[rabbitmq-discuss] Using rabbitmq_auth_mechanism_ssl with the .NET client

Simon MacMullen simon at rabbitmq.com
Mon Jan 9 16:32:38 GMT 2012


Windows Server 2003 apparently, but I'm very much not a Windows sysadmin...

If you're up for building plugins from source, the branch "bug24265" of 
rabbitmq_auth_mechanism_ssl contains my attempt at supporting DNs / 
concatenating multiple CNs.

Cheers, Simon

On 09/01/12 16:25, John Ruiz wrote:
> I wonder what version of Windows Server you're running?
>
> I installed Windows Server 2008 R2 Enterprise with Service Pack 1
>
> Then I installed the Active Directory Directory Services role and
> stood up my domain in a new forest.
>
> This is the setup that yields CN=Users,DC=example,DC=com
>
>
> On Jan 5, 5:38 am, Simon MacMullen <si... at rabbitmq.com> wrote:
>> Somewhat weirdly that's not how our local AD server seems to be doing
>> things. But this is clearly a problem. I think
>> rabbitmq_auth_mechanism_ssl needs to switch to using DNs...
>>
>> Cheers, Simon
>>
>> On 30/12/11 19:52, John Ruiz wrote:
>>
>>> See this stackoverflow thread for more information:
>>
>>> http://stackoverflow.com/questions/8683006/this-erlang-code-throws-an...
>>
>>> Since this is the way that Windows Domains operate out of the box, I
>>> suggest that instead of writing the code such that it throws an
>>> exception, it instead concatenates any CN strings it finds.
>>
>>> At least this way I could have created a "Users John Ruiz" or "John
>>> Ruiz Users" user in RabbitMQ and it would work.  With the
>>> implementation as it stands today, I would need to create my own OU in
>>> AD and then redirect the users container following this article:
>>> http://support.microsoft.com/kb/324949.
>>
>>> The problem is the note at the bottom of that article:
>>
>>> "Some applications require specific security principals to be located
>>> in default containers like CN=Users or CN=Computers. Verify that your
>>> applications have such dependencies before you move them out of the
>>> CN=users and CN=Computers containers."
>>
>>> I have already discovered that I cannot move my service accounts
>>> outside of the CN=users container or else many of my Constrained
>>> Delegation scenarios no longer work. (More on constrained delegation
>>> of Kerberos credentials here: http://technet.microsoft.com/en-us/library/cc739587%28WS.10%29.aspx).
>>
>>> On Dec 30, 11:48 am, John Ruiz <jr... at johnruiz.com> wrote:
>>>> I have a certificate with the following Subject:
>>>> "CN=John Ruiz, CN=Users, DC=devexample, DC=com"
>>
>>>> When you look at rabbit_ssl.erl's find_by_type function, (this is my
>>>> first time seeing erlang code, btw) I notice that there's a "<-
>>>> lists:flatten(RDNs)" line.  I don't know what the result of
>>>> lists:flatten will be.  This is probably why the connection suddenly
>>>> ends... the user I've created for rabbit isn't matching what the cert
>>>> says.
>>
>>>> Can anyone help me?
>>
>>>> On Dec 30, 11:19 am, John Ruiz <jr... at johnruiz.com> wrote:
>>
>>>>> Now that I have all of this working, I need to switch over from an
>>>>> openssl-based CA to our production CA, which is Active Directory
>>>>> Certificate Services.  All certificates are issued by the subordinate
>>>>> enterprise CA --> ISSUE01.devexample.com.
>>
>>>>> I have a certificate for myself in my personal store on
>>>>> DC01.devexample.com (Windows Server).
>>
>>>>> The RabbitMQ Service runs as Local System on APP01.devexample.com
>>>>> (Windows Server) so there's a certificate for APP01.devexample.com in
>>>>> the Local Computer's Personal store.
>>
>>>>> The Root CA certificate is already in Trusted Root Certs on all
>>>>> machines in the domain devexample.com.  The ISSUE01 CA cert is in the
>>>>> Intermediate Certification Authority store everywhere as well.
>>
>>>>> I have exported the Root CA cert to a DER file and then moved it to a
>>>>> linux machine where I used openssl to convert it to PEM.  I then moved
>>>>> it back to APP01.  Next, I exported APP01's cert (with private key) to
>>>>> a PFX file, moved it to a linux machine and extracted the signed
>>>>> public key cert and the private key cert.
>>
>>>>> # extract the private key (still password protected)
>>>>> openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem
>>
>>>>> # extract the public cert
>>>>> openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out app01.pem
>>
>>>>> # remove the password protection
>>>>> openssl.exe rsa -in privateKey.pem -out app01-private.pem
>>
>>>>> I moved all of these PEMs back to APP01 -- the CA's public cert,
>>>>> APP01's public cert, and APP01's private key.  Here is my
>>>>> rabbitmq.config
>>
>>>>> [
>>>>>     {rabbit, [
>>>>>        {auth_mechanisms,['EXTERNAL']},
>>>>>        {ssl_listeners, [5671]},
>>>>>        {ssl_options, [{cacertfile,"C:/Keys/pki-root-ca.pem"},
>>>>>                       {certfile,"C:/Keys/app01.pem"},
>>>>>                       {keyfile,"C:/Keys/app01-private.pem"},
>>>>>                       {verify,verify_peer},
>>>>>                       {fail_if_no_peer_cert,true}]}
>>>>>      ]}
>>>>> ].
>>
>>>>> When I run the code that I've already listed in my blog post, I get
>>>>> this exception: http://pastebin.com/9USFHWzf
>>
>>>>> In the rabbit log, I see this: http://pastebin.com/GsWsxLGV
>>
>>>>> As far as I can tell, I've done everything correctly.  I've ensured
>>>>> that my code references APP01.devexample.com, exactly as it appears on
>>>>> the certificate (Subject: CN = APP01.devexample.com).
>>
>>>>> What should I do/try?
>>
>>>>> Please help!
>>
>>>>> On Dec 27, 4:22 pm, John Ruiz <jr... at johnruiz.com> wrote:
>>
>>>>>> I have figured it out.  There were two issues.
>>
>>>>>> 1. Add the external mechanism factory to your connection factory's
>>>>>> auth mechanisms
>>>>>>       i.e. -- cf.AuthMechanisms = new AuthMechanismFactory[] { new ExternalMechanismFactory() };
>>
>>>>>> 2. Configure the server's auth_mechanisms variable in your
>>>>>> rabbitmq.config.
>>>>>>       Here is my complete rabbitmq.config:
>>
>>>>>> [
>>>>>>     {rabbit, [
>>>>>>        {auth_mechanisms,['EXTERNAL']},
>>>>>>        {ssl_listeners, [5671]},
>>>>>>        {ssl_options, [{cacertfile,"C:/Path/To/Your/cacert.pem"},
>>>>>>                       {certfile,"C:/Path/To/Your/cert.pem"},
>>>>>>                       {keyfile,"C:/Path/To/Your/key.pem"},
>>>>>>                       {verify,verify_peer},
>>>>>>                       {fail_if_no_peer_cert,true}]}
>>>>>>      ]}
>>>>>> ].
>>
>>>>>> On Dec 27, 1:16 pm, John Ruiz <jr... at johnruiz.com> wrote:
>>
>>>>>>> Hi All,
>>
>>>>>>> I've successfully followed the SSL tutorial and gotten my .NET client
>>>>>>> to connect, send, and receive messages over SSL.  See my blog for the
>>>>>>> code: http://blog.johnruiz.com/2011/12/establishing-ssl-connection-to-rabbi....
>>
>>>>>>> As the next step, I enabled the plugin "rabbitmq_auth_mechanism_ssl"
>>>>>>> and then re-installed the Windows Service.  Then I re-ran the code I
>>>>>>> have listed in my blog -- with the addition of a Console.ReadLine() at
>>>>>>> the end of my using statements so I can see the connection details in
>>>>>>> the management web app.
>>
>>>>>>> I am still connecting as guest.  What do I need to do in order to
>>>>>>> connect as the CN of the Subject on my certificate?
>>
>>>>>>> Thanks!
>>>>>>> ~ jR
>>>>>>> _______________________________________________
>>>>>>> rabbitmq-discuss mailing list
>>>>>>> rabbitmq-disc... at lists.rabbitmq.com
>>>>>>> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
>>
>>
>>
>>
>> --
>> Simon MacMullen
>> RabbitMQ, VMware


-- 
Simon MacMullen
RabbitMQ, VMware
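The quoted exchange about rabbit_ssl.erl's find_by_type (which expects a single CN) versus Simon's "switch to DNs / concatenate multiple CNs" comes down to how a certificate subject is turned into a broker username. The Python below is an added illustration, not code from the plugin, from RabbitMQ, or from anyone in this thread (the plugin itself is Erlang; Python is used here only so the example runs anywhere). It parses an RFC 4514-style subject string with a deliberately simplified parser (backslash escapes are handled, multi-valued RDNs joined with '+' are not), then derives a username three ways: the single-CN lookup that rejects the AD-issued subject, the concatenated-CN proposal, and a full-DN mapping. It finishes by checking, on two constructed subjects from hypothetical domains issued under one root, which strategy keeps distinct identities distinct. All function names, the second domain and the sample subjects are my own.

```python
# Added example (not rabbit_ssl.erl, not the .NET client): how a certificate
# subject becomes a broker username, and why the strategy matters.

class AmbiguousSubject(Exception):
    """Raised when a subject does not contain exactly one CN."""


def parse_dn(dn):
    """Parse an RFC 4514-style string into an ordered list of (type, value).

    Simplified parser (assumption): handles backslash escapes and unescaped
    whitespace around RDNs, but not multi-valued RDNs joined with '+'.
    """
    rdns, buf, key, escaped = [], [], None, False

    def flush():
        # Drop trailing unescaped spaces, keep escaped ones, then reset.
        while buf and buf[-1] == (' ', False):
            buf.pop()
        text = ''.join(c for c, _ in buf)
        buf.clear()
        return text

    for ch in dn:
        if escaped:
            buf.append((ch, True))
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == '=' and key is None:
            key = flush()
        elif ch == ',':
            if key is None:
                raise ValueError("RDN without '=': %r" % dn)
            rdns.append((key, flush()))
            key = None
        elif ch == ' ' and not buf:
            continue  # skip leading unescaped spaces
        else:
            buf.append((ch, False))
    if escaped:
        raise ValueError("dangling escape in %r" % dn)
    if key is not None:
        rdns.append((key, flush()))
    elif buf:
        raise ValueError("RDN without '=': %r" % dn)
    return rdns


_SPECIAL = ',+"\\<>;'


def escape_value(value):
    """Escape an attribute value so it round-trips through parse_dn."""
    out = ''.join('\\' + c if c in _SPECIAL else c for c in value)
    if out[:1] in (' ', '#'):
        out = '\\' + out
    if out.endswith(' '):
        out = out[:-1] + '\\ '
    return out


def username_single_cn(rdns):
    """The behaviour John hit: exactly one CN is expected."""
    cns = [v for k, v in rdns if k.upper() == 'CN']
    if len(cns) != 1:
        raise AmbiguousSubject("expected one CN, found %d" % len(cns))
    return cns[0]


def username_concat_cn(rdns):
    """John's proposal: join every CN, in subject order."""
    return ' '.join(v for k, v in rdns if k.upper() == 'CN')


def username_full_dn(rdns):
    """Simon's direction: the normalised full DN names the principal."""
    return ','.join('%s=%s' % (k.upper(), escape_value(v)) for k, v in rdns)


def find_collisions(subjects, strategy):
    """Usernames that more than one subject maps to under `strategy`."""
    seen = {}
    for subject in subjects:
        try:
            name = strategy(parse_dn(subject))
        except AmbiguousSubject:
            continue  # rejected outright, so it cannot collide
        seen.setdefault(name, []).append(subject)
    return {name for name, subs in seen.items() if len(subs) > 1}


# Constructed subjects: John's AD-issued one plus a same-named user in a
# second, hypothetical domain whose CA chains to the same trusted root.
AD_SUBJECT = 'CN=John Ruiz, CN=Users, DC=devexample, DC=com'
SUBJECTS = [AD_SUBJECT, 'CN=John Ruiz, CN=Users, DC=example, DC=com']

if __name__ == '__main__':
    rdns = parse_dn(AD_SUBJECT)
    try:
        print('single CN :', username_single_cn(rdns))
    except AmbiguousSubject as exc:
        print('single CN : rejected (%s)' % exc)
    print('concat CNs:', username_concat_cn(rdns))
    print('full DN   :', username_full_dn(rdns))
    for strat in (username_concat_cn, username_full_dn):
        print(strat.__name__, 'collisions:', find_collisions(SUBJECTS, strat) or 'none')
```

Run as a script it prints the three derived names for John's subject and then the collision check. Concatenating CNs yields "John Ruiz Users" for both constructed subjects, because the DC components that distinguish the two domains are discarded, so one broker user would be shared by two certificate holders; the full-DN mapping keeps them apart, which is the property you want when the CA (here an enterprise AD CA) can issue certificates across more than one naming context.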

