Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-2755

Provide a way to perform custom validation of TLS client certificates

XMLWordPrintable

    • Documentation (Ref Guide, User Guide, etc.)
    • +
    • Hide
      In AMQ Broker 7.6, an administrator can specify an SSL TrustManagerFactory plugin in the broker configuration to associate with the SSL context. This option enables custom validation of TLS client certificates.
       
      Specifically, a new configuration parameter, `trustManagerFactoryPlugin` can now be specified on an acceptor or connector. The value of `trustManagerFactoryPlugin` defines the name of the class that implements the `org.apache.activemq.artemis.api.core.TrustManagerFactoryPlugin` interface. The single method in this interface returns a `TrustManagerFactory` value that is used when the underlying `javax.net.ssl.SSLContext` is initialized.

      The value of `trustManagerFactoryPlugin` takes precedence over all other SSL parameters that apply to the trust manager (that is, `trustAll`, `truststoreProvider`, `truststorePath`, `truststorePassword`, `crlPath`).
      Show
      In AMQ Broker 7.6, an administrator can specify an SSL TrustManagerFactory plugin in the broker configuration to associate with the SSL context. This option enables custom validation of TLS client certificates.   Specifically, a new configuration parameter, `trustManagerFactoryPlugin` can now be specified on an acceptor or connector. The value of `trustManagerFactoryPlugin` defines the name of the class that implements the `org.apache.activemq.artemis.api.core.TrustManagerFactoryPlugin` interface. The single method in this interface returns a `TrustManagerFactory` value that is used when the underlying `javax.net.ssl.SSLContext` is initialized. The value of `trustManagerFactoryPlugin` takes precedence over all other SSL parameters that apply to the trust manager (that is, `trustAll`, `truststoreProvider`, `truststorePath`, `truststorePassword`, `crlPath`).
    • Documented as Feature Request
    • Verified in a release

      ActiveMQ provided a way for the administrator to add a customer definition of an SSLContext to the server configuration. It was therefore possible to do custom validation of client certificates by, for example, associating a custom X509TrustManager to the SSLContext.

      Artemis provides no comparable way to do this. To provide a comparable facility, we need to allow plugins access to the Netty transport layer, or otherwise to allow similar, protocol-level configurability.

            rhn-support-jbertram Justin Bertram
            rhn-support-kboone Kevin Boone
            Tiago Bueno Tiago Bueno
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: