Qpid provides authentication, rule-based authorization, encryption, and digital signing.
Authentication of client connections to the broker is done using the Simple Authentication and Security Layer (SASL), a framework that supports a variety of authentication mechanisms. For secure applications, we suggest CRAM-MD5, DIGEST-MD5, or GSSAPI (Kerberos). The ANONYMOUS mechanism performs no authentication at all and is not secure. The PLAIN mechanism sends the password in clear text, so it is secure only when used together with SSL.
To enable Kerberos in a client, set the `sasl-mechanism` connection option to `GSSAPI`:

```cpp
Connection connection(broker);
connection.setOption("sasl-mechanism", "GSSAPI");
try {
    connection.open();
    ...
} catch (const std::exception& error) {
    std::cerr << error.what() << std::endl;
    connection.close();
}
```
For Kerberos authentication, if the user running the program is already authenticated (for example with kinit), there is no need to supply a user name or password. If you are using another form of authentication, or are not already authenticated with Kerberos, you can supply these as connection options:

```cpp
connection.setOption("username", "mick");
connection.setOption("password", "pa$$word");
```
Encryption and signing are done using SSL (they can also be done using SASL, but SSL provides stronger encryption). To enable SSL, set the `protocol` connection option to `ssl`:

```cpp
connection.setOption("protocol", "ssl");
```
Use the following environment variables to configure the SSL client:

Table 2.7. SSL Client Environment Variables for C++ clients

| Variable | Description |
|---|---|
| SSL_USE_EXPORT_POLICY | Use NSS export policy |
| SSL_CERT_PASSWORD_FILE=PATH | File containing the password used to access the certificate database |
| SSL_CERT_DB=PATH | Path to the directory containing the certificate database |
| SSL_CERT_NAME=NAME | Name of the certificate to use. When SSL client authentication is enabled, a certificate name should normally be provided. |
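The SASL and SSL guidance above amounts to a small policy: never accept ANONYMOUS, accept PLAIN only over SSL, expect credentials unless GSSAPI is using a Kerberos ticket cache, and make sure the NSS certificate database variables from Table 2.7 are present before asking for SSL. The following pre-flight check is an added example and not part of the Qpid documentation or code base. It stands in a plain `std::map` for the options that would otherwise go through `Connection::setOption()`, so it compiles without the Qpid headers, and the `clientAuth` flag is a hypothetical parameter meaning "the broker requires an SSL client certificate", not a Qpid option.

```cpp
#include <cstdlib>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Connection options as they would be handed to Connection::setOption();
// a plain map so this example compiles without Qpid (assumption, not the API).
typedef std::map<std::string, std::string> Options;
// The SSL environment variables, kept as a map so a constructed environment
// can be checked the same way as the real one.
typedef std::map<std::string, std::string> Env;

struct CheckResult {
    bool ok;
    std::vector<std::string> problems;
};

static std::string lookup(const std::map<std::string, std::string>& m,
                          const std::string& key) {
    std::map<std::string, std::string>::const_iterator it = m.find(key);
    return it == m.end() ? std::string() : it->second;
}

// clientAuth is a hypothetical flag: true when the broker demands an SSL
// client certificate, in which case SSL_CERT_NAME must be set.
CheckResult checkSecurity(const Options& opts, const Env& env, bool clientAuth) {
    CheckResult r;
    const std::string mech = lookup(opts, "sasl-mechanism");
    const bool ssl = lookup(opts, "protocol") == "ssl";

    if (mech.empty()) {
        r.problems.push_back("sasl-mechanism not pinned; the broker could negotiate ANONYMOUS or PLAIN");
    } else if (mech == "ANONYMOUS") {
        r.problems.push_back("ANONYMOUS performs no authentication");
    } else if (mech == "PLAIN") {
        if (!ssl) r.problems.push_back("PLAIN sends the password in clear text; use protocol=ssl");
    } else if (mech != "CRAM-MD5" && mech != "DIGEST-MD5" && mech != "GSSAPI") {
        r.problems.push_back("unrecognised mechanism: " + mech);
    }

    // GSSAPI normally uses the ticket cache filled by kinit; the other
    // mechanisms need explicit credentials.
    if (!mech.empty() && mech != "GSSAPI" && mech != "ANONYMOUS" &&
        (lookup(opts, "username").empty() || lookup(opts, "password").empty())) {
        r.problems.push_back(mech + " needs the username and password options");
    }

    if (ssl) {
        if (lookup(env, "SSL_CERT_DB").empty())
            r.problems.push_back("protocol=ssl but SSL_CERT_DB is not set; NSS has no trust store");
        if (clientAuth && lookup(env, "SSL_CERT_NAME").empty())
            r.problems.push_back("client certificate required but SSL_CERT_NAME is not set");
    }
    r.ok = r.problems.empty();
    return r;
}

// Collect the variables from Table 2.7 out of the real process environment.
Env currentEnv() {
    static const char* const names[] = {
        "SSL_USE_EXPORT_POLICY", "SSL_CERT_PASSWORD_FILE", "SSL_CERT_DB", "SSL_CERT_NAME"};
    Env e;
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); ++i) {
        const char* v = std::getenv(names[i]);
        if (v) e[names[i]] = v;
    }
    return e;
}

int main() {
    Options opts;
    opts["sasl-mechanism"] = "GSSAPI";   // Kerberos via kinit, no password needed
    opts["protocol"] = "ssl";
    CheckResult r = checkSecurity(opts, currentEnv(), false);
    for (size_t i = 0; i < r.problems.size(); ++i)
        std::cerr << "refusing to connect: " << r.problems[i] << std::endl;
    return r.ok ? 0 : 1;   // only call connection.open() when the check passes
}
```

Run it with `SSL_CERT_DB` unset and it refuses the SSL connection rather than letting the client fall back to an unverified or cleartext session; run it with `sasl-mechanism` set to `PLAIN` and no `protocol` option and it reports the cleartext password before any credentials leave the host.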