[rabbitmq-discuss] Using rabbitmq_auth_mechanism_ssl with the .NET client

Simon MacMullen simon at rabbitmq.com
Thu Jan 5 10:38:27 GMT 2012


Somewhat weirdly that's not how our local AD server seems to be doing 
things. But this is clearly a problem. I think 
rabbitmq_auth_mechanism_ssl needs to switch to using DNs...

Cheers, Simon

On 30/12/11 19:52, John Ruiz wrote:
> See this stackoverflow thread for more information:
>
> http://stackoverflow.com/questions/8683006/this-erlang-code-throws-an-exception-and-i-dont-know-why
>
> Since this is the way that Windows Domains operate out of the box, I
> suggest that instead of writing the code such that it throws an
> exception, it instead concatenates any CN strings it finds.
>
> At least this way I could have created a "Users John Ruiz" or "John
> Ruiz Users" user in RabbitMQ and it would work.  With the
> implementation as it stands today, I would need to create my own OU in
> AD and then redirect the users container following this article:
> http://support.microsoft.com/kb/324949.
>
> The problem is the note at the bottom of that article:
>
> "Some applications require specific security principals to be located
> in default containers like CN=Users or CN=Computers. Verify that your
> applications have such dependencies before you move them out of the
> CN=Users and CN=Computers containers."
>
> I have already discovered that I cannot move my service accounts
> outside of the CN=users container or else many of my Constrained
> Delegation scenarios no longer work. (More on constrained delegation
> of kerberos credentials here: http://technet.microsoft.com/en-us/library/cc739587%28WS.10%29.aspx).
>
> On Dec 30, 11:48 am, John Ruiz <jr... at johnruiz.com> wrote:
>> I have a certificate with the following Subject:
>> "CN=John Ruiz, CN=Users, DC=devexample, DC=com"
>>
>> When you look at rabbit_ssl.erl's find_by_type function, (this is my
>> first time seeing erlang code, btw) I notice that there's a "<-
>> lists:flatten(RDNs)" line.  I don't know what the result of
>> lists:flatten will be.  This is probably why the connection suddenly
>> ends... the user I've created for rabbit isn't matching what the cert
>> says.
>>
>> Can anyone help me?
>>
>> On Dec 30, 11:19 am, John Ruiz <jr... at johnruiz.com> wrote:
>>
>>> Now that I have all of this working, I need to switch over from an
>>> openssl-based CA to our production CA, which is Active Directory
>>> Certificate Services.  All certificates are issued by the subordinate
>>> enterprise CA -->  ISSUE01.devexample.com.
>>
>>> I have a certificate for myself in my personal store on
>>> DC01.devexample.com (Windows Server).
>>
>>> The RabbitMQ Service runs as Local System on APP01.devexample.com
>>> (Windows Server) so there's a certificate for APP01.devexample.com in
>>> the Local Computer's Personal store.
>>
>>> The Root CA certificate is already in Trusted Root Certs on all
>>> machines in the domain devexample.com.  The ISSUE01 CA cert is in the
>>> Intermediate Certification Authority store everywhere as well.
>>
>>> I have exported the Root CA cert to a DER file and then moved it to a
>>> linux machine where I used openssl to convert it to PEM.  I then moved
>>> it back to APP01.  Next, I exported APP01's cert (with private key) to
>>> a PFX file, moved it to a linux machine and extracted the signed
>>> public key cert and the private key cert.
>>
>>> # extract the private key (still password protected)
>>> openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem
>>
>>> # extract the public cert (-clcerts: only the client cert, not the CA chain)
>>> openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out app01.pem
>>
>>> # remove the password protection
>>> openssl.exe rsa -in privateKey.pem -out app01-private.pem
>>
>>> I moved all of these PEMs back to APP01 -- the CA's public cert,
>>> APP01's public cert, and APP01's private key.  Here is my
>>> rabbitmq.config
>>
>>> [
>>>    {rabbit, [
>>>       {auth_mechanisms,['EXTERNAL']},
>>>       {ssl_listeners, [5671]},
>>>       {ssl_options, [{cacertfile,"C:/Keys/pki-root-ca.pem"},
>>>                      {certfile,"C:/Keys/app01.pem"},
>>>                      {keyfile,"C:/Keys/app01-private.pem"},
>>>                      {verify,verify_peer},
>>>                      {fail_if_no_peer_cert,true}]}
>>>     ]}
>>> ].
>>
>>> When I run the code that I've already listed in my blog post, I get
>>> this exception: http://pastebin.com/9USFHWzf
>>
>>> In the rabbit log, I see this: http://pastebin.com/GsWsxLGV
>>
>>> As far as I can tell, I've done everything correctly.  I've ensured
>>> that my code references APP01.devexample.com, exactly as it appears on
>>> the certificate (Subject: CN = APP01.devexample.com).
>>
>>> What should I do/try?
>>
>>> Please help!
>>
>>> On Dec 27, 4:22 pm, John Ruiz <jr... at johnruiz.com> wrote:
>>
>>>> I have figured it out.  There were two issues.
>>
>>>> 1. Add the external mechanism factory to your connection factory's
>>>> auth mechanisms
>>>>      i.e. -- cf.AuthMechanisms = new AuthMechanismFactory[] { new ExternalMechanismFactory() };
>>
>>>> 2. Configure the server's auth_mechanisms variable in your
>>>> rabbitmq.config.
>>>>      Here is my complete rabbitmq.config:
>>
>>>> [
>>>>    {rabbit, [
>>>>       {auth_mechanisms,['EXTERNAL']},
>>>>       {ssl_listeners, [5671]},
>>>>       {ssl_options, [{cacertfile,"C:/Path/To/Your/cacert.pem"},
>>>>                      {certfile,"C:/Path/To/Your/cert.pem"},
>>>>                      {keyfile,"C:/Path/To/Your/key.pem"},
>>>>                      {verify,verify_peer},
>>>>                      {fail_if_no_peer_cert,true}]}
>>>>     ]}
>>>> ].
>>
>>>> On Dec 27, 1:16 pm, John Ruiz <jr... at johnruiz.com> wrote:
>>
>>>>> Hi All,
>>
>>>>> I've successfully followed the SSL tutorial and gotten my .NET client
>>>>> to connect, send, and receive messages over SSL.  See my blog for the
>>>>> code: http://blog.johnruiz.com/2011/12/establishing-ssl-connection-to-rabbi....
>>
>>>>> As the next step, I enabled the plugin "rabbitmq_auth_mechanism_ssl"
>>>>> and then re-installed the Windows Service.  Then I re-ran the code I
>>>>> have listed in my blog -- with the addition of a Console.ReadLine() at
>>>>> the end of my using statements so I can see the connection details in
>>>>> the management web app.
>>
>>>>> I am still connecting as guest.  What do I need to do in order to
>>>>> connect as the CN of the Subject on my certificate?
>>
>>>>> Thanks!
>>>>> ~ jR
>>>>> _______________________________________________
>>>>> rabbitmq-discuss mailing list
>>>>> rabbitmq-disc... at lists.rabbitmq.com
>>>>> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
>>


-- 
Simon MacMullen
RabbitMQ, VMware
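The three naming rules argued over in this thread, side by side, as an added example. This is not RabbitMQ's code nor the rabbitmq_auth_mechanism_ssl plugin's; it models the subject-to-username step in plain Python over RFC 4514 string DNs so the behaviour can be compared. The subject strings are constructed to mirror the ones quoted above (an AD-issued user cert with two CN RDNs, the openssl-CA server cert with one), the two extra "John Ruiz" subjects under different OUs are hypothetical, and all function names, the exception type and the DN escaping helper are this example's own.

```python
"""Client-certificate subject -> RabbitMQ username, three ways.

Added illustration, not code from RabbitMQ or rabbitmq_auth_mechanism_ssl.
All subject strings below are constructed to mirror the thread.
"""
from typing import List, Tuple

RDN = Tuple[str, str]

# Characters RFC 4514 requires to be backslash-escaped inside a value when a
# DN is serialised back to a string (assumed set for this example).
_SPECIAL = set(',+"\\<>;')


class AmbiguousName(Exception):
    """Subject does not hold exactly one attribute of the requested type
    (the situation the two-CN Active Directory subject triggers)."""


def parse_dn(dn: str) -> List[RDN]:
    """Split an RFC 4514 string DN into (type, value) pairs.

    Backslash escapes are honoured, so 'CN=Ruiz\\, John' stays one value.
    Multi-valued RDNs (joined with '+') are flattened into separate pairs,
    which is what lists:flatten/1 does to the RDN list in rabbit_ssl.erl.
    Whitespace around each type and value is dropped.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns: List[RDN] = []
    for part in parts:
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type.strip().upper(), value.strip()))
    return rdns


def _escape(value: str) -> str:
    """Re-escape a value so the canonical DN string parses back unchanged."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    return out


def find_by_type(rdns: List[RDN], attr_type: str) -> str:
    """Strict lookup modelled on the thread's description of find_by_type:
    exactly one attribute of the requested type, otherwise an exception."""
    found = [v for t, v in rdns if t == attr_type]
    if len(found) != 1:
        raise AmbiguousName("%d %s attribute(s) in %r" % (len(found), attr_type, rdns))
    return found[0]


def username_from_cn(rdns: List[RDN]) -> str:
    """Rule 1: username is the single CN. Works for 'CN=APP01.devexample.com',
    rejects 'CN=John Ruiz, CN=Users, DC=devexample, DC=com'."""
    return find_by_type(rdns, "CN")


def username_from_concat_cn(rdns: List[RDN]) -> str:
    """Rule 2 (John's suggestion): join every CN in subject order."""
    cns = [v for t, v in rdns if t == "CN"]
    if not cns:
        raise AmbiguousName("no CN in subject %r" % rdns)
    return " ".join(cns)


def username_from_dn(rdns: List[RDN]) -> str:
    """Rule 3 (Simon's suggestion): key on the whole DN, re-serialised in one
    canonical form so the stored username does not depend on how a tool
    happened to print the subject."""
    return ",".join("%s=%s" % (t, _escape(v)) for t, v in rdns)


def demo() -> dict:
    """Run the rules over constructed subjects. Also shows why a CN-only rule
    is ambiguous: two distinct principals in different containers share a CN
    and would map to the same RabbitMQ user, while their DNs differ."""
    ad_user = parse_dn("CN=John Ruiz, CN=Users, DC=devexample, DC=com")
    staff = parse_dn("CN=John Ruiz, OU=Staff, DC=devexample, DC=com")        # hypothetical
    contractor = parse_dn("CN=John Ruiz, OU=Contractors, DC=devexample, DC=com")  # hypothetical
    app01 = parse_dn("CN=APP01.devexample.com")
    results = {
        "cn(app01)": username_from_cn(app01),
        "concat_cn(ad_user)": username_from_concat_cn(ad_user),
        "dn(ad_user)": username_from_dn(ad_user),
        "cn_collides": username_from_cn(staff) == username_from_cn(contractor),
        "dn_collides": username_from_dn(staff) == username_from_dn(contractor),
    }
    try:
        username_from_cn(ad_user)
    except AmbiguousName as exc:
        results["cn(ad_user)"] = "rejected: %s" % exc
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-20s %s" % (key, value))
```

Whatever rule the plugin settles on, the username it derives is the whole authorization decision under EXTERNAL, so it is worth checking two things on your own CA: that no two certificates the CA will issue can produce the same derived name (the `cn_collides` case above), and that the derived string for your real certificates is exactly what you created in RabbitMQ, escaping and ordering included.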

