[rabbitmq-discuss] Using rabbitmq_auth_mechanism_ssl with the .NET client

John Ruiz jruiz at johnruiz.com
Fri Dec 30 19:52:51 GMT 2011


See this stackoverflow thread for more information:

http://stackoverflow.com/questions/8683006/this-erlang-code-throws-an-exception-and-i-dont-know-why

Since this is the way that Windows Domains operate out of the box, I
suggest that instead of writing the code such that it throws an
exception, it instead concatenates any CN strings it finds.

At least this way I could have created a "Users John Ruiz" or "John
Ruiz Users" user in RabbitMQ and it would work.  With the
implementation as it stands today, I would need to create my own OU in
AD and then redirect the users container following this article:
http://support.microsoft.com/kb/324949.

The problem is the note at the bottom of that article:

"Some applications require specific security principals to be located
in default containers like CN=Users or CN=Computers. Verify that your
applications have such dependencies before you move them out of the
CN=users and CN=computes containers."

I have already discovered that I cannot move my service accounts
outside of the CN=users container or else many of my Constrained
Delegation scenarios no longer work. (More on constrained delegation
of kerberos credentials here: http://technet.microsoft.com/en-us/library/cc739587%28WS.10%29.aspx).

On Dec 30, 11:48 am, John Ruiz <jr... at johnruiz.com> wrote:
> I have a certificate with the following Subject:
> "CN=John Ruiz, CN=Users, DC=devexample, DC=com"
>
> When you look at rabbit_ssl.erl's find_by_type function, (this is my
> first time seeing erlang code, btw) I notice that there's a "<-
> lists:flatten(RDNs)" line.  I don't know what the result of
> lists:flatten will be.  This is probably why the connection suddenly
> ends... the user I've created for rabbit isn't matching what the cert
> says.
>
> Can anyone help me?
>
> On Dec 30, 11:19 am, John Ruiz <jr... at johnruiz.com> wrote:
>
> > Now that I have all of this working, I need to switch over from an
> > openssl-based CA to our production CA, which is Active Directory
> > Certificate Services.  All certificates are issued by the subordinate
> > enterprise CA --> ISSUE01.devexample.com.
>
> > I have a certificate for myself in my personal store on
> > DC01.devexample.com (Windows Server).
>
> > The RabbitMQ Service runs as Local System on APP01.devexample.com
> > (Windows Server) so there's a certificate for APP01.devexample.com in
> > the Local Computer's Personal store.
>
> > The Root CA certificate is already in Trusted Root Certs on all
> > machines in the domain devexample.com.  The ISSUE01 CA cert is in the
> > Intermediate Certification Authority store everywhere as well.
>
> > I have exported the Root CA cert to a DER file and then moved it to a
> > linux machine where I used openssl to convert it to PEM.  I then moved
> > it back to APP01.  Next, I exported APP01's cert (with private key) to
> > a PFX file, moved it to a linux machine and extracted the signed
> > public key cert and the private key cert.
>
> > # extract the private key (still password protected)
> > openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem
>
> > # extract the public cert
> > openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out app01.pem
>
> > # remove the password protection
> > openssl.exe rsa -in privateKey.pem -out app01-private.pem
>
> > I moved all of these PEMs back to APP01 -- the CA's public cert,
> > APP01's public cert, and APP01's private key.  Here is my
> > rabbitmq.config
>
> > [
> >   {rabbit, [
> >      {auth_mechanisms,['EXTERNAL']},
> >      {ssl_listeners, [5671]},
> >      {ssl_options, [{cacertfile,"C:/Keys/pki-root-ca.pem"},
> >                     {certfile,"C:/Keys/app01.pem"},
> >                     {keyfile,"C:/Keys/app01-private.pem"},
> >                     {verify,verify_peer},
> >                     {fail_if_no_peer_cert,true}]}
> >    ]}
> > ].
>
> > When I run the code that I've already listed in my blog post, I get
> > this exception: http://pastebin.com/9USFHWzf
>
> > In the rabbit log, I see this: http://pastebin.com/GsWsxLGV
>
> > As far as I can tell, I've done everything correctly.  I've ensured
> > that my code references APP01.devexample.com, exactly as it appears on
> > the certificate (Subject: CN = APP01.devexample.com).
>
> > What should I do/try?
>
> > Please help!
>
> > On Dec 27, 4:22 pm, John Ruiz <jr... at johnruiz.com> wrote:
>
> > > I have figured it out.  There were two issues.
>
> > > 1. Add the external mechanism factory to your connection factory's
> > > auth mechanisms
> > >     i.e. --
> > >     cf.AuthMechanisms = new AuthMechanismFactory[] { new ExternalMechanismFactory() };
>
> > > 2. Configure the server's auth_mechanisms variable in your
> > > rabbitmq.config.
> > >     Here is my complete rabbitmq.config:
>
> > > [
> > >   {rabbit, [
> > >      {auth_mechanisms,['EXTERNAL']},
> > >      {ssl_listeners, [5671]},
> > >      {ssl_options, [{cacertfile,"C:/Path/To/Your/cacert.pem"},
> > >                     {certfile,"C:/Path/To/Your/cert.pem"},
> > >                     {keyfile,"C:/Path/To/Your/key.pem"},
> > >                     {verify,verify_peer},
> > >                     {fail_if_no_peer_cert,true}]}
> > >    ]}
> > > ].
>
> > > On Dec 27, 1:16 pm, John Ruiz <jr... at johnruiz.com> wrote:
>
> > > > Hi All,
>
> > > > I've successfully followed the SSL tutorial and gotten my .NET client
> > > > to connect, send, and receive messages over SSL.  See my blog for the
> > > > code: http://blog.johnruiz.com/2011/12/establishing-ssl-connection-to-rabbi....
>
> > > > As the next step, I enabled the plugin "rabbitmq_auth_mechanism_ssl"
> > > > and then re-installed the Windows Service.  Then I re-ran the code I
> > > > have listed in my blog -- with the addition of a Console.ReadLine() at
> > > > the end of my using statements so I can see the connection details in
> > > > the management web app.
>
> > > > I am still connecting as guest.  What do I need to do in order to
> > > > connect as the CN of the Subject on my certificate?
>
> > > > Thanks!
> > > > ~ jR
> > > > _______________________________________________
> > > > rabbitmq-discuss mailing list
> > > > rabbitmq-disc... at lists.rabbitmq.com
> > > > https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
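
The multiple-CN Subject discussed in this message, as an added example that is not part of the original post and is not RabbitMQ's code: a Python check that parses a subject string and maps it to a username under two policies, one that refuses anything but a single CN and one that concatenates as suggested above. The names parse_dn, common_names and username, and the policy labels, are assumptions made for illustration; hex-pair escapes are left undecoded.

```python
import re

# Constructed sample: the Subject quoted in the thread.
SUBJECT = "CN=John Ruiz, CN=Users, DC=devexample, DC=com"

def split_unescaped(text, seps):
    """Split on any char in seps unless backslash-escaped or inside double quotes."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts

def parse_dn(dn):
    """Return a list of RDNs; each RDN is a list of (type, value) pairs."""
    rdns = []
    for rdn in split_unescaped(dn, ",;"):
        pairs = []
        for ava in split_unescaped(rdn, "+"):   # multi-valued RDN
            attr, _, value = ava.partition("=")
            value = value.strip().strip('"')
            value = re.sub(r'\\([,+"\\<>;=# ])', r"\1", value)
            pairs.append((attr.strip().upper(), value))
        rdns.append(pairs)
    return rdns

def common_names(dn):
    return [v for rdn in parse_dn(dn) for (t, v) in rdn if t == "CN"]

def username(dn, policy="strict"):
    """Map a subject to a username; 'concat' joins every CN, else exactly one is required."""
    cns = common_names(dn)
    if policy == "concat":
        return " ".join(cns)
    if len(cns) != 1:
        raise ValueError("expected one CN, found %d: %r" % (len(cns), cns))
    return cns[0]
```

Under the concat policy the container name becomes part of the username, so a subject with the single CN "John Ruiz Users" maps to the same string as the Subject above.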

