Rajith’s Column

The Apache Qpid community is happy to announce the release of Apache
Qpid 0.6.

Apache Qpid (http://qpid.apache.org) is a cross platform enterprise
messaging solution which implements the Advanced Message Queueing
Protocol (http://www.amqp.org). It provides brokers written in C++ and
Java and clients for C++, Java (including a JMS implementation), .Net,
Python, and Ruby.

This release contains many bug fixes and stability improvements over
previous release and we recommend that all users upgrade.

New in this release is another .Net WCF implementation which uses the
C++ client library as its transport rather than the native C# client.
This version has improved protocol version interoperability with Java
broker support for the 0-10 and 0-9-1 AMQP protocol versions.

Apache Qpid 0.6 can be downloaded from here:

http://www.apache.org/dist/qpid/0.6

A complete list of the reported features/bugs addressed in this release
can be found here:

https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310520&styleName=Html&version=12313728

In some cases you may want to allow connections to your brokers from outside the firewall. For obvious security reasons it’s recommended to use some form of encryption for such connections. Apache Qpid provides two options for securing connections.

• SSL
• SASL security layer

This articles focuses on how to secure your connections between the C++ broker (on Linux) and the JMS and C++ clients with SSL.
I plan to write an entry explaining how to use the SASL security layer in the future.

Disclaimer : The SSL tools/techniques used below for creating certificates are for illustration/testing purposes only. For production you need to use certificates from a competent third-party CA or use Professional grade CA software.

1.0 Installing SSL Support

1.1 Installing SSL Support For C++ Broker & Client
The C++ Broker/Client uses Mozilla’s Network Security Services Library (SSL) for SSL support.

1.1.1 Installing From RPMs
For Broker support

yum install qpidd-ssl

For Client

yum install qpidc

1.1.2 Building From Source

• Download a released source tarball from here
• Make sure you have the following dependencies installed
  • nss
  • nspr
• Follow the build instructions given in the INSTALL file located in the source directory

1.2 Installing Java Client
Download the Java client from here.

2.0 Creating the SSL Certificates For Testing
Lets create the required certificates for testing our SSL setup. For this purpose we are using the Mozilla certutil tool.
For more details please read [1].

2.1 Setting Up The CA
We need to setup the CA and the self signed root CA certificate.

• Create a new certificate database in the CA_db directory.

               >mkdir CA_db
               >certutil -N -d CA_db
               

• Create the self-signed Root CA certificate, specifying the subject name for the certificate.

               >certutil -S -d CA_db -n "MyRootCA" -s "CN=MyRootCA,O=ACME,ST=Ontario,C=CA" -t "CT,," -x -2
              

  • It will prompt you for a password. Enter the password you specified when creating the root CA database.
  • Type “y” for “Is this a CA certificate [y/N]?”
  • Press enter for “Enter the path length constraint, enter to skip [<0 for unlimited path]: >”
  • Type “n” for “Is this a critical extension [y/N]?”
• Extract the CA certificate from the CA’s certificate database to a file.

             >certutil -L -d CA_db -n "MyRootCA" -a -o CA_db/rootca.crt
            

2.2 Creating The Certificates For The Server (Qpid Broker)

• Create a certificate database for the Qpid Broker.

                >mkdir server_db
                >certutil -N -d server_db
               

• Import the CA certificate into the broker’s certificate database, and mark it trusted for issuing certificates for SSL client and server authentication.

              >certutil -A -d server_db -n "MyRootCA" -t "TC,," -a -i CA_db/rootca.crt
              

• Create the server certificate request, specifying the subject name for the server certificate. We make the common name (CN) be identical to the hostname of the server. Note that this step generates the server’s private key, so it must be done in the server’s database directory.

               >certutil -R -d server_db -s "CN=localhost.localdomain,O=ACME,ST=Ontario,C=CA" -a -o server_db/server.req
               

• This step simulates the CA signing and issuing a new server certificate based on the server’s certificate request. The new cert is signed with the CA’s private key, so this operation uses the CA’s databases. This step leaves the server’s new certificate in a file.

              >certutil -C -d CA_db -c "MyRootCA" -a -i server_db/server.req -o server_db/server.crt -2 -6
              

  • Select “0 - Server Auth” at the prompt
  • Press 9 at the prompt
  • Type “n” for “Is this a critical extension [y/N]?”
  • Type “n” for “Is this a CA certificate [y/N]?”
  • Enter “-1″ for “Enter the path length constraint, enter to skip [<0 for unlimited path]: >”
  • Type “n” for “Is this a critical extension [y/N]?”
  • When prompted password, enter the password you specified when creating the root CA database.
• Import (Add) the new server certificate to the broker’s certificate database in the server_db directory with the appropriate nickname. Notice that no trust is explicitly needed for this certificate.

             >certutil -A -d server_db -n localhost.localdomain -a -i server_db/server.crt -t ",,"
             

2.3 Creating The Certificates For The C++ Client

• Create a new certificate database in the client_db directory.

                >mkdir client_db
                >certutil -N -d client_db
          

• Import the CA certificate into the client’s certificate database, and mark it trusted for issuing certificates for SSL client and server authentication.

                >certutil -A -d client_db -n "MyRootCA" -t "TC,," -a -i CA_db/rootca.crt
               

• Create the client certificate request, specifying the subject name for the certificate.

                >certutil -R -d client_db -s "CN=CppClient,O=ACME,ST=Ontario,C=CA" -a -o client_db/client.req
                

• This step simulates the CA signing and issuing a new client certificate based on the client’s certificate request. The new cert is signed with the CA’s private key, so this operation uses the CA’s databases. This step leaves the client’s new certificate in a file.

               >certutil -C -d CA_db -c "MyRootCA" -a -i client_db/client.req -o client_db/client.crt -2 -6
               

  • Select “1 - Client Auth” at the prompt
  • Press 9 at the prompt
  • Type “n” for “Is this a critical extension [y/N]?”
  • Type “n” for “Is this a CA certificate [y/N]?”
  • Enter “-1″ for “Enter the path length constraint, enter to skip [<0 for unlimited path]: >”
  • Type “n” for “Is this a critical extension [y/N]?”
  • When prompted password, enter the password you specified when creating the root CA database.
• Add the new client certificate to the client’s certificate database in the client_db directory with the appropriate nickname. Notice that no trust is required for this certificate.

               >certutil -A -d client_db -n "CppClient" -a -i client_db/client.crt -t ",,"
               

2.4 Creating The Certificates For The JMS Client

• Import the CA certificate in to the trust store.

               keytool -import -v -keystore trust-store.jks -storepass password -alias RootCA -file CA_db/rootca.crt
               

• Import the CA certificate in to the key store. (need for client authentication)

               keytool -import -v -keystore key-store.jks -storepass password -alias RootCA -file CA_db/rootca.crt
               

• Generate keys for the client certificate.

               keytool -genkey -alias java-client -keyalg RSA -sigalg MD5withRSA -validity 356 -keystore key-store.jks -storepass password
               

  Answer the questions accordingly and press enter when prompted for the password to select the same password as the key-store.

• Create a certificate request.

               keytool -certreq -alias java-client -sigalg MD5withRSA -keystore key-store.jks -storepass password -v -file java-client.req
               

  Answer the questions accordingly and press enter when prompted for the password to select the same password as the key-store.

• Create a certificate request.

               keytool -certreq -alias java-client -sigalg MD5withRSA -keystore key-store.jks -storepass password -v -file java-client.req
               

  Answer the questions accordingly and press enter when prompted for the password to select the same password as the key-store.

• Sign the certificate request using CA certificate.

               certutil -C -d CA_db -c "MyRootCA" -a -i java-client.req -o java-client.crt  -2 -6
               

  • Select “1 - Client Auth” at the prompt
  • Press 9 at the prompt
  • Type “n” for “Is this a critical extension [y/N]?”
  • Type “n” for “Is this a CA certificate [y/N]?”
  • Enter “-1″ for “Enter the path length constraint, enter to skip [<0 for unlimited path]: >”
  • Type “n” for “Is this a critical extension [y/N]?”
  • When prompted password, enter the password you specified when creating the root CA database.
• Import the certificate into the key store.

               keytool -import -v -alias java-client -keystore key-store.jks -storepass password -file java-client.crt
               

3.0 Configuring The C++ Broker To Use SSL

• The $CERT_LOC denotes the directory where we created the CA_db, server_db, client_db, trust-store.jks and key-store.jks
• The broker-pfile needs to contain the password you entered while creating the server_db
• If you want to use client authentication, add –ssl-require-client-authentication to the broker options

If starting the broker from an installation.

/usr/sbin/qpidd --ssl-cert-db $CERT_LOC/server_db/ \
                       --ssl-cert-password-file $CERT_LOC/broker-pfile \
                       --ssl-cert-name localhost.localdomain \
                       --ssl-port 5674

If starting the broker from a source build

./src/qpidd --load-module ./src/.libs/ssl.so
                 --ssl-cert-db $CERT_LOC/server_db/ \
                 --ssl-cert-password-file $CERT_LOC/broker-pfile \
                 --ssl-cert-name localhost.localdomain \
                 --ssl-port 5674

4.0 Configuring The C++ Client To Use SSL
The following steps needs to be followed to enable SSL on the C++ client side.
The client side options are specified using environment variables.

1. Load the SslConnector.so
   If running from source

                          export QPID_LOAD_MODULE=./src/.libs/sslconnector.so
                 

2. To open an SSL enabled connection, set the protocol to ssl in the ConnectionSettings passed to Connection::open():

                   #include 
                   #include 
                   #include 
   
                   using namespace qpid::client;
   
                   int main(int , char** ) {
   
                   ConnectionSettings connectionSettings;
                   connectionSettings.host = “localhost”;
                   connectionSettings.port = 5674;
                   connectionSettings.protocol=”ssl”;
   
                   Connection connection;
                   try {
                        connection.open(connectionSettings);
                   ……
               

3. If client authentication is used, then we need to specify the clients certificate.

                    export QPID_SSL_CERT_DB=$CERT_LOC/client_db/
                    export QPID_SSL_CERT_NAME=CppClient
                    export QPID_SSL_CERT_PASSWORD_FILE=$CERT_LOC/cpfile
                

4.0 Configuring The JMS Client To Use SSL
The following steps needs to be followed to enable SSL on the JMS client side.

1. You need to specify the ssl option and the correct port in the Connection URL

                    amqp://guest:guest@test/?brokerlist='tcp://localhost:5674?ssl='true''
                 

2. Specify the trust store which contains the CA certificate

                   -Djavax.net.ssl.trustStore=$CERT_LOC/trust-store.jks \
                   -Djavax.net.ssl.trustStorePassword=password \
               

3. If client authentication is used, you need to specify the trust store and the key store which contains the client’s certificate

                   -Djavax.net.ssl.keyStore=$CERT_LOC/key-store.jks \
                   -Djavax.net.ssl.keyStorePassword=password \
                   -Djavax.net.ssl.trustStore=$CERT_LOC/trust-store.jks \
                   -Djavax.net.ssl.trustStorePassword=password \
               

4. In case you run into issues adding “-Djavax.net.debug=ssl” will enable logging in the Java SSL code

If you have any questions please feel free to contact us at users@qpid.apache.org.

Since joining the Apache Qpid project around Nov 2008 Microsoft has been helping with the windows port of the C++ broker. They also worked on a WCF client based on the C++ client libraries. Recently (about 2 weeks back) they contributed the code (QPID-2065). The examples could be found here.

From the read me the following features are available,
1. WCF service model programming using one way contracts
2. WCF channel model programming using IInputChannel and IOutputChannel based factories
3. Programmatic access to AMQP message properties on WCF messages
4. AMQP version 0-10 (as provided by the Qpid C++ native client library)
5. Shared connections for multiple channels based on binding parameters
6. WCF to WCF applications (using SOAP message encoders)
7. WCF to non-WCF applications (using raw content encoders)
8. Rudimentary AMQP type support for headers (Int and String)
9. Channel functional tests using NUnit
10. Programming samples

There are several opportunities for folks to collaborate in this area. Cliff Jansen who worked with Qpid on the code drop identified the following areas as potential areas for contributions.

From qpid/wcf/ReadMe.txt:

2. Planned features (not yet available)
=======================================

1. Full AMQP type support, including maps and arrays
2. System.Transactions integration (local and distributed with dynamic escalation)
3. Prefetch window for inbound messages
4. Shared sessions
5. Connection failover with AMQP broker clusters
6. Temporary queues
7. Broker management
8. System logging and tracing
9. CMake build system support
10. Transport and message based security

One item that I would like to add to the above list is documentation for the WCF client and it’s examples.

If you are interested in contributing please join us by sending an email to dev-subscribe@qpid.apache.org
You are most welcomed to contribute by way of code, testing, providing feedback or documentation.

The Apache Qpid community is pleased to announce the release of Apache Qpid M4!

Apache Qpid (http://qpid.apache.org) is a cross platform enterprise messaging solution which implements the Advanced Message Queueing Protocol (http://www.amqp.org).
It provides brokers written in Java and C++ and clients in C++, Java (including a JMS implementation), .Net, Python, and Ruby.

New features included in this release are:

• .NET, WCF and excel support for AMQP 0-10
• SSL added for C++ broker and all clients
• Windows port for C++ client & broker
• C++ Broker
  • ACL
  • Active-Active clustering
  • Federation, push bridges & dynamic routes
  • RDMA for C++ broker & C++ client (70-80us, yes us max latency on a well setup machines)
  • Support for message TTL
  • Queue options
    • added RING/ STRICT ring
    • LVQ
  • Exchange options
    • LVE
    • message sequencing
  • XQuery based XML Exchange now as plugin
• Performance work
• Management for AMQP 0-10
  • QMF C updates (console)
    • Python
    • C++
  • QMF Agent
    • C++
  • QMan JMX bridge for QMF
  • Alerts/ logger for QMF events
• JMSXUserId
• Java broker
  • Message Priority
  • bug fixes
  • some prep work for AMQP 0-10

It is available to download from:
http://www.apache.org/dist/qpid/M4/

Complete release notes are available here:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310520&styleName=Html&version=12313279

I guess by now many have heard that Microsoft is joining the Apache Qpid project and the AMQP Working Group. Sam Ramji mentioned this during his key note at the Apache Con US 2008. This is indeed great news for both the AMQP working group as well as the Apache Qpid community.

One of the engineers from Microsoft Anandeep Pannu, has written very excitedly about participating in Qpid.

In July Sam Ramji announced a sponsorship for the Apache Software Foundation. It kind of signaled about their intent to get their feet wet with playing an active role in open source. It seems that most large vendors have realized the importance of participating and promoting open source on one hand and also harnessing the power of open source on the other hand. IBM for instance played this strategy very well over the last decade or so. This is very good PR for the Qpid project and hopefully attract more participants and end users to the project. Definitely looking forward to working them in Qpid and the AMQP working group.

Danushka Menikkumbura has got AMQP support going for Axis2/C via the Apache Qpid project.
This will only work on Linux as the Qpid c++ client so far has only a Linux implementation. Currently there is ongoing work from two contributors trying to port the code base to support Windows and Solaris. This is scoped for the M3 release.

Watch the WSO2 blog space or the Axis2/C website for a tutorial/blog post from Danushka.

I have tested the following with Axis2 1.4 release and the up comming Synapse 1.2 release.

Documentation is broken into two sections.
It is important to read and understand the pros and cons for each option.

If you have any questions/suggestions please post on qpid-users@incubator.apache.org
And/Or open a JIRA at http://issues.apache.org/jira/browse/qpid
Your feedback is most welcomed.

1. Configuring the JMS transport using Apache Qpid M2.1 release.
   • This version is the latest stable release and supports the 0-9 version of the AMQP protocol.
   • You can download it from here
   • It is recomended that you use the Java broker.
   • This is the recomended production version.
2. Configuring the JMS transport using Apache Qpid trunk. (with the usual caveat that it is a less stable and a moving target).
   • The trunk supports the 0-10 version of the AMQP protocol and the next release is M3.
   • You can build it from source. https://svn.apache.org/repos/asf/incubator/qpid/trunk/qpid
   • Has the following enchancements in the JMS client over M2.1
     1. You can specify multiple binding keys per destination. i.e you could bind a queue to a particular exchange using several binding keys there by allowing you to listen from multiple sources.
     2. You can bind your queue to any exchange type using the binding URL.
     3. You can set the following options per JMS connection.
        • maxprefetch - The maximum number of pre-fetched messages per destination
        • sync_persistence - When true, a sync command is sent after every persistent message to guarantee that it has been received by the broker.
     4. A new blocking transport (as an alternative to MINA) that gives much better latency, memory and increased throughput in many cases.
     5. Currently only the c++ broker supports the 0-10 version and only works on linux.
     6. In the pipeline
        • Java Broker - expected to be in M3 release. Currently being refactored
        • C++ broker - solaris and windows port are in progress (likely to be in M3 release)

1.0 Configuring the JMS transport using Apache Qpid M2.1 release

• 1.1 Qpid provides a convinient properties file based JNDI mechanism.
  • For provider URL please specify the location of the jndi.properties file.
  • The following link provides documentation for the jndi.properties file. JNDI How To
  • The connection URL format is given here. Connection URL format

  
<parameter name="myTopicConnectionFactory">
<parameter name="java.naming.factory.initial">org.apache.qpid.jndi.PropertiesFileInitialContextFactory</parameter>
<parameter name="java.naming.provider.url">file:///opt/workspace/sandbox/axis2-1.4</parameter>
<parameter name="transport.jms.ConnectionFactoryJNDIName">TopicConnectionFactory</parameter>
</parameter>


• 1.2 If you didn’t specify a custom destination for your service via the “transport.jms.Destination” parameter then the JMS transport will create a queue with the service name as its name. In AMQP world the above translates as follows. A queue will be created with service name as its name and will be bound to the amq.direct exchange with service name as the routing key
• 1.3 If you specify a custom destination name via transport.jms.Destination in your services.xml then Qpid will look that up in the jndi.properties file and create queue based on the definition given in the file.
  The binding URL format is given here. Binding URL format

2.0 Configuring the JMS transport using Apache Qpid trunk
In addition to whats described above you can do the following.

• 2.1 Specifing multiple binding keys per destination
  
  destination.wetherServiceQueue=topic://amq.topic/WeatherQueue?bindingkey='weather.us.*'&bindingkey='weather.ca.*'
  
  The above will create a queue named WeatherQueue and will bind it to amq.topic with ‘weather.us.*’ and ‘weather.ca.*’ as the binding keys. The broker will then route any messages that matches the above patterns into WeatherQueue.
• 2.2 Binding your queue to any exchange type the broker supports by using the binding URL.
  
For example if you want to bind your queue to a fanout exchange
destination.top10StockQueue=fanout://amq.fanout/WeatherQueue

  
• 2.3 Setting prefetch limit and sync_persistence per JMS connection
  
  amqp://username:password@clientid/test?brokerlist='tcp://localhost:5672'&maxprefetch=2000&sync_persistence=true

  
• 2.4 Using the new transport
  
  Set -Dtransport=io when starting Axis2 or Synapse.

Read the rest of this entry »