Custom X509TrustManager pluggability

Custom X509TrustManager pluggability

Modanese, Riccardo
Hello,

I have some security (SSL stack and ACLs) related use cases that do not seem to be implemented in the Artemis code.

For example I need to plug a custom X509TrustManager on Artemis broker acceptors. After looking at the source code I think I found a way:

https://github.com/riccardomodanese/activemq-artemis/tree/sslConfigurableTrustManager

What do you think? I would like to contribute to the project, if the community sees value in it.

Regards

Riccardo

Re: Custom X509TrustManager pluggability

jbertram
I think this idea has merit, especially considering it's something that the
5.x code-base supports. There are lots of bits of pluggable functionality
in Artemis (e.g. metrics [1], security settings [2], etc.). This could
follow the same pattern where the plugin could be defined in broker.xml
with a list of key/value pairs (so the plugin could be configured easily).
Take a look at these [1] [2] for guidance. The related commits have all the
configuration changes, schema updates, tests, etc.


Justin

[1] org.apache.activemq.artemis.core.server.metrics.ActiveMQMetricsPlugin
[2] org.apache.activemq.artemis.core.server.SecuritySettingPlugin


On Mon, Oct 14, 2019 at 4:35 AM Modanese, Riccardo
<[hidden email]> wrote:

> Hello,
>
>          I have some security (SSL stack and ACLs) related use cases that
> seem to be not implemented in Artemis code.
>
> For example I need to plug a custom X509TrustManager on Artemis broker
> acceptors. After looking at the source code I think I found a way:
>
>
> https://github.com/riccardomodanese/activemq-artemis/tree/sslConfigurableTrustManager
>
> What do you think? I would like to contribute to the project, if the
> community sees a value on it.
>
> Regards
>
> Riccardo
>

Re: Custom X509TrustManager pluggability

jbertram
In reply to this post by Modanese, Riccardo
After thinking about this a bit more it made more sense to me for the
plugin to be defined on a per-acceptor and per-connector basis. Therefore I
made the configuration part of the broker & client URLs via the new
"trustManagerFactoryPlugin" parameter. I opened a JIRA [1] and sent a PR
[2].


Justin

[1] https://issues.apache.org/jira/browse/ARTEMIS-2580
[2] https://github.com/apache/activemq-artemis/pull/2923

On Mon, Oct 14, 2019 at 4:35 AM Modanese, Riccardo
<[hidden email]> wrote:

> Hello,
>
>          I have some security (SSL stack and ACLs) related use cases that
> seem to be not implemented in Artemis code.
>
> For example I need to plug a custom X509TrustManager on Artemis broker
> acceptors. After looking at the source code I think I found a way:
>
>
> https://github.com/riccardomodanese/activemq-artemis/tree/sslConfigurableTrustManager
>
> What do you think? I would like to contribute to the project, if the
> community sees a value on it.
>
> Regards
>
> Riccardo
>
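
A custom X509TrustManager of the kind this thread is about, as an added example that is not code from the linked branch or from the PR: it keeps the JDK's standard PKIX validation and adds one extra check on top. The class name and the SHA-256 allow-list policy are assumptions for illustration; how Artemis loads such a class through "trustManagerFactoryPlugin" is defined in the PR and is not shown here.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical class: standard PKIX validation plus a leaf-certificate allow-list.
public final class AllowListTrustManager implements X509TrustManager {
    private final X509TrustManager pkix;      // JDK trust manager doing the real path validation
    private final Set<String> allowedSha256;  // lower-case hex SHA-256 of DER-encoded leaf certs

    public AllowListTrustManager(KeyStore trustStore, Set<String> allowedSha256) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                 // a null KeyStore selects the JDK default trust store
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager from " + tmf.getAlgorithm());
        this.pkix = found;
        this.allowedSha256 = new HashSet<>(allowedSha256);
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        pkix.checkClientTrusted(chain, authType); // delegate first: rejects null/empty or untrusted chains
        requireAllowed(chain[0]);
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        pkix.checkServerTrusted(chain, authType);
        requireAllowed(chain[0]);
    }

    @Override public X509Certificate[] getAcceptedIssuers() { return pkix.getAcceptedIssuers(); }

    private void requireAllowed(X509Certificate leaf) throws CertificateException {
        StringBuilder hex = new StringBuilder();
        try {
            for (byte b : MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded())) hex.append(String.format("%02x", b));
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
        if (!allowedSha256.contains(hex.toString())) throw new CertificateException("certificate not in allow-list");
    }
}
```

The extra check only ever narrows what the delegate already accepted; a custom trust manager that returns without calling the delegate accepts any certificate.
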

Re: Custom X509TrustManager pluggability

Modanese, Riccardo
I agree, it’s the best choice to make it configurable on a per-acceptor basis.

I’ll take a look at your PR.

Thanks a lot!

> On 19 Dec 2019, at 17:28, Justin Bertram <[hidden email]> wrote:
>
> After thinking about this a bit more it made more sense to me for the
> plugin to be defined on a per-acceptor and per-connector basis. Therefore I
> made the configuration part of the broker & client URLs via the new
> "trustManagerFactoryPlugin" parameter. I opened a JIRA [1] and sent a PR
> [2].
>
>
> Justin
>
> [1] https://issues.apache.org/jira/browse/ARTEMIS-2580
> [2] https://github.com/apache/activemq-artemis/pull/2923
>
> On Mon, Oct 14, 2019 at 4:35 AM Modanese, Riccardo
> <[hidden email]> wrote:
>
>> Hello,
>>
>>         I have some security (SSL stack and ACLs) related use cases that
>> seem to be not implemented in Artemis code.
>>
>> For example I need to plug a custom X509TrustManager on Artemis broker
>> acceptors. After looking at the source code I think I found a way:
>>
>>
>> https://github.com/riccardomodanese/activemq-artemis/tree/sslConfigurableTrustManager
>>
>> What do you think? I would like to contribute to the project, if the
>> community sees a value on it.
>>
>> Regards
>>
>> Riccardo
>>