Bug 895515

Summary: '--ssl-key' option missing in several management tools
Product: Red Hat Enterprise MRG
Reporter: Petr Matousek <pematous>
Component: qpid-tools
Assignee: Ken Giusti <kgiusti>
Status: CLOSED ERRATA
QA Contact: Petra Svobodová <psvobodo>
Severity: low
Docs Contact:
Priority: medium
Version: Development
CC: iboverma, jross, kgiusti, psvobodo
Target Milestone: 3.0
Keywords: Patch
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: qpid-tools-0.22-3.el6, qpid-tools-0.22-3.el5
Doc Type: Bug Fix
Doc Text:
It was discovered that some of the QPID command-line tools did not provide a way for the user to supply a private key when a certificate was used to identify the user of the command to the broker. This caused the command to fail because it was not able to use the certificate without the key. The fix ensures all QPID command-line tools that allow user identification through a self-identifying certificate now allow the private key to be supplied via the `--ssl-key` option. This option takes a path to a file that contains the certificate's private key in PEM format. The command-line tool now presents the certificate to the broker for authorization, and the command is executed successfully. This feature is documented in the "Enable SSL in Python Clients" section of the Messaging Installation and Configuration Guide and the "Connection Options Reference" of the Messaging Programming Reference Guide.
Last Closed: 2014-09-24 15:05:13 UTC
Type: Bug

Description Petr Matousek 2013-01-15 12:23:04 UTC
Description of problem:

Besides '--ssl-certificate', several management tools also offer the '--ssl-key' option (qpid-config, qpid-printevents, qpid-stat) and some don't (qpid-queue-stats, qpid-route, qpid-cluster). Implement the option in all the management tools that support ssl. All the management tools shall be consistent.

Version-Release number of selected component (if applicable):
qpid-tools-0.18-7.el5

How reproducible:
100%

Steps to Reproduce:
n/a
  
Actual results:
Not all the management tools offer the '--ssl-key' option

Expected results:
All the management tools that support ssl offer the '--ssl-key' option

Comment 1 Ken Giusti 2013-02-06 14:40:35 UTC
I believe the fix for BZ895535 addresses this bug also:

https://bugzilla.redhat.com/show_bug.cgi?id=895535

Petr, do you agree?

Comment 3 Petr Matousek 2013-02-06 15:50:18 UTC
I agree that this issue is solved (starting from qpid-tools-0.18-8, all the qpid-tools that support the '--ssl-certificate' option support the '--ssl-key' option as well).

I do not agree that this bug is a duplicate of bug 895535 and I believe that the standard procedure shall be applied: MODIFIED -> ON_QA -> VERIFIED.

From my point of view this issue is solved and already tested on the QE side and may be included in the 2.3 release. Adding qa_ack+.

Comment 4 Petr Matousek 2013-02-08 14:20:43 UTC
There is still one tool that supports the '--ssl-certificate' option and is missing the '--ssl-key' option: qpid-tool (tested package: qpid-tools-0.18-8)

Note: The ssl certificate can be passed through the second command line argument atm.

Moreover, the supported ssl-certificate option is not listed in the help for the command:

# qpid-tool --help
Usage:  qpid-tool [[<username>/<password>@]<target-host>[:<tcp-port>]]

expected syntax:

Usage:  qpid-tool [[<username>/<password>@]<target-host>[:<tcp-port>]] <ssl_certfile> <ssl_keyfile>

OR

Usage:  qpid-tool [[<username>/<password>@]<target-host>[:<tcp-port>]]     
options:
    --ssl-certificate=<cert>
                        Client SSL certificate (PEM Format)
    --ssl-key=<key>     Client SSL private key (PEM Format)


Expected fix:
Add support for '--ssl-key' option to qpid-tool
List the ssl options in the command help

Comment 11 Petr Matousek 2013-02-14 10:56:46 UTC
QE Note: All of the qpid-tools except 'qpid-tool' were already updated to support the '--ssl-key' option and the functionality of the option was already verified in the MRG/M 2.3 release.

So this bug tracks only the last remaining issue, listed in comment 4.

Comment 12 Justin Ross 2013-02-23 12:49:34 UTC
Bug 710429 has a patch that addresses the issue in comment 4.

(In reply to comment #11)
> QE Note: All of the qpid-tools except 'qpid-tool' were already updated to
> support the '--ssl-key' option and the functionality of the option was already
> verified in the MRG/M 2.3 release.
>
> So this bug tracks only the last remaining issue, listed in comment 4.

Comment 13 Ken Giusti 2013-04-16 23:41:48 UTC
Upstream patch should resolve the issues as described in comment 4:

http://svn.apache.org/viewvc?view=revision&revision=1468683

Comment 17 Petra Svobodová 2013-12-20 13:48:12 UTC
All qpid-tools (qpid-config, qpid-stat, qpid-route, qpid-queue-stats, qpid-printevents and qpid-tool) provide the options --ssl-certificate and --ssl-key and display them in their help.
Functionality of the --ssl-key connection option of the tools is verified in bug 895535.

Verified on package qpid-tools-0.22-7 on RHEL 6.5 on i386 and x86_64 architectures.

--> VERIFIED
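
The help-output consistency check described in comment 17, written out as an added example (not part of this bug report and not qpid-tools code): it reports which of `--ssl-certificate` and `--ssl-key` a tool's `--help` output fails to list. The tool names come from comment 17 and the sample help text from comment 4; the function names are illustrative assumptions.

```python
import re
import subprocess

REQUIRED = ("--ssl-certificate", "--ssl-key")

# Tool names as listed in comment 17 of this bug.
TOOLS = ("qpid-config", "qpid-stat", "qpid-route",
         "qpid-queue-stats", "qpid-printevents", "qpid-tool")


def missing_ssl_options(help_text):
    """Return the required SSL options that the help text does not list."""
    missing = []
    for opt in REQUIRED:
        # Match the option as a whole token so "--ssl-key" is not satisfied
        # by a longer name such as "--ssl-keyfile".
        pattern = r"(?<![\w-])" + re.escape(opt) + r"(?![\w-])"
        if not re.search(pattern, help_text):
            missing.append(opt)
    return missing


def get_help(tool):
    """Run '<tool> --help' and return its output (stdout plus stderr)."""
    try:
        proc = subprocess.run([tool, "--help"], stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, universal_newlines=True)
    except OSError:
        return ""  # tool not installed: reported as listing neither option
    return proc.stdout


def audit(tools=TOOLS, fetch=get_help):
    """Map each tool to the SSL options missing from its help output."""
    return {tool: missing_ssl_options(fetch(tool)) for tool in tools}


# Constructed sample input, taken from the help text quoted in comment 4.
HELP_BEFORE = "Usage:  qpid-tool [[<username>/<password>@]<target-host>[:<tcp-port>]]\n"
HELP_EXPECTED = HELP_BEFORE + (
    "options:\n"
    "    --ssl-certificate=<cert>\n"
    "                        Client SSL certificate (PEM Format)\n"
    "    --ssl-key=<key>     Client SSL private key (PEM Format)\n"
)

if __name__ == "__main__":
    for name, text in (("before", HELP_BEFORE), ("expected", HELP_EXPECTED)):
        print(name, missing_ssl_options(text) or "ok")
```

Calling `audit()` with no arguments runs each installed tool with `--help`; an empty list for every tool matches the state recorded as verified in comment 17.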

Comment 20 errata-xmlrpc 2014-09-24 15:05:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-1296.html