6.4 Certificate-based security
Earlier in this chapter we discussed securing the broker with ActiveMQ plugins that authenticate clients and authorize their access to message destinations. Those plugins work fine, but they store client identities (user names and passwords) in plain text. For most users and most scenarios this is adequate, but some organizations prefer to rely on SSL certificates. In chapter 4 we covered the SSL transport connector and how to use certificates with it. In this section we expand that discussion and show how to secure the broker with the SSL transport connector combined with the plugins. We'll see how to authenticate clients with certificates, and how to assign them different access rights based on the certificate they used to connect to the broker.
In this section we continue with the publisher and consumer from the stock portfolio example, but this time each of them uses a different certificate to identify itself and to obtain the rights to publish to, and consume from, destinations on the broker.
6.4.1 Preparing the certificates
Let's start by creating the certificates. The procedure is similar to configuring the basic SSL transport connector in chapter 4. The example code accompanying this book includes all of the certificates, so you can use them in this example.
We'll create two certificates. The first, with the alias producer, is stored in a keystore named myproducer.ks and is created with the following command:
C:\Users\goudcheng\tt>keytool -genkey -alias producer -keyalg RSA -keystore myproducer.ks
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: producer
What is the name of your organizational unit?
[Unknown]: Chapter 6
What is the name of your organization?
[Unknown]: ActiveMQ in Action
What is the name of your City or Locality?
[Unknown]: Belgrade
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]: RS
Is CN=producer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
correct?
[no]: yes
Enter key password for <producer>
(RETURN if same as keystore password):
Re-enter new password:
We also need a certificate with the alias consumer, stored in a keystore named myconsumer.ks. It is created with the following command:
C:\Users\goudcheng\tt>keytool -genkey -alias consumer -keyalg RSA -keystore myconsumer.ks
Enter keystore password:test123
Re-enter new password:
What is your first and last name?
[Unknown]: consumer
What is the name of your organizational unit?
[Unknown]: Chapter 6
What is the name of your organization?
[Unknown]: ActiveMQ in Action
What is the name of your City or Locality?
[Unknown]: Belgrade
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]: RS
Is CN=consumer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
correct?
[no]: yes
Enter key password for <consumer>
(RETURN if same as keystore password):
6.4.2 Creating a truststore
The next step is to import the certificates created above into the broker's truststore. First the certificates have to be exported from their keystores. The following command exports the certificate from the producer keystore:
C:\Users\goudcheng\tt>keytool -export -alias producer -keystore myproducer.ks -file producer_cert
Enter keystore password:
Certificate stored in file <producer_cert>
The following command exports the certificate from the consumer keystore:
C:\Users\goudcheng\tt>keytool -export -alias consumer -keystore myconsumer.ks -file consumer_cert
Enter keystore password:
Certificate stored in file <consumer_cert>
With the JMS clients' certificates exported, the broker's truststore has to be created. Creating the truststore and importing the producer and consumer certificates into it is quite simple. First, import the producer certificate into the broker's truststore with the following command:
C:\Users\goudcheng\tt>keytool -import -alias producer -keystore mybroker.ts -file producer_cert
Enter keystore password:
Re-enter new password:
Owner: CN=producer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
Issuer: CN=producer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
Serial number: 56da57a9
Valid from: Sat Mar 05 11:51:05 CST 2016 until: Fri Jun 03 11:51:05 CST 2016
Certificate fingerprints:
MD5: 05:54:CC:3B:0E:EC:DC:6B:C3:19:25:48:0C:EF:15:AC
SHA1: 4F:84:70:2E:EB:A4:E9:E7:54:15:57:AE:FF:94:53:29:E2:11:FF:4D
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
Next, import the consumer certificate into the broker's truststore with the following command:
C:\Users\goudcheng\tt>keytool -import -alias consumer -keystore mybroker.ts -file consumer_cert
Enter keystore password:
Owner: CN=consumer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
Issuer: CN=consumer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
Serial number: 56da55da
Valid from: Sat Mar 05 11:43:22 CST 2016 until: Fri Jun 03 11:43:22 CST 2016
Certificate fingerprints:
MD5: 54:36:3E:BE:47:8E:27:41:9C:98:6C:01:5E:BA:6B:09
SHA1: DF:CF:62:15:0C:7C:9E:A8:9A:01:B5:74:6E:FB:31:EE:45:61:4C:D9
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: yes
Certificate was added to keystore
With the broker's truststore prepared, we need to put it somewhere the configuration file can reach it. Certificates are usually kept in the ${ACTIVEMQ_HOME}/conf/ directory, where all configuration-related files live. The examples in this section use the truststore we just built, so all you need to do is copy it into the directory that holds the configuration file, using the following command:
6.4.3 Configuring the broker
The following configuration uses the truststore prepared above to set up the SSL transport connector, which controls which clients may connect to the broker, and uses jaasCertificateAuthenticationPlugin to control which resources on the broker a client may access.
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost" dataDirectory="${activemq.base}/data">
  <plugins>
    <jaasCertificateAuthenticationPlugin configuration="activemq-certificate" />
    <authorizationPlugin>
      <map>
        <authorizationMap>
          <authorizationEntries>
            <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
            <authorizationEntry topic="STOCKS.>" read="consumers" write="publishers" admin="publishers" />
            <authorizationEntry topic="STOCKS.ORCL" read="guests" />
            <authorizationEntry topic="ActiveMQ.Advisory.>" read="admins,publishers,consumers,guests"
                                write="admins,publishers,consumers,guests" admin="admins,publishers,consumers,guests" />
          </authorizationEntries>
        </authorizationMap>
      </map>
    </authorizationPlugin>
  </plugins>
  <sslContext>
    <sslContext keyStore="file:${activemq.base}/conf/mybroker.ks"
                keyStorePassword="test123"
                trustStore="file:${activemq.base}/conf/mybroker.ts"
                trustStorePassword="test123"/>
  </sslContext>
  <transportConnectors>
    <transportConnector name="openwire" uri="tcp://localhost:61616"/>
    <transportConnector name="ssl" uri="ssl://localhost:61617?needClientAuth=true" />
  </transportConnectors>
</broker>
Two parts of the configuration above deserve attention. First, the <sslContext> element sets the trustStore and trustStorePassword attributes, which point the broker at the truststore we defined earlier.
Second, the URI of the SSL transport connector sets needClientAuth to true. This makes the broker require every connecting client to present a certificate, and a client is only allowed to connect when the certificate it presents is in the broker's truststore.
6.4.4 The authorization process explained
So far we've used certificates to configure authentication. Next we need to look at authorization, which is why the jaasCertificateAuthenticationPlugin is used. This plugin is similar to the JAAS plugin used earlier in the chapter. Here the jaasCertificateAuthenticationPlugin is configured to use the activemq-certificate entry of the login.config file, which looks like this:
activemq-certificate
{
    org.apache.activemq.jaas.TextFileCertificateLoginModule required debug=true
        org.apache.activemq.jaas.textfiledn.user="users.properties"
        org.apache.activemq.jaas.textfiledn.group="groups.properties";
};
Because it uses TextFileCertificateLoginModule, this login.config differs from the one used earlier with PropertiesLoginModule, but it still points at the appropriate properties files.
Here is the content of users.properties:
admin=password
publisher=password
consumer=password
guest=password
sslconsumer=CN=consumer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
sslpublisher=CN=producer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
As you can see, we've added two certificate users, sslconsumer and sslpublisher. Notice that users.properties lets you map a certificate to a given user name: the distinguished name (DN) taken from the certificate is mapped to that user name.
Once a certificate is mapped to a user name, that user name can be placed into groups in groups.properties, as shown here:
admins=admin
publishers=admin,publisher,sslpublisher
consumers=admin,publisher,consumer,sslconsumer
guests=guest
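As an added example (not code from the book or from ActiveMQ itself), the following Python simulates the path the broker takes for a certificate-authenticated client: the certificate's subject DN is looked up in users.properties, the resulting user is looked up in groups.properties, and the groups are checked against the <authorizationEntry> elements from the broker configuration above. It assumes the DN lookup is an exact string comparison and that destination patterns follow ActiveMQ's '*' (one segment) and '>' (everything after) wildcard rules.

```python
# Added example (not from the book or from ActiveMQ): simulates the broker's
# certificate -> user -> group -> authorizationEntry path for this section.
# Assumed: DN lookup in users.properties is an exact string match, and
# destinations use ActiveMQ wildcards ('*' = one segment, '>' = the rest).
USERS_PROPERTIES = """
sslconsumer=CN=consumer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
sslpublisher=CN=producer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS
"""
GROUPS_PROPERTIES = """
admins=admin
publishers=admin,publisher,sslpublisher
consumers=admin,publisher,consumer,sslconsumer
guests=guest
"""
# (topic pattern, operation, groups), copied from the authorizationEntries above
ENTRIES = [
    (">", "read", {"admins"}), (">", "write", {"admins"}),
    ("STOCKS.>", "read", {"consumers"}), ("STOCKS.>", "write", {"publishers"}),
    ("STOCKS.ORCL", "read", {"guests"}),
]
CONSUMER_DN = "CN=consumer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS"
PRODUCER_DN = "CN=producer, OU=Chapter 6, O=ActiveMQ in Action, L=Belgrade, ST=Unknown, C=RS"
def parse_properties(text):
    # split on the first '=' only: the DN values themselves contain '='
    return dict(line.split("=", 1) for line in text.strip().splitlines())

def dn_to_user(dn):
    # exact match: different spacing or attribute order yields no user at all
    return {v: k for k, v in parse_properties(USERS_PROPERTIES).items()}.get(dn)

def groups_of(user):
    return {g for g, members in parse_properties(GROUPS_PROPERTIES).items()
            if user in members.split(",")}

def pattern_matches(pattern, topic):
    p, t = pattern.split("."), topic.split(".")
    for i, seg in enumerate(p):
        if seg == ">":
            return True
        if i >= len(t) or (seg != "*" and seg != t[i]):
            return False
    return len(p) == len(t)

def allowed(dn, topic, op):
    # union of all matching entries, as the broker's map does; unmapped cert -> nothing
    user = dn_to_user(dn)
    if user is None:
        return False
    groups = groups_of(user)
    return any(op == eop and pattern_matches(pat, topic) and bool(groups & egroups)
               for pat, eop, egroups in ENTRIES)
```

Note that sslpublisher can write to STOCKS.ORCL but cannot read it, because only the plain publisher user is also listed in the consumers group. A DN that differs from the users.properties value only in spacing maps to no user at all, which is the usual cause of a rejected certificate client.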
6.4.5 Testing
Now, with the configuration above and the login.config file in place, start the broker with the following command:
activemq -Djava.security.auth.login.config=ch6/activemq_ssl
With the broker running, let's see what happens when clients with different certificates try to access it. For example, if we connect using the certificate from chapter 4, access is refused, because that certificate is not in the broker's truststore:
java \
  -Djavax.net.ssl.keyStore=${ACTIVEMQ_HOME}/conf/client.ks \
  -Djavax.net.ssl.keyStorePassword=password \
  -Djavax.net.ssl.trustStore=${ACTIVEMQ_HOME}/conf/client.ts \