[rabbitmq-discuss] Problems with rabbitmq-auth-mechanism-ssl

Simon MacMullen simon at rabbitmq.com
Tue Feb 22 10:47:25 GMT 2011


On 22/02/11 10:17, Jiri Krutil wrote:
> I have upgraded my server and Java client to 2.3.1 and I'm trying the
> new SASL EXTERNAL authentication mechanism using
> rabbitmq-auth-mechanism-ssl plugin.
>
> My rabbitmq.config contains:
> [
>   {rabbit, [
>     {ssl_listeners, [{"0.0.0.0",5671}]},
>     {ssl_options, [
>       {cacertfile,"/home/alpha/ssl/ca/cacert.pem"},
>       {certfile,"/home/alpha/ssl/server/servercert.pem"},
>       {keyfile,"/home/alpha/ssl/server/serverkey.pem"},
>       {verify,verify_peer},
>       {fail_if_no_peer_cert,true},
>       {auth_mechanisms,['EXTERNAL']}
>     ]}
>   ]}
> ].

This certainly looks like it should work.

> I'm connecting from a Java client using a client certificate. The SSL
> handshake seems to work, but I can't seem to get the cert-based
> authentication working. My client cert has subject= /CN=CXAPI001
>
> Not sure what should I do on the client side. Something like
> connectionFactory.setSaslConfig(new DefaultSaslConfig())?

This should not be needed. The DefaultSaslConfig is used by default :) 
and will use Sun's standard algorithm for selecting a mechanism 
(whatever that is, but in practice it's always selected EXTERNAL for me 
when possible).

> This is what I'm getting in the server log:

> =ERROR REPORT==== 22-Feb-2011::10:22:08 ===
> exception on TCP connection <0.325.0> from 172.20.12.132:1940
> {channel0_error,starting,
> {amqp_error,access_refused,
> "PLAIN login refused: user 'guest' - invalid credentials",
> 'connection.start_ok'}}

But this is deeply suspicious. If you've specified 
{auth_mechanisms,['EXTERNAL']} in your configuration, it should not be 
possible to even start PLAIN authentication - that item specifies the 
entire list of mechanisms to offer. I therefore wonder if your 
configuration isn't getting picked up?

Do you have the mgmt plugin installed? If so, Overview > (node name) > 
Registry > Authentication Mechanisms will show you which mechanisms are 
installed and enabled.

If not, and you're able to compile the Java client (or run it in a 
debugger), checking the value of the "mechanisms" variable around line 
267 of AMQConnection.java will tell you what mechanisms the client is 
being offered.

Cheers, Simon

-- 
Simon MacMullen
Staff Engineer, RabbitMQ
SpringSource, a division of VMware
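A note added here as an example, not part of the original thread. Reading the quoted rabbitmq.config again, the {auth_mechanisms,['EXTERNAL']} tuple sits inside the ssl_options list (the "]}" after it closes ssl_options, not rabbit), so it reaches the Erlang ssl application as a TLS option and is never read as the broker's auth_mechanisms setting. The broker therefore keeps its default mechanism list, PLAIN is still offered, and the Java client falls back to PLAIN with the default guest credentials, which is exactly the log line shown. The fragment below shows the misplaced setting next to the corrected layout; paths are the ones from the quoted config, and the rabbitmq_auth_mechanism_ssl application section is an assumption about later plugin releases, not something the 2.3.1 setup in the thread is known to support.

```erlang
%% Added example (not from the original thread). An Erlang config file
%% holds exactly one term ending in "." ; the two versions below are
%% shown one after the other for comparison, so use only one of them.

%% --- As posted: auth_mechanisms nested inside ssl_options ----------------
%% The ssl application either ignores or rejects the unknown option, and
%% either way rabbit's own auth_mechanisms stays at its default, so PLAIN
%% is still offered and the client never attempts EXTERNAL.
[
  {rabbit, [
    {ssl_listeners, [{"0.0.0.0", 5671}]},
    {ssl_options, [
      {cacertfile,           "/home/alpha/ssl/ca/cacert.pem"},
      {certfile,             "/home/alpha/ssl/server/servercert.pem"},
      {keyfile,              "/home/alpha/ssl/server/serverkey.pem"},
      {verify,               verify_peer},
      {fail_if_no_peer_cert, true},
      {auth_mechanisms,      ['EXTERNAL']}      %% wrong level: a TLS option
    ]}
  ]}
].

%% --- Corrected: auth_mechanisms is a sibling of ssl_listeners -------------
[
  {rabbit, [
    {ssl_listeners, [{"0.0.0.0", 5671}]},
    %% With only EXTERNAL offered, a client on the default plaintext port
    %% (5672) could not authenticate at all, so close that listener rather
    %% than leave a port that rejects every login.
    {tcp_listeners, []},
    {ssl_options, [
      {cacertfile,           "/home/alpha/ssl/ca/cacert.pem"},
      {certfile,             "/home/alpha/ssl/server/servercert.pem"},
      {keyfile,              "/home/alpha/ssl/server/serverkey.pem"},
      {verify,               verify_peer},       %% require and verify a client cert
      {fail_if_no_peer_cert, true}               %% no cert, no TLS session
    ]},
    %% Broker-level setting: this is the complete list of SASL mechanisms
    %% offered in connection.start, so PLAIN and AMQPLAIN disappear and a
    %% password can no longer be used on any listener.
    {auth_mechanisms, ['EXTERNAL']}
  ]},
  %% Assumption about later plugin releases (not confirmed for 2.3.1):
  %% ssl_cert_login_from selects whether the username taken from the
  %% certificate is its full distinguished name or only the CN.
  {rabbitmq_auth_mechanism_ssl, [
    {ssl_cert_login_from, common_name}
  ]}
].
```

After restarting, the management page Simon points at (or "rabbitmqctl environment", which prints the running configuration) should list EXTERNAL as the only mechanism; if PLAIN is still there, the file is still not the one the broker reads. EXTERNAL only establishes identity from the certificate, so a broker user whose name matches what the plugin derives (CXAPI001 if the CN is used, the full DN otherwise) must already exist with permissions on the vhost, or the login fails after the handshake succeeds. Current Java clients also allow forcing the mechanism with DefaultSaslConfig.EXTERNAL instead of relying on mechanism selection, which makes a misconfigured server fail loudly rather than silently fall back to PLAIN.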
