OASIS AMQP Version 1.0
Part 5 : Security

Committee Specification Draft 02

29 May 2012

Specification URIs

This version:

http://docs.oasis-open.org/amqp/core/v1.0/csd02/amqp-core-security-v1.0-csd02.xml (Authoritative)

http://docs.oasis-open.org/amqp/core/v1.0/csd02/amqp-core-security-v1.0-csd02.html

http://docs.oasis-open.org/amqp/core/v1.0/csd02/amqp-core-complete-v1.0-csd02.pdf

Previous version:

http://docs.oasis-open.org/amqp/core/v1.0/csd01/amqp-core-security-v1.0-csd01.xml (Authoritative)

http://docs.oasis-open.org/amqp/core/v1.0/csd01/amqp-core-security-v1.0-csd01.html

http://docs.oasis-open.org/amqp/core/v1.0/csd01/amqp-core-complete-v1.0-csd01.pdf

Latest version:

http://docs.oasis-open.org/amqp/core/v1.0/amqp-core-security-v1.0.xml (Authoritative)

http://docs.oasis-open.org/amqp/core/v1.0/amqp-core-security-v1.0.html

http://docs.oasis-open.org/amqp/core/v1.0/amqp-core-complete-v1.0.pdf

Technical Committee:

OASIS AMQP Technical Committee

Chairs:

Ram Jeyaraman (Ram.Jeyaraman@microsoft.com), Microsoft

Angus Telfer (angus.telfer@inetco.com), INETCO Systems

Editors:

Robert Godfrey (robert.godfrey@jpmorgan.com), JPMorgan Chase & Co.

David Ingham (David.Ingham@microsoft.com), Microsoft

Rafael Schloming (rafaels@redhat.com), Red Hat

Additional artifacts:

This specification consists of the following documents:

·        Part 0: Overview - Overview of the AMQP specification

·        Part 1: Types - AMQP type system and encoding

·        Part 2: Transport - AMQP transport layer

·        Part 3: Messaging - AMQP Messaging Layer

·        Part 4: Transactions - AMQP Transactions Layer

·        Part 5: Security (this document) - AMQP Security Layers

·        XML Document Type Definition (DTD)

Related work:

This specification replaces or supersedes:

·        http://www.amqp.org/specification/1.0/amqp-org-download

Abstract:

The Advanced Message Queuing Protocol (AMQP) is an open internet protocol for business messaging. It defines a binary wire-level protocol that allows for the reliable exchange of business messages between two parties. AMQP has a layered architecture and the specification is organized as a set of parts that reflects that architecture. Part 1 defines the AMQP type system and encoding. Part 2 defines the AMQP transport layer, an efficient, binary, peer-to-peer protocol for transporting messages between two processes over a network. Part 3 defines the AMQP message format, with a concrete encoding. Part 4 defines how interactions can be grouped within atomic transactions. Part 5 defines the AMQP security layers.

Status:

This document was last revised or approved by the OASIS AMQP Technical Committee on the above date. The level of approval is also listed above. Check the “Latest version” location noted above for possible later revisions of this document.

Technical Committee members should send comments on this specification to the Technical Committee’s email list. Others should send comments to the Technical Committee by using the "Send A Comment" button on the Technical Committee's web page at http://www.oasis-open.org/committees/amqp/.

For information on whether any patents have been disclosed that may be essential to implementing this specification, and any offers of patent licensing terms, please refer to the Intellectual Property Rights section of the Technical Committee web page (http://www.oasis-open.org/committees/amqp/ipr.php).

Citation format:

When referencing this specification the following citation format should be used:

[amqp-core-security-v1.0]

OASIS AMQP Version 1.0 Part 5 : Security. 29 May 2012. Committee Specification Draft 02. http://docs.oasis-open.org/amqp/core/v1.0/csd02/amqp-core-security-v1.0-csd02.html.


Notices

Copyright OASIS Open 2012. All Rights Reserved.

All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

OASIS requests that any OASIS Party or any other party that believes it has patent claims that would necessarily be infringed by implementations of this OASIS Committee Specification or OASIS Standard, to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification.

OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of any patent claims that would necessarily be infringed by implementations of this specification by a patent holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that produced this specification. OASIS may include such claims on its website, but disclaims any obligation to do so.

OASIS takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on OASIS' procedures with respect to rights in any document or deliverable produced by an OASIS Technical Committee can be found on the OASIS website. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this OASIS Committee Specification or OASIS Standard, can be obtained from the OASIS TC Administrator. OASIS makes no representation that any information or list of intellectual property rights will at any time be complete, or that any claims in such list are, in fact, Essential Claims.

The name "OASIS" is a trademark of OASIS, the owner and developer of this specification, and should be used only to refer to the organization and its official outputs. OASIS welcomes reference to, and implementation and use of, specifications, while reserving the right to enforce its marks against misleading uses. Please see http://www.oasis-open.org/who/trademark.php for above guidance.


Table of Contents



5.1 Security Layers
5.2 TLS
      5.2.1 Alternative Establishment
      5.2.2 Constant Definitions
5.3 SASL
      5.3.1 SASL Frames
      5.3.2 SASL Negotiation
      5.3.3 Security Frame Bodies
            5.3.3.1 Sasl Mechanisms
            5.3.3.2 Sasl Init
            5.3.3.3 Sasl Challenge
            5.3.3.4 Sasl Response
            5.3.3.5 Sasl Outcome
            5.3.3.6 Sasl Code
      5.3.4 Constant Definitions

5.1 Security Layers

Security layers are used to establish an authenticated and/or encrypted transport over which regular AMQP traffic can be tunneled. Security layers can be tunneled through one another (for instance a security layer used by the peers to do authentication might be tunneled through a security layer established for encryption purposes).

The framing and protocol definitions for security layers are expected to be defined externally to the AMQP specification as in the case of TLS [RFC5246]. An exception to this is the SASL [RFC4422] security layer which depends on its host protocol to provide framing. Therefore section 5.3 defines the frames necessary for SASL to function. When a security layer terminates (either before or after a secure tunnel is established), the TCP connection MUST be closed by first shutting down the outgoing stream and then reading the incoming stream until it is terminated.

5.2 TLS

To establish a TLS session, each peer MUST start by sending a protocol header before commencing with TLS negotiation. The protocol header consists of the upper case ASCII letters "AMQP" followed by a protocol id of two, followed by three unsigned bytes representing the major, minor, and revision of the specification version (currently 1 (TLS-MAJOR), 0 (TLS-MINOR), 0 (TLS-REVISION)). In total this is an 8-octet sequence:

Figure 5.1: Protocol Header for TLS Security Layer
4 OCTETS 1 OCTET 1 OCTET 1 OCTET 1 OCTET +----------+---------+---------+---------+----------+ | "AMQP" | %d2 | major | minor | revision | +----------+---------+---------+---------+----------+

Other than using a protocol id of two, the exchange of TLS protocol headers follows the same rules specified in the version negotiation section of the transport specification (See section 2.2).

The following diagram illustrates the interaction involved in creating a TLS security layer:

Figure 5.2: Establishing a TLS Security Layer
TCP Client TCP Server ========================================= AMQP%d2.1.0.0 ---------> <--------- AMQP%d2.1.0.0 : : <TLS negotiation> : : AMQP%d0.1.0.0 ---------> (over TLS secured connection) <--------- AMQP%d0.1.0.0 open ---------> <--------- open

When the use of the TLS security layer is negotiated, the following rules apply:

5.2.1 Alternative Establishment

In certain situations, such as connecting through firewalls, it might not be possible to establish a TLS security layer using the above procedure (for example, because a deep packet inspecting firewall sees the first few bytes of the connection 'as not being TLS').

As an alternative, implementations MAY run a pure TLS server, i.e., one that does not expect the initial TLS-invoking handshake. The IANA service name for this is amqps and the port is SECURE-PORT (5671). Implementations MAY also choose to run this pure TLS server on other ports, if this is operationally necessary (e.g., to tunnel through a legacy firewall that only expects TLS traffic on port 443).

5.2.2 Constant Definitions

TLS-MAJOR1major protocol version.
TLS-MINOR0minor protocol version.
TLS-REVISION0protocol revision.

5.3 SASL

To establish a SASL layer, each peer MUST start by sending a protocol header. The protocol header consists of the upper case ASCII letters "AMQP" followed by a protocol id of three, followed by three unsigned bytes representing the major, minor, and revision of the specification version (currently 1 (SASL-MAJOR), 0 (SASL-MINOR), 0 (SASL-REVISION)). In total this is an 8-octet sequence:

Figure 5.3: Protocol Header for SASL Security Layer
4 OCTETS 1 OCTET 1 OCTET 1 OCTET 1 OCTET +----------+---------+---------+---------+----------+ | "AMQP" | %d3 | major | minor | revision | +----------+---------+---------+---------+----------+

Other than using a protocol id of three, the exchange of SASL layer headers follows the same rules specified in the version negotiation section of the transport specification (See section 2.2).

The following diagram illustrates the interaction involved in creating a SASL security layer:

Figure 5.4: Establishing a SASL Security Layer
TCP Client TCP Server ========================================= AMQP%d3.1.0.0 ---------> <--------- AMQP%d3.1.0.0 : : <SASL negotiation> : : AMQP%d0.1.0.0 ---------> (over SASL secured connection) <--------- AMQP%d0.1.0.0 open ---------> <--------- open

5.3.1 SASL Frames

SASL performatives are framed as per section 2.3. A SASL frame has a type code of 0x01. Bytes 6 and 7 of the header are ignored. Implementations SHOULD set these to 0x00. The extended header is ignored. Implementations SHOULD therefore set DOFF to 0x02.

Figure 5.5: SASL Frame
type: 0x01 - SASL frame +0 +1 +2 +3 +-----------------------------------+ -. 0 | SIZE | | +-----------------------------------+ |---> Frame Header 4 | DOFF | TYPE | <IGNORED>*1 | | (8 bytes) +-----------------------------------+ -' +-----------------------------------+ -. 8 | ... | | . . |---> Extended Header . <IGNORED>*2 . | (DOFF * 4 - 8) bytes | ... | | +-----------------------------------+ -' +-----------------------------------+ -. 4*DOFF | | | . . | . . | . Sasl Mechanisms / Sasl Init . | . Sasl Challenge / Sasl Response . |---> Frame Body . Sasl Outcome . | (SIZE - DOFF * 4) bytes . . | . . | . ________| | | ... | | +--------------------------+ -' *1 SHOULD be set to 0x0000 *2 Ignored, so DOFF SHOULD be set to 0x02

The maximum size of a SASL frame is defined by MIN-MAX-FRAME-SIZE. There is no mechanism within the SASL negotiation to negotiate a different size. The frame body of a SASL frame MUST contain exactly one AMQP type, whose type encoding MUST have provides="sasl-frame" . Receipt of an empty frame is an irrecoverable error.

5.3.2 SASL Negotiation

The peer acting as the SASL server MUST announce supported authentication mechanisms using the sasl-mechanisms frame. The partner MUST then choose one of the supported mechanisms and initiate a sasl exchange.

Figure 5.6: SASL Exchange
SASL Client SASL Server ================================ <-- SASL-MECHANISMS SASL-INIT --> ... <-- SASL-CHALLENGE * SASL-RESPONSE --> ... <-- SASL-OUTCOME -------------------------------- * Note that the SASL challenge/response step can occur zero or more times depending on the details of the SASL mechanism chosen.

The peer playing the role of the SASL client and the peer playing the role of the SASL server MUST correspond to the TCP client and server respectively.

5.3.3 Security Frame Bodies

5.3.3.1 Sasl Mechanisms

Advertise available sasl mechanisms.

<type name="sasl-mechanisms" class="composite" source="list" provides="sasl-frame"> <descriptor name="amqp:sasl-mechanisms:list" code="0x00000000:0x00000040"/> <field name="sasl-server-mechanisms" type="symbol" multiple="true" mandatory="true"/> </type>

Advertises the available SASL mechanisms that can be used for authentication.

sasl-server-mechanismssupported sasl mechanismsmandatory symbol[]

A list of the sasl security mechanisms supported by the sending peer. It is invalid for this list to be null or empty. If the sending peer does not require its partner to authenticate with it, then it SHOULD send a list of one element with its value as the SASL mechanism ANONYMOUS. The server mechanisms are ordered in decreasing level of preference.

5.3.3.2 Sasl Init

Initiate sasl exchange.

<type name="sasl-init" class="composite" source="list" provides="sasl-frame"> <descriptor name="amqp:sasl-init:list" code="0x00000000:0x00000041"/> <field name="mechanism" type="symbol" mandatory="true"/> <field name="initial-response" type="binary"/> <field name="hostname" type="string"/> </type>

Selects the sasl mechanism and provides the initial response if needed.

mechanismselected security mechanismmandatory symbol

The name of the SASL mechanism used for the SASL exchange. If the selected mechanism is not supported by the receiving peer, it MUST close the connection with the authentication-failure close-code. Each peer MUST authenticate using the highest-level security profile it can handle from the list provided by the partner.

initial-responsesecurity response dataoptional binary

A block of opaque data passed to the security mechanism. The contents of this data are defined by the SASL security mechanism.

hostnamethe name of the target hostoptional string

The DNS name of the host (either fully qualified or relative) to which the sending peer is connecting. It is not mandatory to provide the hostname. If no hostname is provided the receiving peer SHOULD select a default based on its own configuration.

This field can be used by AMQP proxies to determine the correct back-end service to connect the client to, and to determine the domain to validate the client's credentials against.

This field might already have been specified by the server name indication extension as described in RFC-4366 [RFC4366], if a TLS layer is used, in which case this field SHOULD either be null or contain the same value. It is undefined what a different value to those already specified means.

5.3.3.3 Sasl Challenge

Security mechanism challenge.

<type name="sasl-challenge" class="composite" source="list" provides="sasl-frame"> <descriptor name="amqp:sasl-challenge:list" code="0x00000000:0x00000042"/> <field name="challenge" type="binary" mandatory="true"/> </type>

Send the SASL challenge data as defined by the SASL specification.

challengesecurity challenge datamandatory binary

Challenge information, a block of opaque binary data passed to the security mechanism.

5.3.3.4 Sasl Response

Security mechanism response.

<type name="sasl-response" class="composite" source="list" provides="sasl-frame"> <descriptor name="amqp:sasl-response:list" code="0x00000000:0x00000043"/> <field name="response" type="binary" mandatory="true"/> </type>

Send the SASL response data as defined by the SASL specification.

responsesecurity response datamandatory binary

A block of opaque data passed to the security mechanism. The contents of this data are defined by the SASL security mechanism.

5.3.3.5 Sasl Outcome

Indicates the outcome of the sasl dialog.

<type name="sasl-outcome" class="composite" source="list" provides="sasl-frame"> <descriptor name="amqp:sasl-outcome:list" code="0x00000000:0x00000044"/> <field name="code" type="sasl-code" mandatory="true"/> <field name="additional-data" type="binary"/> </type>

This frame indicates the outcome of the SASL dialog. Upon successful completion of the SASL dialog the security layer has been established, and the peers MUST exchange protocol headers to either start a nested security layer, or to establish the AMQP connection.

codeindicates the outcome of the sasl dialogmandatory sasl-code

A reply-code indicating the outcome of the SASL dialog.

additional-dataadditional data as specified in RFC-4422optional binary

The additional-data field carries additional data on successful authentication outcome as specified by the SASL specification [RFC4422]. If the authentication is unsuccessful, this field is not set.

5.3.3.6 Sasl Code

Codes to indicate the outcome of the sasl dialog.

<type name="sasl-code" class="restricted" source="ubyte"> <choice name="ok" value="0"/> <choice name="auth" value="1"/> <choice name="sys" value="2"/> <choice name="sys-perm" value="3"/> <choice name="sys-temp" value="4"/> </type>
ok0

Connection authentication succeeded.

auth1

Connection authentication failed due to an unspecified problem with the supplied credentials.

sys2

Connection authentication failed due to a system error.

sys-perm3

Connection authentication failed due to a system error that is unlikely to be corrected without intervention.

sys-temp4

Connection authentication failed due to a transient system error.

5.3.4 Constant Definitions

SASL-MAJOR1major protocol version.
SASL-MINOR0minor protocol version.
SASL-REVISION0protocol revision.

<< Part 4: Transactions