6.4 Certificate-based security
Earlier in this chapter we discussed securing the broker with ActiveMQ plugins that authenticate clients and authorize their access to message destinations. Those plugins work well, but they store client identity information such as usernames and passwords in plain text. For most users and most scenarios this is sufficient, but some organizations prefer to secure access with SSL certificates. In chapter 4 we covered the SSL transport connector and how to use certificates. In this section we expand that discussion and show how to secure the broker using the SSL transport connector together with the plugins. We will see how to authenticate clients with certificates, and how to assign different access permissions depending on the certificate a client uses to connect to the broker.
In this section we continue with the publisher and consumer from the stock portfolio example, but this time each uses a different certificate to identify itself and to obtain permission to publish or consume messages on the broker's destinations.
6.4.1 Preparing the certificates
Let's start by creating the certificates. The process is similar to configuring a basic SSL transport connector in chapter 4. The sample code accompanying this book includes all the certificates, so you can use them for this example.
We will create two certificates. The first, with alias producer, is stored in a keystore file named myproducer.ks and is created with the following command:
C:\Users\goudcheng\tt>keytool -genkey -alias producer -keyalg RSA -keystore myproducer.ks
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: producer
What is the name of your organizational unit?
[Unknown]: Chapter 6
What is the name of your organization?
[Unknown]: ActiveMQ in Action
What is the name of your City or Locality?
[Unknown]: Belgrade
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]: RS
Is CN=producer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS correct?
[no]: yes
Enter key password for <producer>
(RETURN if same as keystore password):
Re-enter new password:
We also need a certificate with alias consumer, stored in a keystore file named myconsumer.ks and created with the following command:
C:\Users\goudcheng\tt>keytool -genkey -alias consumer -keyalg RSA -keystore myconsumer.ks
Enter keystore password:test123
Re-enter new password:
What is your first and last name?
[Unknown]: consumer
What is the name of your organizational unit?
[Unknown]: Chapter 6
What is the name of your organization?
[Unknown]: ActiveMQ in Action
What is the name of your City or Locality?
[Unknown]: Belgrade
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]: RS
Is CN=consumer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS correct?
[no]: yes
Enter key password for <consumer>
(RETURN if same as keystore password):
6.4.2 Creating a truststore
The next step is to import the certificates created above into the broker's truststore. First, the certificates must be exported from their keystores. The following command exports the certificate from the producer keystore:
C:\Users\goudcheng\tt>keytool -export -alias producer -keystore myproducer.ks -file producer_cert
Enter keystore password:
Certificate stored in file <producer_cert>
The following command exports the certificate from the consumer keystore:
C:\Users\goudcheng\tt>keytool -export -alias consumer -keystore myconsumer.ks -file consumer_cert
Enter keystore password:
Certificate stored in file <consumer_cert>
With the JMS client certificates exported, we can create the broker's truststore. Creating the truststore and importing the producer and consumer certificates is straightforward. First, import the producer certificate into the broker's truststore with the following command:
C:\Users\goudcheng\tt>keytool -import -alias producer -keystore mybroker.ts -file producer_cert
Enter keystore password:
Re-enter new password:
Owner: CN=producer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
Issuer: CN=producer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
Serial number: 56da57a9
Valid from: Sat Mar 05 11:51:05 CST 2016 until: Fri Jun 03 11:51:05 CST 2016
Certificate fingerprints:
MD5: 05:54:CC:3B:0E:EC:DC:6B:C3:19:25:48:0C:EF:15:AC
SHA1: 4F:84:70:2E:EB:A4:E9:E7:54:15:57:AE:FF:94:53:29:E2:11:FF:4D
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
Next, import the consumer certificate into the broker's truststore with the following command:
C:\Users\goudcheng\tt>keytool -import -alias consumer -keystore mybroker.ts -file consumer_cert
Enter keystore password:
Owner: CN=consumer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
Issuer: CN=consumer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
Serial number: 56da55da
Valid from: Sat Mar 05 11:43:22 CST 2016 until: Fri Jun 03 11:43:22 CST 2016
Certificate fingerprints:
MD5: 54:36:3E:BE:47:8E:27:41:9C:98:6C:01:5E:BA:6B:09
SHA1: DF:CF:62:15:0C:7C:9E:A8:9A:01:B5:74:6E:FB:31:EE:45:61:4C:D9
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
With the broker's truststore ready, we need to place it where the configuration file can reach it. Certificates are usually kept in the ${ACTIVEMQ_HOME}/conf/ directory, where all configuration-related files live. This section's example uses the truststore prepared above, so all you need to do is copy it into the directory that holds the configuration file, using the following command:
6.4.3 Configuring the broker
The configuration below uses the truststore prepared above to configure the SSL transport connector, which determines which clients may connect to the broker, and uses the jaasCertificateAuthenticationPlugin to control which resources on the broker a client may access.
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost" dataDirectory="${activemq.base}/data">
  <plugins>
    <jaasCertificateAuthenticationPlugin configuration="activemq-certificate" />
    <authorizationPlugin>
      <map>
        <authorizationMap>
          <authorizationEntries>
            <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
            <authorizationEntry topic="STOCKS.>" read="consumers" write="publishers" admin="publishers" />
            <authorizationEntry topic="STOCKS.ORCL" read="guests" />
            <authorizationEntry topic="ActiveMQ.Advisory.>" read="admins,publishers,consumers,guests"
                                write="admins,publishers,consumers,guests" admin="admins,publishers,consumers,guests" />
          </authorizationEntries>
        </authorizationMap>
      </map>
    </authorizationPlugin>
  </plugins>
  <sslContext>
    <sslContext keyStore="file:${activemq.base}/conf/mybroker.ks"
                keyStorePassword="test123"
                trustStore="file:${activemq.base}/conf/mybroker.ts"
                trustStorePassword="test123"/>
  </sslContext>
  <transportConnectors>
    <transportConnector name="openwire" uri="tcp://localhost:61616"/>
    <transportConnector name="ssl" uri="ssl://localhost:61617?needClientAuth=true" />
  </transportConnectors>
</broker>
Two settings in this configuration deserve attention. First, the <sslContext> element sets the trustStore and trustStorePassword attributes, which point at the broker truststore we defined earlier.
Second, the SSL transport connector's URI sets needClientAuth to true, so the broker requires every connecting client to present a certificate; only a client whose certificate is present in the broker's truststore is allowed to connect.
6.4.4 Explaining the authorization process
So far we have configured authentication with certificates. Next we need to take care of authorization, which is why we used the jaasCertificateAuthenticationPlugin. This plugin is similar to the JAAS plugin used earlier in this chapter. The jaasCertificateAuthenticationPlugin is configured to use the activemq-certificate entry of the login.config file, which looks like this:
activemq-certificate
{
    org.apache.activemq.jaas.TextFileCertificateLoginModule required debug=true
        org.apache.activemq.jaas.textfiledn.user="users.properties"
        org.apache.activemq.jaas.textfiledn.group="groups.properties";
};
With TextFileCertificateLoginModule in use, login.config differs from the earlier configuration that used PropertiesLoginModule, but it still points to the appropriate properties files.
Let's look at the users.properties file:
admin=password
publisher=password
consumer=password
guest=password
sslconsumer=CN=consumer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
sslpublisher=CN=producer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
As you can see, we added two certificate users, sslconsumer and sslpublisher. Notice that in users.properties a certificate is mapped to a specific username: the identifying information from the certificate (its distinguished name) is mapped to that username.
Once mapped to a username, that username can be placed in groups in the groups.properties file, as shown below:
admins=admin
publishers=admin,publisher,sslpublisher
consumers=admin,publisher,consumer,sslconsumer
guests=guest
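To make the chain described in 6.4.3 and 6.4.4 concrete, here is an added example (not code from the book or from ActiveMQ) that resolves a client certificate's subject DN through users.properties and groups.properties and then checks it against the authorizationEntries from the broker configuration above. It embeds the page's three files as constructed strings and assumes a simplified model: RDNs compared in order, only the `>` wildcard, and the union of every matching entry's groups.

```python
# Added example (not from the page or ActiveMQ): certificate -> user -> group -> permission chain.
USERS_PROPERTIES = """\
admin=password
publisher=password
consumer=password
guest=password
sslconsumer=CN=consumer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
sslpublisher=CN=producer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
"""
GROUPS_PROPERTIES = """\
admins=admin
publishers=admin,publisher,sslpublisher
consumers=admin,publisher,consumer,sslconsumer
guests=guest
"""
# (topic pattern, {operation: groups}) copied from the broker's authorizationEntries
AUTH_ENTRIES = [
    (">",           {"read": {"admins"}, "write": {"admins"}, "admin": {"admins"}}),
    ("STOCKS.>",    {"read": {"consumers"}, "write": {"publishers"}, "admin": {"publishers"}}),
    ("STOCKS.ORCL", {"read": {"guests"}}),
]
def parse_properties(text):
    # key=value per line; the value may itself contain '=' (a DN does)
    pairs = (ln.partition("=") for ln in text.splitlines() if ln.strip())
    return {k.strip(): v.strip() for k, _, v in pairs}
def normalize_dn(dn):
    # Example assumption: RDNs compared in order, whitespace around commas ignored
    return tuple(rdn.strip() for rdn in dn.split(","))
def user_for_certificate(subject_dn):
    # The login module's lookup: subject DN -> username, None when unmapped
    for user, value in parse_properties(USERS_PROPERTIES).items():
        if value.startswith("CN=") and normalize_dn(value) == normalize_dn(subject_dn):
            return user
    return None  # unmapped certificate: login fails and the connection is refused
def groups_for_user(user):
    return {g for g, members in parse_properties(GROUPS_PROPERTIES).items()
            if user in [m.strip() for m in members.split(",")]}
def topic_matches(pattern, topic):
    # Only '>' is modelled ('*' is not): '>' alone matches all, 'A.>' matches below A
    return pattern == ">" or pattern == topic or (
        pattern.endswith(".>") and topic.startswith(pattern[:-1]))
def allowed(subject_dn, operation, topic):
    # Union the groups of every matching entry, then check the user's membership
    user = user_for_certificate(subject_dn)
    if user is None:
        return False
    granted = set().union(*(perms.get(operation, set())
                            for pat, perms in AUTH_ENTRIES if topic_matches(pat, topic)))
    return bool(groups_for_user(user) & granted)
```

Running `allowed(...)` with the producer DN shows it may write to STOCKS.ORCL but not read it, while a DN absent from users.properties is refused before any authorization entry is consulted.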
6.4.5 Testing
Now, using the configuration above and the login.config file, start the broker with the following command:
activemq -Djava.security.auth.login.config=ch6/activemq_ssl
Once the broker is running, let's see what happens when clients with different certificates try to access it. For example, if we connect using the certificate from chapter 4, access is refused because that certificate is not in the broker's truststore.
java -Djavax.net.ssl.keyStore=${ACTIVEMQ_HOME}/conf/client.ks \
-Djavax.net.ssl.keyStorePassword=password \
-Djavax.net.ssl.trustStore=${ACTIVEMQ_HOME}/conf/client.ts \