Bug 588504 - [RFE] [MRG] Messaging broker to listen only on SSL port
Status: CLOSED ERRATA
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp
1.0
All Linux
medium Severity medium
: 3.0
: ---
Assigned To: Andrew Stitcher
Leonid Zhaldybin
: FutureFeature, Triaged
Depends On:
Blocks: 961010
Reported: 2010-05-03 16:15 EDT by Issue Tracker
Modified: 2018-10-27 09:43 EDT

See Also:
Fixed In Version: qpid-cpp-0.22-4.el6, qpid-cpp-0.22-4.el5
Doc Type: Enhancement
Doc Text:
The MRG Messaging Broker is now able to require SSL connections. This feature is required to allow customers to comply with some security policies. The MRG Messaging Broker can now be prohibited from listening for regular TCP connections by specifying `--listen-disable tcp` on the broker command line, or by using the equivalent configuration file option.
Clone Of:
: 961010
Last Closed: 2014-09-24 11:01:54 EDT

External Trackers
Tracker ID Priority Status Summary Last Updated
Apache JIRA QPID-3351 None None None Never
Apache JIRA QPID-4807 None None None Never
Red Hat Product Errata RHEA-2014:1296 normal SHIPPED_LIVE Red Hat Enterprise MRG Messaging 3.0 Release 2014-09-24 15:00:06 EDT

Description Issue Tracker 2010-05-03 16:15:11 EDT
Escalated to Bugzilla from IssueTracker
Comment 1 Issue Tracker 2010-05-03 16:15:12 EDT
Event posted on 04-16-2010 08:23am EDT by rrajaram

Customer #1105962 is a government customer and he requires this feature to comply with IA policies for accreditation of the server.

Needed to comply with IA policies for accreditation of the server.
This event sent from IssueTracker by cww  [SEG - Feature Request]
 issue 773053
Comment 2 Issue Tracker 2010-05-03 16:15:14 EDT
Event posted on 04-16-2010 08:32am EDT by RFE-tool

1) Customer Name:
Account #1105962 Stephen Duke

2) Nature Of Problem:
Customer is implementing MRG-M. He has enabled SSL for this broker. By
default the broker listens to both SSL and non ssl port. Customer would
prefer the broker to listen only on ssl port. Currently there are no
options available which will prevent the broker from listening on non ssl
port.

Customer needs to comply with IA policies for accreditation of the server

3) Business Requirements Satisfied By Request:
Customer can comply with IA policies for accreditation of the server

4) Functional Requirements That Are Not Presently Possible:
Broker listens to both ssl and non ssl ports. No options to prevent the
broker from listening on non ssl port

5) What Will Success Look Like:
Current netstat -anp | grep qpidd

tcp        0      0 0.0.0.0:5671                0.0.0.0:*                   LISTEN      7797/qpidd
tcp        0      0 0.0.0.0:5672                0.0.0.0:*                   LISTEN      7797/qpidd

5671 is the SSL port and 5672 is the non ssl port

Success would look like

tcp        0      0 0.0.0.0:5671                0.0.0.0:*                   LISTEN      7797/qpidd

6) Desired Release Vehicle:
MRG 1.3

7) Request Meets The Rhel Inclusion Criteria:
Yes

8) Affected Packages:
qpidc

9) Sales Sponsor:


10) Rh Business Opportunity With Customer:
Customer is a TAM customer and seems to be implementing MRG-M. Brad Maxwell
is the TAM

11) Status And Risk To Contract If Not Satisfied:


12) If this request is vendor specific, has the customer engaged the
partner as well?:
Not Applicable




RFE-tool assigned to issue for SEG - Feature Request.

This event sent from IssueTracker by cww  [SEG - Feature Request]
 issue 773053
Comment 4 Justin Ross 2013-02-26 10:43:00 EST
Andrew, any thoughts?
Comment 5 Andrew Stitcher 2013-02-26 12:28:09 EST
We still have no way to turn off the tcp connection; in theory the code would allow you to not listen using plain tcp.

There is some support for minimum allowable encryption strengths, but I don't think it applies to plain tcp with no sasl, so perhaps this would be the way to disallow unencrypted tcp (tcp sasl connections can be encrypted).
Comment 6 Andrew Stitcher 2013-05-02 15:22:23 EDT
This feature is now available on the trunk of the qpid release in r1478398.

You can turn tcp listening off with the option --listen-disable tcp

This will be available in the upstream 0.24 release (but could be backported if necessary)
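
A check for the success criterion given in the request (qpidd listening on 5671 and nothing else), as an added example that is not part of the bug report or of qpid. It parses `netstat -anp` output on stdin; the function names and the two sample listings are constructed here, and the port numbers are the ones stated in the request.

```sh
#!/bin/sh
# Added example: audit `netstat -anp` output for qpidd listeners.
# Port number from the bug report: 5671 = SSL (5672 is plain TCP).
SSL_PORT=5671

# Constructed sample listings, modelled on the ones in the request.
SAMPLE_BEFORE='tcp   0   0 0.0.0.0:5671   0.0.0.0:*   LISTEN   7797/qpidd
tcp   0   0 0.0.0.0:5672   0.0.0.0:*   LISTEN   7797/qpidd'
SAMPLE_AFTER='tcp   0   0 0.0.0.0:5671   0.0.0.0:*   LISTEN   7797/qpidd'

# Print each local port on which qpidd is in LISTEN state (stdin: netstat).
qpidd_listen_ports() {
    awk '$6 == "LISTEN" && $7 ~ /\/qpidd$/ {
             n = split($4, part, ":")   # last piece is the port, also for :::5671
             print part[n]
         }' | sort -un
}

# Exit 0 only if qpidd listens on the SSL port and on nothing else.
# Exit 1 if any other port is open, 2 if no qpidd listener was seen.
qpidd_ssl_only() {
    ports=$(qpidd_listen_ports)
    if [ -z "$ports" ]; then
        echo "no qpidd listener found"
        return 2
    fi
    extra=$(printf '%s\n' "$ports" | grep -vx "$SSL_PORT" || true)
    if [ -n "$extra" ]; then
        echo "non-SSL listener(s):" $extra
        return 1
    fi
    echo "ok: qpidd listens only on $SSL_PORT"
}

# Demo on the constructed samples; on a live host use:
#   netstat -anp | qpidd_ssl_only
printf '%s\n' "$SAMPLE_BEFORE" | qpidd_ssl_only || true
printf '%s\n' "$SAMPLE_AFTER"  | qpidd_ssl_only
```

On a live host, run netstat as root so that the PID/program column is populated; otherwise the check reports that no qpidd listener was found.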
Comment 7 Leonid Zhaldybin 2013-08-27 04:13:10 EDT
Tested on RHEL6 (both i386 and x86_64). This new feature is implemented and works as expected.

Packages used for testing:

python-qpid-0.22-4.el6
python-qpid-qmf-0.22-9.el6
qpid-cpp-client-0.22-11.el6
qpid-cpp-client-devel-0.22-11.el6
qpid-cpp-client-devel-docs-0.22-11.el6
qpid-cpp-client-ssl-0.22-11.el6
qpid-cpp-server-0.22-11.el6
qpid-cpp-server-devel-0.22-11.el6
qpid-cpp-server-ssl-0.22-11.el6
qpid-cpp-server-store-0.22-11.el6
qpid-cpp-server-xml-0.22-11.el6
qpid-java-client-0.22-5.el6
qpid-java-common-0.22-5.el6
qpid-java-example-0.22-5.el6
qpid-jca-0.22-1.el6
qpid-jca-xarecovery-0.22-1.el6
qpid-proton-c-0.4-2.2.el6
qpid-qmf-0.22-9.el6
qpid-tools-0.22-3.el6

-> VERIFIED
Comment 18 errata-xmlrpc 2014-09-24 11:01:54 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-1296.html
