it on the Port to "[\"TLSv1.3\"]" in order to restrict the port
connections to TLSv1.3. Another port object without overridden context
variable "qpid.security.tls.protocolAllowList" would inherit the support of
TLSv1.2 and TLSv1.3 from the broker.

As mentioned above, the context variables are kept in the attribute
"context" as a "map" of string keys and values. You can create your initial
configuration and define the context variables in the "context" attribute
as illustrated in the example below:

{
  "name" : "${broker.name}",
  "modelVersion" : "7.1",
  "context": {
    "qpid.security.tls.protocolAllowList": "[\"TLSv1.2\",\"TLSv1.3\"]",
    "qpid.security.tls.cipherSuiteAllowList": "[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]"
  },
  ...
  "ports": [{
    "name" : "AMQP",
    "port" : "${qpid.amqp_port}",
    "context": {
      "qpid.security.tls.protocolAllowList": "[\"TLSv1.3\"]"
    },
    ...
  },
  ...
  ]
}

In the example above, the context variables
"qpid.security.tls.protocolAllowList" and
"qpid.security.tls.cipherSuiteAllowList" are defined on the broker level.
The port "AMQP" has its own "context" attribute where
"qpid.security.tls.protocolAllowList" is overridden. Thus, the port "AMQP"
will have "qpid.security.tls.protocolAllowList" defined on the port and
"qpid.security.tls.cipherSuiteAllowList" inherited from the Broker.

I hope that the example above helps you to understand the context variable
settings.

You can update the context variables using REST API. Though, the TLS needs
to be configured first on the HTTP port in order to use REST API.


Kind Regards,
Alex




On Tue, 10 Nov 2020 at 08:47, Malyala, Kirankumar
<[hidden email]> wrote:
> Accenture uses your personal data only in compliance with data protection
> laws. For further information on how Accenture processes your personal
> data, please see our privacy statement at
> https://www.accenture.com/us-en/privacy-policy.
>
> ______________________________________________________________________________________
>
> www.accenture.com
>

RE: [External] Re: Queries on Qpid setup

Malyala, Kirankumar
Hi Alex,

Thank you for the detailed explanation of the TLS version setting.
Also, could you please provide us with information related to replication and master/replica setup in Qpid.
It would be great if we could connect over a call and discuss this.

Regards,
Kirankumar Malyala

-----Original Message-----
From: Oleksandr Rudyy <[hidden email]>
Sent: Wednesday, November 11, 2020 12:03 AM
To: [hidden email]
Subject: Re: [External] Re: Queries on Qpid setup

Hi Kirankumar,

The context variable can be set on any configured object. For example, you can set context variables in the attribute "context" of the Broker configured object or/and the Port configured object.
The children configured objects inherit context settings from their parents. Thus, the Port configured object inherits all context settings from the Broker as the Broker is a parent of the Port.
The context settings can be overridden on the child configured object if required. For example, you can set the context variable "qpid.security.tls.protocolAllowList" on the Broker to "[\"TLSv1.2\",\"TLSv1.3\"]" to allow only TLSv1.2 and TLSv1.3 and override it on the Port to "[\"TLSv1.3\"]" in order to restrict the port connections to TLSv1.3. Another port object without the overridden context variable "qpid.security.tls.protocolAllowList" would inherit the support of TLSv1.2 and TLSv1.3 from the broker.

As mentioned above, the context variables are kept in the attribute "context" as a "map" of string keys and values. You can create your initial configuration and define the context variables in the "context" attribute as illustrated in the example below:

{
  "name" : "${broker.name}",
  "modelVersion" : "7.1",
  "context": {
    "qpid.security.tls.protocolAllowList": "[\"TLSv1.2\",\"TLSv1.3\"]",
    "qpid.security.tls.cipherSuiteAllowList": "[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]"
  },
  ...
  "ports": [{
    "name" : "AMQP",
    "port" : "${qpid.amqp_port}",
    "context": {
      "qpid.security.tls.protocolAllowList": "[\"TLSv1.3\"]"
    },
    ...
  },
  ...
  ]
}

In the example above, the context variables "qpid.security.tls.protocolAllowList" and "qpid.security.tls.cipherSuiteAllowList" are defined on the broker level.
The port "AMQP" has its own "context" attribute where "qpid.security.tls.protocolAllowList" is overridden. Thus, the port "AMQP" will have "qpid.security.tls.protocolAllowList" defined on the port and "qpid.security.tls.cipherSuiteAllowList" inherited from the Broker.

I hope that the example above helps you to understand the context variable settings.

You can update the context variables using the REST API. Though, TLS needs to be configured first on the HTTP port in order to use the REST API.


Kind Regards,
Alex




On Tue, 10 Nov 2020 at 08:47, Malyala, Kirankumar <[hidden email]> wrote:

> Hi Alex,
>
> Thank you for your help. This is useful to look into the areas where
> we wanted clarity.
> I want to clear a few things from the points which you have mentioned.
>
> As you mentioned, the TLS version can be set in multiple ways through
> the context variable. Could you explain how we can set it in the JVM settings /
> config.json?
>
> Please share the code if you have it.
>
> Also, related to ssh tunnel configuration, could you share with us any
> existing references which have used ssh tunneling and master/replica
> concept. Then, it would be easier for us to mold it as per our requirement.
>
> Regards,
> Kirankumar Malyala
>
>
> -----Original Message-----
> From: Oleksandr Rudyy <[hidden email]>
> Sent: Tuesday, November 10, 2020 5:24 AM
> To: [hidden email]
> Subject: Re: [External] Re: Queries on Qpid setup
>
> Hi Kirankumar,
> The AMQP and HTTP ports of Qpid Broker-J support TLS and plain TCP
> transports.
>
> In order to enable TLS on the broker HTTP or/and AMQP ports, Keystore
> configured object(s) need to be configured.
> The keystore object should contain a private key and certificates
> (including intermediates if required).
>
> A number of Keystore types are supported on the broker:
> * FileKeyStore - in this type of Keystore a java keystore is used
> underneath to hold the private key and certificates
> * NonJavaKeyStore - used to configure private key and certificates
> directly in PEM or DER formats
>
> The Broker allows users to quickly create a self-signed certificate
> with a special type of Keystore called "AutoGeneratedSelfSigned" (with
> Oracle JDK or OpenJDK).
>
> The TLS protocols and TLS cipher suites can be customised (if
> required) using special context variables:
> * qpid.security.tls.protocolAllowList
> * qpid.security.tls.protocolDenyList
> * qpid.security.tls.cipherSuiteAllowList
> * qpid.security.tls.cipherSuiteDenyList
> or
> * qpid.security.tls.protocolWhiteList
> * qpid.security.tls.protocolBlackList
> * qpid.security.tls.cipherSuiteWhiteList
> * qpid.security.tls.cipherSuiteBlackList
>
> Before 7.1.9 only "white/black" list terminology was supported.
> Starting from version 7.1.9 the alternative names "allow/deny" lists
> can be used. In version 9.0 the "allow/deny" lists completely replace
> "white/black" list terminology.
>
> For example, you can allow only TLSv1.3 with JDK11 by setting context
> variable qpid.security.tls.protocolAllowList to "TLSv1.3". You can
> specify the allowed or denied values using regular expressions
> represented as JSON stringified lists.
> For example, you can limit allowed cipher suites to only some of them
> by setting qpid.security.tls.cipherSuiteAllowList to
> "[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]".
> The same applies to deny lists.
>
> The context variable can be set in multiple ways:
> * as JVM settings
> * as command line arguments (for example, ./bin/qpid-server -prop
> qpid.security.tls.protocolAllowList=TLSv1.3 )
> * in a properties file system.properties (it needs to be in broker
> classpath)
> * as configured object context variables (for example, context
> variable set on the Broker object using REST API)
>
>
> The Qpid Broker HA is based on Oracle BDB JE. Unfortunately the BDB
> JE does not support TLS transport. The data replication is unencrypted.
> Potentially, you can use SSH tunnels, but that requires configuring
> tunnels between each of the HA nodes, as the nodes communicate with each
> other. I believe that it should be possible to configure SSH tunnels,
> though I cannot give you any useful advice on how to do that.
>
> You can download Qpid Broker distribution files from the Qpid Download
> page at http://qpid.apache.org/download.html.
>
> Kind Regards,
> Alex
>
>
> On Fri, 6 Nov 2020 at 04:50, Malyala, Kirankumar
> <[hidden email]> wrote:
>
> > Hi Alex,
> >
> > We are using broker-j (for java). As of now, we are exploring version 7.
> > Please do let us know if you want any other information.
> >
> > Regards,
> > Kirankumar Malyala
> >

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
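The broker-to-port inheritance and override of context variables that Alex describes above, worked through in code. This is an added example and is not part of the thread or of Qpid Broker-J itself: SAMPLE_CONFIG is a constructed config.json fragment modelled on the broker/port example in the message, the port names "AMQP"/"AMQP-legacy", the port numbers and the JDK_PROTOCOLS list are made up for the demo, and matching each protocol name against the whole of each regular expression is an assumption about how the broker applies its allow/deny lists.

```python
"""Resolve Qpid Broker-J style "context" variables through the configured
object hierarchy (Broker -> Port) and apply the resulting TLS protocol
allow/deny lists, which the thread describes as JSON-stringified lists of
regular expressions.

Added example, not Broker-J code. SAMPLE_CONFIG is a constructed fragment
modelled on the broker/port example in the thread; the port names, port
numbers and JDK_PROTOCOLS are made up for the demo, and full-regex matching
of each name is an assumption about the broker's list semantics.
"""
import json
import re

# Constructed config.json fragment: a broker-level context plus two ports,
# the first of which overrides the protocol allow list.
SAMPLE_CONFIG = {
    "name": "broker",
    "modelVersion": "7.1",
    "context": {
        "qpid.security.tls.protocolAllowList": "[\"TLSv1.2\",\"TLSv1.3\"]",
        "qpid.security.tls.cipherSuiteAllowList":
            "[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\","
            "\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]",
    },
    "ports": [
        {"name": "AMQP", "port": 5671,
         "context": {"qpid.security.tls.protocolAllowList": "[\"TLSv1.3\"]"}},
        {"name": "AMQP-legacy", "port": 5672, "context": {}},
    ],
}

# Protocol names a JDK 11 SSLEngine can offer (constructed list for the demo).
JDK_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_list_value(value):
    """A context value is either a JSON-stringified list of patterns or a
    bare single pattern (the thread shows both "[\"TLSv1.3\"]" and "TLSv1.3").
    Returns None when the variable is unset."""
    if value is None:
        return None
    value = value.strip()
    if value.startswith("["):
        items = json.loads(value)
        if not all(isinstance(item, str) for item in items):
            raise ValueError("list entries must be strings: %r" % value)
        return items
    return [value]


def effective_context(config, port_name):
    """Child context = parent (Broker) context with the child's own entries
    layered on top, so a key set on the port overrides the broker value."""
    for port in config.get("ports", []):
        if port["name"] == port_name:
            merged = dict(config.get("context", {}))
            merged.update(port.get("context", {}))
            return merged
    raise KeyError("no port named %r" % port_name)


def apply_allow_deny(candidates, allow_patterns, deny_patterns):
    """Keep a candidate when it fully matches an allow pattern (or no allow
    list is set) and matches no deny pattern. Patterns are regexes, so the
    dot in "TLSv1.2" is a wildcard; harmless against real protocol names,
    but worth knowing when writing deny lists."""
    def matches(patterns, name):
        return any(re.fullmatch(p, name) for p in patterns)

    kept = []
    for name in candidates:
        if allow_patterns is not None and not matches(allow_patterns, name):
            continue
        if deny_patterns and matches(deny_patterns, name):
            continue
        kept.append(name)
    return kept


def enabled_protocols(config, port_name, available=JDK_PROTOCOLS):
    """Protocols the given port would enable after inheritance and override."""
    ctx = effective_context(config, port_name)
    allow = parse_list_value(ctx.get("qpid.security.tls.protocolAllowList"))
    deny = parse_list_value(ctx.get("qpid.security.tls.protocolDenyList")) or []
    return apply_allow_deny(list(available), allow, deny)


if __name__ == "__main__":
    for port in SAMPLE_CONFIG["ports"]:
        name = port["name"]
        print(name, "->", enabled_protocols(SAMPLE_CONFIG, name))
        # AMQP -> ['TLSv1.3'] ; AMQP-legacy -> ['TLSv1.2', 'TLSv1.3']
```

Running it shows the point of the message: "AMQP" ends up with TLSv1.3 only because its own context wins, while "AMQP-legacy" keeps the broker-level TLSv1.2 and TLSv1.3, and both ports still see the broker-level cipherSuiteAllowList because nothing on the port overrides it.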


RE: [External] Re: Queries on Qpid setup

Malyala, Kirankumar
In reply to this post by Oleksandr Rudyy
Hi Alex,

1) We are using Qpid version 7.1.6. When we add the below context in our Port map we get an SSL handshake error; it works fine only for "qpid.security.tls.protocolWhiteList": "TLSv1.2".

"qpid.security.tls.protocolWhiteList": "TLSv1.2",  --------> WORKING
"qpid.security.tls.cipherSuiteWhiteList": "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"(TLS|SSL)_AES_256_GSM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"  --------> NOT WORKING

2) Also, please let us know which approach would be best for encrypting replicas (SSH tunneling, S Tunnel or IPSec) in the Qpid setup and share its configuration documentation/procedure.

Regards,
Kirankumar Malyala




Re: [External] Re: Queries on Qpid setup

Oleksandr Rudyy
Hi Kirankumar,
There is a typo in cipher suite names: the GSM is used instead of GCM.
Thus, the correct cipherSuiteWhiteList would be:

"qpid.security.tls.cipherSuiteWhiteList":
"[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]"


Please note that cipher suites TLS_AES_128_GCM_SHA256 and
TLS_AES_256_GCM_SHA384 have been introduced in JDK11 for TLSv1.3. They
cannot be used with TLSv1.2. The only TLSv1.2 cipher suite in the list is
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

Regarding encryption of replication traffic, I do not have any
documentation/recommendation on how to set up the ssh tunnels.

Kind Regards,
Alex
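A small check for the two failure modes discussed in this exchange: a cipher suite pattern that matches nothing (the GSM-for-GCM typo, or a regex with a missing opening parenthesis as in the earlier example), and a port whose protocol list and suite list have no usable combination (TLSv1.2 only, with suites that only TLSv1.3 can negotiate), which is what leaves the handshake with nothing to offer. This is an added example, not code from the thread, from Qpid Broker-J or from the JDK: SUITE_PROTOCOLS is a constructed subset of JDK 11 suite names labelled with the TLS version that negotiates them, and full-regex matching of each name is an assumption about the broker's list semantics.

```python
"""Check a Qpid Broker-J cipher suite allow list against the protocol list on
the same port: which JDK suite names each regex pattern matches, and whether
at least one matched suite can actually be negotiated under each allowed
protocol version.

Added example, not Broker-J or JDK code. SUITE_PROTOCOLS is a constructed
subset of JDK 11 cipher suite names with the TLS version that negotiates
them, and full-regex matching of each name is an assumption about the
broker's list semantics.
"""
import json
import re

# Constructed subset of JDK 11 suite names -> the protocol that can use them.
SUITE_PROTOCOLS = {
    # TLSv1.3 suites; they cannot be negotiated under TLSv1.2.
    "TLS_AES_128_GCM_SHA256": "TLSv1.3",
    "TLS_AES_256_GCM_SHA384": "TLSv1.3",
    # TLSv1.2 suites.
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "TLSv1.2",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "TLSv1.2",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "TLSv1.2",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "TLSv1.2",
}
KNOWN_PROTOCOLS = ["TLSv1.2", "TLSv1.3"]


def parse_list_value(value):
    """JSON-stringified list, or a bare single pattern as in "TLSv1.2"."""
    value = value.strip()
    return json.loads(value) if value.startswith("[") else [value]


def check_port_tls(protocol_value, suite_value):
    """Return {"protocols", "matched", "usable", "problems"} for one port's
    effective protocol allow list and cipher suite allow list."""
    problems = []

    # Which known protocol names the protocol patterns select.
    protocol_patterns = parse_list_value(protocol_value)
    protocols = [p for p in KNOWN_PROTOCOLS
                 if any(re.fullmatch(pat, p) for pat in protocol_patterns)]
    if not protocols:
        problems.append("protocol list %r selects no known protocol" % protocol_value)

    # Which suite names each suite pattern selects. A pattern selecting
    # nothing is almost always a typo (GSM for GCM) or a broken regex.
    matched = {}
    for pattern in parse_list_value(suite_value):
        try:
            regex = re.compile(pattern)
        except re.error as err:
            matched[pattern] = []
            problems.append("pattern %r is not a valid regular expression: %s"
                            % (pattern, err))
            continue
        matched[pattern] = [s for s in SUITE_PROTOCOLS if regex.fullmatch(s)]
        if not matched[pattern]:
            hint = " (GSM where GCM was meant?)" if "GSM" in pattern else ""
            problems.append("pattern %r matches no known cipher suite%s"
                            % (pattern, hint))

    # Every allowed protocol needs at least one allowed suite it can use.
    selected = {s for suites in matched.values() for s in suites}
    usable = {}
    for proto in protocols:
        usable[proto] = sorted(s for s in selected if SUITE_PROTOCOLS[s] == proto)
        if not usable[proto]:
            problems.append("no allowed cipher suite is usable with %s; "
                            "the handshake cannot succeed" % proto)

    return {"protocols": protocols, "matched": matched,
            "usable": usable, "problems": problems}


if __name__ == "__main__":
    # The combination reported in the thread: TLSv1.2 only, suites with the GSM typo.
    report = check_port_tls(
        "TLSv1.2",
        "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"(TLS|SSL)_AES_256_GSM_SHA384\","
        "\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]")
    for line in report["problems"]:
        print(line)
```

With the corrected GCM names and "TLSv1.2" the check passes, but only TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 is usable; the two TLS_AES_* suites only become usable once TLSv1.3 is in the protocol list. Note that the JDK's usable set also depends on the key type in the keystore (an ECDSA-only suite needs an EC certificate), which this table does not model.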

On Mon, 16 Nov 2020 at 14:54, Malyala, Kirankumar
<[hidden email]> wrote:

> Hi Alex,
>
> 1)We are using Qpid 7.1.6 version. When we add below context in our Port
> map getting SSL handshake error, working fine only for
> "qpid.security.tls.protocolWhiteList": "TLSv1.2".
>
>  "qpid.security.tls.protocolWhiteList": "TLSv1.2",  --------> WORKING
> "qpid.security.tls.cipherSuiteWhiteList":
> "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"(TLS|SSL)_AES_256_GSM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
> --------> NOT WORKING
>
> 2)Also, please let us know which approach would be best for encrypting
> replicas (SSH tunneling, S Tunnel or IPSec) in Qpid setup and share it's
> configuration documentation/procedure.
>
> Regards,
> Kirankumar Malyala
>

RE: [External] Re: Queries on Qpid setup

Malyala, Kirankumar

Hi Alex,

1) Could you provide us with details on how we can configure TLS 1.2 for our JMS client in a JmsConnectionFactory bean using an XML file.

2) When we try to set up BDB_HA, we are getting the following error.

Please let me know if we are missing something.

Regards,
Kirankumar Malyala


-----Original Message-----
From: Oleksandr Rudyy <[hidden email]>
Sent: Tuesday, November 17, 2020 4:02 AM
To: [hidden email]
Subject: Re: [External] Re: Queries on Qpid setup

Hi Kirankumar,
There is a typo in the cipher suite names: GSM is used instead of GCM.
Thus, the correct cipherSuiteWhiteList would be:

"qpid.security.tls.cipherSuiteWhiteList":
"[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]"

Please note that cipher suites TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384 were introduced in JDK11 for TLSv1.3. They cannot be used with TLSv1.2. The only TLSv1.2 cipher suite in the list is TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

Regarding encryption of replication traffic, I do not have any documentation/recommendation on how to set up the SSH tunnels.

Kind Regards,
Alex

 

Re: [External] Re: Queries on Qpid setup

Oleksandr Rudyy
Hi Kirankumar,
If the broker port is configured with TLSv1.2, it will not accept
connections using any other TLS protocol. Thus, it is really not required to
provide any specific TLSv1.2 settings on the client side. However, the JMS
client for AMQP 1.0 supports connection options to enable and/or disable
specific TLS protocols and cipher suites. You can use them to restrict the
TLS protocols and cipher suites to the required ones. Here are the
corresponding option descriptions from the client documentation [1]:

* transport.enabledCipherSuites The cipher suites to enable, comma
separated. No default, meaning the context default ciphers are used. Any
disabled ciphers are removed from this.
* transport.disabledCipherSuites The cipher suites to disable, comma
separated. Ciphers listed here are removed from the enabled ciphers. No
default.
* transport.enabledProtocols The protocols to enable, comma separated. No
default, meaning the context default protocols are used. Any disabled
protocols are removed from this.
* transport.disabledProtocols The protocols to disable, comma separated.
Protocols listed here are removed from the enabled protocols. Default is
"SSLv2Hello,SSLv3".

In general, you need to configure the TLS transport on a client connection URL
simply by setting the protocol part of the URL to amqps, as in the example below:

amqps://myhost.mydomain:5671

If a self-signed certificate is used, you need to provide a truststore with
all required certificates, including intermediate ones.
You can use the connection URL options transport.trustStoreLocation and
transport.trustStorePassword to set the path to the Java keystore file with
the certificates and the keystore password respectively. For example:

amqps://myhost.mydomain:5671?transport.trustStoreLocation=/path/to/trust-store.pkcs12&transport.trustStorePassword=transport


An example of a connection URL with TLSv1.2 enabled is provided below:

amqps://myhost.mydomain:5671?transport.trustStoreLocation=/path/to/trust-store.pkcs12&transport.trustStorePassword=transport&transport.enabledProtocols=TLSv1.2

For more information about connection options please check client
documentation at [1].

I guess that you are asking about an example of how to configure a
connection factory spring bean using spring xml. Please, correct me if I am
wrong here.

There are multiple ways you can configure the connection factory bean in
spring framework. Please refer spring documentation [2] for more details.

Here is just an example illustrating the approach when jndi properties file
(jndi.properties) with connection factory settings is used to define the
connection URL:

You can declare bean PropertiesFactoryBean to load Qpid client JNDI
configuration from a file in classpath as below

<bean id="jndiConfiguration"
class="org.springframework.beans.factory.config.PropertiesFactoryBean">
  <property name="location" value="classpath:jndi.properties"/>
</bean>

Alternatively it can be done as below

<util:properties id="jndiConfiguration"
location="classpath:jndi.properties"/>

Than, you can create a JNDI template bean referencing the jndiConfiguration
bean

<bean id="jndiTemplate" class="org.springframework.jndi.JndiTemplate">
  <property name="environment" ref="jndiConfiguration"/>
</bean>

The connection factory bean can be created using the spring
JndiObjectFactoryBean

<bean id="jmsConnectionFactory"
class="org.springframework.jndi.JndiObjectFactoryBean"
depends-on="jndiTemplate">
    <property name="jndiTemplate" ref="jndiTemplate"/>
    <property name="jndiName">
        <value>${qpid.connection.factory.jndi.name}</value>
    </property>
</bean>

I hope the above helps you with your client set-up.

As for the BDB HA error, the image was stripped from the email. Please
resend the stack trace of the problem.

Kind Regards,
Alex

[1]
http://qpid.apache.org/releases/qpid-jms-0.54.0/docs/index.html#ssl-transport-configuration-options
[2] https://docs.spring.io/spring-framework/docs/2.5.x/reference/jms.html


On Wed, 18 Nov 2020 at 07:48, Malyala, Kirankumar
<[hidden email]> wrote:

> Hi Alex,
>
> 1) Could you provide us with details on how we can configure TLS 1.2 for
> our JMS client in the JmsConnectionFactory bean using an XML file.
>
> 2) When we try to set up BDB_HA, we are getting the following
> error.
>
> Please let me know if we are missing something.
>
> Regards,
> Kirankumar Malyala
>
> -----Original Message-----
> From: Oleksandr Rudyy <[hidden email]>
> Sent: Tuesday, November 17, 2020 4:02 AM
> To: [hidden email]
> Subject: Re: [External] Re: Queries on Qpid setup
>
> Hi Kirankumar,
> There is a typo in the cipher suite names: GSM is used instead of GCM.
> Thus, the correct cipherSuiteWhiteList would be:
>
> "qpid.security.tls.cipherSuiteWhiteList":
> "[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]"
>
> Please note that cipher suites TLS_AES_128_GCM_SHA256 and
> TLS_AES_256_GCM_SHA384 have been introduced in JDK11 for TLSv1.3. They
> cannot be used with TLSv1.2. The only TLSv1.2 cipher suite in the list is
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
>
> Regarding encryption of replication traffic, I do not have any
> documentation/recommendation on how to set up the ssh tunnels.
>
> Kind Regards,
> Alex
>
> On Mon, 16 Nov 2020 at 14:54, Malyala, Kirankumar <[hidden email]> wrote:
>
> > Hi Alex,
> >
> > 1) We are using Qpid version 7.1.6. When we add the below context in our
> > Port map we get an SSL handshake error; it works fine only for
> > "qpid.security.tls.protocolWhiteList": "TLSv1.2".
> >
> >  "qpid.security.tls.protocolWhiteList": "TLSv1.2",  --------> WORKING
> > "qpid.security.tls.cipherSuiteWhiteList":
> > "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"(TLS|SSL)_AES_256_GSM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
> > --------> NOT WORKING
> >
> > 2) Also, please let us know which approach would be best for encrypting
> > replicas (SSH tunneling, stunnel or IPsec) in the Qpid setup and share
> > its configuration documentation/procedure.
> >
> > Regards,
> > Kirankumar Malyala
> >
> > -----Original Message-----
> > From: Oleksandr Rudyy <[hidden email]>
> > Sent: Wednesday, November 11, 2020 12:03 AM
> > To: [hidden email]
> > Subject: Re: [External] Re: Queries on Qpid setup
> >
> > Hi Kirankumar,
> >
> > The context variable can be set on any configured object. For example,
> > you can set context variables in the attribute "context" of the Broker
> > configured object or/and the Port configured object.
> > The children configured objects inherit context settings from their
> > parents. Thus, the Port configured object inherits all context
> > settings from the Broker, as the Broker is a parent of the Port.
> > The context settings can be overridden on the child configured object
> > if required. For example, you can set the context variable
> > "qpid.security.tls.protocolAllowList" on the Broker to
> > "[\"TLSv1.2\",\"TLSv1.3\"]" to allow only TLSv1.2 and TLSv1.3 and
> > override it on the Port to "[\"TLSv1.3\"]" in order to restrict the
> > port connections to TLSv1.3. Another port object without an overridden
> > context variable "qpid.security.tls.protocolAllowList" would inherit
> > the support of TLSv1.2 and TLSv1.3 from the broker.
> >
> > As mentioned above, the context variables are kept in the attribute
> > "context" as a map of string keys and values. You can create your
> > initial configuration and define the context variables in the
> > "context" attribute as illustrated in the example below:
> >
> > {
> >   "name" : "${broker.name}",
> >   "modelVersion" : "7.1",
> >   "context": {
> >     "qpid.security.tls.protocolAllowList": "[\"TLSv1.2\",\"TLSv1.3\"]",
> >     "qpid.security.tls.cipherSuiteAllowList":
> > "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"(TLS|SSL)_AES_256_GSM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
> >   },
> >   ...
> >   "ports": [{
> >     "name" : "AMQP",
> >     "port" : "${qpid.amqp_port}",
> >     "context": {
> >       "qpid.security.tls.protocolAllowList": "[\"TLSv1.3\"]",
> >     },
> >    ...
> >    },
> >    ...
> >   ]
> > }
> >
> > In the example above, the context variables
> > "qpid.security.tls.protocolAllowList" and
> > "qpid.security.tls.cipherSuiteAllowList" are defined on the broker level.
> > The port "AMQP" has its own "context" attribute where
> > "qpid.security.tls.protocolAllowList" is overridden. Thus, the port "AMQP"
> > will have "qpid.security.tls.protocolAllowList" defined on the port
> > and "qpid.security.tls.cipherSuiteAllowList" inherited from the Broker.
> >
> > I hope that the example above helps you to understand the context
> > variable settings.
> >
> > You can update the context variables using the REST API. Though, TLS
> > needs to be configured first on the HTTP port in order to use the REST API.
> >
> > Kind Regards,
> > Alex
> >
> > On Tue, 10 Nov 2020 at 08:47, Malyala, Kirankumar <[hidden email]> wrote:
> >
> > > Hi Alex,
> > >
> > > Thank you for your help. This is useful to look into the areas where
> > > we wanted clarity.
> > > I want to clear a few things from the points which you have mentioned.
> > >
> > > As you mentioned, the TLS version can be set in multiple ways through
> > > context variables. Could you explain how we can set it in the JVM settings /
> > > config.json?
> > >
> > > Please share the code if you have it.
> > >
> > > Also, related to the ssh tunnel configuration, could you share with us
> > > any existing references which have used ssh tunneling and the
> > > master/replica concept. Then, it would be easier for us to mold it
> > > as per our requirement.
> > >
> > > Regards,
> > > Kirankumar Malyala
> > >
> > > -----Original Message-----
> > > From: Oleksandr Rudyy <[hidden email]>
> > > Sent: Tuesday, November 10, 2020 5:24 AM
> > > To: [hidden email]
> > > Subject: Re: [External] Re: Queries on Qpid setup
> > >
> > > Hi Kirankumar,
> > > The AMQP and HTTP ports of Qpid Broker-J support TLS and plain TCP
> > > transports.
> > >
> > > In order to enable TLS on broker HTTP or/and AMQP ports, Keystore
> > > configured object(s) need to be configured.
> > > The keystore object should contain a private key and certificates
> > > (including intermediates if required).
> > >
> > > A number of Keystore types are supported on the broker:
> > > * FileKeyStore - in this type of Keystore a java keystore is used
> > > underneath to hold the private key and certificates
> > > * NonJavaKeyStore - used to configure the private key and certificates
> > > directly in PEM or DER formats
> > >
> > > The Broker allows users to quickly create a self-signed certificate
> > > with a special type of Keystore called "AutoGeneratedSelfSigned"
> > > (with Oracle JDK or OpenJDK).
> > >
> > > The TLS protocols and TLS cipher suites can be customised (if
> > > required) using special context variables:
> > > * qpid.security.tls.protocolAllowList
> > > * qpid.security.tls.protocolDenyList
> > > * qpid.security.tls.cipherSuiteAllowList
> > > * qpid.security.tls.cipherSuiteDenyList
> > > or
> > > * qpid.security.tls.protocolWhiteList
> > > * qpid.security.tls.protocolBlackList
> > > * qpid.security.tls.cipherSuiteWhiteList
> > > * qpid.security.tls.cipherSuiteBlackList
> > >
> > > Before 7.1.9 only the "white/black" list terminology was supported.
> > > Starting from version 7.1.9 the alternative names "allow/deny" lists
> > > can be used. In version 9.0 the "allow/deny" lists completely
> > > replace the "white/black" list terminology.
> > >
> > > For example, you can allow only TLSv1.3 with JDK11 by setting the
> > > context variable qpid.security.tls.protocolAllowList to "TLSv1.3".
> > > You can specify the allowed or denied values using regular
> > > expressions represented as JSON stringified lists.
> > > For example, you can limit the allowed cipher suites to only some of
> > > them by setting qpid.security.tls.cipherSuiteAllowList to
> > > "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"(TLS|SSL)_AES_256_GSM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]".
> > > The same applies to deny lists.
> > >
> > > The context variable can be set in multiple ways:
> > > * as JVM settings
> > > * as command line arguments (for example, ./bin/qpid-server -prop
> > > qpid.security.tls.protocolAllowList=TLSv1.3 )
> > > * in a properties file system.properties (it needs to be in the broker
> > > classpath)
> > > * as configured object context variables (for example, a context
> > > variable set on the Broker object using the REST API)
> > >
> > > The Qpid Broker HA is based on Oracle BDB JE. Unfortunately the BDB
> > > JE does not support TLS transport. The data replication is unencrypted.
> > > Potentially, you can use SSH tunnels, but that requires configuring
> > > tunnels between each of the HA nodes, as the nodes communicate with each
> > > other. I believe that it should be possible to configure SSH
> > > tunnels, though I cannot give you any useful advice on how to do that.
> > >
> > > You can download the Qpid Broker distribution files from the Qpid Download
> > > page at http://qpid.apache.org/download.html
> > >
> > > Kind Regards,
> > > Alex
> > >
> > > On Fri, 6 Nov 2020 at 04:50, Malyala, Kirankumar <[hidden email]> wrote:
> > >
> > > > Hi Alex,
> > > >
> > > > We are using broker-j (for java). As of now, we are exploring on
> > > > version 7.
> > > > Please do let us know if you want any other information.
> > > >
> > > > Regards,
> > > > Kirankumar Malyala
> > > >
> > > > -----Original Message-----
> > > > From: Oleksandr Rudyy <[hidden email]>
> > > > Sent: Friday, November 6, 2020 5:44 AM
> > > > To: [hidden email]
> > > > Subject: [External] Re: Queries on Qpid setup
> > > >
> > > > Hi Kirankumar,
> > > > Could you please clarify exactly which Qpid broker you are trying to
> > > > use?
> > > > There are two brokers in the Qpid project: the C++ broker and Broker-J
> > > > (for Java).
> > > >
> > > > Are you using Qpid Broker-J?
> > > >
> > > > Kind regards,
> > > > Alex
> > > >
> > > > On Thu, 5 Nov 2020 at 08:05, Malyala, Kirankumar <[hidden email]> wrote:
> > > >
> > > > > Hi Team,
> > > > >
> > > > > We have been doing some POC on Qpid. While working on the
> > > > > configuration, we came across multiple blockers which we have
> > > > > mentioned below.
> > > > >
> > > > >   *   How to use a specific version of TLS encryption for Qpid if we
> > > > > deploy on a VM.
> > > > >   *   We understood from the Qpid documentation that we have to deploy
> > > > > the broker on multiple VMs to create a group and introduce
> > > > > master/replica nodes. Any SOP on this part?
> > > > >   *   How to apply SSL/TLS encryption to replicas in the group consisting
> > > > > of master and replica nodes using SSH tunnel/IPsec.
> > > > >   *   How can we fetch file in Apache
> > > > >
> > > > > Please let us know if someone from your team can guide us on
> > > > > these points.
> > > > >
> > > > > Regards,
> > > > > Kirankumar Malyala
> > > > >
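To make the context-variable semantics discussed in the quoted messages concrete (each list entry a regular expression inside a JSON-stringified list, Port context overriding Broker context key by key, and why a TLSv1.2-only port combined with the TLSv1.3-only TLS_AES_* suites leaves nothing to negotiate), here is an added Python model of that evaluation. It is not Broker-J code and is not from the thread: the full-match regex rule, the treatment of the pre-7.1.9 White/Black names as aliases of the Allow/Deny names, the suite-to-protocol catalogue and the config.json fragment are all assumptions constructed for this illustration.

```python
"""Model of how Broker-J TLS allow/deny context variables narrow the usable
cipher suites per port. Added example, not Broker-J code. Assumptions: each
list entry is a regular expression that must match a suite/protocol name in
full, a bare value such as "TLSv1.2" behaves like a one-element list, and the
suite-to-protocol catalogue below is constructed for illustration."""
import json
import re

# Constructed catalogue: suite name -> protocol versions able to negotiate it.
# TLS_AES_* are the TLSv1.3-only suites introduced with JDK 11.
SUITE_CATALOGUE = {
    "TLS_AES_128_GCM_SHA256": {"TLSv1.3"},
    "TLS_AES_256_GCM_SHA384": {"TLSv1.3"},
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": {"TLSv1.2"},
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": {"TLSv1.2"},
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": {"TLSv1", "TLSv1.1", "TLSv1.2"},
}

# Assumption: pre-7.1.9 "white/black" names behave as aliases of "allow/deny".
_ALIASES = {
    "qpid.security.tls.protocolWhiteList": "qpid.security.tls.protocolAllowList",
    "qpid.security.tls.protocolBlackList": "qpid.security.tls.protocolDenyList",
    "qpid.security.tls.cipherSuiteWhiteList": "qpid.security.tls.cipherSuiteAllowList",
    "qpid.security.tls.cipherSuiteBlackList": "qpid.security.tls.cipherSuiteDenyList",
}


def parse_list(value):
    """Context values are JSON-stringified lists of regexes ('["TLSv1.2","TLSv1.3"]').
    Returns None when the variable is unset, meaning 'no restriction'."""
    if value is None:
        return None
    value = value.strip()
    if value.startswith("["):
        return [str(p) for p in json.loads(value)]
    return [value]  # bare form, e.g. "TLSv1.2"


def _matches(name, patterns):
    return any(re.fullmatch(p, name) for p in patterns)


def filter_names(names, allow, deny):
    """Keep names that match some allow regex (all names if allow is unset)
    and match no deny regex."""
    allow_p, deny_p = parse_list(allow), parse_list(deny) or []
    return [n for n in names
            if (allow_p is None or _matches(n, allow_p)) and not _matches(n, deny_p)]


def effective_context(broker_ctx, port_ctx):
    """Port context overrides the Broker context key by key; the rest is inherited."""
    merged = {}
    for ctx in (broker_ctx, port_ctx):
        for key, value in ctx.items():
            merged[_ALIASES.get(key, key)] = value
    return merged


def usable_suites(context, catalogue=SUITE_CATALOGUE):
    """Return (enabled protocols, suites that pass the cipher list AND can be
    negotiated under at least one enabled protocol). An empty suite list means
    every TLS handshake on that port will fail."""
    all_protocols = sorted({v for versions in catalogue.values() for v in versions})
    protocols = filter_names(all_protocols,
                             context.get("qpid.security.tls.protocolAllowList"),
                             context.get("qpid.security.tls.protocolDenyList"))
    suites = filter_names(sorted(catalogue),
                          context.get("qpid.security.tls.cipherSuiteAllowList"),
                          context.get("qpid.security.tls.cipherSuiteDenyList"))
    usable = [s for s in suites if catalogue[s] & set(protocols)]
    return protocols, usable


def port_report(config_text):
    """Evaluate every port of a config.json fragment, honouring context inheritance."""
    cfg = json.loads(config_text)
    broker_ctx = cfg.get("context", {})
    return {p["name"]: usable_suites(effective_context(broker_ctx, p.get("context", {})))
            for p in cfg.get("ports", [])}


# Constructed config.json fragment in the shape shown in the thread.
CONFIG_JSON = r'''{
  "name": "broker", "modelVersion": "7.1",
  "context": {
    "qpid.security.tls.protocolAllowList": "[\"TLSv1.2\",\"TLSv1.3\"]",
    "qpid.security.tls.cipherSuiteAllowList": "[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]"
  },
  "ports": [
    {"name": "AMQP", "port": 5671, "context": {"qpid.security.tls.protocolAllowList": "[\"TLSv1.3\"]"}},
    {"name": "AMQP-legacy", "port": 5672}
  ]
}'''

if __name__ == "__main__":
    for name, (protocols, usable) in port_report(CONFIG_JSON).items():
        print(f"{name}: protocols={protocols} usable_suites={usable or 'NONE (handshake fails)'}")
```

Running it prints one line per port: the port-level override leaves the AMQP port with only the two TLSv1.3 suites, while AMQP-legacy inherits both protocols and keeps all three. Feeding `usable_suites` the 16 Nov "NOT WORKING" values (protocolWhiteList "TLSv1.2" with the GSM-misspelt suite names) returns an empty suite list, and even the corrected GCM list under TLSv1.2 alone leaves just TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, which is the configuration-time view of the handshake failures reported in the thread. Re-checking the effective suites per port after every override is cheaper than diagnosing client handshake errors.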

Re: [External] Re: Queries on Qpid setup

Malyala, Kirankumar
Hi Alex,

When we are trying the Qpid HA setup, we are getting the below error.
Please guide us on the steps for configuring HA between multiple servers.

Regards,
Kirankumar Malyala

From: Oleksandr Rudyy <[hidden email]>
Sent: 18 November 2020 16:41
To: [hidden email] <[hidden email]>
Subject: Re: [External] Re: Queries on Qpid setup
 
Hi Kirankumar,
If the broker port is configured with TLSv1.2, it will not accept
connections using any other TLS protocol. Thus, it is really not required to
provide any specific TLSv1.2 settings on the client side. Though, the JMS
client for AMQP 1.0 supports connection options to enable and/or disable
specific TLS protocols and cipher suites. You can use them to restrict the
TLS protocols and cipher suites to the required ones. Here are the
corresponding option descriptions from the client documentation [1]:

* transport.enabledCipherSuites The cipher suites to enable, comma
separated. No default, meaning the context default ciphers are used. Any
disabled ciphers are removed from this.
* transport.disabledCipherSuites The cipher suites to disable, comma
separated. Ciphers listed here are removed from the enabled ciphers. No
default.
* transport.enabledProtocols The protocols to enable, comma separated. No
default, meaning the context default protocols are used. Any disabled
protocols are removed from this.
* transport.disabledProtocols The protocols to disable, comma separated.
Protocols listed here are removed from the enabled protocols. Default is
"SSLv2Hello,SSLv3".

In general, you  need to configure TLS transport on a client connection URL
by simply setting protocol part of URL to amqps as in an example below

amqps://myhost.mydomain:5671

If a self-signed certificate is used, you need to provide a trustore with
all required certificates including intermediate ones.
You can utilize connection URL options transport.trustStoreLocation and
transport.trustStorePassword to set a path to the java keystore file with
the certificates and keystore password respectively. For example,

amqps://myhost.mydomain:5671?transport.trustStoreLocation=/path/to/trust-store.pkcs12&transport.trustStorePassword=transport


An example of connection URL with enabled TLSv1.2 is provided below

amqps://myhost.mydomain:5671?transport.trustStoreLocation=/path/to/trust-store.pkcs12&transport.trustStorePassword=transport&transport.enabledProtocols=TLSv1.2

For more information about connection options please check client
documentation at [1].

I guess that you are asking about an example of how to configure a
connection factory spring bean using spring xml. Please, correct me if I am
wrong here.

There are multiple ways you can configure the connection factory bean in
spring framework. Please refer spring documentation [2] for more details.

Here is just an example illustrating the approach when jndi properties file
(jndi.properties) with connection factory settings is used to define the
connection URL:

You can declare bean PropertiesFactoryBean to load Qpid client JNDI
configuration from a file in classpath as below

<bean id="jndiConfiguration"
class="org.springframework.beans.factory.config.PropertiesFactoryBean">
  <property name="location" value="classpath:jndi.properties"/>
</bean>

Alternatively it can be done as below

<util:properties id="jndiConfiguration"
location="classpath:jndi.properties"/>

Than, you can create a JNDI template bean referencing the jndiConfiguration
bean

<bean id="jndiTemplate" class="org.springframework.jndi.JndiTemplate">
  <property name="environment" ref="jndiConfiguration"/>
</bean>

The connection factory bean can be created using spring
JndiObjectFactoryBean

<bean id="jmsConnectionFactory"
class="org.springframework.jndi.JndiObjectFactoryBean"
depends-on="jndiTemplate">
    <property name="jndiTemplate" ref="jndiTemplate"/>
    <property name="jndiName">
        <value>${qpid.connection.factory.jndi.name}</value>
    </property>
</bean>

I hope the above should help you with your client set-up.

As for the BDB HA error, the  image was stripped from the email. Please
resend the stack trace of the problem.

Kind Regards,
Alex

[1]
https://urldefense.proofpoint.com/v2/url?u=http-3A__qpid.apache.org_releases_qpid-2Djms-2D0.54.0_docs_index.html-23ssl-2Dtransport-2Dconfiguration-2Doptions&d=DwIBaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=YdSqhSx8YFLJDN_n65eGzQ3B2rXHaWU4sFWjwmAFuqk&m=Q7pGWQpmE9C7n1fxQ5x62HtPdrfpN2MYB0kMXcXQ1rc&s=TDbT4B4bfkwU6GsuwabjKohMUTLVlQkexWDfb-Axssg&e=
[2] https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.spring.io_spring-2Dframework_docs_2.5.x_reference_jms.html&d=DwIBaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=YdSqhSx8YFLJDN_n65eGzQ3B2rXHaWU4sFWjwmAFuqk&m=Q7pGWQpmE9C7n1fxQ5x62HtPdrfpN2MYB0kMXcXQ1rc&s=iJKAuFeXBL0Pm2nORr9eUtBUwtOPLisdCtDFWYZSNNI&e=


On Wed, 18 Nov 2020 at 07:48, Malyala, Kirankumar
<[hidden email]> wrote:

> Hi Alex,
>
>
>
> 1)           Could you provide us details how we can configure TLS 1.2 for
> our JMS client in JmsConnectionFactory bean using XML file.
>
> 2)           When we try to set up BDB_HA, we are getting the following
> error.
>
>
>
>
>
> Please let me know if we are missing something.
>
>
>
> Regards,
>
> Kirankumar Malyala
>
>
>
> -----Original Message-----
> From: Oleksandr Rudyy <[hidden email]>
> Sent: Tuesday, November 17, 2020 4:02 AM
> To: [hidden email]
> Subject: Re: [External] Re: Queries on Qpid setup
>
>
>
> Hi Kirankumar,
>
> There is a typo in cipher suite names: the GSM is used instead of GCM.
>
> Thus, the correct cipherSuiteWhiteList would be:
>
>
>
> "qpid.security.tls.cipherSuiteWhiteList":
>
>
> "[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]"
>
>
>
>
>
> Please note that cipher suites TLS_AES_128_GCM_SHA256 and
>
> TLS_AES_256_GCM_SHA384 have been introduced in JDK11 for TLSv1.3. They
> cannot be used with TLSv1.2. The only TLSv1.2 cipher suite in the list is
> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
>
>
>
> Regarding encryption of replication traffic I do not have any
> documentation/recommendation on how to set-up  the ssh tunnels.
>
>
>
> KInd Regards,
>
> Alex
>
>
>
> On Mon, 16 Nov 2020 at 14:54, Malyala, Kirankumar <
> [hidden email]> wrote:
>
>
>
> > Hi Alex,
>
> >
>
> > 1)We are using Qpid 7.1.6 version. When we add below context in our
>
> > Port map getting SSL handshake error, working fine only for
>
> > "qpid.security.tls.protocolWhiteList": "TLSv1.2".
>
> >
>
> >  "qpid.security.tls.protocolWhiteList": "TLSv1.2",  --------> WORKING
>
> > "qpid.security.tls.cipherSuiteWhiteList":
>
> >
> "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"(TLS|SSL)_AES_256_GSM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
>
> > --------> NOT WORKING
>
> >
>
> > 2)Also, please let us know which approach would be best for encrypting
>
> > replicas (SSH tunneling, S Tunnel or IPSec) in Qpid setup and share
>
> > it's configuration documentation/procedure.
>
> >
>
> > Regards,
>
> > Kirankumar Malyala
>
> >
>
> > -----Original Message-----
>
> > From: Oleksandr Rudyy <[hidden email]>
>
> > Sent: Wednesday, November 11, 2020 12:03 AM
>
> > To: [hidden email]
>
> > Subject: Re: [External] Re: Queries on Qpid setup
>
> >
>
> > Hi Kirankumar,
>
> >
>
> > The context variable can be set on any configured object. For example,
>
> > you can set context variables in the attribute "context" of Broker
>
> > configured object or/and Port configured object.
>
> > The children configured objects inherit context settings from their
>
> > parents. Thus, the Port configured object inherits all context
>
> > settings from the Broker as Broker is a parent of the Port.
>
> > The context settings can be overridden on the child configured object
>
> > if required. For example, you can set the context variable
>
> > "qpid.security.tls.protocolAllowList" on the Broker to
>
> > "[\"TLSv1.2\",\"TLSv1.3\"]" to allow only TLSv1.2 and TLSv1.3 and
>
> > override it on the Port to  "[\\"TLSv1.3\"]" in order to restrict the
>
> > port connections to TLSv1.3. Another port object without overridden
>
> > context variable "qpid.security.tls.protocolAllowList" would inherit
>
> > the support of
>
> > TLSv1.2 and TLSv1.3 from the broker.
>
> >
>
> > As mentioned above, the context variables are kept in the attributes
>
> > "context" as a "map "of string keys and values. You can create your
>
> > initial configuration and define the context variables in the
>
> > "context" attribute as illustrated in the example below:
>
> >
>
> > {
>
> >   "name" : "${broker.name}",
>
> >   "modelVersion" : "7.1",
>
> >   "context": {
>
> >     "qpid.security.tls.protocolAllowList": "[\"TLSv1.2\",\"TLSv1.3\"]",
>
> >     "qpid.security.tls.cipherSuiteAllowList":
>
> >
>
> >
> "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"TLS|SSL)_AES_256_GSM_SHA384\",\"TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
>
> >   },
>
> >
>
> >   ...
>
> >   "ports": [{
>
> >     "name" : "AMQP",
>
> >     "port" : "${qpid.amqp_port}",
>
> >     "context": {
>
> >       "qpid.security.tls.protocolAllowList": "[\"TLSv1.3\"]",
>
> >     },
>
> >    ...
>
> >    },
>
> >    ...
>
> >   ]
>
> > }
>
> >
>
> > In the example above, the context variables
>
> > "qpid.security.tls.protocolAllowList" and
>
> > "qpid.security.tls.cipherSuiteAllowList" are defined on the broker level.
>
> > The port "AMQP" has its own "context" attribute where
>
> > "qpid.security.tls.protocolAllowList" is overridden. Thus, the port
> "AMQP"
>
> > will have "qpid.security.tls.protocolAllowList" defined on the port
>
> > and "qpid.security.tls.cipherSuiteAllowList" inherited from the Broker.
>
> >
>
> > I hope that the example above helps you to understand the context
>
> > variable settings.
>
> >
>
> > You can update the context variables using REST API. Though, the TLS
>
> > needs to be configured first on the HTTP port in order to use REST API.
>
> >
>
> >
>
> > Kind Regards,
>
> > Alex
>
> >
>
> >
>
> >
>
> >
>
> > On Tue, 10 Nov 2020 at 08:47, Malyala, Kirankumar
>
> > <[hidden email]> wrote:
>
> >
>
> > > Hi Alex,
>
> > >
>
> > > Thank you for your help. This is useful to look into the areas where
>
> > > we wanted clarity.
>
> > > I want to clear a few things from the points which you have mentioned.
>
> > >
>
> > > As you mentioned, the TLS version can set in multiple ways through
>
> > > context variable. Could you explain how we can set in JVM settings
>
> > > config.json
>
> > >
>
> > > Please share the code if you have it.
>
> > >
>
> > > Also, related to ssh tunnel configuration, could you share with us
>
> > > any existing references which have used ssh tunneling and
>
> > > master/replica concept. Then, it would be easier for us to mold it
>
> > > as per our
>
> > requirement.
>
> > >
>
> > > Regards,
>
> > > Kirankumar Malyala
>
> > >
>
> > >
>
> > > -----Original Message-----
>
> > > From: Oleksandr Rudyy <[hidden email]>
>
> > > Sent: Tuesday, November 10, 2020 5:24 AM
>
> > > To: [hidden email]
>
> > > Subject: Re: [External] Re: Queries on Qpid setup
> > >
> > > Hi Kirankumar,
> > > The AMQP and HTTP ports of Qpid Broker-J support TLS and plain TCP
> > > transports.
> > >
> > > In order to enable TLS on broker HTTP or/and AMQP ports, Keystore
> > > configured object(s) need to be configured.
> > > The keystore object should contain a private key and certificates
> > > (including intermediates if required).
> > >
> > > A number of Keystore types are supported on the broker:
> > > * FileKeyStore - in this type of Keystore a java keystore is used
> > > underneath to hold the private key and certificates
> > > * NonJavaKeyStore - used to configure private key and certificates
> > > directly in PEM or DER formats
> > >
> > > The Broker allows users to quickly create a self-signed certificate
> > > with a special type of Keystore called "AutoGeneratedSelfSigned"
> > > (with Oracle JDK or OpenJDK).
> > >
> > > The TLS protocols and TLS cipher suites can be customised (if
> > > required) using special context variables:
> > > * qpid.security.tls.protocolAllowList
> > > * qpid.security.tls.protocolDenyList
> > > * qpid.security.tls.cipherSuiteAllowList
> > > * qpid.security.tls.cipherSuiteDenyList
> > > or
> > > * qpid.security.tls.protocolWhiteList
> > > * qpid.security.tls.protocolBlackList
> > > * qpid.security.tls.cipherSuiteWhiteList
> > > * qpid.security.tls.cipherSuiteBlackList
> > >
> > > Before 7.1.9 only "white/black" list terminology was supported.
> > > Starting from version 7.1.9 the alternative names "allow/deny" lists
> > > can be used. In version 9.0 the "allow/deny" lists completely
> > > replace "white/black" list terminology.
> > >
> > > For example, you can allow only TLSv1.3 with JDK11 by setting
> > > context variable qpid.security.tls.protocolAllowList to "TLSv1.3".
> > > You can specify the allowed or denied values using regular
> > > expressions represented as JSON stringified lists.
> > > For example, you can limit allowed cipher suites to only some of
> > > them by setting qpid.security.tls.cipherSuiteAllowList to
> > > "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"TLS|SSL)_AES_256_GSM_SHA384\",\"TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]".
> > > The same applies to deny lists.
> > >
> > > The context variable can be set in multiple ways:
> > > * as JVM settings
> > > * as command line arguments (for example, ./bin/qpid-server -prop
> > > qpid.security.tls.protocolAllowList=TLSv1.3 )
> > > * in a properties file system.properties (it needs to be in broker
> > > classpath)
> > > * as configured object context variables (for example, context
> > > variable set on the Broker object using REST API)
> > >
> > > The Qpid Broker HA is based on Oracle BDB JE. Unfortunately the BDB
> > > JE does not support TLS transport. The data replication is unencrypted.
> > > Potentially, you can use SSH tunnels, but that requires configuring
> > > tunnels between each of HA nodes, as the nodes communicate with each
> > > other. I believe that it should be possible to configure SSH
> > > tunnels, though I cannot give you any useful advice on how to do that.
> > >
> > > You can download Qpid Broker distribution files from Qpid Download
> > > page at http://qpid.apache.org/download.html
> > >
> > > Kind Regards,
> > > Alex
> > >
>
> > > On Fri, 6 Nov 2020 at 04:50, Malyala, Kirankumar
> > > <[hidden email]> wrote:
> > >
> > > > Hi Alex,
> > > >
> > > > We are using broker-j (for java). As of now, we are exploring on
> > > > version 7.
> > > > Please do let us know if you want any other information.
> > > >
> > > > Regards,
> > > > Kirankumar Malyala
> > > >
> > > > -----Original Message-----
> > > > From: Oleksandr Rudyy <[hidden email]>
> > > > Sent: Friday, November 6, 2020 5:44 AM
> > > > To: [hidden email]
> > > > Subject: [External] Re: Queries on Qpid setup
> > > >
> > > > This message is from an EXTERNAL SENDER - be CAUTIOUS,
> > > > particularly with links and attachments.
> > > >
> > > > Hi Kirankumar,
> > > > Could you please clarify what exactly Qpid broker are you trying
> > > > to use?
> > > > There are two brokers in Qpid project: c++ broker and broker-j
> > > > (for java).
> > > >
> > > > Are you using Qpid Broker-J?
> > > >
> > > > Kind regards,
> > > > Alex
> > > >
> > > > On Thu, 5 Nov 2020 at 08:05, Malyala, Kirankumar
> > > > <[hidden email]> wrote:
> > > >
> > > > > Hi Team,
> > > > >
> > > > > We have been doing some POC on Qpid. While working on the
> > > > > configuration, we came across multiple blockers which we have
> > > > > mentioned below.
> > > > >
> > > > >   *   How to use a specific version of TLS encryption for Qpid if we
> > > > > deploy on VM.
> > > > >   *   We understood from the Qpid documentation that we have to deploy
> > > > > broker on multiple VM's to create a group and introduce
> > > > > master/replica nodes. Any SOP on this part ?
> > > > >   *   How to apply SSL/TLS encryption to replicas in the group consists of
> > > > > master and replica nodes using SSH tunnel/IPsec.
> > > > >   *   How can we fetch file in Apache
> > > > >
> > > > > Please let us know if some one from your team can guide us on
> > > > > these points.
> > > > >
> > > > > Regards,
> > > > > Kirankumar Malyala
> > > > >
>
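The allow/deny list mechanics that the quoted reply above describes (regular expressions in a JSON-stringified list, set as context variables, with a Port inheriting and overriding the Broker's context) are easier to reason about when modelled in code. The block below is an added example written for this page; it is not Broker-J source and not code from the thread. It assumes that Broker-J matches each list entry as a regex against the whole protocol or cipher suite name, that a bare value such as "TLSv1.3" is treated as a single pattern, and that the Port's context entries override the Broker's; the supported names are a constructed sample of what a JDK 11 SSLContext reports, and the port names and numbers are invented. Running it shows why the cipher suite list with the GSM typo leaves no cipher suite at all (consistent with the handshake error reported later in the thread), why a pattern with an unbalanced parenthesis such as `TLS|SSL)_...` fails outright, and why a port limited to TLSv1.2 is left with only the ECDHE suite, because TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384 exist only for TLSv1.3.

```python
import json
import re

# Constructed sample of what a JDK 11 SSLContext reports (not exhaustive; assumption).
SUPPORTED_PROTOCOLS = ["TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"]
SUPPORTED_SUITES = [
    "TLS_AES_256_GCM_SHA384",                  # TLSv1.3-only suite
    "TLS_AES_128_GCM_SHA256",                  # TLSv1.3-only suite
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
TLS13_ONLY_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"}

# Variable names from the thread: each allow/deny name with its pre-7.1.9 white/black alias.
VARIABLES = {
    "protocol": (("qpid.security.tls.protocolAllowList", "qpid.security.tls.protocolWhiteList"),
                 ("qpid.security.tls.protocolDenyList", "qpid.security.tls.protocolBlackList")),
    "cipherSuite": (("qpid.security.tls.cipherSuiteAllowList", "qpid.security.tls.cipherSuiteWhiteList"),
                    ("qpid.security.tls.cipherSuiteDenyList", "qpid.security.tls.cipherSuiteBlackList")),
}

# Constructed config.json fragment in the shape the thread shows. Each list is a JSON *string*
# holding a JSON array of regexes, hence the escaped quotes. Port names and numbers are invented.
CONFIG_JSON = r'''{
  "name": "Broker",
  "modelVersion": "7.1",
  "context": {
    "qpid.security.tls.protocolAllowList": "[\"TLSv1.2\",\"TLSv1.3\"]",
    "qpid.security.tls.cipherSuiteAllowList": "[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]"
  },
  "ports": [
    {"name": "AMQP",        "port": 5671, "context": {"qpid.security.tls.protocolAllowList": "[\"TLSv1.3\"]"}},
    {"name": "AMQP-TLS12",  "port": 5672, "context": {"qpid.security.tls.protocolAllowList": "TLSv1.2"}},
    {"name": "AMQP-TYPO",   "port": 5673, "context": {"qpid.security.tls.cipherSuiteAllowList": "[\"(TLS|SSL)_AES_128_GSM_SHA256\"]"}},
    {"name": "AMQP-BROKEN", "port": 5674, "context": {"qpid.security.tls.cipherSuiteAllowList": "[\"TLS|SSL)_AES_256_GCM_SHA384\"]"}}
  ]
}'''


def load_config(text=CONFIG_JSON):
    return json.loads(text)


def parse_patterns(value):
    """A list value is a JSON-stringified array of regexes; a bare value (as in the thread's
    "TLSv1.3" example) is taken as one pattern. Assumed semantics, not Broker-J source."""
    if value is None:
        return None
    value = value.strip()
    return [str(p) for p in json.loads(value)] if value.startswith("[") else [value]


def filter_names(supported, allow, deny):
    """Keep names fully matching some allow pattern (every name if there is no allow list),
    then drop names fully matching some deny pattern. A malformed regex raises re.error."""
    allow_re = None if allow is None else [re.compile(p) for p in allow]
    deny_re = [re.compile(p) for p in deny or []]
    return [n for n in supported
            if (allow_re is None or any(r.fullmatch(n) for r in allow_re))
            and not any(r.fullmatch(n) for r in deny_re)]


def lookup(ctx, names):
    """Value of the first alias name present in the context map, or None."""
    return next((ctx[n] for n in names if n in ctx), None)


def port_context(config, port_name):
    """A Port inherits the Broker's context; the Port's own entries override it."""
    for port in config.get("ports", []):
        if port["name"] == port_name:
            return {**config.get("context", {}), **port.get("context", {})}
    raise KeyError(port_name)


def effective_tls(ctx):
    """Protocols and cipher suites a port with this context could actually negotiate."""
    result = {}
    try:
        for kind, (allow_names, deny_names) in VARIABLES.items():
            supported = SUPPORTED_PROTOCOLS if kind == "protocol" else SUPPORTED_SUITES
            result[kind] = filter_names(supported,
                                        parse_patterns(lookup(ctx, allow_names)),
                                        parse_patterns(lookup(ctx, deny_names)))
    except re.error as exc:
        return {"error": f"invalid pattern: {exc}"}
    # The TLS 1.3 suites exist only for TLSv1.3; without it they can never be selected.
    if "TLSv1.3" not in result["protocol"]:
        result["cipherSuite"] = [s for s in result["cipherSuite"] if s not in TLS13_ONLY_SUITES]
    return result


if __name__ == "__main__":
    cfg = load_config()
    for port in cfg["ports"]:
        print(port["name"], effective_tls(port_context(cfg, port["name"])))
```

An empty cipherSuite result is the case to watch for: the broker starts without complaint, and the failure only shows up as a handshake error on the client side, so it is worth computing the effective set for every TLS port before deploying a new allow list rather than discovering it from client logs.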

Re: [External] Re: Queries on Qpid setup

Robbie Gemmell
Administrator
The mailing list strips all but the most trivial of attachments/insertions
so your images did not make it, as with the previous time when Alex asked
you to resend the information that hadnt made it. For images, you'll need
to link to them somewhere. If you have text to send, such as an error or
stacktrace, just send the text.

The documentation around creating an HA group is at
http://qpid.apache.org/releases/qpid-broker-j-8.0.2/book/Java-Broker-High-Availability-CreatingGroup.html

On Thu, 3 Dec 2020 at 15:08, Malyala, Kirankumar
<[hidden email]> wrote:

> Hi Alex,
>
> When we are trying for Qpid HA setup, we are getting the below error.
> Please guide us the steps for configuring HA in between multiple servers.
>
>
>
>
>
> Regards,
> Kirankumar Malyala
> ------------------------------
> *From:* Oleksandr Rudyy <[hidden email]>
> *Sent:* 18 November 2020 16:41
> *To:* [hidden email] <[hidden email]>
> *Subject:* Re: [External] Re: Queries on Qpid setup
>
> Hi Kirankumar,
> If the broker port is configured with TLSv1.2, it will not accept
> connections using any other TLS protocol. Thus, it is really not required to
> provide any specific TLSv1.2 settings on the client side. Though, the JMS
> client for AMQP 1.0 supports connection options to enable and/or disable
> specific TLS protocols and cipher suites. You can use them to restrict the
> TLS protocols and cipher suites to the required ones. Here are the
> corresponding option descriptions from the client documentation [1]:
>
> * transport.enabledCipherSuites The cipher suites to enable, comma
> separated. No default, meaning the context default ciphers are used. Any
> disabled ciphers are removed from this.
> * transport.disabledCipherSuites The cipher suites to disable, comma
> separated. Ciphers listed here are removed from the enabled ciphers. No
> default.
> * transport.enabledProtocols The protocols to enable, comma separated. No
> default, meaning the context default protocols are used. Any disabled
> protocols are removed from this.
> * transport.disabledProtocols The protocols to disable, comma separated.
> Protocols listed here are removed from the enabled protocols. Default is
> "SSLv2Hello,SSLv3".
>
> In general, you need to configure TLS transport on a client connection URL
> by simply setting the protocol part of the URL to amqps, as in the example below
>
> amqps://myhost.mydomain:5671
>
> If a self-signed certificate is used, you need to provide a truststore with
> all required certificates including intermediate ones.
> You can utilize connection URL options transport.trustStoreLocation and
> transport.trustStorePassword to set a path to the java keystore file with
> the certificates and keystore password respectively. For example,
>
> amqps://myhost.mydomain:5671?transport.trustStoreLocation=/path/to/trust-store.pkcs12&transport.trustStorePassword=transport
>
>
> An example of connection URL with enabled TLSv1.2 is provided below
>
>
> amqps://myhost.mydomain:5671?transport.trustStoreLocation=/path/to/trust-store.pkcs12&transport.trustStorePassword=transport&transport.enabledProtocols=TLSv1.2
>
> For more information about connection options please check client
> documentation at [1].
>
> I guess that you are asking about an example of how to configure a
> connection factory spring bean using spring xml. Please, correct me if I am
> wrong here.
>
> There are multiple ways you can configure the connection factory bean in
> spring framework. Please refer to the spring documentation [2] for more details.
>
> Here is just an example illustrating the approach when jndi properties file
> (jndi.properties) with connection factory settings is used to define the
> connection URL:
>
> You can declare bean PropertiesFactoryBean to load Qpid client JNDI
> configuration from a file in classpath as below
>
> <bean id="jndiConfiguration"
> class="org.springframework.beans.factory.config.PropertiesFactoryBean">
>   <property name="location" value="classpath:jndi.properties"/>
> </bean>
>
> Alternatively it can be done as below
>
> <util:properties id="jndiConfiguration"
> location="classpath:jndi.properties"/>
>
> Then, you can create a JNDI template bean referencing the jndiConfiguration
> bean
>
> <bean id="jndiTemplate" class="org.springframework.jndi.JndiTemplate">
>   <property name="environment" ref="jndiConfiguration"/>
> </bean>
>
> The connection factory bean can be created using spring
> JndiObjectFactoryBean
>
> <bean id="jmsConnectionFactory"
> class="org.springframework.jndi.JndiObjectFactoryBean"
> depends-on="jndiTemplate">
>     <property name="jndiTemplate" ref="jndiTemplate"/>
>     <property name="jndiName">
>         <value>${qpid.connection.factory.jndi.name}</value>
>     </property>
> </bean>
>
> I hope the above should help you with your client set-up.
>
> As for the BDB HA error, the  image was stripped from the email. Please
> resend the stack trace of the problem.
>
> Kind Regards,
> Alex
>
> [1] http://qpid.apache.org/releases/qpid-jms-0.54.0/docs/index.html#ssl-transport-configuration-options
> [2] https://docs.spring.io/spring-framework/docs/2.5.x/reference/jms.html
>
>
> On Wed, 18 Nov 2020 at 07:48, Malyala, Kirankumar
> <[hidden email]> wrote:
>
> > Hi Alex,
> >
> >
> >
> > 1)           Could you provide us details how we can configure TLS 1.2
> for
> > our JMS client in JmsConnectionFactory bean using XML file.
> >
> > 2)           When we try to set up BDB_HA, we are getting the following
> > error.
> >
> >
> >
> >
> >
> > Please let me know if we are missing something.
> >
> >
> >
> > Regards,
> >
> > Kirankumar Malyala
> >
> >
> >
> > -----Original Message-----
> > From: Oleksandr Rudyy <[hidden email]>
> > Sent: Tuesday, November 17, 2020 4:02 AM
> > To: [hidden email]
> > Subject: Re: [External] Re: Queries on Qpid setup
> >
> > Hi Kirankumar,
> > There is a typo in cipher suite names: the GSM is used instead of GCM.
> > Thus, the correct cipherSuiteWhiteList would be:
> >
> > "qpid.security.tls.cipherSuiteWhiteList":
> > "[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]"
> >
> > Please note that cipher suites TLS_AES_128_GCM_SHA256 and
> > TLS_AES_256_GCM_SHA384 have been introduced in JDK11 for TLSv1.3. They
> > cannot be used with TLSv1.2. The only TLSv1.2 cipher suite in the list is
> > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
> >
> > Regarding encryption of replication traffic I do not have any
> > documentation/recommendation on how to set-up the ssh tunnels.
> >
> > Kind Regards,
> > Alex
> >
> > On Mon, 16 Nov 2020 at 14:54, Malyala, Kirankumar <
> > [hidden email]> wrote:
> >
> > > Hi Alex,
> > >
> > > 1) We are using Qpid 7.1.6 version. When we add below context in our
> > > Port map getting SSL handshake error, working fine only for
> > > "qpid.security.tls.protocolWhiteList": "TLSv1.2".
> > >
> > >  "qpid.security.tls.protocolWhiteList": "TLSv1.2",  --------> WORKING
> > > "qpid.security.tls.cipherSuiteWhiteList":
> > > "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"(TLS|SSL)_AES_256_GSM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
> > > --------> NOT WORKING
> > >
> > > 2) Also, please let us know which approach would be best for encrypting
> > > replicas (SSH tunneling, stunnel or IPSec) in Qpid setup and share
> > > its configuration documentation/procedure.
> > >
> > > Regards,
> > > Kirankumar Malyala
> > >
> > > -----Original Message-----
> > > From: Oleksandr Rudyy <[hidden email]>
> > > Sent: Wednesday, November 11, 2020 12:03 AM
> > > To: [hidden email]
> > > Subject: Re: [External] Re: Queries on Qpid setup
> > >
> > > Hi Kirankumar,
> > >
> > > The context variable can be set on any configured object. For example,
> > > you can set context variables in the attribute "context" of Broker
> > > configured object or/and Port configured object.
> > > The children configured objects inherit context settings from their
> > > parents. Thus, the Port configured object inherits all context
> > > settings from the Broker as Broker is a parent of the Port.
> > > The context settings can be overridden on the child configured object
> > > if required. For example, you can set the context variable
> > > "qpid.security.tls.protocolAllowList" on the Broker to
> > > "[\"TLSv1.2\",\"TLSv1.3\"]" to allow only TLSv1.2 and TLSv1.3 and
> > > override it on the Port to "[\"TLSv1.3\"]" in order to restrict the
> > > port connections to TLSv1.3. Another port object without overridden
> > > context variable "qpid.security.tls.protocolAllowList" would inherit
> > > the support of TLSv1.2 and TLSv1.3 from the broker.
> > >
> > > As mentioned above, the context variables are kept in the attribute
> > > "context" as a "map" of string keys and values. You can create your
> > > initial configuration and define the context variables in the
> > > "context" attribute as illustrated in the example below:
> > >
> > > {
> > >   "name" : "${broker.name}",
> > >   "modelVersion" : "7.1",
> > >   "context": {
> > >     "qpid.security.tls.protocolAllowList": "[\"TLSv1.2\",\"TLSv1.3\"]",
> > >     "qpid.security.tls.cipherSuiteAllowList": "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"TLS|SSL)_AES_256_GSM_SHA384\",\"TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
> > >   },
> > >   ...
> > >   "ports": [{
> > >     "name" : "AMQP",
> > >     "port" : "${qpid.amqp_port}",
> > >     "context": {
> > >       "qpid.security.tls.protocolAllowList": "[\"TLSv1.3\"]"
> > >     },
> > >    ...
> > >    },
> > >    ...
> > >   ]
> > > }
> > >
> > > In the example above, the context variables
> > > "qpid.security.tls.protocolAllowList" and
> > > "qpid.security.tls.cipherSuiteAllowList" are defined on the broker level.
> > > The port "AMQP" has its own "context" attribute where
> > > "qpid.security.tls.protocolAllowList" is overridden. Thus, the port "AMQP"
> > > will have "qpid.security.tls.protocolAllowList" defined on the port
> > > and "qpid.security.tls.cipherSuiteAllowList" inherited from the Broker.
> > >
> > > I hope that the example above helps you to understand the context
> > > variable settings.
> > >
> > > You can update the context variables using REST API. Though, the TLS
> > > needs to be configured first on the HTTP port in order to use REST API.
> > >
> > > Kind Regards,
> > > Alex
> > >
> > > On Tue, 10 Nov 2020 at 08:47, Malyala, Kirankumar
> > > <[hidden email]> wrote:
> > >
> > > > Hi Alex,
> > > >
> > > > Thank you for your help. This is useful to look into the areas where
> > > > we wanted clarity.
> > > > I want to clear a few things from the points which you have mentioned.
> > > >
> > > > As you mentioned, the TLS version can be set in multiple ways through
> > > > context variable. Could you explain how we can set in JVM settings
> > > > config.json
> > > >
> > > > Please share the code if you have it.
> > > >
> > > > Also, related to ssh tunnel configuration, could you share with us
> > > > any existing references which have used ssh tunneling and
> > > > master/replica concept. Then, it would be easier for us to mold it
> > > > as per our requirement.
> > > >
> > > > Regards,
> > > > Kirankumar Malyala
> > > >
> > > > -----Original Message-----
> > > > From: Oleksandr Rudyy <[hidden email]>
> > > > Sent: Tuesday, November 10, 2020 5:24 AM
> > > > To: [hidden email]
> > > > Subject: Re: [External] Re: Queries on Qpid setup
> > > >
> > > > Hi Kirankumar,
> > > > The AMQP and HTTP ports of Qpid Broker-J support TLS and plain TCP
> > > > transports.
> > > >
> > > > In order to enable TLS on broker HTTP or/and AMQP ports, Keystore
> > > > configured object(s) need to be configured.
> > > > The keystore object should contain a private key and certificates
> > > > (including intermediates if required).
> > > >
> > > > A number of Keystore types are supported on the broker:
> > > > * FileKeyStore - in this type of Keystore a java keystore is used
> > > > underneath to hold the private key and certificates
> > > > * NonJavaKeyStore - used to configure private key and certificates
> > > > directly in PEM or DER formats
> > > >
> > > > The Broker allows users to quickly create a self-signed certificate
> > > > with a special type of Keystore called "AutoGeneratedSelfSigned"
> > > > (with Oracle JDK or OpenJDK).
> > > >
> > > > The TLS protocols and TLS cipher suites can be customised (if
> > > > required) using special context variables:
> > > > * qpid.security.tls.protocolAllowList
> > > > * qpid.security.tls.protocolDenyList
> > > > * qpid.security.tls.cipherSuiteAllowList
> > > > * qpid.security.tls.cipherSuiteDenyList
> > > > or
> > > > * qpid.security.tls.protocolWhiteList
> > > > * qpid.security.tls.protocolBlackList
> > > > * qpid.security.tls.cipherSuiteWhiteList
> > > > * qpid.security.tls.cipherSuiteBlackList
> > > >
> > > > Before 7.1.9 only "white/black" list terminology was supported.
> > > > Starting from version 7.1.9 the alternative names "allow/deny" lists
> > > > can be used. In version 9.0 the "allow/deny" lists completely
> > > > replace "white/black" list terminology.
> > > >
> > > > For example, you can allow only TLSv1.3 with JDK11 by setting
> > > > context variable qpid.security.tls.protocolAllowList to "TLSv1.3".
> > > > You can specify the allowed or denied values using regular
> > > > expressions represented as JSON stringified lists.
> > > > For example, you can limit allowed cipher suites to only some of
> > > > them by setting qpid.security.tls.cipherSuiteAllowList to
> > > > "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"TLS|SSL)_AES_256_GSM_SHA384\",\"TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]".
> > > > The same applies to deny lists.
> > > >
> > > > The context variable can be set in multiple ways:
> > > > * as JVM settings
> > > > * as command line arguments (for example, ./bin/qpid-server -prop
> > > > qpid.security.tls.protocolAllowList=TLSv1.3 )
> > > > * in a properties file system.properties (it needs to be in broker
> > > > classpath)
> > > > * as configured object context variables (for example, context
> > > > variable set on the Broker object using REST API)
> > > >
> > > > The Qpid Broker HA is based on Oracle BDB JE. Unfortunately the BDB
> > > > JE does not support TLS transport. The data replication is unencrypted.
> > > > Potentially, you can use SSH tunnels, but that requires configuring
> > > > tunnels between each of HA nodes, as the nodes communicate with each
> > > > other. I believe that it should be possible to configure SSH
> > > > tunnels, though I cannot give you any useful advice on how to do that.
> > > >
> > > > You can download Qpid Broker distribution files from Qpid Download
> > > > page at http://qpid.apache.org/download.html
> > > >
> > > > Kind Regards,
> > > > Alex
> > > >
> > > > On Fri, 6 Nov 2020 at 04:50, Malyala, Kirankumar
> > > > <[hidden email]> wrote:
> > > >
> > > > > Hi Alex,
> > > > >
> > > > > We are using broker-j (for java). As of now, we are exploring on
> > > > > version 7.
> > > > > Please do let us know if you want any other information.
> > > > >
> > > > > Regards,
> > > > > Kirankumar Malyala
> > > > >
> > > > > -----Original Message-----
> > > > > From: Oleksandr Rudyy <[hidden email]>
> > > > > Sent: Friday, November 6, 2020 5:44 AM
> > > > > To: [hidden email]
> > > > > Subject: [External] Re: Queries on Qpid setup
> > > > >
> > > > > This message is from an EXTERNAL SENDER - be CAUTIOUS,
> > > > > particularly with links and attachments.
> > > > >
> > > > > Hi Kirankumar,
> > > > > Could you please clarify what exactly Qpid broker are you trying
> > > > > to use?
> > > > > There are two brokers in Qpid project: c++ broker and broker-j
> > > > > (for java).
> > > > >
> > > > > Are you using Qpid Broker-J?
> > > > >
> > > > > Kind regards,
> > > > > Alex
> > > > >
> > > > > On Thu, 5 Nov 2020 at 08:05, Malyala, Kirankumar
> > > > > <[hidden email]> wrote:
> > > > >
> > > > > > Hi Team,
> > > > > >
> > > > > > We have been doing some POC on Qpid. While working on the
> > > > > > configuration, we came across multiple blockers which we have
> > > > > > mentioned below.
> > > > > >
> > > > > >   *   How to use a specific version of TLS encryption for Qpid if we
> > > > > > deploy on VM.
> > > > > >   *   We understood from the Qpid documentation that we have to deploy
> > > > > > broker on multiple VM's to create a group and introduce
> > > > > > master/replica nodes. Any SOP on this part ?
> > > > > >   *   How to apply SSL/TLS encryption to replicas in the group consists of
> > > > > > master and replica nodes using SSH tunnel/IPsec.
> > > > > >   *   How can we fetch file in Apache
> > > > > >
> > > > > > Please let us know if some one from your team can guide us on
> > > > > > these points.
> > > > > >
> > > > > > Regards,
> > > > > > Kirankumar Malyala
> > > > > >
> >
> > > ________________________________
> >
> > >
> >
> > > This message is for the designated recipient only and may contain
> >
> > > privileged, proprietary, or otherwise confidential information. If you
> >
> > > have received it in error, please notify the sender immediately and
> >
> > > delete the original. Any other use of the e-mail by you is prohibited.
> >
> > > Where allowed by local law, electronic communications with Accenture
> >
> > > and its affiliates, including e-mail and instant messaging (including
> >
> > > content), may be scanned by our systems for the purposes of
> >
> > > information security and assessment of internal compliance with
> > Accenture policy. Your privacy is important to us.
> >
> > > Accenture uses your personal data only in compliance with data
> >
> > > protection laws. For further information on how Accenture processes
> >
> > > your personal data, please see our privacy statement at
> >
> > > https://www.accenture.com/us-en/privacy-policy.
> >
> > >
> >
> > > ______________________________________________________________________
> >
> > > ________________
> >
> > >
> >
> > > http://www.accenture.com
> >
> > >
> >
> > > ---------------------------------------------------------------------
> >
> > > To unsubscribe, e-mail: [hidden email] For
> >
> > > additional commands, e-mail: [hidden email]
> >
> > >
> >
> > >
> >
> > ------------------------------
> >
> > This message is for the designated recipient only and may contain
> > privileged, proprietary, or otherwise confidential information. If you
> have
> > received it in error, please notify the sender immediately and delete the
> > original. Any other use of the e-mail by you is prohibited. Where allowed
> > by local law, electronic communications with Accenture and its
> affiliates,
> > including e-mail and instant messaging (including content), may be
> scanned
> > by our systems for the purposes of information security and assessment of
> > internal compliance with Accenture policy. Your privacy is important to
> us.
> > Accenture uses your personal data only in compliance with data protection
> > laws. For further information on how Accenture processes your personal
> > data, please see our privacy statement at
> > https://www.accenture.com/us-en/privacy-policy.
> >
> >
> ______________________________________________________________________________________
> >
> > http://www.accenture.com
> >
>
> ------------------------------
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise confidential information. If you have
> received it in error, please notify the sender immediately and delete the
> original. Any other use of the e-mail by you is prohibited. Where allowed
> by local law, electronic communications with Accenture and its affiliates,
> including e-mail and instant messaging (including content), may be scanned
> by our systems for the purposes of information security and assessment of
> internal compliance with Accenture policy. Your privacy is important to us.
> Accenture uses your personal data only in compliance with data protection
> laws. For further information on how Accenture processes your personal
> data, please see our privacy statement at
> https://www.accenture.com/us-en/privacy-policy.
>
> ______________________________________________________________________________________
>
> www.accenture.com
>
Reply | Threaded
Open this post in threaded view
|

Re: [External] Re: Queries on Qpid setup

Malyala, Kirankumar
Hi,

I have launched 2 Ubuntu VMs and installed Qpid on them. To create HA for Qpid replication, I am trying to create a virtual host node in one of the VMs' Qpid as attached (1) and am getting an error (2).

Please suggest whether I need to follow any prerequisites or whether I am going the wrong way.

Regards,
Kirankumar Malyala


From: Robbie Gemmell <[hidden email]>
Sent: 03 December 2020 22:17
To: users <[hidden email]>
Subject: Re: [External] Re: Queries on Qpid setup
 
The mailing list strips all but the most trivial of attachments/insertions
so your images did not make it, as with the previous time when Alex asked
you to resend the information that hadn't made it. For images, you'll need
to link to them somewhere. If you have text to send, such as an error or
stacktrace, just send the text.

The documentation around creating an HA group is at
https://urldefense.proofpoint.com/v2/url?u=http-3A__qpid.apache.org_releases_qpid-2Dbroker-2Dj-2D8.0.2_book_Java-2DBroker-2DHigh-2DAvailability-2DCreatingGroup.html&d=DwIFaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=YdSqhSx8YFLJDN_n65eGzQ3B2rXHaWU4sFWjwmAFuqk&m=4wi1VX9jruNPNl5TuQ2yTZZmpR96Ce5z33ZqfMpGteM&s=RZJcR73PTn_8mbCMS_HkNqDQYngaGouwRdKE4QrW_l4&e=

On Thu, 3 Dec 2020 at 15:08, Malyala, Kirankumar
<[hidden email]> wrote:

> Hi Alex,
>
> When we are trying for Qpid HA setup, we are getting the below error.
> Please guide us on the steps for configuring HA between multiple servers.
>
> Regards,
> Kirankumar Malyala
> ------------------------------
> *From:* Oleksandr Rudyy <[hidden email]>
> *Sent:* 18 November 2020 16:41
> *To:* [hidden email] <[hidden email]>
> *Subject:* Re: [External] Re: Queries on Qpid setup
>
> Hi Kirankumar,
> If the broker port is configured with TLSv1.2, it will not accept
> connections using any other TLS protocol. Thus, it is really not required to
> provide any specific TLSv1.2 settings on the client side. However, the JMS
> client for AMQP 1.0 supports connection options to enable and/or disable
> specific TLS protocols and cipher suites. You can use them to restrict the
> TLS protocols and cipher suites to the required ones. Here are the
> corresponding option descriptions from the client documentation [1]:
>
> * transport.enabledCipherSuites The cipher suites to enable, comma
> separated. No default, meaning the context default ciphers are used. Any
> disabled ciphers are removed from this.
> * transport.disabledCipherSuites The cipher suites to disable, comma
> separated. Ciphers listed here are removed from the enabled ciphers. No
> default.
> * transport.enabledProtocols The protocols to enable, comma separated. No
> default, meaning the context default protocols are used. Any disabled
> protocols are removed from this.
> * transport.disabledProtocols The protocols to disable, comma separated.
> Protocols listed here are removed from the enabled protocols. Default is
> "SSLv2Hello,SSLv3".
>
> In general, you need to configure the TLS transport on a client connection URL
> by simply setting the protocol part of the URL to amqps, as in the example below:
>
> amqps://myhost.mydomain:5671
>
> If a self-signed certificate is used, you need to provide a truststore with
> all required certificates, including intermediate ones.
> You can utilize the connection URL options transport.trustStoreLocation and
> transport.trustStorePassword to set the path to the Java keystore file with
> the certificates and the keystore password respectively. For example:
>
> amqps://myhost.mydomain:5671?transport.trustStoreLocation=/path/to/trust-store.pkcs12&transport.trustStorePassword=transport
>
> An example of a connection URL with TLSv1.2 enabled is provided below:
>
> amqps://myhost.mydomain:5671?transport.trustStoreLocation=/path/to/trust-store.pkcs12&transport.trustStorePassword=transport&transport.enabledProtocols=TLSv1.2
>
> For more information about connection options please check the client
> documentation at [1].
>
> I guess that you are asking about an example of how to configure a
> connection factory Spring bean using Spring XML. Please correct me if I am
> wrong here.
>
> There are multiple ways you can configure the connection factory bean in the
> Spring framework. Please refer to the Spring documentation [2] for more details.
>
> Here is just an example illustrating the approach when a JNDI properties file
> (jndi.properties) with connection factory settings is used to define the
> connection URL.
>
> You can declare a PropertiesFactoryBean bean to load the Qpid client JNDI
> configuration from a file on the classpath as below:
>
> <bean id="jndiConfiguration"
>       class="org.springframework.beans.factory.config.PropertiesFactoryBean">
>   <property name="location" value="classpath:jndi.properties"/>
> </bean>
>
> Alternatively, it can be done as below:
>
> <util:properties id="jndiConfiguration"
>                  location="classpath:jndi.properties"/>
>
> Then, you can create a JNDI template bean referencing the jndiConfiguration
> bean:
>
> <bean id="jndiTemplate" class="org.springframework.jndi.JndiTemplate">
>   <property name="environment" ref="jndiConfiguration"/>
> </bean>
>
> The connection factory bean can be created using Spring's
> JndiObjectFactoryBean:
>
> <bean id="jmsConnectionFactory"
>       class="org.springframework.jndi.JndiObjectFactoryBean"
>       depends-on="jndiTemplate">
>     <property name="jndiTemplate" ref="jndiTemplate"/>
>     <property name="jndiName">
>         <value>${qpid.connection.factory.jndi.name}</value>
>     </property>
> </bean>
>
> I hope the above helps you with your client set-up.
>
> As for the BDB HA error, the image was stripped from the email. Please
> resend the stack trace of the problem.
>
> Kind Regards,
> Alex
>
> [1]
>
> https://urldefense.proofpoint.com/v2/url?u=http-3A__qpid.apache.org_releases_qpid-2Djms-2D0.54.0_docs_index.html-23ssl-2Dtransport-2Dconfiguration-2Doptions&d=DwIBaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=YdSqhSx8YFLJDN_n65eGzQ3B2rXHaWU4sFWjwmAFuqk&m=Q7pGWQpmE9C7n1fxQ5x62HtPdrfpN2MYB0kMXcXQ1rc&s=TDbT4B4bfkwU6GsuwabjKohMUTLVlQkexWDfb-Axssg&e=
> [2]
> https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.spring.io_spring-2Dframework_docs_2.5.x_reference_jms.html&d=DwIBaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=YdSqhSx8YFLJDN_n65eGzQ3B2rXHaWU4sFWjwmAFuqk&m=Q7pGWQpmE9C7n1fxQ5x62HtPdrfpN2MYB0kMXcXQ1rc&s=iJKAuFeXBL0Pm2nORr9eUtBUwtOPLisdCtDFWYZSNNI&e=
>
>
> On Wed, 18 Nov 2020 at 07:48, Malyala, Kirankumar
> <[hidden email]> wrote:
>
> > Hi Alex,
> >
> > 1) Could you provide us details on how we can configure TLS 1.2 for
> > our JMS client in the JmsConnectionFactory bean using an XML file.
> >
> > 2) When we try to set up BDB_HA, we are getting the following
> > error.
> >
> > Please let me know if we are missing something.
> >
> > Regards,
> > Kirankumar Malyala
> >
> > -----Original Message-----
> > From: Oleksandr Rudyy <[hidden email]>
> > Sent: Tuesday, November 17, 2020 4:02 AM
> > To: [hidden email]
> > Subject: Re: [External] Re: Queries on Qpid setup
> >
> > Hi Kirankumar,
> > There is a typo in the cipher suite names: GSM is used instead of GCM.
> > Thus, the correct cipherSuiteWhiteList would be:
> >
> > "qpid.security.tls.cipherSuiteWhiteList":
> > "[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]"
> >
> > Please note that cipher suites TLS_AES_128_GCM_SHA256 and
> > TLS_AES_256_GCM_SHA384 have been introduced in JDK11 for TLSv1.3. They
> > cannot be used with TLSv1.2. The only TLSv1.2 cipher suite in the list is
> > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
> >
> > Regarding encryption of replication traffic, I do not have any
> > documentation/recommendation on how to set up the SSH tunnels.
> >
> > Kind Regards,
> > Alex
> >
> > On Mon, 16 Nov 2020 at 14:54, Malyala, Kirankumar <
> > [hidden email]> wrote:
> >
> > > Hi Alex,
> > >
> > > 1) We are using Qpid version 7.1.6. When we add the below context to our
> > > Port map we get an SSL handshake error; it works fine only for
> > > "qpid.security.tls.protocolWhiteList": "TLSv1.2".
> > >
> > > "qpid.security.tls.protocolWhiteList": "TLSv1.2",  --------> WORKING
> > > "qpid.security.tls.cipherSuiteWhiteList":
> > > "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"(TLS|SSL)_AES_256_GSM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
> > > --------> NOT WORKING
> > >
> > > 2) Also, please let us know which approach would be best for encrypting
> > > replicas (SSH tunnelling, stunnel or IPsec) in a Qpid setup and share
> > > its configuration documentation/procedure.
> > >
> > > Regards,
> > > Kirankumar Malyala
> > >
> > > -----Original Message-----
> > > From: Oleksandr Rudyy <[hidden email]>
> > > Sent: Wednesday, November 11, 2020 12:03 AM
> > > To: [hidden email]
> > > Subject: Re: [External] Re: Queries on Qpid setup
> > >
> > > Hi Kirankumar,
> > >
> > > The context variable can be set on any configured object. For example,
> > > you can set context variables in the attribute "context" of the Broker
> > > configured object and/or the Port configured object.
> > > The children configured objects inherit context settings from their
> > > parents. Thus, the Port configured object inherits all context
> > > settings from the Broker, as the Broker is a parent of the Port.
> > > The context settings can be overridden on the child configured object
> > > if required. For example, you can set the context variable
> > > "qpid.security.tls.protocolAllowList" on the Broker to
> > > "[\"TLSv1.2\",\"TLSv1.3\"]" to allow only TLSv1.2 and TLSv1.3 and
> > > override it on the Port to "[\"TLSv1.3\"]" in order to restrict the
> > > port connections to TLSv1.3. Another port object without the overridden
> > > context variable "qpid.security.tls.protocolAllowList" would inherit
> > > the support of TLSv1.2 and TLSv1.3 from the broker.
> > >
> > > As mentioned above, the context variables are kept in the attribute
> > > "context" as a "map" of string keys and values. You can create your
> > > initial configuration and define the context variables in the
> > > "context" attribute as illustrated in the example below:
> > >
> > > {
> > >   "name" : "${broker.name}",
> > >   "modelVersion" : "7.1",
> > >   "context": {
> > >     "qpid.security.tls.protocolAllowList": "[\"TLSv1.2\",\"TLSv1.3\"]",
> > >     "qpid.security.tls.cipherSuiteAllowList": "[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]"
> > >   },
> > >   ...
> > >   "ports": [{
> > >     "name" : "AMQP",
> > >     "port" : "${qpid.amqp_port}",
> > >     "context": {
> > >       "qpid.security.tls.protocolAllowList": "[\"TLSv1.3\"]"
> > >     },
> > >    ...
> > >    },
> > >    ...
> > >   ]
> > > }
> > >
> > > In the example above, the context variables
> > > "qpid.security.tls.protocolAllowList" and
> > > "qpid.security.tls.cipherSuiteAllowList" are defined on the broker level.
> > > The port "AMQP" has its own "context" attribute where
> > > "qpid.security.tls.protocolAllowList" is overridden. Thus, the port "AMQP"
> > > will have "qpid.security.tls.protocolAllowList" defined on the port
> > > and "qpid.security.tls.cipherSuiteAllowList" inherited from the Broker.
> > >
> > > I hope that the example above helps you to understand the context
> > > variable settings.
> > >
> > > You can update the context variables using the REST API. However, TLS
> > > needs to be configured first on the HTTP port in order to use the REST API.
> > >
> > > Kind Regards,
> > > Alex
> > >
> > > On Tue, 10 Nov 2020 at 08:47, Malyala, Kirankumar
> > > <[hidden email]> wrote:
> > >
> > > > Hi Alex,
> > > >
> > > > Thank you for your help. This is useful to look into the areas where
> > > > we wanted clarity.
> > > > I want to clarify a few things from the points which you have mentioned.
> > > >
> > > > As you mentioned, the TLS version can be set in multiple ways through
> > > > a context variable. Could you explain how we can set it in JVM settings /
> > > > config.json.
> > > >
> > > > Please share the code if you have it.
> > > >
> > > > Also, related to SSH tunnel configuration, could you share with us
> > > > any existing references which have used SSH tunnelling and the
> > > > master/replica concept. Then, it would be easier for us to mold it
> > > > as per our requirement.
> > > >
> > > > Regards,
> > > > Kirankumar Malyala
> > > >
> > > > -----Original Message-----
> > > > From: Oleksandr Rudyy <[hidden email]>
> > > > Sent: Tuesday, November 10, 2020 5:24 AM
> > > > To: [hidden email]
> > > > Subject: Re: [External] Re: Queries on Qpid setup
> > > >
> > > > Hi Kirankumar,
> > > > The AMQP and HTTP ports of Qpid Broker-J support TLS and plain TCP
> > > > transports.
> > > >
> > > > In order to enable TLS on the broker HTTP and/or AMQP ports, Keystore
> > > > configured object(s) need to be configured.
> > > > The keystore object should contain a private key and certificates
> > > > (including intermediates if required).
> > > >
> > > > A number of Keystore types are supported on the broker:
> > > > * FileKeyStore - in this type of Keystore a Java keystore is used
> > > > underneath to hold the private key and certificates
> > > > * NonJavaKeyStore - used to configure the private key and certificates
> > > > directly in PEM or DER formats
> > > >
> > > > The Broker allows users to quickly create a self-signed certificate
> > > > with a special type of Keystore called "AutoGeneratedSelfSigned"
> > > > (with Oracle JDK or OpenJDK).
> > > >
> > > > The TLS protocols and TLS cipher suites can be customised (if
> > > > required) using special context variables:
> > > > * qpid.security.tls.protocolAllowList
> > > > * qpid.security.tls.protocolDenyList
> > > > * qpid.security.tls.cipherSuiteAllowList
> > > > * qpid.security.tls.cipherSuiteDenyList
> > > > or
> > > > * qpid.security.tls.protocolWhiteList
> > > > * qpid.security.tls.protocolBlackList
> > > > * qpid.security.tls.cipherSuiteWhiteList
> > > > * qpid.security.tls.cipherSuiteBlackList
> > > >
> > > > Before 7.1.9 only the "white/black" list terminology was supported.
> > > > Starting from version 7.1.9 the alternative names "allow/deny" lists
> > > > can be used. In version 9.0 the "allow/deny" lists completely
> > > > replace the "white/black" list terminology.
> > > >
> > > > For example, you can allow only TLSv1.3 with JDK11 by setting the
> > > > context variable qpid.security.tls.protocolAllowList to "TLSv1.3".
> > > > You can specify the allowed or denied values using regular
> > > > expressions represented as JSON stringified lists.
> > > > For example, you can limit the allowed cipher suites to only some of
> > > > them by setting qpid.security.tls.cipherSuiteAllowList to
> > > > "[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]".
> > > > The same applies to deny lists.
> > > >
> > > > The context variable can be set in multiple ways:
> > > > * as JVM settings
> > > > * as command line arguments (for example, ./bin/qpid-server -prop
> > > > qpid.security.tls.protocolAllowList=TLSv1.3 )
> > > > * in a properties file system.properties (it needs to be in the broker
> > > > classpath)
> > > > * as configured object context variables (for example, a context
> > > > variable set on the Broker object using the REST API)
> > > >
> > > > The Qpid Broker HA is based on Oracle BDB JE. Unfortunately the BDB
> > > > JE does not support TLS transport. The data replication is unencrypted.
> > > > Potentially, you can use SSH tunnels, but that requires configuring
> > > > tunnels between each of the HA nodes, as the nodes communicate with each
> > > > other. I believe that it should be possible to configure SSH
> > > > tunnels, though I cannot give you any useful advice on how to do that.
> > > >
> > > > You can download Qpid Broker distribution files from the Qpid Download
> > > > page at
> > > > https://urldefense.proofpoint.com/v2/url?u=http-3A__qpid.apache.org_download.html&d=DwIBaQ&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=YdSqhSx8YFLJDN_n65eGzQ3B2rXHaWU4sFWjwmAFuqk&m=CHW762HTZYXkKklTBr0qYJvEpWV3Ro1epc3-mNfHBSc&s=7N1MM3_7tifJZgQtWDbw_lajxuHfJdWYRJR0kIGiVlg&e=
> > > >
> > > > Kind Regards,
> > > > Alex
> > > >
> > > > On Fri, 6 Nov 2020 at 04:50, Malyala, Kirankumar
> > > > <[hidden email]> wrote:
> > > >
> > > > > Hi Alex,
> > > > >
> > > > > We are using broker-j (for java). As of now, we are exploring
> > > > > version 7.
> > > > > Please do let us know if you want any other information.
> > > > >
> > > > > Regards,
> > > > > Kirankumar Malyala
> > > > >
> > > > > -----Original Message-----
> > > > > From: Oleksandr Rudyy <[hidden email]>
> > > > > Sent: Friday, November 6, 2020 5:44 AM
> > > > > To: [hidden email]
> > > > > Subject: [External] Re: Queries on Qpid setup
> > > > >
> > > > > Hi Kirankumar,
> > > > > Could you please clarify which Qpid broker exactly you are trying
> > > > > to use?
> > > > > There are two brokers in the Qpid project: the C++ broker and Broker-J
> > > > > (for Java).
> > > > >
> > > > > Are you using Qpid Broker-J?
> > > > >
> > > > > Kind regards,
> > > > > Alex
> > > > >
> > > > > On Thu, 5 Nov 2020 at 08:05, Malyala, Kirankumar
> > > > > <[hidden email]> wrote:
> > > > >
> > > > > > Hi Team,
> > > > > >
> > > > > > We have been doing some POC on Qpid. While working on the
> > > > > > configuration, we came across multiple blockers which we have
> > > > > > mentioned below.
> > > > > >
> > > > > >   *   How to use a specific version of TLS encryption for Qpid if we
> > > > > > deploy on a VM.
> > > > > >   *   We understood from the Qpid documentation that we have to deploy
> > > > > > the broker on multiple VMs to create a group and introduce
> > > > > > master/replica nodes. Any SOP on this part?
> > > > > >   *   How to apply SSL/TLS encryption to replicas in the group
> > > > > > consisting of master and replica nodes using SSH tunnel/IPsec.
> > > > > >   *   How can we fetch file in Apache
> > > > > >
> > > > > > Please let us know if someone from your team can guide us on
> > > > > > these points.
> > > > > >
> > > > > > Regards,
> > > > > > Kirankumar Malyala
> >
> > > > > >
> >
> > > > > > ________________________________
> >
> > > > > >
> >
> > > > > > This message is for the designated recipient only and may
> >
> > > > > > contain privileged, proprietary, or otherwise confidential
> >
> > > > > > information. If you have received it in error, please notify the
> >
> > > > > > sender immediately and delete the original. Any other use of the
> >
> > > > > > e-mail by you is
> >
> > > > prohibited.
> >
> > > > > > Where allowed by local law, electronic communications with
> >
> > > > > > Accenture and its affiliates, including e-mail and instant
> >
> > > > > > messaging (including content), may be scanned by our systems for
> >
> > > > > > the purposes of information security and assessment of internal
> >
> > > > > > compliance with
> >
> > > > > Accenture policy. Your privacy is important to us.
> >
> > > > > > Accenture uses your personal data only in compliance with data
> >
> > > > > > protection laws. For further information on how Accenture
> >
> > > > > > processes your personal data, please see our privacy statement
> >
> > > > > > at https://www.accenture.com/us-en/privacy-policy.
> >
> > > > > >
> >
> > > > > > ________________________________________________________________
> >
> > > > > > __
> >
> > > > > > __
> >
> > > > > > __
> >
> > > > > > ________________
> >
> > > > > >
> >
> > > > > > http://www.accenture.com
> >
> > > > > >
> >
> > > > >
> >
> > > > > ________________________________
> >
> > > > >
> >
> > > > > This message is for the designated recipient only and may contain
> >
> > > > > privileged, proprietary, or otherwise confidential information. If
> >
> > > > > you have received it in error, please notify the sender
> >
> > > > > immediately and delete the original. Any other use of the e-mail
> >
> > > > > by you is
> >
> > > prohibited.
> >
> > > > > Where allowed by local law, electronic communications with
> >
> > > > > Accenture and its affiliates, including e-mail and instant
> >
> > > > > messaging (including content), may be scanned by our systems for
> >
> > > > > the purposes of information security and assessment of internal
> >
> > > > > compliance with
> >
> > > > Accenture policy. Your privacy is important to us.
> >
> > > > > Accenture uses your personal data only in compliance with data
> >
> > > > > protection laws. For further information on how Accenture
> >
> > > > > processes your personal data, please see our privacy statement at
> >
> > > > > https://www.accenture.com/us-en/privacy-policy.
> >
> > > > >
> >
> > > > > __________________________________________________________________
> >
> > > > > __
> >
> > > > > __
> >
> > > > > ________________
> >
> > > > >
> >
> > > > > http://www.accenture.com
> >
> > > > >
> >
> > > >
> >
> > > > ________________________________
> >
> > > >
> >
> > > > This message is for the designated recipient only and may contain
> >
> > > > privileged, proprietary, or otherwise confidential information. If
> >
> > > > you have received it in error, please notify the sender immediately
> >
> > > > and delete the original. Any other use of the e-mail by you is
> > prohibited.
> >
> > > > Where allowed by local law, electronic communications with Accenture
> >
> > > > and its affiliates, including e-mail and instant messaging
> >
> > > > (including content), may be scanned by our systems for the purposes
> >
> > > > of information security and assessment of internal compliance with
> >
> > > Accenture policy. Your privacy is important to us.
> >
> > > > Accenture uses your personal data only in compliance with data
> >
> > > > protection laws. For further information on how Accenture processes
> >
> > > > your personal data, please see our privacy statement at
> >
> > > > https://www.accenture.com/us-en/privacy-policy.
> >
> > > >
> >
> > > > ____________________________________________________________________
> >
> > > > __
> >
> > > > ________________
> >
> > > >
> >
> > > > http://www.accenture.com
> >
> > > >
> >
> > >
> >
> > > ________________________________
> >
> > >
> >
> > > This message is for the designated recipient only and may contain
> >
> > > privileged, proprietary, or otherwise confidential information. If you
> >
> > > have received it in error, please notify the sender immediately and
> >
> > > delete the original. Any other use of the e-mail by you is prohibited.
> >
> > > Where allowed by local law, electronic communications with Accenture
> >
> > > and its affiliates, including e-mail and instant messaging (including
> >
> > > content), may be scanned by our systems for the purposes of
> >
> > > information security and assessment of internal compliance with
> > Accenture policy. Your privacy is important to us.
> >
> > > Accenture uses your personal data only in compliance with data
> >
> > > protection laws. For further information on how Accenture processes
> >
> > > your personal data, please see our privacy statement at
> >
> > > https://www.accenture.com/us-en/privacy-policy.
> >
> > >
> >
> > > ______________________________________________________________________
> >
> > > ________________
> >
> > >
> >
> > > http://www.accenture.com
> >
> > >
> >
> > > ---------------------------------------------------------------------
> >
> > > To unsubscribe, e-mail: [hidden email] For
> >
> > > additional commands, e-mail: [hidden email]
> >
> > >
> >
> > >
> >
> > ------------------------------
> >
> > This message is for the designated recipient only and may contain
> > privileged, proprietary, or otherwise confidential information. If you
> have
> > received it in error, please notify the sender immediately and delete the
> > original. Any other use of the e-mail by you is prohibited. Where allowed
> > by local law, electronic communications with Accenture and its
> affiliates,
> > including e-mail and instant messaging (including content), may be
> scanned
> > by our systems for the purposes of information security and assessment of
> > internal compliance with Accenture policy. Your privacy is important to
> us.
> > Accenture uses your personal data only in compliance with data protection
> > laws. For further information on how Accenture processes your personal
> > data, please see our privacy statement at
> > https://www.accenture.com/us-en/privacy-policy.
> >
> >
> ______________________________________________________________________________________
> >
> > http://www.accenture.com
> >
>
> ------------------------------
>
> This message is for the designated recipient only and may contain
> privileged, proprietary, or otherwise confidential information. If you have
> received it in error, please notify the sender immediately and delete the
> original. Any other use of the e-mail by you is prohibited. Where allowed
> by local law, electronic communications with Accenture and its affiliates,
> including e-mail and instant messaging (including content), may be scanned
> by our systems for the purposes of information security and assessment of
> internal compliance with Accenture policy. Your privacy is important to us.
> Accenture uses your personal data only in compliance with data protection
> laws. For further information on how Accenture processes your personal
> data, please see our privacy statement at
> https://www.accenture.com/us-en/privacy-policy.
>
> ______________________________________________________________________________________
>
> http://www.accenture.com
>



This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy.
______________________________________________________________________________________

www.accenture.com


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: [External] Re: Queries on Qpid setup

Robbie Gemmell
Administrator
There appears to be a loop in progress here.

Your attachments did not make it to the list, so we can't see them.
The lists are for text, and strip essentially all
attachments/insertions. Do not attach or insert things. Use text in
the email body, or else link to items - e.g. you could reference a
GitHub repo with images/config you want people to look at.

As you just keep referring to just an "error" in your mail, no one
reading the list actually has any idea at all what it is you are
seeing yet and so simply can't advise you, beyond pointing you at the
docs as I did.

On Fri, 4 Dec 2020 at 06:08, Malyala, Kirankumar
<[hidden email]> wrote:

>
> Hi,
>
> I have launched 2 ubuntu VMs and installed Qpid on them. To create HA for Qpid replication, I am trying to create a virtual host node in one of the VM's Qpid as attached (1) and getting an error (2).
>
> Please suggest me if I need to folllow any pre requisites or am going in a wrong way.
>
> Regards,
> Kirankumar Malyala
>
> ________________________________
> From: Robbie Gemmell <[hidden email]>
> Sent: 03 December 2020 22:17
> To: users <[hidden email]>
> Subject: Re: [External] Re: Queries on Qpid setup
>
> The mailing list strips all but the most trivial of attachments/insertions
> so your images did not make it, as with the previous time when Alex asked
> you to resend the information that hadn't made it. For images, you'll need
> to link to them somewhere. If you have text to send, such as an error or
> stacktrace, just send the text.
>
> The documentation around creating an HA group is at
> http://qpid.apache.org/releases/qpid-broker-j-8.0.2/book/Java-Broker-High-Availability-CreatingGroup.html
>
> On Thu, 3 Dec 2020 at 15:08, Malyala, Kirankumar
> <[hidden email]> wrote:
>
> > Hi Alex,
> >
> > When we are trying for Qpid HA setup, we are getting the below error.
> > Please guide us the steps for configuring HA in between multiple servers.
> >
> > Regards,
> > Kirankumar Malyala
> > ------------------------------
> > *From:* Oleksandr Rudyy <[hidden email]>
> > *Sent:* 18 November 2020 16:41
> > *To:* [hidden email] <[hidden email]>
> > *Subject:* Re: [External] Re: Queries on Qpid setup
> >
> > Hi Kirankumar,
> > If the broker port is configured with TLSv1.2, it will not accept
> > connection using any other TLS protocol. Thus, it is really not required to
> > provide any specific TLSv1.2 settings on the client side. Though, the JMS
> > client for AMQP 1.0 supports connection options to enable and/or disable
> > specific TLS protocols and cipher suites. You can use them to restrict the
> > TLS protocols and cipher suites to the required ones. Here are the
> > corresponding option descriptions from the client documentation [1]:
> >
> > * transport.enabledCipherSuites The cipher suites to enable, comma
> > separated. No default, meaning the context default ciphers are used. Any
> > disabled ciphers are removed from this.
> > * transport.disabledCipherSuites The cipher suites to disable, comma
> > separated. Ciphers listed here are removed from the enabled ciphers. No
> > default.
> > * transport.enabledProtocols The protocols to enable, comma separated. No
> > default, meaning the context default protocols are used. Any disabled
> > protocols are removed from this.
> > * transport.disabledProtocols The protocols to disable, comma separated.
> > Protocols listed here are removed from the enabled protocols. Default is
> > "SSLv2Hello,SSLv3".
> >
> > In general, you  need to configure TLS transport on a client connection URL
> > by simply setting protocol part of URL to amqps as in an example below
> >
> > amqps://myhost.mydomain:5671
> >
> > If a self-signed certificate is used, you need to provide a truststore with
> > all required certificates including intermediate ones.
> > You can utilize connection URL options transport.trustStoreLocation and
> > transport.trustStorePassword to set a path to the java keystore file with
> > the certificates and keystore password respectively. For example,
> >
> >
> > amqps://myhost.mydomain:5671?transport.trustStoreLocation=/path/to/trust-store.pkcs12&transport.trustStorePassword=transport
> >
> >
> > An example of connection URL with enabled TLSv1.2 is provided below
> >
> >
> > amqps://myhost.mydomain:5671?transport.trustStoreLocation=/path/to/trust-store.pkcs12&transport.trustStorePassword=transport&transport.enabledProtocols=TLSv1.2
> >
> > For more information about connection options please check client
> > documentation at [1].
> >
> > I guess that you are asking about an example of how to configure a
> > connection factory spring bean using spring xml. Please, correct me if I am
> > wrong here.
> >
> > There are multiple ways you can configure the connection factory bean in
> > the Spring framework. Please refer to the Spring documentation [2] for more details.
> >
> > Here is just an example illustrating the approach when jndi properties file
> > (jndi.properties) with connection factory settings is used to define the
> > connection URL:
> >
> > You can declare bean PropertiesFactoryBean to load Qpid client JNDI
> > configuration from a file in classpath as below
> >
> > <bean id="jndiConfiguration"
> > class="org.springframework.beans.factory.config.PropertiesFactoryBean">
> >   <property name="location" value="classpath:jndi.properties"/>
> > </bean>
> >
> > Alternatively it can be done as below
> >
> > <util:properties id="jndiConfiguration"
> > location="classpath:jndi.properties"/>
> >
> > Then, you can create a JNDI template bean referencing the jndiConfiguration
> > bean
> >
> > <bean id="jndiTemplate" class="org.springframework.jndi.JndiTemplate">
> >   <property name="environment" ref="jndiConfiguration"/>
> > </bean>
> >
> > The connection factory bean can be created using spring
> > JndiObjectFactoryBean
> >
> > <bean id="jmsConnectionFactory"
> > class="org.springframework.jndi.JndiObjectFactoryBean"
> > depends-on="jndiTemplate">
> >     <property name="jndiTemplate" ref="jndiTemplate"/>
> >     <property name="jndiName">
> >         <value>${qpid.connection.factory.jndi.name}</value>
> >     </property>
> > </bean>
> >
> > I hope the above should help you with your client set-up.
> >
> > As for the BDB HA error, the  image was stripped from the email. Please
> > resend the stack trace of the problem.
> >
> > Kind Regards,
> > Alex
> >
> > [1] http://qpid.apache.org/releases/qpid-jms-0.54.0/docs/index.html#ssl-transport-configuration-options
> > [2] https://docs.spring.io/spring-framework/docs/2.5.x/reference/jms.html
> >
> >
> > On Wed, 18 Nov 2020 at 07:48, Malyala, Kirankumar
> > <[hidden email]> wrote:
> >
> > > Hi Alex,
> > >
> > > 1) Could you provide us details how we can configure TLS 1.2 for
> > > our JMS client in JmsConnectionFactory bean using XML file.
> > >
> > > 2) When we try to set up BDB_HA, we are getting the following
> > > error.
> > >
> > > Please let me know if we are missing something.
> > >
> > > Regards,
> > > Kirankumar Malyala
> > >
> > > -----Original Message-----
> > > From: Oleksandr Rudyy <[hidden email]>
> > > Sent: Tuesday, November 17, 2020 4:02 AM
> > > To: [hidden email]
> > > Subject: Re: [External] Re: Queries on Qpid setup
> > >
> > > Hi Kirankumar,
> > > There is a typo in cipher suite names: the GSM is used instead of GCM.
> > > Thus, the correct cipherSuiteWhiteList would be:
> > >
> > > "qpid.security.tls.cipherSuiteWhiteList":
> > > "[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]"
> > >
> > > Please note that cipher suites TLS_AES_128_GCM_SHA256 and
> > > TLS_AES_256_GCM_SHA384 have been introduced in JDK11 for TLSv1.3. They
> > > cannot be used with TLSv1.2. The only TLSv1.2 cipher suite in the list is
> > > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
> > >
> > > Regarding encryption of replication traffic I do not have any
> > > documentation/recommendation on how to set up the ssh tunnels.
> > >
> > > Kind Regards,
> > > Alex
> > >
> > > On Mon, 16 Nov 2020 at 14:54, Malyala, Kirankumar <
> > > [hidden email]> wrote:
> > >
> > > > Hi Alex,
> > > >
> > > > 1) We are using Qpid 7.1.6 version. When we add below context in our
> > > > Port map getting SSL handshake error, working fine only for
> > > > "qpid.security.tls.protocolWhiteList": "TLSv1.2".
> > > >
> > > > "qpid.security.tls.protocolWhiteList": "TLSv1.2",  --------> WORKING
> > > > "qpid.security.tls.cipherSuiteWhiteList":
> > > > "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"(TLS|SSL)_AES_256_GSM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
> > > > --------> NOT WORKING
> > > >
> > > > 2) Also, please let us know which approach would be best for encrypting
> > > > replicas (SSH tunneling, stunnel or IPsec) in Qpid setup and share
> > > > its configuration documentation/procedure.
> > > >
> > > > Regards,
> > > > Kirankumar Malyala
> > > >
> > > > -----Original Message-----
> > > > From: Oleksandr Rudyy <[hidden email]>
> > > > Sent: Wednesday, November 11, 2020 12:03 AM
> > > > To: [hidden email]
> > > > Subject: Re: [External] Re: Queries on Qpid setup
> > > >
> > > > Hi Kirankumar,
> > > >
> > > > The context variable can be set on any configured object. For example,
> > > > you can set context variables in the attribute "context" of Broker
> > > > configured object or/and Port configured object.
> > > > The children configured objects inherit context settings from their
> > > > parents. Thus, the Port configured object inherits all context
> > > > settings from the Broker as Broker is a parent of the Port.
> > > > The context settings can be overridden on the child configured object
> > > > if required. For example, you can set the context variable
> > > > "qpid.security.tls.protocolAllowList" on the Broker to
> > > > "[\"TLSv1.2\",\"TLSv1.3\"]" to allow only TLSv1.2 and TLSv1.3 and
> > > > override it on the Port to "[\"TLSv1.3\"]" in order to restrict the
> > > > port connections to TLSv1.3. Another port object without overridden
> > > > context variable "qpid.security.tls.protocolAllowList" would inherit
> > > > the support of TLSv1.2 and TLSv1.3 from the broker.
> > > >
> > > > As mentioned above, the context variables are kept in the attributes
> > > > "context" as a "map" of string keys and values. You can create your
> > > > initial configuration and define the context variables in the
> > > > "context" attribute as illustrated in the example below:
> > > >
> > > > {
> > > >   "name" : "${broker.name}",
> > > >   "modelVersion" : "7.1",
> > > >   "context": {
> > > >     "qpid.security.tls.protocolAllowList": "[\"TLSv1.2\",\"TLSv1.3\"]",
> > > >     "qpid.security.tls.cipherSuiteAllowList":
> > > > "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"TLS|SSL)_AES_256_GSM_SHA384\",\"TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
> > > >   },
> > > >   ...
> > > >   "ports": [{
> > > >     "name" : "AMQP",
> > > >     "port" : "${qpid.amqp_port}",
> > > >     "context": {
> > > >       "qpid.security.tls.protocolAllowList": "[\"TLSv1.3\"]",
> > > >     },
> > > >    ...
> > > >    },
> > > >    ...
> > > >   ]
> > > > }
> > > >
> > > > In the example above, the context variables
> > > > "qpid.security.tls.protocolAllowList" and
> > > > "qpid.security.tls.cipherSuiteAllowList" are defined on the broker level.
> > > > The port "AMQP" has its own "context" attribute where
> > > > "qpid.security.tls.protocolAllowList" is overridden. Thus, the port "AMQP"
> > > > will have "qpid.security.tls.protocolAllowList" defined on the port
> > > > and "qpid.security.tls.cipherSuiteAllowList" inherited from the Broker.
> > > >
> > > > I hope that the example above helps you to understand the context
> > > > variable settings.
> > > >
> > > > You can update the context variables using REST API. Though, the TLS
> > > > needs to be configured first on the HTTP port in order to use REST API.
> > > >
> > > > Kind Regards,
> > > > Alex
> > > >
> > > > On Tue, 10 Nov 2020 at 08:47, Malyala, Kirankumar
> > > > <[hidden email]> wrote:
> > > >
> > > > > Hi Alex,
> > > > >
> > > > > Thank you for your help. This is useful to look into the areas where
> > > > > we wanted clarity.
> > > > > I want to clear a few things from the points which you have mentioned.
> > > > >
> > > > > As you mentioned, the TLS version can be set in multiple ways through
> > > > > context variable. Could you explain how we can set it in JVM settings
> > > > > config.json.
> > > > >
> > > > > Please share the code if you have it.
> > > > >
> > > > > Also, related to ssh tunnel configuration, could you share with us
> > > > > any existing references which have used ssh tunneling and
> > > > > master/replica concept. Then, it would be easier for us to mold it
> > > > > as per our requirement.
> > > > >
> > > > > Regards,
> > > > > Kirankumar Malyala
> > > > >
> > > > > -----Original Message-----
> > > > > From: Oleksandr Rudyy <[hidden email]>
> > > > > Sent: Tuesday, November 10, 2020 5:24 AM
> > > > > To: [hidden email]
> > > > > Subject: Re: [External] Re: Queries on Qpid setup
> > > > >
> > > > > Hi Kirankumar,
> > > > > The AMQP and HTTP ports of Qpid Broker-J support TLS and plain TCP
> > > > > transports.
> > > > >
> > > > > In order to enable TLS on broker HTTP or/and AMQP ports Keystore
> > > > > configured object(s) needs to be configured.
> > > > > The keystore object should contain a private key and certificates
> > > > > (including intermediates if required).
> > > > >
> > > > > A number of Keystore types are supported on the broker:
> > > > > * FileKeyStore - in this type of Keystore a java keystore is used
> > > > > underneath to hold the private key and certificates
> > > > > * NonJavaKeyStore - used to configure private key and certificates
> > > > > directly in PEM or DER formats
> > > > >
> > > > > The Broker allows users to quickly create a self-signed certificate
> > > > > with a special type of Keystore called "AutoGeneratedSelfSigned"
> > > > > (with Oracle JDK or OpenJDK).
> > > > >
> > > > > The TLS protocols and TLS cipher suites can be customised (if
> > > > > required) using special context variables:
> > > > > * qpid.security.tls.protocolAllowList
> > > > > * qpid.security.tls.protocolDenyList
> > > > > * qpid.security.tls.cipherSuiteAllowList
> > > > > * qpid.security.tls.cipherSuiteDenyList
> > > > > or
> > > > > * qpid.security.tls.protocolWhiteList
> > > > > * qpid.security.tls.protocolBlackList
> > > > > * qpid.security.tls.cipherSuiteWhiteList
> > > > > * qpid.security.tls.cipherSuiteBlackList
> > > > >
> > > > > Before 7.1.9 only "white/black" list terminology was supported.
> > > > > Starting from version 7.1.9 the alternative names "allow/deny" lists
> > > > > can be used. In version 9.0 the "allow/deny" lists completely
> > > > > replace "white/black" list terminology.
> > > > >
> > > > > For example, you can allow only TLSv1.3 with JDK11 by setting
> > > > > context variable qpid.security.tls.protocolAllowList to "TLSv1.3".
> > > > > You can specify the allowed or denied values using regular
> > > > > expressions represented as JSON stringified lists.
> > > > > For example, you can limit allowed cipher suites to only some of
> > > > > them by setting qpid.security.tls.cipherSuiteAllowList to
> > > > > "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"TLS|SSL)_AES_256_GSM_SHA384\",\"TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]".
> > > > > The same applies to deny lists.
> > > > >
> > > > > The context variable can be set in multiple ways:
> > > > > * as JVM settings
> > > > > * as command line arguments (for example, ./bin/qpid-server -prop
> > > > > qpid.security.tls.protocolAllowList=TLSv1.3 )
> > > > > * in a properties file system.properties (it needs to be in broker
> > > > > classpath)
> > > > > * as configured object context variables (for example, context
> > > > > variable set on the Broker object using REST API)
> > > > >
> > > > > The Qpid Broker HA is based on Oracle BDB JE. Unfortunately the BDB
> > > > > JE does not support TLS transport. The data replication is unencrypted.
> > > > > Potentially, you can use SSH tunnels, but that requires configuring
> > > > > tunnels between each of HA nodes, as the nodes communicate with each
> > > > > other. I believe that it should be possible to configure SSH
> > > > > tunnels, though I cannot give you any useful advice on how to do that.
> > > > >
> > > > > You can download Qpid Broker distribution files from Qpid Download
> > > > > page at http://qpid.apache.org/download.html.
> > > > >
> > > > > Kind Regards,
> > > > > Alex
> > > > >
> > > > > On Fri, 6 Nov 2020 at 04:50, Malyala, Kirankumar
> > > > > <[hidden email]> wrote:
> > > > >
> > > > > > Hi Alex,
> > > > > >
> > > > > > We are using broker-j (for java). As of now, we are exploring on
> > > > > > version 7.
> > > > > > Please do let us know if you want any other information.
> > > > > >
> > > > > > Regards,
> > > > > > Kirankumar Malyala
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Oleksandr Rudyy <[hidden email]>
> > > > > > Sent: Friday, November 6, 2020 5:44 AM
> > > > > > To: [hidden email]
> > > > > > Subject: [External] Re: Queries on Qpid setup
> > > > > >
> > > > > > Hi Kirankumar,
> > > > > > Could you please clarify what exactly Qpid broker are you trying
> > > > > > to use?
> > > > > > There are two brokers in Qpid project: c++ broker and broker-j
> > > > > > (for java).
> > > > > >
> > > > > > Are you using Qpid Broker-J?
> > > > > >
> > > > > > Kind regards,
> > > > > > Alex
> > > > > >
> > > > > > On Thu, 5 Nov 2020 at 08:05, Malyala, Kirankumar
> > > > > > <[hidden email]> wrote:
> > > > > >
> > > > > > > Hi Team,
> > > > > > >
> > > > > > > We have been doing some POC on Qpid. While working on the
> > > > > > > configuration, we came across multiple blockers which we have
> > > > > > > mentioned below.
> > > > > > >
> > > > > > >   *   How to use a specific version of TLS encryption for Qpid if we
> > > > > > > deploy on VM.
> > > > > > >   *   We understood from the Qpid documentation that we have to deploy
> > > > > > > broker on multiple VM's to create a group and introduce
> > > > > > > master/replica nodes. Any SOP on this part ?
> > > > > > >   *   How to apply SSL/TLS encryption to replicas in the group consists of
> > > > > > > master and replica nodes using SSH tunnel/IPsec.
> > > > > > >   *   How can we fetch file in Apache
> > > > > > >
> > > > > > > Please let us know if some one from your team can guide us on
> > > > > > > these points.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Kirankumar Malyala
> > > > > > >
> > >
> > > > > > > ________________________________
> > >
> > > > > > >
> > >
> > > > > > > This message is for the designated recipient only and may
> > >
> > > > > > > contain privileged, proprietary, or otherwise confidential
> > >
> > > > > > > information. If you have received it in error, please notify the
> > >
> > > > > > > sender immediately and delete the original. Any other use of the
> > >
> > > > > > > e-mail by you is
> > >
> > > > > prohibited.
> > >
> > > > > > > Where allowed by local law, electronic communications with
> > >
> > > > > > > Accenture and its affiliates, including e-mail and instant
> > >
> > > > > > > messaging (including content), may be scanned by our systems for
> > >
> > > > > > > the purposes of information security and assessment of internal
> > >
> > > > > > > compliance with
> > >
> > > > > > Accenture policy. Your privacy is important to us.
> > >
> > > > > > > Accenture uses your personal data only in compliance with data
> > >
> > > > > > > protection laws. For further information on how Accenture
> > >
> > > > > > > processes your personal data, please see our privacy statement
> > >
> > > > > > > at https://www.accenture.com/us-en/privacy-policy.
> > >
> > > > > > >
> > >
> > > > > > > ________________________________________________________________
> > >
> > > > > > > __
> > >
> > > > > > > __
> > >
> > > > > > > __
> > >
> > > > > > > ________________
> > >
> > > > > > >
> > >
> > > > > > > http://www.accenture.com
> > >
> > > > > > >
> > >
> > > > > >
> > >
> > > > > > ________________________________
> > >
> > > > > >
> > >
> > > > > > This message is for the designated recipient only and may contain
> > >
> > > > > > privileged, proprietary, or otherwise confidential information. If
> > >
> > > > > > you have received it in error, please notify the sender
> > >
> > > > > > immediately and delete the original. Any other use of the e-mail
> > >
> > > > > > by you is
> > >
> > > > prohibited.
> > >
> > > > > > Where allowed by local law, electronic communications with
> > >
> > > > > > Accenture and its affiliates, including e-mail and instant
> > >
> > > > > > messaging (including content), may be scanned by our systems for
> > >
> > > > > > the purposes of information security and assessment of internal
> > >
> > > > > > compliance with
> > >
> > > > > Accenture policy. Your privacy is important to us.
> > >
> > > > > > Accenture uses your personal data only in compliance with data
> > >
> > > > > > protection laws. For further information on how Accenture
> > >
> > > > > > processes your personal data, please see our privacy statement at
> > >
> > > > > > https://www.accenture.com/us-en/privacy-policy.
> > >
> > > > > >
> > >
> > > > > > __________________________________________________________________
> > >
> > > > > > __
> > >
> > > > > > __
> > >
> > > > > > ________________
> > >
> > > > > >
> > >
> > > > > > http://www.accenture.com
> > >
> > > > > >
> > >
> > > > >
> > >
> > > > > ________________________________
> > >
> > > > >
> > >
> > > > > This message is for the designated recipient only and may contain
> > >
> > > > > privileged, proprietary, or otherwise confidential information. If
> > >
> > > > > you have received it in error, please notify the sender immediately
> > >
> > > > > and delete the original. Any other use of the e-mail by you is
> > > prohibited.
> > >
> > > > > Where allowed by local law, electronic communications with Accenture
> > >
> > > > > and its affiliates, including e-mail and instant messaging
> > >
> > > > > (including content), may be scanned by our systems for the purposes
> > >
> > > > > of information security and assessment of internal compliance with
> > >
> > > > Accenture policy. Your privacy is important to us.
> > >
> > > > > Accenture uses your personal data only in compliance with data
> > >
> > > > > protection laws. For further information on how Accenture processes
> > >
> > > > > your personal data, please see our privacy statement at
> > >
> > > > > https://www.accenture.com/us-en/privacy-policy.
> > >
> > > > >
> > >
> > > > > ____________________________________________________________________
> > >
> > > > > __
> > >
> > > > > ________________
> > >
> > > > >
> > >
> > > > > http://www.accenture.com
> > >
> > > > >
> > >
> > > >
> > >
> > > > ________________________________
> > >
> > > >
> > >
> > > > This message is for the designated recipient only and may contain
> > >
> > > > privileged, proprietary, or otherwise confidential information. If you
> > >
> > > > have received it in error, please notify the sender immediately and
> > >
> > > > delete the original. Any other use of the e-mail by you is prohibited.
> > >
> > > > Where allowed by local law, electronic communications with Accenture
> > >
> > > > and its affiliates, including e-mail and instant messaging (including
> > >
> > > > content), may be scanned by our systems for the purposes of
> > >
> > > > information security and assessment of internal compliance with
> > > Accenture policy. Your privacy is important to us.
> > >
> > > > Accenture uses your personal data only in compliance with data
> > >
> > > > protection laws. For further information on how Accenture processes
> > >
> > > > your personal data, please see our privacy statement at
> > >
> > > > https://www.accenture.com/us-en/privacy-policy.
> > >
> > > >
> > >
> > > > ______________________________________________________________________
> > >
> > > > ________________
> > >
> > > >
> > >
> > > > http://www.accenture.com
> > >
> > > >
> > >
> > > > ---------------------------------------------------------------------
> > >
> > > > To unsubscribe, e-mail: [hidden email] For
> > >
> > > > additional commands, e-mail: [hidden email]
> > >
> > > >
> > >
> > > >
> > >
> > > ------------------------------
> > >
> > > This message is for the designated recipient only and may contain
> > > privileged, proprietary, or otherwise confidential information. If you
> > have
> > > received it in error, please notify the sender immediately and delete the
> > > original. Any other use of the e-mail by you is prohibited. Where allowed
> > > by local law, electronic communications with Accenture and its
> > affiliates,
> > > including e-mail and instant messaging (including content), may be
> > scanned
> > > by our systems for the purposes of information security and assessment of
> > > internal compliance with Accenture policy. Your privacy is important to
> > us.
> > > Accenture uses your personal data only in compliance with data protection
> > > laws. For further information on how Accenture processes your personal
> > > data, please see our privacy statement at
> > > https://www.accenture.com/us-en/privacy-policy.
> > >
> > >
> > ______________________________________________________________________________________
> > >
> > > http://www.accenture.com
> > >
> >
> > ------------------------------
> >
> > This message is for the designated recipient only and may contain
> > privileged, proprietary, or otherwise confidential information. If you have
> > received it in error, please notify the sender immediately and delete the
> > original. Any other use of the e-mail by you is prohibited. Where allowed
> > by local law, electronic communications with Accenture and its affiliates,
> > including e-mail and instant messaging (including content), may be scanned
> > by our systems for the purposes of information security and assessment of
> > internal compliance with Accenture policy. Your privacy is important to us.
> > Accenture uses your personal data only in compliance with data protection
> > laws. For further information on how Accenture processes your personal
> > data, please see our privacy statement at
> > https://www.accenture.com/us-en/privacy-policy.
> >
> > ______________________________________________________________________________________
> >
> > http://www.accenture.com
> >
>
> ________________________________
>
> This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at https://www.accenture.com/us-en/privacy-policy.
> ______________________________________________________________________________________
>
> www.accenture.com
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: [External] Re: Queries on Qpid setup

Malyala, Kirankumar
Hi,

Sorry for that.
I am attaching the error messages as text

Virtual Host Node
Name*:
Type*:
Create new group or join existing group*:
Group name*:
Address*:
Store path:
path/to/store
Permitted group nodes
Permitted addresses*:

65.0.21.17:5000

13.127.218.84:6000
-
Address:
host:port
+
Upload virtualhost configuration from file:
Context variables
Virtual Host
Type*:
The virtualhost will have the same name as the group.


422 - Cannot bind to address '65.0.21.17:5000'. Address is already in use.
Please correct the problem and retry your operation.

Regards,
Kirankumar Malyala

________________________________
From: Robbie Gemmell <[hidden email]>
Sent: 04 December 2020 15:34
To: users <[hidden email]>
Subject: Re: [External] Re: Queries on Qpid setup

There appears to be a loop in progress here.

Your attachments did not make it to the list, so we can't see them.
The lists are for text, and strip essentially all
attachments/insertions. Do not attach or insert things. Use text in
the email body, or else link to items - e.g. you could reference a
GitHub repo with images/config you want people to look at.

As you just keep referring to an "error" in your mail, no one
reading the list actually has any idea at all what it is you are
seeing yet and so simply can't advise you, beyond pointing you at the
docs as I did.

On Fri, 4 Dec 2020 at 06:08, Malyala, Kirankumar
<[hidden email]> wrote:

>
> Hi,
>
> I have launched 2 Ubuntu VMs and installed Qpid on them. To create HA for Qpid replication, I am trying to create a virtual host node in one of the VM's Qpid as attached (1) and getting an error (2).
>
> Please suggest if I need to follow any prerequisites or am going in a wrong way.
>
> Regards,
> Kirankumar Malyala
>
> ________________________________
> From: Robbie Gemmell <[hidden email]>
> Sent: 03 December 2020 22:17
> To: users <[hidden email]>
> Subject: Re: [External] Re: Queries on Qpid setup
>
> The mailing list strips all but the most trivial of attachments/insertions
> so your images did not make it, as with the previous time when Alex asked
> you to resend the information that hadn't made it. For images, you'll need
> to link to them somewhere. If you have text to send, such as an error or
> stacktrace, just send the text.
>
> The documentation around creating an HA group is at
> http://qpid.apache.org/releases/qpid-broker-j-8.0.2/book/Java-Broker-High-Availability-CreatingGroup.html
>
> On Thu, 3 Dec 2020 at 15:08, Malyala, Kirankumar
> <[hidden email]> wrote:
>
> > Hi Alex,
> >
> > When we are trying for Qpid HA setup, we are getting the below error.
> > Please guide us the steps for configuring HA in between multiple servers.
> >
> >
> >
> >
> >
> > Regards,
> > Kirankumar Malyala
> > ------------------------------
> > *From:* Oleksandr Rudyy <[hidden email]>
> > *Sent:* 18 November 2020 16:41
> > *To:* [hidden email] <[hidden email]>
> > *Subject:* Re: [External] Re: Queries on Qpid setup
> >
> > Hi Kirankumar,
> > If the broker port is configured with TLSv1.2, it will not accept
> > connection using any other TLS protocol. Thus, it is really not required to
> > provide any specific TLSv1.2 settings on the client side. Though, the JMS
> > client for AMQP 1.0 supports connection options to enable and/or disable
> > specific TLS protocols and cipher suites. You can use them to restrict the
> > TLS protocols and cipher suites to the required ones. Here are the
> > corresponding option descriptions from the client documentation [1]:
> >
> > * transport.enabledCipherSuites The cipher suites to enable, comma
> > separated. No default, meaning the context default ciphers are used. Any
> > disabled ciphers are removed from this.
> > * transport.disabledCipherSuites The cipher suites to disable, comma
> > separated. Ciphers listed here are removed from the enabled ciphers. No
> > default.
> > * transport.enabledProtocols The protocols to enable, comma separated. No
> > default, meaning the context default protocols are used. Any disabled
> > protocols are removed from this.
> > * transport.disabledProtocols The protocols to disable, comma separated.
> > Protocols listed here are removed from the enabled protocols. Default is
> > "SSLv2Hello,SSLv3".
> >
> > In general, you need to configure TLS transport on a client connection URL
> > by simply setting the protocol part of the URL to amqps, as in the example below
> >
> > amqps://myhost.mydomain:5671
> >
> > If a self-signed certificate is used, you need to provide a truststore with
> > all required certificates including intermediate ones.
> > You can utilize connection URL options transport.trustStoreLocation and
> > transport.trustStorePassword to set a path to the java keystore file with
> > the certificates and keystore password respectively. For example,
> >
> >
> > amqps://myhost.mydomain:5671?transport.trustStoreLocation=/path/to/trust-store.pkcs12&transport.trustStorePassword=transport
> >
> >
> > An example of connection URL with enabled TLSv1.2 is provided below
> >
> >
> > amqps://myhost.mydomain:5671?transport.trustStoreLocation=/path/to/trust-store.pkcs12&transport.trustStorePassword=transport&transport.enabledProtocols=TLSv1.2
> >
> > For more information about connection options please check client
> > documentation at [1].
> >
> > I guess that you are asking about an example of how to configure a
> > connection factory spring bean using spring xml. Please, correct me if I am
> > wrong here.
> >
> > There are multiple ways you can configure the connection factory bean in
> > spring framework. Please refer to the spring documentation [2] for more details.
> >
> > Here is just an example illustrating the approach when a jndi properties file
> > (jndi.properties) with connection factory settings is used to define the
> > connection URL:
> >
> > You can declare a PropertiesFactoryBean bean to load Qpid client JNDI
> > configuration from a file in classpath as below
> >
> > <bean id="jndiConfiguration"
> > class="org.springframework.beans.factory.config.PropertiesFactoryBean">
> >   <property name="location" value="classpath:jndi.properties"/>
> > </bean>
> >
> > Alternatively it can be done as below
> >
> > <util:properties id="jndiConfiguration"
> > location="classpath:jndi.properties"/>
> >
> > Then, you can create a JNDI template bean referencing the jndiConfiguration
> > bean
> >
> > <bean id="jndiTemplate" class="org.springframework.jndi.JndiTemplate">
> >   <property name="environment" ref="jndiConfiguration"/>
> > </bean>
> >
> > The connection factory bean can be created using spring
> > JndiObjectFactoryBean
> >
> > <bean id="jmsConnectionFactory"
> > class="org.springframework.jndi.JndiObjectFactoryBean"
> > depends-on="jndiTemplate">
> >     <property name="jndiTemplate" ref="jndiTemplate"/>
> >     <property name="jndiName">
> >         <value>${qpid.connection.factory.jndi.name}</value>
> >     </property>
> > </bean>
> >
> > I hope the above should help you with your client set-up.
> >
> > As for the BDB HA error, the  image was stripped from the email. Please
> > resend the stack trace of the problem.
> >
> > Kind Regards,
> > Alex
> >
> > [1]
> > http://qpid.apache.org/releases/qpid-jms-0.54.0/docs/index.html#ssl-transport-configuration-options
> > [2]
> > https://docs.spring.io/spring-framework/docs/2.5.x/reference/jms.html
> >
> >
> > On Wed, 18 Nov 2020 at 07:48, Malyala, Kirankumar
> > <[hidden email]> wrote:
> >
> > > Hi Alex,
> > >
> > > 1) Could you provide us details how we can configure TLS 1.2 for
> > > our JMS client in JmsConnectionFactory bean using XML file.
> > >
> > > 2) When we try to set up BDB_HA, we are getting the following
> > > error.
> > >
> > > Please let me know if we are missing something.
> > >
> > > Regards,
> > > Kirankumar Malyala
> > >
> > > -----Original Message-----
> > > From: Oleksandr Rudyy <[hidden email]>
> > > Sent: Tuesday, November 17, 2020 4:02 AM
> > > To: [hidden email]
> > > Subject: Re: [External] Re: Queries on Qpid setup
> > >
> > > Hi Kirankumar,
> > > There is a typo in cipher suite names: the GSM is used instead of GCM.
> > > Thus, the correct cipherSuiteWhiteList would be:
> > >
> > > "qpid.security.tls.cipherSuiteWhiteList":
> > > "[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]"
> > >
> > > Please note that cipher suites TLS_AES_128_GCM_SHA256 and
> > > TLS_AES_256_GCM_SHA384 have been introduced in JDK11 for TLSv1.3. They
> > > cannot be used with TLSv1.2. The only TLSv1.2 cipher suite in the list is
> > > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
> > >
> > > Regarding encryption of replication traffic I do not have any
> > > documentation/recommendation on how to set up the ssh tunnels.
> > >
> > > Kind Regards,
> > > Alex
> > >
> > > On Mon, 16 Nov 2020 at 14:54, Malyala, Kirankumar <
> > > [hidden email]> wrote:
> > >
> > > >
> > > > Hi Alex,
> > > >
> > > > 1) We are using Qpid 7.1.6 version. When we add the below context in our
> > > > Port map, we get an SSL handshake error; it is working fine only for
> > > > "qpid.security.tls.protocolWhiteList": "TLSv1.2".
> > > >
> > > > "qpid.security.tls.protocolWhiteList": "TLSv1.2",  --------> WORKING
> > > > "qpid.security.tls.cipherSuiteWhiteList":
> > > > "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"(TLS|SSL)_AES_256_GSM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
> > > > --------> NOT WORKING
> > > >
> > > > 2) Also, please let us know which approach would be best for encrypting
> > > > replicas (SSH tunneling, S Tunnel or IPSec) in Qpid setup and share
> > > > its configuration documentation/procedure.
> > > >
> > > > Regards,
> > > > Kirankumar Malyala
> > > >
> > > > -----Original Message-----
> > > > From: Oleksandr Rudyy <[hidden email]>
> > > > Sent: Wednesday, November 11, 2020 12:03 AM
> > > > To: [hidden email]
> > > > Subject: Re: [External] Re: Queries on Qpid setup
> > > >
> > > > Hi Kirankumar,
> > > >
> > > > The context variable can be set on any configured object. For example,
> > > > you can set context variables in the attribute "context" of the Broker
> > > > configured object and/or the Port configured object.
> > > > The children configured objects inherit context settings from their
> > > > parents. Thus, the Port configured object inherits all context
> > > > settings from the Broker as the Broker is a parent of the Port.
> > > > The context settings can be overridden on the child configured object
> > > > if required. For example, you can set the context variable
> > > > "qpid.security.tls.protocolAllowList" on the Broker to
> > > > "[\"TLSv1.2\",\"TLSv1.3\"]" to allow only TLSv1.2 and TLSv1.3 and
> > > > override it on the Port to "[\"TLSv1.3\"]" in order to restrict the
> > > > port connections to TLSv1.3. Another port object without the overridden
> > > > context variable "qpid.security.tls.protocolAllowList" would inherit
> > > > the support of TLSv1.2 and TLSv1.3 from the broker.
> > > >
> > > > As mentioned above, the context variables are kept in the attribute
> > > > "context" as a "map" of string keys and values. You can create your
> > > > initial configuration and define the context variables in the
> > > > "context" attribute as illustrated in the example below:
> > > >
> > > > {
> > > >   "name" : "${broker.name}",
> > > >   "modelVersion" : "7.1",
> > > >   "context": {
> > > >     "qpid.security.tls.protocolAllowList": "[\"TLSv1.2\",\"TLSv1.3\"]",
> > > >     "qpid.security.tls.cipherSuiteAllowList":
> > > > "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"(TLS|SSL)_AES_256_GSM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
> > > >   },
> > > >   ...
> > > >   "ports": [{
> > > >     "name" : "AMQP",
> > > >     "port" : "${qpid.amqp_port}",
> > > >     "context": {
> > > >       "qpid.security.tls.protocolAllowList": "[\"TLSv1.3\"]",
> > > >     },
> > > >    ...
> > > >    },
> > > >    ...
> > > >   ]
> > > > }
> > > >
> > > > In the example above, the context variables
> > > > "qpid.security.tls.protocolAllowList" and
> > > > "qpid.security.tls.cipherSuiteAllowList" are defined on the broker level.
> > > > The port "AMQP" has its own "context" attribute where
> > > > "qpid.security.tls.protocolAllowList" is overridden. Thus, the port "AMQP"
> > > > will have "qpid.security.tls.protocolAllowList" defined on the port
> > > > and "qpid.security.tls.cipherSuiteAllowList" inherited from the Broker.
> > > >
> > > > I hope that the example above helps you to understand the context
> > > > variable settings.
> > > >
> > > > You can update the context variables using the REST API. Though, the TLS
> > > > needs to be configured first on the HTTP port in order to use the REST API.
> > > >
> > > > Kind Regards,
> > > > Alex
> > > >
> > > > On Tue, 10 Nov 2020 at 08:47, Malyala, Kirankumar
> > > > <[hidden email]> wrote:
> > > >
> > > > > Hi Alex,
> > > > >
> > > > > Thank you for your help. This is useful to look into the areas where
> > > > > we wanted clarity.
> > > > > I want to clear a few things from the points which you have mentioned.
> > > > >
> > > > > As you mentioned, the TLS version can be set in multiple ways through
> > > > > a context variable. Could you explain how we can set it in JVM settings
> > > > > config.json.
> > > > >
> > > > > Please share the code if you have it.
> > > > >
> > > > > Also, related to ssh tunnel configuration, could you share with us
> > > > > any existing references which have used ssh tunneling and the
> > > > > master/replica concept. Then, it would be easier for us to mold it
> > > > > as per our requirement.
> > > > >
> > > > > Regards,
> > > > > Kirankumar Malyala
> > > > >
> > > > > -----Original Message-----
> > > > > From: Oleksandr Rudyy <[hidden email]>
> > > > > Sent: Tuesday, November 10, 2020 5:24 AM
> > > > > To: [hidden email]
> > > > > Subject: Re: [External] Re: Queries on Qpid setup
> > > > >
> > > > > Hi Kirankumar,
> > > > > The AMQP and HTTP ports of Qpid Broker-J support TLS and plain TCP
> > > > > transports.
> > > > >
> > > > > In order to enable TLS on broker HTTP and/or AMQP ports, Keystore
> > > > > configured object(s) need to be configured.
> > > > > The keystore object should contain a private key and certificates
> > > > > (including intermediates if required).
> > > > >
> > > > > A number of Keystore types are supported on the broker:
> > > > > * FileKeyStore - in this type of Keystore a java keystore is used
> > > > > underneath to hold the private key and certificates
> > > > > * NonJavaKeyStore - used to configure private key and certificates
> > > > > directly in PEM or DER formats
> > > > >
> > > > > The Broker allows users to quickly create a self-signed certificate
> > > > > with a special type of Keystore called "AutoGeneratedSelfSigned"
> > > > > (with Oracle JDK or OpenJDK).
> > > > >
> > > > > The TLS protocols and TLS cipher suites can be customised (if
> > > > > required) using special context variables:
> > > > > * qpid.security.tls.protocolAllowList
> > > > > * qpid.security.tls.protocolDenyList
> > > > > * qpid.security.tls.cipherSuiteAllowList
> > > > > * qpid.security.tls.cipherSuiteDenyList
> > > > > or
> > > > > * qpid.security.tls.protocolWhiteList
> > > > > * qpid.security.tls.protocolBlackList
> > > > > * qpid.security.tls.cipherSuiteWhiteList
> > > > > * qpid.security.tls.cipherSuiteBlackList
> > > > >
> > > > > Before 7.1.9 only "white/black" list terminology was supported.
> > > > > Starting from version 7.1.9 the alternative names "allow/deny" lists
> > > > > can be used. In version 9.0 the "allow/deny" lists completely
> > > > > replace "white/black" list terminology.
> > > > >
> > > > > For example, you can allow only TLSv1.3 with JDK11 by setting
> > > > > context variable qpid.security.tls.protocolAllowList to "TLSv1.3".
> > > > > You can specify the allowed or denied values using regular
> > > > > expressions represented as JSON stringified lists.
> > > > > For example, you can limit allowed cipher suites to only some of
> > > > > them by setting qpid.security.tls.cipherSuiteAllowList to
> > > > > "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"(TLS|SSL)_AES_256_GSM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]".
> > > > > The same applies to deny lists.
> > > > >
> > > > > The context variable can be set in multiple ways:
> > > > > * as JVM settings
> > > > > * as command line arguments (for example, ./bin/qpid-server -prop
> > > > > qpid.security.tls.protocolAllowList=TLSv1.3 )
> > > > > * in a properties file system.properties (it needs to be in the broker
> > > > > classpath)
> > > > > * as configured object context variables (for example, a context
> > > > > variable set on the Broker object using the REST API)
> > > > >
> > > > > The Qpid Broker HA is based on Oracle BDB JE. Unfortunately the BDB
> > > > > JE does not support TLS transport. The data replication is unencrypted.
> > > > > Potentially, you can use SSH tunnels, but that requires configuring
> > > > > tunnels between each of the HA nodes, as the nodes communicate with each
> > > > > other. I believe that it should be possible to configure SSH
> > > > > tunnels, though I cannot give you any useful advice on how to do that.
> > > > >
> > > > > You can download Qpid Broker distribution files from the Qpid Download
> > > > > page at http://qpid.apache.org/download.html.
> > > > >
> > > > > Kind Regards,
> > > > > Alex
> > > > >
> > > > > On Fri, 6 Nov 2020 at 04:50, Malyala, Kirankumar
> > > > > <[hidden email]> wrote:
> > > > >
> > > > > > Hi Alex,
> > > > > >
> > > > > > We are using broker-j (for java). As of now, we are exploring on
> > > > > > version 7.
> > > > > > Please do let us know if you want any other information.
> > > > > >
> > > > > > Regards,
> > > > > > Kirankumar Malyala
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Oleksandr Rudyy <[hidden email]>
> > > > > > Sent: Friday, November 6, 2020 5:44 AM
> > > > > > To: [hidden email]
> > > > > > Subject: [External] Re: Queries on Qpid setup
> > > > > >
> > > > > > Hi Kirankumar,
> > > > > > Could you please clarify which Qpid broker exactly you are trying to use?
> > > > > > There are two brokers in the Qpid project: the c++ broker and broker-j (for java).
> > > > > >
> > > > > > Are you using Qpid Broker-J?
> > > > > >
> > > > > > Kind regards,
> > > > > > Alex
> > > > > >
> > > > > > On Thu, 5 Nov 2020 at 08:05, Malyala, Kirankumar
> > > > > > <[hidden email]> wrote:
> > > > > >
> > > > > > > Hi Team,
> > > > > > >
> > > > > > > We have been doing some POC on Qpid. While working on the
> > > > > > > configuration, we came across multiple blockers which we have
> > > > > > > mentioned below.
> > > > > > >
> > > > > > >   *   How to use a specific version of TLS encryption for Qpid if we
> > > > > > > deploy on VM.
> > > > > > >   *   We understood from the Qpid documentation that we have to deploy
> > > > > > > broker on multiple VM's to create a group and introduce
> > > > > > > master/replica nodes. Any SOP on this part?
> > > > > > >   *   How to apply SSL/TLS encryption to replicas in the group consisting
> > > > > > > of master and replica nodes using SSH tunnel/IPsec.
> > > > > > >   *   How can we fetch file in Apache
> > > > > > >
> > > > > > > Please let us know if someone from your team can guide us on
> > > > > > > these points.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Kirankumar Malyala
> > > > > > >

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

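As an added example (not code from the Qpid project or from anyone in this thread), here is a small Python checker that applies the rules Alex lays out in the quoted thread below: a Port inherits the Broker's "context" map and may override entries, the white/black lists are the pre-7.1.9 names of the allow/deny lists, the lists are JSON-stringified lists of regular expressions, and the TLS_AES_*_GCM suites exist only for TLSv1.3. It assumes entries are matched as full-match regexes and that a bare string value is a single entry; the suite names are a constructed sample, and the constructed config reproduces the GSM-for-GCM typo and the missing "(" from the thread's cipher list.

```python
"""Lint the TLS context variables of a Qpid Broker-J config.json (added example, not Qpid code).
Models the rules from the thread: a Port inherits the Broker "context" map and may override
entries; allow/deny (formerly white/black) lists are JSON-stringified lists of regexes.
Assumptions: entries are full-match regexes; a bare string value (e.g. "TLSv1.2") is one entry."""
import json
import re

# Suites that exist only for TLSv1.3 (JDK 11+); they can never serve a TLSv1.2-only port.
TLS13_ONLY_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}
# Constructed, non-exhaustive sample of suite names a JDK 11 SSLContext offers.
KNOWN_SUITES = sorted(TLS13_ONLY_SUITES | {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"})
KNOWN_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
PROTOCOL_KEY = "qpid.security.tls.protocolAllowList"
CIPHER_KEY = "qpid.security.tls.cipherSuiteAllowList"
# Pre-7.1.9 names are treated as aliases of the allow-list names.
ALIASES = {"qpid.security.tls.protocolWhiteList": PROTOCOL_KEY,
           "qpid.security.tls.cipherSuiteWhiteList": CIPHER_KEY}


def parse_list(raw):
    """Turn a context value into a list of regex strings (assumption: bare string = one entry)."""
    try:
        value = json.loads(raw)
    except json.JSONDecodeError:
        value = raw
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return value
    raise ValueError(f"not a JSON list of strings: {raw!r}")


def effective_context(broker, port):
    """Port context = Broker context with the Port's own entries overriding it."""
    ctx = {ALIASES.get(k, k): v for k, v in broker.get("context", {}).items()}
    ctx.update({ALIASES.get(k, k): v for k, v in port.get("context", {}).items()})
    return ctx


def select(entries, candidates, problems, label):
    """Apply each regex entry to the candidates; record entries that are broken or select nothing."""
    chosen = set()
    for entry in entries:
        try:
            pattern = re.compile(entry)
        except re.error as exc:
            problems.append(f"{label}: {entry!r} is not a valid regex ({exc})")
            continue
        hits = {c for c in candidates if pattern.fullmatch(c)}
        if not hits:
            problems.append(f"{label}: {entry!r} matches nothing (typo such as GSM for GCM?)")
        chosen |= hits
    return chosen


def lint_port(broker, port):
    """Return the problems found for one Port; an empty list means its TLS lists are usable."""
    name = port.get("name", "?")
    ctx = effective_context(broker, port)
    problems = []
    protocols, suites = set(KNOWN_PROTOCOLS), set(KNOWN_SUITES)
    try:
        if PROTOCOL_KEY in ctx:
            protocols = select(parse_list(ctx[PROTOCOL_KEY]), KNOWN_PROTOCOLS, problems, f"{name} protocols")
        if CIPHER_KEY in ctx:
            suites = select(parse_list(ctx[CIPHER_KEY]), KNOWN_SUITES, problems, f"{name} ciphers")
    except ValueError as exc:
        return problems + [f"{name}: {exc}"]
    if not protocols:
        problems.append(f"{name}: no TLS protocol is left enabled")
    # A TLSv1.3-only suite cannot rescue a port that allows only TLSv1.2 (Alex's point in the thread).
    usable = suites if "TLSv1.3" in protocols else suites - TLS13_ONLY_SUITES
    if protocols and not usable:
        problems.append(f"{name}: no cipher suite usable with {sorted(protocols)}; handshakes will fail")
    return problems


def lint_config(config):
    """Map each Port name to its list of problems."""
    return {p["name"]: lint_port(config, p) for p in config.get("ports", [])}


# Constructed config modelled on the thread's example: the Broker carries the cipher list with
# the GSM typo and a missing "(", the AMQP port overrides the protocol list, a second port uses
# the pre-7.1.9 names with the corrected list, a third pairs TLSv1.2 with TLSv1.3-only suites.
SAMPLE_CONFIG = {
    "name": "broker", "modelVersion": "7.1",
    "context": {
        PROTOCOL_KEY: '["TLSv1.2","TLSv1.3"]',
        CIPHER_KEY: '["(TLS|SSL)_AES_128_GSM_SHA256","TLS|SSL)_AES_256_GSM_SHA384"]',
    },
    "ports": [
        {"name": "AMQP", "port": 5671, "context": {PROTOCOL_KEY: '["TLSv1.3"]'}},
        {"name": "AMQP-legacy", "port": 5672, "context": {
            "qpid.security.tls.protocolWhiteList": "TLSv1.2",
            "qpid.security.tls.cipherSuiteWhiteList":
                '["(TLS|SSL)_AES_128_GCM_SHA256","(TLS|SSL)_AES_256_GCM_SHA384",'
                '"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]'}},
        {"name": "AMQP-tls12-new-suites", "port": 5673, "context": {
            "qpid.security.tls.protocolWhiteList": "TLSv1.2",
            "qpid.security.tls.cipherSuiteWhiteList": '["TLS_AES_(128|256)_GCM_SHA(256|384)"]'}},
    ],
}
```

Run `lint_config(SAMPLE_CONFIG)` to get the per-port findings; the remaining TLSv1.2 suite on the corrected list is ECDHE_ECDSA, so it also needs an ECDSA key in the keystore, which this checker does not see.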

Re: [External] Re: Queries on Qpid setup

Robbie Gemmell
Administrator
I'm not sure if that lost some formatting you applied or something, as
it looks like some of the details don't seem to make sense otherwise
(e.g. the empty but required address), so I'm still not 100% clear on
what the config is saying, but the error at the end seems fairly self
explanatory. It is failing to bind to '65.0.21.17:5000' because that
port is already in use. You'll either need to ensure whatever is
unexpectedly using port 5000 is stopped from doing so first, or ensure
the value being used is updated/corrected to something else so it
doesn't clash with it.

Note that as the documentation covers, the host:port values given here
are not the same as those used by messaging clients connecting to the
brokers. The BDB HA bits run their own acceptor and connect to each
other directly.

On Fri, 4 Dec 2020 at 11:06, Malyala, Kirankumar
<[hidden email]> wrote:

>
> Hi,
>
> Sorry for that.
> I am attaching the error messages as text
>
> Virtual Host Node
> Name*:
> Type*:
> Create new group or join existing group*:
> Group name*:
> Address*:
> Store path:
> path/to/store
> Permitted group nodes
> Permitted addresses*:
>
> 65.0.21.17:5000
>
> 13.127.218.84:6000
> -
> Address:
> host:port
> +
> Upload virtualhost configuration from file:
> Context variables
> Virtual Host
> Type*:
> The virtualhost will have the same name as the group.
>
>
> 422 - Cannot bind to address '65.0.21.17:5000'. Address is already in use.
> Please correct the problem and retry your operation.
>
> Regards,
> Kirankumar Malyala
>
> ________________________________
> From: Robbie Gemmell <[hidden email]>
> Sent: 04 December 2020 15:34
> To: users <[hidden email]>
> Subject: Re: [External] Re: Queries on Qpid setup
>
> There appears to be a loop in progress here.
>
> Your attachments did not make it to the list, so we can't see them.
> The lists are for text, and strip essentially all
> attachments/insertions. Do not attach or insert things. Use text in
> the email body, or else link to items - e.g. you could reference a
> GitHub repo with images/config you want people to look at.
>
> As you just keep referring to just an "error" in your mail, no one
> reading the list actually has any idea at all what it is you are
> seeing yet and so simply can't advise you, beyond pointing you at the
> docs as I did.
>
> On Fri, 4 Dec 2020 at 06:08, Malyala, Kirankumar
> <[hidden email]> wrote:
> >
> > Hi,
> >
> > I have launched 2 ubuntu VMs and installed Qpid on them. To create HA for Qpid replication, I am trying to create a virtual host node in one of the VM's Qpid as attached (1) and getting an error (2).
> >
> > Please suggest me if I need to follow any prerequisites or am going in a wrong way.
> >
> > Regards,
> > Kirankumar Malyala
> >
> > ________________________________
> > From: Robbie Gemmell <[hidden email]>
> > Sent: 03 December 2020 22:17
> > To: users <[hidden email]>
> > Subject: Re: [External] Re: Queries on Qpid setup
> >
> > The mailing list strips all but the most trivial of attachments/insertions
> > so your images did not make it, as with the previous time when Alex asked
> > you to resend the information that hadn't made it. For images, you'll need
> > to link to them somewhere. If you have text to send, such as an error or
> > stacktrace, just send the text.
> >
> > The documentation around creating an HA group is at
> > http://qpid.apache.org/releases/qpid-broker-j-8.0.2/book/Java-Broker-High-Availability-CreatingGroup.html
> >
> > On Thu, 3 Dec 2020 at 15:08, Malyala, Kirankumar
> > <[hidden email]> wrote:
> >
> > > Hi Alex,
> > >
> > > When we are trying for Qpid HA setup, we are getting the below error.
> > > Please guide us the steps for configuring HA in between multiple servers.
> > >
> > > Regards,
> > > Kirankumar Malyala
> > > ------------------------------
> > > *From:* Oleksandr Rudyy <[hidden email]>
> > > *Sent:* 18 November 2020 16:41
> > > *To:* [hidden email] <[hidden email]>
> > > *Subject:* Re: [External] Re: Queries on Qpid setup
> > >
> > > Hi Kirankumar,
> > > If the broker port is configured with TLSv1.2, it will not accept
> > > connection using any other TLS protocol. Thus, it is really not required to
> > > provide any specific TLSv1.2 settings on the client side. Though, the JMS
> > > client for AMQP 1.0 supports connection options to enable and/or disable
> > > specific TLS protocols and cipher suites. You can use them to restrict the
> > > TLS protocols and cipher suites to the required ones. Here are the
> > > corresponding option descriptions from the client documentation [1]:
> > >
> > > * transport.enabledCipherSuites The cipher suites to enable, comma
> > > separated. No default, meaning the context default ciphers are used. Any
> > > disabled ciphers are removed from this.
> > > * transport.disabledCipherSuites The cipher suites to disable, comma
> > > separated. Ciphers listed here are removed from the enabled ciphers. No
> > > default.
> > > * transport.enabledProtocols The protocols to enable, comma separated. No
> > > default, meaning the context default protocols are used. Any disabled
> > > protocols are removed from this.
> > > * transport.disabledProtocols The protocols to disable, comma separated.
> > > Protocols listed here are removed from the enabled protocols. Default is
> > > "SSLv2Hello,SSLv3".
> > >
> > > In general, you need to configure TLS transport on a client connection URL
> > > by simply setting the protocol part of the URL to amqps, as in the example below
> > >
> > > amqps://myhost.mydomain:5671
> > >
> > > If a self-signed certificate is used, you need to provide a truststore with
> > > all required certificates including intermediate ones.
> > > You can utilize connection URL options transport.trustStoreLocation and
> > > transport.trustStorePassword to set a path to the java keystore file with
> > > the certificates and keystore password respectively. For example,
> > >
> > >
> > > amqps://myhost.mydomain:5671?transport.trustStoreLocation=/path/to/trust-store.pkcs12&transport.trustStorePassword=transport
> > >
> > >
> > > An example of connection URL with enabled TLSv1.2 is provided below
> > >
> > >
> > > amqps://myhost.mydomain:5671?transport.trustStoreLocation=/path/to/trust-store.pkcs12&transport.trustStorePassword=transport&transport.enabledProtocols=TLSv1.2
> > >
> > > For more information about connection options please check client
> > > documentation at [1].
> > >
> > > I guess that you are asking about an example of how to configure a
> > > connection factory spring bean using spring xml. Please, correct me if I am
> > > wrong here.
> > >
> > > There are multiple ways you can configure the connection factory bean in
> > > the spring framework. Please refer to the spring documentation [2] for more details.
> > >
> > > Here is just an example illustrating the approach when a jndi properties file
> > > (jndi.properties) with connection factory settings is used to define the
> > > connection URL:
> > >
> > > You can declare bean PropertiesFactoryBean to load Qpid client JNDI
> > > configuration from a file in classpath as below
> > >
> > > <bean id="jndiConfiguration"
> > > class="org.springframework.beans.factory.config.PropertiesFactoryBean">
> > >   <property name="location" value="classpath:jndi.properties"/>
> > > </bean>
> > >
> > > Alternatively it can be done as below
> > >
> > > <util:properties id="jndiConfiguration"
> > > location="classpath:jndi.properties"/>
> > >
> > > Then, you can create a JNDI template bean referencing the jndiConfiguration
> > > bean
> > >
> > > <bean id="jndiTemplate" class="org.springframework.jndi.JndiTemplate">
> > >   <property name="environment" ref="jndiConfiguration"/>
> > > </bean>
> > >
> > > The connection factory bean can be created using spring
> > > JndiObjectFactoryBean
> > >
> > > <bean id="jmsConnectionFactory"
> > > class="org.springframework.jndi.JndiObjectFactoryBean"
> > > depends-on="jndiTemplate">
> > >     <property name="jndiTemplate" ref="jndiTemplate"/>
> > >     <property name="jndiName">
> > >         <value>${qpid.connection.factory.jndi.name}</value>
> > >     </property>
> > > </bean>
> > >
> > > I hope the above should help you with your client set-up.
> > >
> > > As for the BDB HA error, the image was stripped from the email. Please
> > > resend the stack trace of the problem.
> > >
> > > Kind Regards,
> > > Alex
> > >
> > > [1] http://qpid.apache.org/releases/qpid-jms-0.54.0/docs/index.html#ssl-transport-configuration-options
> > > [2] https://docs.spring.io/spring-framework/docs/2.5.x/reference/jms.html
> > >
> > >
> > > On Wed, 18 Nov 2020 at 07:48, Malyala, Kirankumar
> > > <[hidden email]> wrote:
> > >
> > > > Hi Alex,
> > > >
> > > > 1) Could you provide us details how we can configure TLS 1.2 for
> > > > our JMS client in JmsConnectionFactory bean using XML file.
> > > >
> > > > 2) When we try to set up BDB_HA, we are getting the following
> > > > error.
> > > >
> > > > Please let me know if we are missing something.
> > > >
> > > > Regards,
> > > >
> > > > Kirankumar Malyala
> > > >
> > > > -----Original Message-----
> > > > From: Oleksandr Rudyy <[hidden email]>
> > > > Sent: Tuesday, November 17, 2020 4:02 AM
> > > > To: [hidden email]
> > > > Subject: Re: [External] Re: Queries on Qpid setup
> > > >
> > > > Hi Kirankumar,
> > > > There is a typo in cipher suite names: the GSM is used instead of GCM.
> > > > Thus, the correct cipherSuiteWhiteList would be:
> > > >
> > > > "qpid.security.tls.cipherSuiteWhiteList":
> > > > "[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]"
> > > >
> > > > Please note that cipher suites TLS_AES_128_GCM_SHA256 and
> > > > TLS_AES_256_GCM_SHA384 have been introduced in JDK11 for TLSv1.3. They
> > > > cannot be used with TLSv1.2. The only TLSv1.2 cipher suite in the list is
> > > > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
> > > >
> > > > Regarding encryption of replication traffic I do not have any
> > > > documentation/recommendation on how to set-up the ssh tunnels.
> > > >
> > > > Kind Regards,
> > > > Alex
> > > >
> > > > On Mon, 16 Nov 2020 at 14:54, Malyala, Kirankumar <
> > > > [hidden email]> wrote:
> > > >
> > > > > Hi Alex,
> > > > >
> > > > > 1) We are using Qpid 7.1.6 version. When we add below context in our
> > > > > Port map getting SSL handshake error, working fine only for
> > > > > "qpid.security.tls.protocolWhiteList": "TLSv1.2".
> > > > >
> > > > > "qpid.security.tls.protocolWhiteList": "TLSv1.2",  --------> WORKING
> > > > > "qpid.security.tls.cipherSuiteWhiteList":
> > > > > "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"(TLS|SSL)_AES_256_GSM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
> > > > > --------> NOT WORKING
> > > > >
> > > > > 2) Also, please let us know which approach would be best for encrypting
> > > > > replicas (SSH tunneling, S Tunnel or IPSec) in Qpid setup and share
> > > > > its configuration documentation/procedure.
> > > > >
> > > > > Regards,
> > > > > Kirankumar Malyala
> > > > >
> > > > > -----Original Message-----
> > > > > From: Oleksandr Rudyy <[hidden email]>
> > > > > Sent: Wednesday, November 11, 2020 12:03 AM
> > > > > To: [hidden email]
> > > > > Subject: Re: [External] Re: Queries on Qpid setup
> > > > >
> > > > > Hi Kirankumar,
> > > > >
> > > > > The context variable can be set on any configured object. For example,
> > > > > you can set context variables in the attribute "context" of Broker
> > > > > configured object or/and Port configured object.
> > > > > The children configured objects inherit context settings from their
> > > > > parents. Thus, the Port configured object inherits all context
> > > > > settings from the Broker as Broker is a parent of the Port.
> > > > > The context settings can be overridden on the child configured object
> > > > > if required. For example, you can set the context variable
> > > > > "qpid.security.tls.protocolAllowList" on the Broker to
> > > > > "[\"TLSv1.2\",\"TLSv1.3\"]" to allow only TLSv1.2 and TLSv1.3 and
> > > > > override it on the Port to "[\"TLSv1.3\"]" in order to restrict the
> > > > > port connections to TLSv1.3. Another port object without overridden
> > > > > context variable "qpid.security.tls.protocolAllowList" would inherit
> > > > > the support of TLSv1.2 and TLSv1.3 from the broker.
> > > > >
> > > > > As mentioned above, the context variables are kept in the attribute
> > > > > "context" as a "map" of string keys and values. You can create your
> > > > > initial configuration and define the context variables in the
> > > > > "context" attribute as illustrated in the example below:
> > > > >
> > > > > {
> > > > >   "name" : "${broker.name}",
> > > > >   "modelVersion" : "7.1",
> > > > >   "context": {
> > > > >     "qpid.security.tls.protocolAllowList": "[\"TLSv1.2\",\"TLSv1.3\"]",
> > > > >     "qpid.security.tls.cipherSuiteAllowList":
> > > > > "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"TLS|SSL)_AES_256_GSM_SHA384\",\"TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
> > > > >   },
> > > > >   ...
> > > > >   "ports": [{
> > > > >     "name" : "AMQP",
> > > > >     "port" : "${qpid.amqp_port}",
> > > > >     "context": {
> > > > >       "qpid.security.tls.protocolAllowList": "[\"TLSv1.3\"]"
> > > > >     },
> > > > >    ...
> > > > >    },
> > > > >    ...
> > > > >   ]
> > > > > }
> > > > >
> > > > > In the example above, the context variables
> > > > > "qpid.security.tls.protocolAllowList" and
> > > > > "qpid.security.tls.cipherSuiteAllowList" are defined on the broker level.
> > > > > The port "AMQP" has its own "context" attribute where
> > > > > "qpid.security.tls.protocolAllowList" is overridden. Thus, the port "AMQP"
> > > > > will have "qpid.security.tls.protocolAllowList" defined on the port
> > > > > and "qpid.security.tls.cipherSuiteAllowList" inherited from the Broker.
> > > > >
> > > > > I hope that the example above helps you to understand the context
> > > > > variable settings.
> > > > >
> > > > > You can update the context variables using REST API. Though, the TLS
> > > > > needs to be configured first on the HTTP port in order to use REST API.
> > > > >
> > > > > Kind Regards,
> > > > > Alex
> > > > >
> > > > > On Tue, 10 Nov 2020 at 08:47, Malyala, Kirankumar
> > > > > <[hidden email]> wrote:
> > > > >
> > > > > > Hi Alex,
> > > > > >
> > > > > > Thank you for your help. This is useful to look into the areas where
> > > > > > we wanted clarity.
> > > > > > I want to clear a few things from the points which you have mentioned.
> > > > > >
> > > > > > As you mentioned, the TLS version can be set in multiple ways through
> > > > > > context variable. Could you explain how we can set it in JVM settings
> > > > > > config.json
> > > > > >
> > > > > > Please share the code if you have it.
> > > > > >
> > > > > > Also, related to ssh tunnel configuration, could you share with us
> > > > > > any existing references which have used ssh tunneling and
> > > > > > master/replica concept. Then, it would be easier for us to mold it
> > > > > > as per our requirement.
> > > > > >
> > > > > > Regards,
> > > > > > Kirankumar Malyala
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Oleksandr Rudyy <[hidden email]>
> > > > > > Sent: Tuesday, November 10, 2020 5:24 AM
> > > > > > To: [hidden email]
> > > > > > Subject: Re: [External] Re: Queries on Qpid setup
> > > > > >
> > > > > > Hi Kirankumar,
> > > > > > The AMQP and HTTP ports of Qpid Broker-J support TLS and plain TCP
> > > > > > transports.
> > > > > >
> > > > > > In order to enable TLS on broker HTTP or/and AMQP ports, Keystore
> > > > > > configured object(s) need to be configured.
> > > > > > The keystore object should contain a private key and certificates
> > > > > > (including intermediates if required).
> > > > > >
> > > > > > A number of Keystore types is supported on the broker:
> > > > > > * FileKeyStore - in this type of Keystore a java keystore is used
> > > > > > underneath to hold the private key and certificates
> > > > > > * NonJavaKeyStore - used to configure private key and certificates
> > > > > > directly in PEM or DER formats
> > > > > >
> > > > > > The Broker allows users to quickly create a self-signed certificate
> > > > > > with a special type of Keystore called "AutoGeneratedSelfSigned"
> > > > > > (with Oracle JDK or OpenJDK).
> > > > > >
> > > > > > The TLS protocols and TLS cipher suites can be customised (if
> > > > > > required) using special context variables:
> > > > > > * qpid.security.tls.protocolAllowList
> > > > > > * qpid.security.tls.protocolDenyList
> > > > > > * qpid.security.tls.cipherSuiteAllowList
> > > > > > * qpid.security.tls.cipherSuiteDenyList
> > > > > > or
> > > > > > * qpid.security.tls.protocolWhiteList
> > > > > > * qpid.security.tls.protocolBlackList
> > > > > > * qpid.security.tls.cipherSuiteWhiteList
> > > > > > * qpid.security.tls.cipherSuiteBlackList
> > > > > >
> > > > > > Before 7.1.9 only "white/black" list terminology was supported.
> > > > > > Starting from version 7.1.9 the alternative names "allow/deny" lists
> > > > > > can be used. In version 9.0 the "allow/deny" lists completely
> > > > > > replace "white/black" list terminology.
> > > > > >
> > > > > > For example, you can allow only TLSv1.3 with JDK11 by setting
> > > > > > context variable qpid.security.tls.protocolAllowList to "TLSv1.3".
> > > > > > You can specify the allowed or denied values using regular
> > > > > > expressions represented as JSON stringified lists.
> > > > > > For example, you can limit allowed cipher suites to only some of
> > > > > > them by setting qpid.security.tls.cipherSuiteAllowList to
> > > > > > "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"TLS|SSL)_AES_256_GSM_SHA384\",\"TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]".
> > > > > > The same applies to deny lists.
> > > > > >
> > > > > > The context variable can be set in multiple ways:
> > > > > > * as JVM settings
> > > > > > * as command line arguments (for example, ./bin/qpid-server -prop
> > > > > > qpid.security.tls.protocolAllowList=TLSv1.3 )
> > > > > > * in a properties file system.properties (it needs to be in broker
> > > > > > classpath)
> > > > > > * as configured object context variables (for example, context
> > > > > > variable set on the Broker object using REST API)
> > > > > >
> > > > > > The Qpid Broker HA is based on Oracle BDB JE. Unfortunately the BDB
> > > > > > JE does not support TLS transport. The data replication is unencrypted.
> > > > > > Potentially, you can use SSH tunnels, but that requires configuring
> > > > > > tunnels between each of HA nodes, as the nodes communicate with each
> > > > > > other. I believe that it should be possible to configure SSH
> > > > > > tunnels, though I cannot give you any useful advice on how to do that.
> > > > > >
> > > > > > You can download Qpid Broker distribution files from Qpid Download
> > > > > > page at http://qpid.apache.org/download.html.
> > > > > >
> > > > > > Kind Regards,
> > > > > > Alex
> > > > > >
> > > > > > On Fri, 6 Nov 2020 at 04:50, Malyala, Kirankumar
> > > > > > <[hidden email]> wrote:
> > > > > >
> > > > > > > Hi Alex,
> > > > > > >
> > > > > > > We are using broker-j (for java). As of now, we are exploring on
> > > > > > > version 7.
> > > > > > > Please do let us know if you want any other information.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Kirankumar Malyala
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Oleksandr Rudyy <[hidden email]>
> > > > > > > Sent: Friday, November 6, 2020 5:44 AM
> > > > > > > To: [hidden email]
> > > > > > > Subject: [External] Re: Queries on Qpid setup
> > > > > > >
> > > > > > > This message is from an EXTERNAL SENDER - be CAUTIOUS,
> > > > > > > particularly with links and attachments.
> > > > > > >
> > > > > > > Hi Kirankumar,
> > > > > > > Could you please clarify what exactly Qpid broker are you trying
> > > > > > > to use?
> > > > > > > There are two brokers in Qpid project: c++ broker and broker-j
> > > > > > > (for java).
> > > > > > >
> > > > > > > Are you using Qpid Broker-J?
> > > > > > >
> > > > > > > Kind regards,
> > > > > > > Alex
> > > > > > >
> > > > > > > On Thu, 5 Nov 2020 at 08:05, Malyala, Kirankumar
> > > > > > > <[hidden email]> wrote:
> > > > > > >
> > > > > > > > Hi Team,
> > > > > > > >
> > > > > > > > We have been doing some POC on Qpid. While working on the
> > > > > > > > configuration, we came across multiple blockers which we have
> > > > > > > > mentioned below.
> > > > > > > >
> > > > > > > >   *   How to use a specific version of TLS encryption for Qpid if we
> > > > > > > > deploy on VM.
> > > > > > > >   *   We understood from the Qpid documentation that we have to deploy
> > > > > > > > broker on multiple VM's to create a group and introduce
> > > > > > > > master/replica nodes. Any SOP on this part ?
> > > > > > > >   *   How to apply SSL/TLS encryption to replicas in the group consists of
> > > > > > > > master and replica nodes using SSH tunnel/IPsec.
> > > > > > > >   *   How can we fetch file in Apache
> > > > > > > >
> > > > > > > > Please let us know if someone from your team can guide us on
> > > > > > > > these points.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Kirankumar Malyala
> > > > > > > >
> > > > > > > > ________________________________
> > > >
> > > > > > > >
> > > >
> > > > > > > > This message is for the designated recipient only and may
> > > >
> > > > > > > > contain privileged, proprietary, or otherwise confidential
> > > >
> > > > > > > > information. If you have received it in error, please notify the
> > > >
> > > > > > > > sender immediately and delete the original. Any other use of the
> > > >
> > > > > > > > e-mail by you is
> > > >
> > > > > > prohibited.
> > > >
> > > > > > > > Where allowed by local law, electronic communications with
> > > >
> > > > > > > > Accenture and its affiliates, including e-mail and instant
> > > >
> > > > > > > > messaging (including content), may be scanned by our systems for
> > > >
> > > > > > > > the purposes of information security and assessment of internal
> > > >
> > > > > > > > compliance with
> > > >
> > > > > > > Accenture policy. Your privacy is important to us.
> > > >
> > > > > > > > Accenture uses your personal data only in compliance with data
> > > >
> > > > > > > > protection laws. For further information on how Accenture
> > > >
> > > > > > > > processes your personal data, please see our privacy statement
> > > >
> > > > > > > > at https://www.accenture.com/us-en/privacy-policy.
> > > >
> > > > > > > >
> > > >
> > > > > > > > ________________________________________________________________
> > > >
> > > > > > > > __
> > > >
> > > > > > > > __
> > > >
> > > > > > > > __
> > > >
> > > > > > > > ________________
> > > >
> > > > > > > >
> > > >
> > > > > > > > http://www.accenture.com
> > > >
> > > > > > > >
> > > >
> > > > > > >
> > > >
> > > > > > > ________________________________
> > > >
> > > > > > >
> > > >
> > > > > > > This message is for the designated recipient only and may contain
> > > >
> > > > > > > privileged, proprietary, or otherwise confidential information. If
> > > >
> > > > > > > you have received it in error, please notify the sender
> > > >
> > > > > > > immediately and delete the original. Any other use of the e-mail
> > > >
> > > > > > > by you is
> > > >
> > > > > prohibited.
> > > >
> > > > > > > Where allowed by local law, electronic communications with
> > > >
> > > > > > > Accenture and its affiliates, including e-mail and instant
> > > >
> > > > > > > messaging (including content), may be scanned by our systems for
> > > >
> > > > > > > the purposes of information security and assessment of internal
> > > >
> > > > > > > compliance with
> > > >
> > > > > > Accenture policy. Your privacy is important to us.
> > > >
> > > > > > > Accenture uses your personal data only in compliance with data
> > > >
> > > > > > > protection laws. For further information on how Accenture
> > > >
> > > > > > > processes your personal data, please see our privacy statement at
> > > >
> > > > > > > https://www.accenture.com/us-en/privacy-policy.
> > > >
> > > > > > >
> > > >
> > > > > > > __________________________________________________________________
> > > >
> > > > > > > __
> > > >
> > > > > > > __
> > > >
> > > > > > > ________________
> > > >
> > > > > > >
> > > >
> > > > > > > http://www.accenture.com
> > > >
> > > > > > >
> > > >
> > > > > >
> > > >
> > > > > > ________________________________
> > > >
> > > > > >
> > > >
> > > > > > This message is for the designated recipient only and may contain
> > > >
> > > > > > privileged, proprietary, or otherwise confidential information. If
> > > >
> > > > > > you have received it in error, please notify the sender immediately
> > > >
> > > > > > and delete the original. Any other use of the e-mail by you is
> > > > prohibited.
> > > >
> > > > > > Where allowed by local law, electronic communications with Accenture
> > > >
> > > > > > and its affiliates, including e-mail and instant messaging
> > > >
> > > > > > (including content), may be scanned by our systems for the purposes
> > > >
> > > > > > of information security and assessment of internal compliance with
> > > >
> > > > > Accenture policy. Your privacy is important to us.
> > > >
> > > > > > Accenture uses your personal data only in compliance with data
> > > >
> > > > > > protection laws. For further information on how Accenture processes
> > > >
> > > > > > your personal data, please see our privacy statement at
> > > >
> > > > > > https://www.accenture.com/us-en/privacy-policy.


Re: [External] Re: Queries on Qpid setup

Kumar Mishra, Rajesh
In reply to this post by Oleksandr Rudyy
Hi Team,

We have enabled TLS on the HTTP port. We want to force users to use HTTPS for web, but we are also calling some APIs and we don't want to use HTTPS there.

WEB - https://qpid-host.com:8080
for APIs call we want to use - http://qpid-host.com:8080/api-end-point or http://localhost:8080/api-end-point

Could you please help me with the configuration.


Thanks,
Rajesh Mishra
________________________________
From: Malyala, Kirankumar <[hidden email]>
Sent: Tuesday, November 17, 2020 9:29 AM
To: Kumar Mishra, Rajesh <[hidden email]>; Grover, Rahul <[hidden email]>; Kumari, Arti A. <[hidden email]>; Mitra, Dibbojyoti <[hidden email]>
Cc: Sharma, Tulsi Ram <[hidden email]>
Subject: FW: [External] Re: Queries on Qpid setup

Hi All,

FYI

Regards,
Kirankumar Malyala

-----Original Message-----
From: Oleksandr Rudyy <[hidden email]>
Sent: Tuesday, November 17, 2020 4:02 AM
To: [hidden email]
Subject: Re: [External] Re: Queries on Qpid setup

Hi Kirankumar,
There is a typo in cipher suite names: the GSM is used instead of GCM.
Thus, the correct cipherSuiteWhiteList would be:

"qpid.security.tls.cipherSuiteWhiteList":
"[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]"


Please note that cipher suites TLS_AES_128_GCM_SHA256 and
TLS_AES_256_GCM_SHA384 have been introduced in JDK11 for TLSv1.3. They cannot be used with TLSv1.2. The only TLSv1.2 cipher suite in the list is TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

Regarding encryption of replication traffic, I do not have any documentation/recommendation on how to set up the SSH tunnels.

Kind Regards,
Alex

On Mon, 16 Nov 2020 at 14:54, Malyala, Kirankumar <[hidden email]> wrote:

> Hi Alex,
>
> 1) We are using Qpid version 7.1.6. When we add the context below to our
> Port map we get an SSL handshake error; it works fine only with
> "qpid.security.tls.protocolWhiteList": "TLSv1.2".
>
>  "qpid.security.tls.protocolWhiteList": "TLSv1.2",  --------> WORKING
> "qpid.security.tls.cipherSuiteWhiteList":
> "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"(TLS|SSL)_AES_256_GSM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
> --------> NOT WORKING
>
> 2) Also, please let us know which approach would be best for encrypting
> replicas (SSH tunneling, stunnel or IPsec) in a Qpid setup and share
> its configuration documentation/procedure.
>
> Regards,
> Kirankumar Malyala
>
> -----Original Message-----
> From: Oleksandr Rudyy <[hidden email]>
> Sent: Wednesday, November 11, 2020 12:03 AM
> To: [hidden email]
> Subject: Re: [External] Re: Queries on Qpid setup
>
> Hi Kirankumar,
>
> The context variable can be set on any configured object. For example,
> you can set context variables in the attribute "context" of Broker
> configured object or/and Port configured object.
> The children configured objects inherit context settings from their
> parents. Thus, the Port configured object inherits all context
> settings from the Broker as Broker is a parent of the Port.
> The context settings can be overridden on the child configured object
> if required. For example, you can set the context variable
> "qpid.security.tls.protocolAllowList" on the Broker to
> "[\"TLSv1.2\",\"TLSv1.3\"]" to allow only TLSv1.2 and TLSv1.3 and
> override it on the Port to "[\"TLSv1.3\"]" in order to restrict the
> port connections to TLSv1.3. Another port object without overridden
> context variable "qpid.security.tls.protocolAllowList" would inherit
> the support of
> TLSv1.2 and TLSv1.3 from the broker.
>
> As mentioned above, the context variables are kept in the attributes
> "context" as a "map" of string keys and values. You can create your
> initial configuration and define the context variables in the
> "context" attribute as illustrated in the example below:
>
> {
>   "name" : "${broker.name}",
>   "modelVersion" : "7.1",
>   "context": {
>     "qpid.security.tls.protocolAllowList": "[\"TLSv1.2\",\"TLSv1.3\"]",
>     "qpid.security.tls.cipherSuiteAllowList":
>
> "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"TLS|SSL)_AES_256_GSM_SHA384\",\"TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
>   },
>
>   ...
>   "ports": [{
>     "name" : "AMQP",
>     "port" : "${qpid.amqp_port}",
>     "context": {
>       "qpid.security.tls.protocolAllowList": "[\"TLSv1.3\"]",
>     },
>    ...
>    },
>    ...
>   ]
> }
>
> In the example above, the context variables
> "qpid.security.tls.protocolAllowList" and
> "qpid.security.tls.cipherSuiteAllowList" are defined on the broker level.
> The port "AMQP" has its own "context" attribute where
> "qpid.security.tls.protocolAllowList" is overridden. Thus, the port "AMQP"
> will have "qpid.security.tls.protocolAllowList" defined on the port
> and "qpid.security.tls.cipherSuiteAllowList" inherited from the Broker.
>
> I hope that the example above helps you to understand the context
> variable settings.
>
> You can update the context variables using REST API. Though, the TLS
> needs to be configured first on the HTTP port in order to use REST API.
>
>
> Kind Regards,
> Alex
>
>
>
>
> On Tue, 10 Nov 2020 at 08:47, Malyala, Kirankumar
> <[hidden email]> wrote:
>
> > Hi Alex,
> >
> > Thank you for your help. This is useful to look into the areas where
> > we wanted clarity.
> > I want to clear a few things from the points which you have mentioned.
> >
> > As you mentioned, the TLS version can set in multiple ways through
> > context variable. Could you explain how we can set in JVM settings
> > config.json
> >
> > Please share the code if you have it.
> >
> > Also, related to ssh tunnel configuration, could you share with us
> > any existing references which have used ssh tunneling and
> > master/replica concept. Then, it would be easier for us to mold it
> > as per our
> requirement.
> >
> > Regards,
> > Kirankumar Malyala
> >
> >
> > -----Original Message-----
> > From: Oleksandr Rudyy <[hidden email]>
> > Sent: Tuesday, November 10, 2020 5:24 AM
> > To: [hidden email]
> > Subject: Re: [External] Re: Queries on Qpid setup
> >
> > Hi Kirankumar,
> > The AMQP and HTTP ports of Qpid Broker-J support TLS and plain TCP
> > transports.
> >
> > In order to enable TLS on broker HTTP or/and AMQP ports Keystore
> > configured
> > object(s) needs to be configured.
> > The keystore object should contain a private key and certificates
> > (including intermediates if required).
> >
> > A number of Keystore types is supported on the broker:
> > * FileKeyStore - in this type of Keystore a java keystore is used
> > underneath to hold the private key and certificates
> > * NonJavaKeyStore - used to configure private key and certificates
> > directly in PEM or DER formats
> >
> > The Broker allows users to quickly create a self-signed certificate
> > with a special type of Keystore called "AutoGeneratedSelfSigned"
> > (with Oracle JDK or OpenJDK).
> >
> > The TLS protocols and TLS cipher suites can be customised (if
> > required) using special context variables:
> > * qpid.security.tls.protocolAllowList
> > * qpid.security.tls.protocolDenyList
> > * qpid.security.tls.cipherSuiteAllowList
> > * qpid.security.tls.cipherSuiteDenyList
> > or
> > * qpid.security.tls.protocolWhiteList
> > * qpid.security.tls.protocolBlackList
> > * qpid.security.tls.cipherSuiteWhiteList
> > * qpid.security.tls.cipherSuiteBlackList
> >
> > Before 7.1.9 only "white/black" list terminology was supported.
> > Starting from version 7.1.9 the alternative names "allow/deny" lists
> > can be used. In version 9.0 the "allow/deny" lists completely
> > replace "white/black" list terminology.
> >
> > For example, you can allow only TLSv1.3 with JDK11 by setting
> > context variable qpid.security.tls.protocolAllowList to "TLSv1.3".
> > You can specify the allowed or denied values using regular
> > expressions represented as JSON stringified lists.
> > For example, you can limit allowed cipher suites to only some of
> > them by setting qpid.security.tls.cipherSuiteAllowList to
> >
> "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"TLS|SSL)_AES_256_GSM_SHA384\",\"TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]".
> > The same applies to deny lists.
> >
> > The context variable can be set in multiple ways:
> > * as JVM settings
> > * as command line arguments (for example, ./bin/qpid-server -prop
> > qpid.security.tls.protocolAllowList=TLSv1.3 )
> > * in a properties file system.properties (it needs to be in broker
> > classpath)
> > * as configured object context variables (for example, context
> > variable set on the Broker object using REST API)
> >
> >
> > The Qpid Broker HA  is based on Oracle BDB JE. Unfortunately the BDB
> > JE does not support TLS transport. The data replication is unencrypted.
> > Potentially, you can use SSH tunnels, but that requires configuring
> > tunnels between each of the HA nodes, as the nodes communicate with each
> > other. I believe that it should be possible to configure SSH
> > tunnels, though I cannot give you any useful advice on how to do that.
> >
> > You can download Qpid Broker distribution files from Qpid Download
> > page at http://qpid.apache.org/download.html.
> >
> > Kind Regards,
> > Alex
> >
> >
> > On Fri, 6 Nov 2020 at 04:50, Malyala, Kirankumar
> > <[hidden email]> wrote:
> >
> > > Hi Alex,
> > >
> > > We are using broker-j (for java). As of now, we are exploring on
> > > version
> > 7.
> > > Please do let us know if you want any other information.
> > >
> > > Regards,
> > > Kirankumar Malyala
> > >
> > > -----Original Message-----
> > > From: Oleksandr Rudyy <[hidden email]>
> > > Sent: Friday, November 6, 2020 5:44 AM
> > > To: [hidden email]
> > > Subject: [External] Re: Queries on Qpid setup
> > >
> > > Hi Kirankumar,
> > > Could you please clarify what exactly Qpid broker are you trying
> > > to
> use?
> > > There are two brokers in Qpid project: c++ broker and broker-j
> > > (for
> > java).
> > >
> > > Are you using Qpid Broker-J?
> > >
> > > Kind regards,
> > > Alex
> > >
> > > On Thu, 5 Nov 2020 at 08:05, Malyala, Kirankumar
> > > <[hidden email]> wrote:
> > >
> > > > Hi Team,
> > > >
> > > > We have been doing some POC on Qpid. While working on the
> > > > configuration, we came across multiple blockers which we have
> > > > mentioned
> > > below.
> > > >
> > > >
> > > >   *   How to use a specific version of TLS encryption for Qpid if we
> > > > deploy on VM.
> > > >   *   We understood from the Qpid documentation that we have to
> deploy
> > > > broker on multiple VM's to create a group and introduce
> > > > master/replica nodes. Any SOP on this part ?
> > > >   *   How to apply SSL/TLS encryption to replicas in the group
> consists
> > > of
> > > > master and replica nodes using SSH tunnel/IPsec.
> > > >   *   How can we fetch file in Apache
> > > >
> > > > Please let us know if some one from your team can guide us on
> > > > these
> > > points.
> > > >
> > > > Regards,
> > > > Kirankumar Malyala
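A check for the context-variable settings discussed in the forwarded replies above: broker-level allow lists inherited by ports, port-level overrides, the JSON-stringified regex list format, the GSM-for-GCM typo, and TLSv1.3-only cipher suites paired with a protocol list that permits only TLSv1.2 (the handshake failure reported earlier in the thread). It also flags an HTTP management port that still accepts plain TCP, which is the situation the question above describes. This is an added example written for this thread, not code from Qpid Broker-J or from anyone posting here; the sample configuration and the cipher-suite table are constructed, the `transports` and `protocols` port attributes come from Broker-J's port model, and Python's `re` stands in for the Java regex engine the broker actually applies.

```python
"""Lint the TLS context variables of a Qpid Broker-J config.json.
Added example: the sample config and cipher-suite table are constructed."""
import json
import re

PROTO_KEY = "qpid.security.tls.protocolAllowList"
SUITE_KEY = "qpid.security.tls.cipherSuiteAllowList"

# Constructed sample in the shape of the config.json quoted in the thread:
# allow lists are JSON-stringified lists of regular expressions. The HTTP
# port repeats the GSM-for-GCM typo and the missing "(" from the thread.
SAMPLE_CONFIG = {
    "name": "Broker",
    "modelVersion": "7.1",
    "context": {
        PROTO_KEY: '["TLSv1.2","TLSv1.3"]',
        SUITE_KEY: '["(TLS|SSL)_AES_128_GCM_SHA256","(TLS|SSL)_AES_256_GCM_SHA384"]',
    },
    "ports": [
        {   # overrides the inherited protocol list with TLSv1.2 only
            "name": "AMQP", "port": 5671, "transports": ["SSL"],
            "context": {PROTO_KEY: '["TLSv1.2"]'},
        },
        {   # management port reachable over plain TCP as well as TLS
            "name": "HTTP", "port": 8080, "protocols": ["HTTP"],
            "transports": ["TCP", "SSL"],
            "context": {SUITE_KEY: '["(TLS|SSL)_AES_128_GSM_SHA256",'
                                   '"TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384"]'},
        },
    ],
}

# Constructed subset of JSSE cipher-suite names with the protocol versions
# that can negotiate them; the TLS_AES_* suites exist only for TLSv1.3.
KNOWN_SUITES = {
    "TLS_AES_128_GCM_SHA256": {"TLSv1.3"},
    "TLS_AES_256_GCM_SHA384": {"TLSv1.3"},
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": {"TLSv1.2"},
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": {"TLSv1.2"},
}


def effective_context(broker, port):
    """A child inherits its parent's context; the child's own entries win."""
    ctx = dict(broker.get("context", {}))
    ctx.update(port.get("context", {}))
    return ctx


def parse_list(value):
    """Decode a JSON-stringified list; a bare value such as "TLSv1.2" is one entry."""
    if value is None:
        return []
    try:
        parsed = json.loads(value)
    except json.JSONDecodeError:
        return [value]
    return parsed if isinstance(parsed, list) else [parsed]


def lint_port(broker, port):
    """Return the findings for one port's effective TLS settings ([] means clean)."""
    name, findings = port["name"], []
    ctx = effective_context(broker, port)
    protocols = set(parse_list(ctx.get(PROTO_KEY)))
    matched = set()
    for pattern in parse_list(ctx.get(SUITE_KEY)):
        try:
            # Assumption: Python's re stands in for the broker's Java regex
            # engine, and each suite name must match the whole pattern.
            regex = re.compile(pattern)
        except re.error as exc:
            findings.append(f"{name}: invalid cipher suite regex {pattern!r} ({exc})")
            continue
        hits = {suite for suite in KNOWN_SUITES if regex.fullmatch(suite)}
        if not hits:
            findings.append(f"{name}: pattern {pattern!r} matches no known cipher "
                            "suite (typo such as GSM for GCM?)")
        matched |= hits
    if protocols and matched:
        usable = {s for s in matched if KNOWN_SUITES[s] & protocols}
        if not usable:
            findings.append(f"{name}: none of the allowed cipher suites can be "
                            f"negotiated with {sorted(protocols)}; expect handshake failures")
    # Plain TCP on the HTTP management port sends credentials unencrypted.
    # Assumption: a port without "transports" defaults to TCP.
    if "HTTP" in port.get("protocols", []) and "TCP" in port.get("transports", ["TCP"]):
        findings.append(f"{name}: HTTP port accepts plain TCP; restrict transports "
                        "to SSL so management credentials are never sent in clear")
    return findings


def lint_config(config):
    """Map every port name to its findings."""
    return {port["name"]: lint_port(config, port) for port in config.get("ports", [])}
```

To run it against a real broker, load config.json with `json.load` and pass the result to `lint_config`; a port with an empty finding list has an effective protocol and cipher-suite combination that can complete a handshake with the suites in the table, and any `${...}` placeholders in the file are left untouched because only the `context`, `protocols` and `transports` attributes are inspected.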

Re: [External] Re: Queries on Qpid setup

Oleksandr Rudyy
Hi Rajesh,
If required, the HTTP port can be configured with support for both TCP
and TLS transports. However, managing the Broker via plain HTTP would be
inherently insecure, as the credentials would be sent in plain text
and could be easily intercepted.
Thus, in order to secure your Broker, it is strongly recommended to use
HTTPS for both UI and REST API calls.

Kind Regards,
Alex

On Thu, 4 Feb 2021 at 19:25, Kumar Mishra, Rajesh
<[hidden email]> wrote:

>
> Hi Team,
>
> We have enabled TLS on the HTTP port. We want to force users to use HTTPS for web, but we are also calling some APIs and we don't want to use HTTPS there.
>
> WEB - https://qpid-host.com:8080
> for APIs call we want to use - http://qpid-host.com:8080/api-end-point or http://localhost:8080/api-end-point
>
> Could you please help me with the configuration.
>
>
> Thanks,
> Rajesh Mishra
> ________________________________
> From: Malyala, Kirankumar <[hidden email]>
> Sent: Tuesday, November 17, 2020 9:29 AM
> To: Kumar Mishra, Rajesh <[hidden email]>; Grover, Rahul <[hidden email]>; Kumari, Arti A. <[hidden email]>; Mitra, Dibbojyoti <[hidden email]>
> Cc: Sharma, Tulsi Ram <[hidden email]>
> Subject: FW: [External] Re: Queries on Qpid setup
>
> Hi All,
>
> FYI
>
> Regards,
> Kirankumar Malyala
>
> -----Original Message-----
> From: Oleksandr Rudyy <[hidden email]>
> Sent: Tuesday, November 17, 2020 4:02 AM
> To: [hidden email]
> Subject: Re: [External] Re: Queries on Qpid setup
>
> Hi Kirankumar,
> There is a typo in cipher suite names: the GSM is used instead of GCM.
> Thus, the correct cipherSuiteWhiteList would be:
>
> "qpid.security.tls.cipherSuiteWhiteList":
> "[\"(TLS|SSL)_AES_128_GCM_SHA256\",\"(TLS|SSL)_AES_256_GCM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384\"]"
>
>
> Please note that cipher suites TLS_AES_128_GCM_SHA256 and
> TLS_AES_256_GCM_SHA384 have been introduced in JDK11 for TLSv1.3. They cannot be used with TLSv1.2. The only TLSv1.2 cipher suite in the list is TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
>
> Regarding encryption of replication traffic, I do not have any documentation/recommendation on how to set up the SSH tunnels.
>
> Kind Regards,
> Alex
>
> On Mon, 16 Nov 2020 at 14:54, Malyala, Kirankumar <[hidden email]> wrote:
>
> > Hi Alex,
> >
> > 1) We are using Qpid version 7.1.6. When we add the context below to our
> > Port map we get an SSL handshake error; it works fine only with
> > "qpid.security.tls.protocolWhiteList": "TLSv1.2".
> >
> >  "qpid.security.tls.protocolWhiteList": "TLSv1.2",  --------> WORKING
> > "qpid.security.tls.cipherSuiteWhiteList":
> > "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"(TLS|SSL)_AES_256_GSM_SHA384\",\"(TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
> > --------> NOT WORKING
> >
> > 2) Also, please let us know which approach would be best for encrypting
> > replicas (SSH tunneling, stunnel or IPsec) in a Qpid setup and share
> > its configuration documentation/procedure.
> >
> > Regards,
> > Kirankumar Malyala
> >
> > -----Original Message-----
> > From: Oleksandr Rudyy <[hidden email]>
> > Sent: Wednesday, November 11, 2020 12:03 AM
> > To: [hidden email]
> > Subject: Re: [External] Re: Queries on Qpid setup
> >
> > Hi Kirankumar,
> >
> > The context variable can be set on any configured object. For example,
> > you can set context variables in the attribute "context" of Broker
> > configured object or/and Port configured object.
> > The children configured objects inherit context settings from their
> > parents. Thus, the Port configured object inherits all context
> > settings from the Broker as Broker is a parent of the Port.
> > The context settings can be overridden on the child configured object
> > if required. For example, you can set the context variable
> > "qpid.security.tls.protocolAllowList" on the Broker to
> > "[\"TLSv1.2\",\"TLSv1.3\"]" to allow only TLSv1.2 and TLSv1.3 and
> > override it on the Port to "[\"TLSv1.3\"]" in order to restrict the
> > port connections to TLSv1.3. Another port object without overridden
> > context variable "qpid.security.tls.protocolAllowList" would inherit
> > the support of
> > TLSv1.2 and TLSv1.3 from the broker.
> >
> > As mentioned above, the context variables are kept in the attributes
> > "context" as a "map" of string keys and values. You can create your
> > initial configuration and define the context variables in the
> > "context" attribute as illustrated in the example below:
> >
> > {
> >   "name" : "${broker.name}",
> >   "modelVersion" : "7.1",
> >   "context": {
> >     "qpid.security.tls.protocolAllowList": "[\"TLSv1.2\",\"TLSv1.3\"]",
> >     "qpid.security.tls.cipherSuiteAllowList":
> >
> > "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"TLS|SSL)_AES_256_GSM_SHA384\",\"TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]"
> >   },
> >
> >   ...
> >   "ports": [{
> >     "name" : "AMQP",
> >     "port" : "${qpid.amqp_port}",
> >     "context": {
> >       "qpid.security.tls.protocolAllowList": "[\"TLSv1.3\"]",
> >     },
> >    ...
> >    },
> >    ...
> >   ]
> > }
> >
> > In the example above, the context variables
> > "qpid.security.tls.protocolAllowList" and
> > "qpid.security.tls.cipherSuiteAllowList" are defined on the broker level.
> > The port "AMQP" has its own "context" attribute where
> > "qpid.security.tls.protocolAllowList" is overridden. Thus, the port "AMQP"
> > will have "qpid.security.tls.protocolAllowList" defined on the port
> > and "qpid.security.tls.cipherSuiteAllowList" inherited from the Broker.
> >
> > I hope that the example above helps you to understand the context
> > variable settings.
> >
> > You can update the context variables using REST API. Though, the TLS
> > needs to be configured first on the HTTP port in order to use REST API.
> >
> >
> > Kind Regards,
> > Alex
> >
> >
> >
> >
> > On Tue, 10 Nov 2020 at 08:47, Malyala, Kirankumar
> > <[hidden email]> wrote:
> >
> > > Hi Alex,
> > >
> > > Thank you for your help. This is useful to look into the areas where
> > > we wanted clarity.
> > > I want to clear a few things from the points which you have mentioned.
> > >
> > > As you mentioned, the TLS version can set in multiple ways through
> > > context variable. Could you explain how we can set in JVM settings
> > > config.json
> > >
> > > Please share the code if you have it.
> > >
> > > Also, related to ssh tunnel configuration, could you share with us
> > > any existing references which have used ssh tunneling and
> > > master/replica concept. Then, it would be easier for us to mold it
> > > as per our
> > requirement.
> > >
> > > Regards,
> > > Kirankumar Malyala
> > >
> > >
> > > -----Original Message-----
> > > From: Oleksandr Rudyy <[hidden email]>
> > > Sent: Tuesday, November 10, 2020 5:24 AM
> > > To: [hidden email]
> > > Subject: Re: [External] Re: Queries on Qpid setup
> > >
> > > Hi Kirankumar,
> > > The AMQP and HTTP ports of Qpid Broker-J support TLS and plain TCP
> > > transports.
> > >
> > > In order to enable TLS on broker HTTP or/and AMQP ports Keystore
> > > configured
> > > object(s) needs to be configured.
> > > The keystore object should contain a private key and certificates
> > > (including intermediates if required).
> > >
> > > A number of Keystore types is supported on the broker:
> > > * FileKeyStore - in this type of Keystore a java keystore is used
> > > underneath to hold the private key and certificates
> > > * NonJavaKeyStore - used to configure private key and certificates
> > > directly in PEM or DER formats
> > >
> > > The Broker allows users to quickly create a self-signed certificate
> > > with a special type of Keystore called "AutoGeneratedSelfSigned"
> > > (with Oracle JDK or OpenJDK).
> > >
> > > The TLS protocols and TLS cipher suites can be customised (if
> > > required) using special context variables:
> > > * qpid.security.tls.protocolAllowList
> > > * qpid.security.tls.protocolDenyList
> > > * qpid.security.tls.cipherSuiteAllowList
> > > * qpid.security.tls.cipherSuiteDenyList
> > > or
> > > * qpid.security.tls.protocolWhiteList
> > > * qpid.security.tls.protocolBlackList
> > > * qpid.security.tls.cipherSuiteWhiteList
> > > * qpid.security.tls.cipherSuiteBlackList
> > >
> > > Before 7.1.9 only "white/black" list terminology was supported.
> > > Starting from version 7.1.9 the alternative names "allow/deny" lists
> > > can be used. In version 9.0 the "allow/deny" lists completely
> > > replace "white/black" list terminology.
> > >
> > > For example, you can allow only TLSv1.3 with JDK11 by setting
> > > context variable qpid.security.tls.protocolAllowList to "TLSv1.3".
> > > You can specify the allowed or denied values using regular
> > > expressions represented as JSON stringified lists.
> > > For example, you can limit allowed cipher suites to only some of
> > > them by setting qpid.security.tls.cipherSuiteAllowList to
> > >
> > "[\"(TLS|SSL)_AES_128_GSM_SHA256\",\"TLS|SSL)_AES_256_GSM_SHA384\",\"TLS|SSL)_ECDHE_ECDSA_WITH_AES_256_GSM_SHA384\"]".
> > > The same applies to deny lists.
> > >
> > > The context variable can be set in multiple ways:
> > > * as JVM settings
> > > * as command line arguments (for example, ./bin/qpid-server -prop
> > > qpid.security.tls.protocolAllowList=TLSv1.3 )
> > > * in a properties file system.properties (it needs to be in broker
> > > classpath)
> > > * as configured object context variables (for example, context
> > > variable set on the Broker object using REST API)
> > >
> > >
> > > The Qpid Broker HA  is based on Oracle BDB JE. Unfortunately the BDB
> > > JE does not support TLS transport. The data replication is unencrypted.
> > > Potentially, you can use SSH tunnels, but that requires configuring
> > > tunnels between each of the HA nodes, as the nodes communicate with each
> > > other. I believe that it should be possible to configure SSH
> > > tunnels, though I cannot give you any useful advice on how to do that.
> > >
> > > You can download Qpid Broker distribution files from Qpid Download
> > > page at http://qpid.apache.org/download.html.
> > >
> > > Kind Regards,
> > > Alex
> > >
> > >
> > > On Fri, 6 Nov 2020 at 04:50, Malyala, Kirankumar
> > > <[hidden email]> wrote:
> > >
> > > > Hi Alex,
> > > >
> > > > We are using broker-j (for java). As of now, we are exploring on
> > > > version
> > > 7.
> > > > Please do let us know if you want any other information.
> > > >
> > > > Regards,
> > > > Kirankumar Malyala
> > > >
> > > > -----Original Message-----
> > > > From: Oleksandr Rudyy <[hidden email]>
> > > > Sent: Friday, November 6, 2020 5:44 AM
> > > > To: [hidden email]
> > > > Subject: [External] Re: Queries on Qpid setup
> > > >
> > > > Hi Kirankumar,
> > > > Could you please clarify which Qpid broker exactly you are trying
> > > > to use?
> > > > There are two brokers in the Qpid project: the C++ broker and Broker-J
> > > > (for Java).
> > > >
> > > > Are you using Qpid Broker-J?
> > > >
> > > > Kind regards,
> > > > Alex
> > > >
> > > > On Thu, 5 Nov 2020 at 08:05, Malyala, Kirankumar
> > > > <[hidden email]> wrote:
> > > >
> > > > > Hi Team,
> > > > >
> > > > > We have been doing some POC on Qpid. While working on the
> > > > > configuration, we came across multiple blockers which we have
> > > > > mentioned below.
> > > > >
> > > > >
> > > > >   *   How to use a specific version of TLS encryption for Qpid if we
> > > > > deploy on a VM.
> > > > >   *   We understood from the Qpid documentation that we have to
> > > > > deploy the broker on multiple VMs to create a group and introduce
> > > > > master/replica nodes. Any SOP on this part?
> > > > >   *   How to apply SSL/TLS encryption to replicas in the group
> > > > > consisting of master and replica nodes using SSH tunnel/IPsec.
> > > > >   *   How can we fetch file in Apache
> > > > >
> > > > > Please let us know if someone from your team can guide us on
> > > > > these points.
> > > > >
> > > > > Regards,
> > > > > Kirankumar Malyala
> > > > >
> > > > > ________________________________
> > > > >
> > > > > This message is for the designated recipient only and may
> > > > > contain privileged, proprietary, or otherwise confidential
> > > > > information. If you have received it in error, please notify the
> > > > > sender immediately and delete the original. Any other use of the
> > > > > e-mail by you is
> > > prohibited.
> > > > > Where allowed by local law, electronic communications with
> > > > > Accenture and its affiliates, including e-mail and instant
> > > > > messaging (including content), may be scanned by our systems for
> > > > > the purposes of information security and assessment of internal
> > > > > compliance with
> > > > Accenture policy. Your privacy is important to us.
> > > > > Accenture uses your personal data only in compliance with data
> > > > > protection laws. For further information on how Accenture
> > > > > processes your personal data, please see our privacy statement
> > > > > at https://www.accenture.com/us-en/privacy-policy.
> > > > >
> > > > > ________________________________________________________________
> > > > > __
> > > > > __
> > > > > __
> > > > > ________________
> > > > >
> > > > > http://www.accenture.com
> > > > >
> > > >
> > >
> >
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]