6.4 Certificate-based security
Earlier in this chapter we discussed securing the broker with ActiveMQ plugins that authenticate clients and authorize their access to message destinations. Those plugins work well, but they store client identity information such as usernames and passwords in plain text. For most users and most scenarios this is adequate, but some organizations prefer to rely on SSL certificates for security. In chapter 4 we already covered the SSL transport connector and how to use certificates. In this section we expand the discussion of certificates and show how to use the SSL transport connector (together with the plugins) to secure the broker. We will see how to authenticate clients with certificates, and how to assign them different access rights according to the certificate they use to connect to the broker.
In this section we continue to use the publisher and consumer from the stock portfolio example, but this time each of them uses a different certificate to identify itself and to obtain permission to publish or consume messages on the broker's destinations.
6.4.1 Preparing the certificates
Let's start by creating the certificates. The procedure is similar to configuring a basic SSL transport connector in chapter 4. The example code that accompanies this book contains all of the certificates, so you can use them in this example.
We will create two certificates. The first is named producer and is stored in a keystore file named myproducer.ks. The command that creates it is as follows:
C:\Users\goudcheng\tt>keytool -genkey -alias producer -keyalg RSA -keystore myproducer.ks
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: producer
What is the name of your organizational unit?
[Unknown]: Chapter 6
What is the name of your organization?
[Unknown]: ActiveMQ in Action
What is the name of your City or Locality?
[Unknown]: Belgrade
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]: RS
Is CN=producer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS correct?
[no]: yes
Enter key password for <producer>
(RETURN if same as keystore password):
Re-enter new password:
We also need a certificate named consumer, stored in a keystore file named myconsumer.ks. It is created with the following command:
C:\Users\goudcheng\tt>keytool -genkey -alias consumer -keyalg RSA -keystore myconsumer.ks
Enter keystore password:test123
Re-enter new password:
What is your first and last name?
[Unknown]: consumer
What is the name of your organizational unit?
[Unknown]: Chapter 6
What is the name of your organization?
[Unknown]: ActiveMQ in Action
What is the name of your City or Locality?
[Unknown]: Belgrade
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]: RS
Is CN=consumer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS correct?
[no]: yes
Enter key password for <consumer>
(RETURN if same as keystore password):
6.4.2 Creating a truststore
The next step is to import the certificates created above into the broker's truststore. First, the certificates must be exported from their keystores. The following command exports the certificate from the producer keystore:
C:\Users\goudcheng\tt>keytool -export -alias producer -keystore myproducer.ks -file producer_cert
Enter keystore password:
Certificate stored in file <producer_cert>
The following command exports the certificate from the consumer keystore:
C:\Users\goudcheng\tt>keytool -export -alias consumer -keystore myconsumer.ks -file consumer_cert
Enter keystore password:
Certificate stored in file <consumer_cert>
With the JMS client certificates exported, we need to create the broker's truststore. Creating the truststore and importing the producer and consumer certificates into it is straightforward. First, import the producer certificate into the broker's truststore with the following command:
C:\Users\goudcheng\tt>keytool -import -alias producer -keystore mybroker.ts -file producer_cert
Enter keystore password:
Re-enter new password:
Owner: CN=producer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
Issuer: CN=producer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
Serial number: 56da57a9
Valid from: Sat Mar 05 11:51:05 CST 2016 until: Fri Jun 03 11:51:05 CST 2016
Certificate fingerprints:
MD5: 05:54:CC:3B:0E:EC:DC:6B:C3:19:25:48:0C:EF:15:AC
SHA1: 4F:84:70:2E:EB:A4:E9:E7:54:15:57:AE:FF:94:53:29:E2:11:FF:4D
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
Next, import the consumer certificate into the broker's truststore with the following command:
C:\Users\goudcheng\tt>keytool -import -alias consumer -keystore mybroker.ts -file consumer_cert
Enter keystore password:
Owner: CN=consumer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
Issuer: CN=consumer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
Serial number: 56da55da
Valid from: Sat Mar 05 11:43:22 CST 2016 until: Fri Jun 03 11:43:22 CST 2016
Certificate fingerprints:
MD5: 54:36:3E:BE:47:8E:27:41:9C:98:6C:01:5E:BA:6B:09
SHA1: DF:CF:62:15:0C:7C:9E:A8:9A:01:B5:74:6E:FB:31:EE:45:61:4C:D9
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
With the broker's truststore prepared, it has to be placed where the configuration file can reach it. Certificates are usually kept in the ${ACTIVEMQ_HOME}/conf/ directory, where all configuration-related files live. The example in this section uses the truststore prepared above, so all you need to do is copy the truststore into the directory that holds the configuration files, using the following command:
6.4.3 Configuring the broker
The configuration below uses the truststore prepared above to configure the SSL transport connector, which determines which clients may connect to the broker, and uses the jaasCertificateAuthenticationPlugin to control which resources on the broker a client may access.
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost" dataDirectory="${activemq.base}/data">
    <plugins>
        <jaasCertificateAuthenticationPlugin configuration="activemq-certificate" />
        <authorizationPlugin>
            <map>
                <authorizationMap>
                    <authorizationEntries>
                        <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
                        <authorizationEntry topic="STOCKS.>" read="consumers" write="publishers" admin="publishers" />
                        <authorizationEntry topic="STOCKS.ORCL" read="guests" />
                        <authorizationEntry topic="ActiveMQ.Advisory.>" read="admins,publishers,consumers,guests"
                            write="admins,publishers,consumers,guests" admin="admins,publishers,consumers,guests" />
                    </authorizationEntries>
                </authorizationMap>
            </map>
        </authorizationPlugin>
    </plugins>
    <sslContext>
        <sslContext keyStore="file:${activemq.base}/conf/mybroker.ks"
            keyStorePassword="test123"
            trustStore="file:${activemq.base}/conf/mybroker.ts"
            trustStorePassword="test123"/>
    </sslContext>
    <transportConnectors>
        <transportConnector name="openwire" uri="tcp://localhost:61616"/>
        <transportConnector name="ssl" uri="ssl://localhost:61617?needClientAuth=true" />
    </transportConnectors>
</broker>
Two parts of this configuration deserve attention. First, the <sslContext> element sets the trustStore and trustStorePassword attributes, which let the broker use the truststore we defined earlier.
Second, the URI of the SSL transport connector sets needClientAuth to true, so the broker requires every connecting client to present a certificate, and only a client whose certificate is in the server's truststore is allowed to connect.
6.4.4 How the authorization works
At this point, authentication with certificates is configured. Next we need to look at authorization, which is why we used the jaasCertificateAuthenticationPlugin. This plugin is similar to the JAAS plugin used earlier in this chapter. The jaasCertificateAuthenticationPlugin is configured to refer to the activemq-certificate entry in the login.config file, which looks like this:
activemq-certificate
{
    org.apache.activemq.jaas.TextFileCertificateLoginModule required debug=true
        org.apache.activemq.jaas.textfiledn.user="users.properties"
        org.apache.activemq.jaas.textfiledn.group="groups.properties";
};
With TextFileCertificateLoginModule, the login.config file differs from the one used earlier with PropertiesLoginModule, but it still points at the appropriate properties files.
Let's look at the contents of users.properties:
admin=password
publisher=password
consumer=password
guest=password
sslconsumer=CN=consumer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
sslpublisher=CN=producer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
As you can see, two certificate users, sslconsumer and sslplusher, have been added. You may have noticed that in users.properties a certificate is mapped to a given username: information from the certificate (its subject DN) is mapped onto that username.
Once a certificate is mapped to a username, the username can be placed in groups in groups.properties, as shown here:
admins=admin
publishers=admin,publisher,sslpublisher
consumers=admin,publisher,consumer,sslconsumer
guests=guest
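As an added illustration (not code from the book or from ActiveMQ itself), the following Python models the two steps the configuration above performs: the lookup of a client certificate's subject DN in users.properties and groups.properties that TextFileCertificateLoginModule does, and the check of the resulting groups against the authorizationEntries. The destination wildcard matching and the union of all matching entries are a simplified model assumed here for illustration; the property files are constructed copies of the ones shown on this page.

```python
# Added example (not ActiveMQ's code): a client certificate's subject DN is
# mapped to a user, the user to groups, and the groups checked against the
# authorizationEntries above. Constructed copies of the page's files follow.
USERS_PROPERTIES = """\
admin=password
publisher=password
consumer=password
guest=password
sslconsumer=CN=consumer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
sslpublisher=CN=producer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
"""
GROUPS_PROPERTIES = """\
admins=admin
publishers=admin,publisher,sslpublisher
consumers=admin,publisher,consumer,sslconsumer
guests=guest
"""
AUTH_ENTRIES = [(">", {"admins"}, {"admins"}),            # (pattern, read, write)
                ("STOCKS.>", {"consumers"}, {"publishers"}),
                ("STOCKS.ORCL", {"guests"}, set())]

def parse_properties(text):
    """Split key=value lines on the first '=' only, because a DN contains '='."""
    pairs = (line.partition("=") for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, _, v in pairs}

def user_for_dn(subject_dn):  # exact DN match; an unmapped DN yields None
    users = parse_properties(USERS_PROPERTIES)
    return next((u for u, dn in users.items() if dn == subject_dn), None)

def groups_for_user(user):
    groups = parse_properties(GROUPS_PROPERTIES)
    return {g for g, members in groups.items() if user in members.split(",")}

def topic_matches(pattern, topic):
    """Assumed simplified wildcards: '*' is one segment, '>' all remaining ones."""
    p, t = pattern.split("."), topic.split(".")
    for i, seg in enumerate(p):
        if seg == ">":
            return len(t) > i
        if i >= len(t) or seg not in ("*", t[i]):
            return False
    return len(p) == len(t)

def can_access(subject_dn, topic, op):
    """op is 'read' or 'write'; allowed groups are unioned over matching entries."""
    user = user_for_dn(subject_dn)
    if user is None:
        return False  # a trusted certificate with an unmapped DN fails login
    allowed = set().union(*(r if op == "read" else w for p, r, w in AUTH_ENTRIES
                            if topic_matches(p, topic)))
    return bool(groups_for_user(user) & allowed)
```

Note that a certificate which is in the truststore but whose DN has no line in users.properties passes the TLS handshake yet still fails login, so the mapping file is as much a part of the access control as the truststore.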
6.4.5 Testing
Now, using the configuration above and the login.config file, start the broker with the following command:
activemq -Djava.security.auth.login.config=ch6/activemq_ssl
With the broker ready, let's see what happens when clients with different certificates access it. For example, if we access the broker using the certificate from chapter 4, the connection is refused because that certificate is not in the broker's truststore.
-Djavax.net.ssl.keyStore=${ACTIVEMQ_HOME}/conf/client.ks \
-Djavax.net.ssl.keyStorePassword=password \
-Djavax.net.ssl.trustStore=${ACTIVEMQ_HOME}/conf/client.ts \
Source: oschina
Link: https://my.oschina.net/u/2010394/blog/631381