[rabbitmq-discuss] RabbitMQ clustering with SSL
ramviv.123 at gmail.com
Tue Aug 13 17:00:57 BST 2013
Hi,
We are setting up a RabbitMQ env with clustering on the LAN and
federated on the WAN. We also intend to use consistent hash on the
receiver side. We were able to successfully set up a federated
configuration with SSL enabled. But we are having issues trying to set up
SSL with clusters. We are using RabbitMQ 3.1.3 with Erlang
version 5.9.3.1. We have set up the Erlang config based on
http://www.erlang.org/doc/apps/ssl/ssl_distribution.html. I am able to
connect through an Erlang client/server program to send data back and
forth, so I know that SSL with Erlang works. But when I bring up RabbitMQ
with clusters and take a TCP dump of the packets, the data transfer seems
to be clear text. Is there a way to check whether the clusters are
configured for SSL by any other means? Also, I would appreciate it if
someone could point out what I am doing wrong here. Here is the env file
(rabbitmq-env.conf):
SERVER_START_ARGS="-boot /usr/lib64/erlang/releases/R15B03/start_ssl -proto_dist inet_tls"
#SERVER_START_ARGS="${SERVER_START_ARGS} -pa /usr/lib64/erlang/lib/ssl-5.1.2/ebin"
#SERVER_START_ARGS="${SERVER_START_ARGS} /usr/lib64/erlang/lib/asn1-1.8/ebin"
#SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_portprogram_dir /usr/lib64/erlang/lib/ssl-5.1.2/ebin"
SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_cacertfile /etc/openssl/all_cacerts.pem"
SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_certfile /etc/openssl/nn-vmrh5/cert.pem"
SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_keyfile /etc/openssl/nn-vmrh5/key.pem"
SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_verify 1"
SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_fail_if_no_peer_cert true"
SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_secure_renegotiate true"
SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt client_cacertfile /etc/openssl/all_cacerts.pem"
SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt client_certfile /etc/openssl/nn-vmrh5/cert.pem"
SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt client_keyfile /etc/openssl/nn-vmrh5/key.pem"
SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt client_verify 1"
SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt client_secure_renegotiate true"
#echo SERVER_START_ARGS: ${SERVER_START_ARGS}
Here is the rabbitmq.config for clustering and ssl option set for other
modes.
[nn-vmrh5: /etc/rabbitmq]vi rabbitmq.config
[
  {rabbit, [
    {default_vhost, <<"alert">>},
    {tcp_listeners, [5672]},
    {ssl_listeners, [5671]},
    {rabbitmq_tracing, [{username, "guest"}]},
    {cluster_nodes, ['rabbit@nn-vmrh5','rabbit@nn-vmrh5g']},
    {ssl_options, [{cacertfile,"/etc/openssl/all_cacerts.pem"},
                   {certfile,"/etc/openssl/nn-vmrh5/cert.pem"},
                   {keyfile,"/etc/openssl/nn-vmrh5/key.pem"},
                   {verify,verify_peer},
                   {fail_if_no_peer_cert,true}] },
    {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},
    {ssl_cert_login_from, common_name},
    {log_levels, [{connection, info}]}
  ] }
].
Would really appreciate any help on this.
Thanks
Venkat
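
One way to check a packet capture for the question asked above, as an added example that is not part of the original post: classify the first payload a connecting node sends to the inter-node distribution port (the port `epmd -names` lists for the node). The function name, return labels and sample bytes are constructed for illustration; the `N` branch goes beyond the R15B03 release in the post and covers the newer handshake tag used from OTP 23 on.

```python
import struct


def classify_dist_payload(data: bytes):
    """Classify the first client payload on an Erlang distribution port.

    Returns (kind, detail); kind is "tls", "cleartext-dist" or "unknown".
    """
    # TLS record header: content type(1) | major(1) | minor(1) | length(2).
    if len(data) >= 5:
        ctype, major, minor, rec_len = struct.unpack(">BBBH", data[:5])
        if ctype == 0x16 and major == 3 and minor <= 4 and rec_len > 0:
            return ("tls", f"handshake record, version 3.{minor}")
    # Cleartext distribution handshake: length(2) | tag(1) | fields | node name.
    if len(data) >= 3:
        (msg_len,) = struct.unpack(">H", data[:2])
        body = data[2:2 + msg_len]
        if body[:1] == b"n" and len(body) > 7:
            # 'n' | version(2) | flags(4) | name
            return ("cleartext-dist", body[7:].decode("latin-1"))
        if body[:1] == b"N" and len(body) > 15:
            # 'N' | flags(8) | creation(4) | name length(2) | name (OTP 23+)
            (name_len,) = struct.unpack(">H", body[13:15])
            return ("cleartext-dist", body[15:15 + name_len].decode("latin-1"))
    return ("unknown", "")


# Constructed samples, not taken from a real capture.
_body = b"n" + struct.pack(">HI", 5, 0x7FFD) + b"rabbit@nn-vmrh5"
SAMPLE_CLEARTEXT = struct.pack(">H", len(_body)) + _body
SAMPLE_TLS = bytes.fromhex("16030100c8010000c40303") + bytes(32)

if __name__ == "__main__":
    for label, payload in (("cleartext", SAMPLE_CLEARTEXT), ("tls", SAMPLE_TLS)):
        print(label, classify_dist_payload(payload))
```

A readable node name in the first payload means the distribution link is not wrapped in TLS, whatever the AMQP listener on 5671 is doing.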