Bug 588504 - [RFE] [MRG] Messaging broker to listen only on SSL port
Summary: [RFE] [MRG] Messaging broker to listen only on SSL port
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp
Version: 1.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: 3.0
Target Release: ---
Assignee: Andrew Stitcher
QA Contact: Leonid Zhaldybin
URL:
Whiteboard:
Depends On:
Blocks: 961010
 
Reported: 2010-05-03 20:15 UTC by Issue Tracker
Modified: 2018-11-26 19:33 UTC
CC List: 15 users

Fixed In Version: qpid-cpp-0.22-4.el6, qpid-cpp-0.22-4.el5
Doc Type: Enhancement
Doc Text:
The MRG Messaging Broker is now able to require SSL connections. This feature is required to allow customers to comply with some security policies. The MRG Messaging Broker can now be prohibited from listening for regular TCP connections by specifying `--listen-disable tcp` on the broker command line, or by using the equivalent configuration file option.
Clone Of:
Clones: 961010
Environment:
Last Closed: 2014-09-24 15:01:54 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Apache JIRA QPID-3351 0 None None None Never
Apache JIRA QPID-4807 0 None None None Never
Red Hat Product Errata RHEA-2014:1296 0 normal SHIPPED_LIVE Red Hat Enterprise MRG Messaging 3.0 Release 2014-09-24 19:00:06 UTC

Description Issue Tracker 2010-05-03 20:15:11 UTC
Escalated to Bugzilla from IssueTracker

Comment 1 Issue Tracker 2010-05-03 20:15:12 UTC
Event posted on 04-16-2010 08:23am EDT by rrajaram

Customer #1105962 is a government customer and he requires this feature to comply with IA policies for accreditation of the server.

Needed to comply with IA policies for accreditation of the server.
This event sent from IssueTracker by cww  [SEG - Feature Request]
 issue 773053

Comment 2 Issue Tracker 2010-05-03 20:15:14 UTC
Event posted on 04-16-2010 08:32am EDT by RFE-tool

1) Customer Name:
Account #1105962 Stephen Duke

2) Nature Of Problem:
Customer is implementing MRG-M. He has enabled SSL for this broker. By
default the broker listens on both SSL and non-SSL ports. Customer would
prefer the broker to listen only on the SSL port. Currently there are no
options available which will prevent the broker from listening on the non-SSL
port.

Customer needs to comply with IA policies for accreditation of the server

3) Business Requirements Satisfied By Request:
Customer can comply with IA policies for accreditation of the server

4) Functional Requirements That Are Not Presently Possible:
Broker listens to both ssl and non ssl ports. No options to prevent the
broker from listening on non ssl port

5) What Will Success Look Like:
Current netstat -anp | grep qpidd

tcp        0      0 0.0.0.0:5671                0.0.0.0:*                   LISTEN      7797/qpidd
tcp        0      0 0.0.0.0:5672                0.0.0.0:*                   LISTEN      7797/qpidd

5671 is the SSL port and 5672 is the non ssl port

Success would look like

tcp        0      0 0.0.0.0:5671                0.0.0.0:*                   LISTEN      7797/qpidd

6) Desired Release Vehicle:
MRG 1.3

7) Request Meets The Rhel Inclusion Criteria:
Yes

8) Affected Packages:
qpidc

9) Sales Sponsor:


10) Rh Business Opportunity With Customer:
Customer is a TAM customer and seems to be implementing MRG-M. Brad Maxwell
is the TAM

11) Status And Risk To Contract If Not Satisfied:


12) If this request is vendor specific, has the customer engaged the
partner as well?:
Not Applicable

RFE-tool assigned to issue for SEG - Feature Request.

This event sent from IssueTracker by cww  [SEG - Feature Request]
 issue 773053

Comment 4 Justin Ross 2013-02-26 15:43:00 UTC
Andrew, any thoughts?

Comment 5 Andrew Stitcher 2013-02-26 17:28:09 UTC
We still have no way to turn off the tcp connection; in theory the code would allow you to not listen using plain tcp.

There is some support for minimum allowable encryption strengths but I don't think it applies to plain tcp with no sasl so perhaps this would be the way to disallow unencrypted tcp (tcp sasl connections can be encrypted)

Comment 6 Andrew Stitcher 2013-05-02 19:22:23 UTC
This feature is now available on the trunk of the qpid release in r1478398.

You can turn tcp listening off with the option --listen-disable tcp

This will be available in the upstream 0.24 release (but could be backported if necessary)
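
The success criterion from comment 2 (only the SSL listener visible in netstat output) can be turned into a repeatable check that confirms `--listen-disable tcp` took effect on a host. The POSIX shell script below is an added example, not code from this bug report or from the qpid project: it reads `netstat -anp` style lines, counts qpidd sockets in LISTEN state on the default SSL port (5671) and the default plain TCP port (5672), and succeeds only when the SSL listener is present and the plain one is absent. The two sample netstat blocks are constructed for the demo; the port numbers are the defaults named in the report and would need adjusting for a broker configured with different ports.

```shell
#!/bin/sh
# Verify that qpidd exposes only its SSL listener (default 5671) and no plain
# TCP listener (default 5672), as expected after `--listen-disable tcp`.

# Constructed sample `netstat -anp` lines (not captured from a real host):
# one broker listening on both ports, one with the SSL listener only.
BOTH_PORTS='tcp        0      0 0.0.0.0:5671                0.0.0.0:*                   LISTEN      7797/qpidd
tcp        0      0 0.0.0.0:5672                0.0.0.0:*                   LISTEN      7797/qpidd'
SSL_ONLY='tcp        0      0 0.0.0.0:5671                0.0.0.0:*                   LISTEN      7797/qpidd'

# count_qpidd_listeners PORT: read netstat -anp lines on stdin and print how
# many of them are qpidd sockets in LISTEN state bound to PORT (any address,
# IPv4 or IPv6; the port is whatever follows the last colon of the local
# address column).
count_qpidd_listeners() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $NF ~ /\/qpidd$/ {
            addr = $4
            sub(/.*:/, "", addr)        # keep only the port after the last colon
            if (addr == port) n++
        }
        END { print n + 0 }'
}

# check_ssl_only NETSTAT_OUTPUT: succeed (exit 0) when at least one qpidd SSL
# listener is present and no plain TCP listener is; fail (exit 1) otherwise,
# reporting the counts on stderr.
check_ssl_only() {
    ssl=$(printf '%s\n' "$1" | count_qpidd_listeners 5671)
    plain=$(printf '%s\n' "$1" | count_qpidd_listeners 5672)
    if [ "$ssl" -ge 1 ] && [ "$plain" -eq 0 ]; then
        return 0
    fi
    echo "qpidd listeners: ssl=$ssl plain_tcp=$plain" >&2
    return 1
}

# Demo on the constructed samples; pass --live to inspect the current host.
if [ "${1:-}" = "--live" ]; then
    check_ssl_only "$(netstat -anp 2>/dev/null)" && echo "broker is SSL-only"
else
    check_ssl_only "$SSL_ONLY" && echo "sample 1 (5671 only): SSL-only"
    check_ssl_only "$BOTH_PORTS" || echo "sample 2 (5671+5672): plain TCP still listening"
fi
```

Run with `--live` on the broker host (as a user permitted to see process names in `netstat -anp`) to check the real listener set; without arguments it exercises the two constructed samples. The equivalent configuration file option mentioned in the doc text is not spelled out on this page; qpidd reads `option=value` lines from its config file, so the assumption would be a `listen-disable=tcp` line there.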

Comment 7 Leonid Zhaldybin 2013-08-27 08:13:10 UTC
Tested on RHEL6 (both i386 and x86_64). This new feature is implemented and works as expected.

Packages used for testing:

python-qpid-0.22-4.el6
python-qpid-qmf-0.22-9.el6
qpid-cpp-client-0.22-11.el6
qpid-cpp-client-devel-0.22-11.el6
qpid-cpp-client-devel-docs-0.22-11.el6
qpid-cpp-client-ssl-0.22-11.el6
qpid-cpp-server-0.22-11.el6
qpid-cpp-server-devel-0.22-11.el6
qpid-cpp-server-ssl-0.22-11.el6
qpid-cpp-server-store-0.22-11.el6
qpid-cpp-server-xml-0.22-11.el6
qpid-java-client-0.22-5.el6
qpid-java-common-0.22-5.el6
qpid-java-example-0.22-5.el6
qpid-jca-0.22-1.el6
qpid-jca-xarecovery-0.22-1.el6
qpid-proton-c-0.4-2.2.el6
qpid-qmf-0.22-9.el6
qpid-tools-0.22-3.el6

-> VERIFIED

Comment 18 errata-xmlrpc 2014-09-24 15:01:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-1296.html

