
6.4 Certificate-based security

Earlier in this chapter, we described ActiveMQ plug-ins used to secure the broker by authenticating the clients and authorizing the access to destinations. These plug-ins do their work properly, but they store client credentials using plain user names and passwords. Though this is sufficient for most users and use cases, some organizations prefer to implement security using SSL certificates. We've already discussed the SSL transport and how it uses certificates in chapter 4. In this section we'll expand on that material and show you how the SSL transport (along with a supporting plug-in) can be used to secure the broker. We'll see how we can authenticate clients using their certificates, but also how we can give those clients different access rights based on the certificate they use to connect to the broker.

For the example in this section we'll use our stock portfolio publisher and consumer. This time, though, they'll use different certificates which identify them and give them access to publish to and consume from broker destinations.

 6.4.1 Preparing certificates

Let's start by creating the appropriate certificates. The procedure here is similar to the one we used in chapter 4 for the basic SSL transport setup. We've provided all these certificates in the examples that come with the book, so you can use them to run the example.

We'll create two certificates: one named producer and contained in the myproducer.ks keystore:

and another called consumer and stored in the myconsumer.ks keystore:

Note the info of the certificates we create, as we'll use it to grant or deny access to the broker later. Of course, in production environments you should consider keeping certificates in secure locations to provide better security for the whole system.

 6.4.2 Creating a truststore

The next thing we need to do is import these certificates into the broker's truststore. But first we need to export them from their keystores. Use the following command to export the producer certificate from its keystore:

as well as the following command to export the consumer certificate from its keystore:

Now that the JMS client certificates have been exported, the broker truststore must be created. Creating a broker truststore and importing the producer and consumer certificates is a rather straightforward task. First import the producer certificate into the broker truststore:

Then import the consumer certificate into the broker truststore:

After the broker truststore is ready, we need to place it somewhere where we can reference it from the configuration file. This is usually the ${ACTIVEMQ_HOME}/conf/ folder, where all other configuration resources reside. We've provided this truststore with the examples, so all you have to do is copy it to the right place:

Now let's focus on the configuration file and how we can use this truststore to configure ActiveMQ security.
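The keystore and truststore procedure of sections 6.4.1 and 6.4.2, as an added example that is not the book's listings (the book's own keytool commands are not reproduced on this page): it drives keytool from Python and finishes with the check a practitioner wants before pointing a broker at the file, a listing of the truststore to confirm that exactly the producer and consumer certificates were imported. Assumed, and not from the page: that keytool from a JDK is on PATH, the truststore file name broker.ts, the passwords, and the subject DNs.

```python
"""Create the client keystores and the broker truststore with keytool.

Added example: not the book's listings. Assumptions (not from the page):
keytool from a JDK is on PATH, the broker truststore is called broker.ts,
and the passwords and subject DNs below are constructed sample values.
"""
import shutil
import subprocess
import tempfile

# Constructed per client: alias -> (keystore file from the page, subject DN).
CLIENTS = {
    "producer": ("myproducer.ks", "CN=producer, OU=activemq, O=example.org"),
    "consumer": ("myconsumer.ks", "CN=consumer, OU=activemq, O=example.org"),
}
TRUSTSTORE = "broker.ts"   # assumed name for the broker truststore
STOREPASS = "password"     # constructed; never ship a real store with this


def keytool_available():
    return shutil.which("keytool") is not None


def keystore_commands(alias, keystore, dname):
    """Two keytool runs: generate the client key pair, then export its certificate."""
    generate = ["keytool", "-genkey", "-alias", alias, "-keyalg", "RSA", "-keysize", "2048",
                "-validity", "365", "-dname", dname, "-keystore", keystore,
                "-storepass", STOREPASS, "-keypass", STOREPASS]
    export = ["keytool", "-export", "-rfc", "-alias", alias, "-keystore", keystore,
              "-storepass", STOREPASS, "-file", alias + "_cert"]
    return [generate, export]


def truststore_commands(alias):
    """Import the exported certificate into the broker truststore (-noprompt skips the 'trust?' question)."""
    return [["keytool", "-import", "-noprompt", "-alias", alias, "-file", alias + "_cert",
             "-keystore", TRUSTSTORE, "-storepass", STOREPASS]]


def truststore_aliases(workdir):
    """Check: list the truststore and return the aliases of its trusted certificates."""
    listing = subprocess.run(
        ["keytool", "-list", "-keystore", TRUSTSTORE, "-storepass", STOREPASS],
        cwd=workdir, check=True, capture_output=True, text=True).stdout
    return sorted(line.split(",")[0].strip()
                  for line in listing.splitlines() if "trustedCertEntry" in line)


def build_truststore(workdir):
    """Run the whole 6.4.1/6.4.2 procedure inside workdir and return the truststore aliases."""
    for alias, (keystore, dname) in CLIENTS.items():
        for cmd in keystore_commands(alias, keystore, dname) + truststore_commands(alias):
            subprocess.run(cmd, cwd=workdir, check=True, capture_output=True)
    return truststore_aliases(workdir)


def demo():
    """Build everything in a throwaway directory; returns ['consumer', 'producer'] when keytool works."""
    with tempfile.TemporaryDirectory() as workdir:
        return build_truststore(workdir)


if __name__ == "__main__":
    print(demo() if keytool_available() else "keytool not found on PATH")
```

The subject DN passed to -dname is the "info of the certificate" the text tells you to note: it is the exact string that user.properties later maps to a username, so generating it explicitly rather than answering keytool's interactive prompts avoids a silent mismatch. The final listing is also the place to spot a certificate that should not be in the truststore at all.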

 6.4.3 Configuring the broker

The XML configuration file shown in the following listing uses the provided truststore to instruct the SSL transport which clients are allowed to connect to the broker, and then uses jaasCertificateAuthenticationPlugin (shown in bold) to authorize their access to broker resources.

Listing 6.7 Configuring certificate-based security

A few things are worth noting in this configuration file, as shown in bold. First of all, we added the trustStore and trustStorePassword properties to the <sslContext> configuration, which allows us to use our previously defined broker truststore. Next, we set needClientAuth=true in the SSL transport URI, which instructs the broker to check connecting clients' certificates and allow access only to those found in the truststore.

 6.4.4 Authorization explained

Now that we've covered authentication with certificates, it's time to take care of authorization, and that's why we use jaasCertificateAuthenticationPlugin. This plug-in is similar to the JAAS plug-in we used earlier in this chapter. We now configure it to look at the activemq-certificate configuration in login.config, which should look like this:

The login.config file is now different in that it uses TextFileCertificateLoginModule instead of PropertiesLoginModule, configured using the appropriate properties files. Now it's time to see what the user.properties file looks like:

As you can see, we added our two certificates as the sslconsumer and sslpublisher users. Note that the user.properties file is the place where you map a certificate to a certain username; we used the appropriate info from each certificate to map it to the desired username. Now that we have a username, we can put it in a certain group using the groups.properties file:

Once we have our users in their groups, the authorizationPlugin kicks in and authorizes access to the broker's destinations.

 6.4.5 Testing it out

Now let's start the broker using the configuration and login.config file from earlier:

The broker is ready, so let's now see how clients behave depending on which certificate they use. For example, if we try to access the broker with the original certificate used in chapter 4, we can expect that access will be denied, as that certificate isn't in the broker's truststore.

Note that we're using the client truststore from the original SSL example here, since nothing has changed regarding certificates on the broker side. Now let's start the publisher with the appropriate certificate and see how it works:

As expected, the publisher successfully sends stock portfolio updates to the broker in this case. Now let's see how to start a consumer with a proper certificate:

Finally, we can test that our authorization settings work fine. As you can see from our broker configuration, consumers shouldn't be allowed to send messages to our stock-related topics. So if you try to do it, the operation should fail:
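The authorization chain explained in 6.4.4, together with the outcome tested in 6.4.5 (a client presenting the consumer certificate cannot publish to the stock topics), as an added example rather than ActiveMQ's own code: a small Python model of what TextFileCertificateLoginModule does with user.properties and groups.properties and what the authorizationPlugin does with its authorization entries. The user names sslpublisher and sslconsumer come from the page; the file contents, DNs, group names, destination rules and the wildcard matching are constructed, simplified stand-ins for this example.

```python
"""Model of the certificate -> user -> group -> destination authorization chain.

Added example, not ActiveMQ's code: a simplified re-implementation of what
TextFileCertificateLoginModule does with user.properties and groups.properties,
and what the authorizationPlugin does with its authorization entries.
All file contents, DNs, group names and destination rules are constructed.
"""

# Constructed user.properties: username = subject DN of the client certificate.
USER_PROPERTIES = """\
sslpublisher=CN=producer, OU=activemq, O=example.org
sslconsumer=CN=consumer, OU=activemq, O=example.org
"""

# Constructed groups.properties: group = comma-separated usernames.
GROUPS_PROPERTIES = """\
publishers=sslpublisher
consumers=sslconsumer
"""

# Constructed stand-in for the broker's <authorizationEntry> elements:
# (destination pattern, groups allowed to read, to write, to admin).
AUTHORIZATION_ENTRIES = [
    ("STOCKS.>", {"consumers"}, {"publishers"}, {"publishers", "consumers"}),
    ("ActiveMQ.Advisory.>", {"consumers", "publishers"}, {"consumers", "publishers"},
     {"consumers", "publishers"}),
]
OPERATIONS = {"read": 1, "write": 2, "admin": 3}


def parse_properties(text):
    """Minimal key=value parser; split on the first '=' only, since DNs contain '=' too."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def user_for_dn(dn, users=USER_PROPERTIES):
    """Authentication: the presented certificate's subject DN must equal a mapped DN exactly."""
    by_dn = {dn_value: user for user, dn_value in parse_properties(users).items()}
    return by_dn.get(dn)


def groups_for_user(user, groups=GROUPS_PROPERTIES):
    return {group for group, members in parse_properties(groups).items()
            if user in [m.strip() for m in members.split(",")]}


def destination_matches(pattern, destination):
    """Simplified ActiveMQ wildcards: '*' matches one path segment, '>' one or more remaining ones."""
    pat, dest = pattern.split("."), destination.split(".")
    for i, p in enumerate(pat):
        if p == ">":
            return len(dest) > i
        if i >= len(dest) or (p != "*" and p != dest[i]):
            return False
    return len(pat) == len(dest)


def authorize(dn, destination, operation):
    """Return (username, allowed). Unknown certificates fail before any group lookup,
    and a destination with no matching entry is denied by default."""
    user = user_for_dn(dn)
    if user is None:
        return None, False
    groups = groups_for_user(user)
    for entry in AUTHORIZATION_ENTRIES:
        if destination_matches(entry[0], destination):
            return user, bool(groups & entry[OPERATIONS[operation]])
    return user, False


if __name__ == "__main__":
    producer = "CN=producer, OU=activemq, O=example.org"
    consumer = "CN=consumer, OU=activemq, O=example.org"
    print(authorize(producer, "STOCKS.IBM", "write"))            # ('sslpublisher', True)
    print(authorize(consumer, "STOCKS.IBM", "write"))            # ('sslconsumer', False), as in 6.4.5
    print(authorize("CN=chapter4client", "STOCKS.IBM", "read"))  # (None, False): DN not in user.properties
```

Two points of the model carry over to the real setup: the DN in user.properties has to match the certificate subject character for character (a reordered or re-spaced DN authenticates nobody), and a certificate that the truststore accepts but user.properties does not list still ends at the authentication step, which is the first place to look when a "trusted" client is rejected.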

In this section, we learned how to leverage what we knew about the SSL transport (and configuring certificates) and, with a bit of work, configured certificate-based security for the ActiveMQ broker. This brings ActiveMQ security to an entirely new level and makes it a perfect fit for organizations with tight security requirements.



Permalink: https://www.jack-yin.com/coding/translation/activemq-in-action/1525.html | 边城网事

Posted by 边城网事 on 30 October 2013 in the category "ActiveMQ in Action reading notes"; you may leave a comment and quote this post on your site or blog provided the original URL and author are kept.
Original article; when reposting please credit: 6.4 Certificate-based security | 边城网事
