Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 588504

Summary: [RFE] [MRG] Messaging broker to listen only on SSL port
Product: Red Hat Enterprise MRG Reporter: Issue Tracker <tao>
Component: qpid-cppAssignee: Andrew Stitcher <astitcher>
Status: CLOSED ERRATA QA Contact: Leonid Zhaldybin <lzhaldyb>
Severity: medium Docs Contact:
Priority: medium    
Version: 1.0CC: astitcher, cww, esammons, freznice, gsim, iboverma, jmorgan, jross, jwulf, lzhaldyb, mharvey, pematous, spoyarek, tao, zkraus
Target Milestone: 3.0Keywords: FutureFeature, Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: qpid-cpp-0.22-4.el6, qpid-cpp-0.22-4.el5 Doc Type: Enhancement
Doc Text:
The MRG Messaging Broker is now able to require SSL connections. This feature is required to allow customers to comply with some security policies. The MRG Messaging Broker can now be prohibited from listening for regular TCP connections by specifying `--listen-disable tcp` on the broker command line, or by using the equivalent configuration file option.
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-24 15:01:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Issue Tracker 2010-05-03 20:15:11 UTC
Escalated to Bugzilla from IssueTracker

Comment 1 Issue Tracker 2010-05-03 20:15:12 UTC
Event posted on 04-16-2010 08:23am EDT by rrajaram

Customer #1105962 is a government customer and he requires this feature to comply with  IA policies for accreditation of the server.

Needed to comply with IA policies for accreditation of the server.
This event sent from IssueTracker by cww  [SEG - Feature Request]
 issue 773053

Comment 2 Issue Tracker 2010-05-03 20:15:14 UTC
Event posted on 04-16-2010 08:32am EDT by RFE-tool

1) Customer Name:
Account #1105962 Stephen Duke

2) Nature Of Problem:
Customer is implementing MRG-M. He has enabled SSL for this broker. By
default the broker listen's to both SSL and non ssl port. Customer would
prefer the borker to listen only on ssl port. Currently there are no
options available which will prevent the broker from listening on non ssl
port.

Customer needs to comply with IA policies for accreditation of the server

3) Business Requirements Satisfied By Request:
Customer can comply with IA policies for accreditation of the server

4) Functional Requirements That Are Not Presently Possible:
Broker listens to both ssl and non ssl ports. No options to prevent the
broker from listening on non ssl port

5) What Will Success Look Like:
Current netstat -anp | grep qpidd

tcp        0      0 0.0.0.0:5671                0.0.0.0:*                 
 LISTEN      7797/qpidd
tcp        0      0 0.0.0.0:5672                0.0.0.0:*                 
 LISTEN      7797/qpidd

5671 is the SSL port and 5672 is the non ssl port

Success would like

tcp        0      0 0.0.0.0:5671                0.0.0.0:*                 
 LISTEN      7797/qpidd

6) Desired Release Vehicle:
MRG 1.3

7) Request Meets The Rhel Inclusion Criteria:
Yes

8) Affected Packages:
qpidc

9) Sales Sponsor:


10) Rh Business Opportunity With Customer:
Customer is a TAM customer and seems to implementing MRG-M. Brad Maxwell
is the TAM

11) Status And Risk To Contract If Not Satisfied:


12) If this request is vendor specific, has the customer engaged the
partner as well?:
Not Applicable




RFE-tool assigned to issue for SEG - Feature Request.

This event sent from IssueTracker by cww  [SEG - Feature Request]
 issue 773053

Comment 4 Justin Ross 2013-02-26 15:43:00 UTC
Andrew, any thoughts?

Comment 5 Andrew Stitcher 2013-02-26 17:28:09 UTC
We still have no way to turn off the tcp connection, in theory the code would allow you to not listen using plain tcp.

There is some support for minimum allowable encryption strengths but I don't think it applies to plain tcp with no sasl so perhaps this would be the way to disallow unencrypted tcp (tcp sasl connections can be encrypted)

Comment 6 Andrew Stitcher 2013-05-02 19:22:23 UTC
This feature is now available on the trunk of the qpid release in r1478398.

You can turn tcp listening off with the option --listen-disable tcp

This will be available in the upstream 0.24 release (but could be backported if necessary)

Comment 7 Leonid Zhaldybin 2013-08-27 08:13:10 UTC
Tested on RHEL6 (both i386 and x86_64). This new feature is implemented and works as expected.

Packages used for testing:

python-qpid-0.22-4.el6
python-qpid-qmf-0.22-9.el6
qpid-cpp-client-0.22-11.el6
qpid-cpp-client-devel-0.22-11.el6
qpid-cpp-client-devel-docs-0.22-11.el6
qpid-cpp-client-ssl-0.22-11.el6
qpid-cpp-server-0.22-11.el6
qpid-cpp-server-devel-0.22-11.el6
qpid-cpp-server-ssl-0.22-11.el6
qpid-cpp-server-store-0.22-11.el6
qpid-cpp-server-xml-0.22-11.el6
qpid-java-client-0.22-5.el6
qpid-java-common-0.22-5.el6
qpid-java-example-0.22-5.el6
qpid-jca-0.22-1.el6
qpid-jca-xarecovery-0.22-1.el6
qpid-proton-c-0.4-2.2.el6
qpid-qmf-0.22-9.el6
qpid-tools-0.22-3.el6

-> VERIFIED

Comment 18 errata-xmlrpc 2014-09-24 15:01:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-1296.html