[rabbitmq-discuss] RabbitMQ clustering with SSL
ramviv.123 at gmail.com
Tue Aug 13 22:41:30 BST 2013
On Tuesday, August 13, 2013 12:00:57 PM UTC-4, ramvi... at gmail.com wrote:
>
> Hi,
>
> We are setting up a RabbitMQ env with clustering on the LAN and
> federated on the WAN. We also intend to use consistent hash on the
> receiver side. We were able to successfully set up a federated
> configuration with ssl enabled. But we are having issues trying to set up
> ssl with clusters. We are using RabbitMQ 3.1.3 with erlang
> version 5.9.3.1. We have set up the erlang config based on
> http://www.erlang.org/doc/apps/ssl/ssl_distribution.html. I am able to
> connect through an erlang client server program to send data back and forth and
> so I know the ssl with erlang works. But when I bring up RabbitMQ with
> clusters and take a TCP dump of the packets, the data transfer seems to be
> clear text. Is there a way to check if the clusters are configured for ssl
> by any other means? Also, I would appreciate it if someone can point out what
> I am doing wrong here. Here is the env file (rabbitmq-env.conf):
>
> SERVER_START_ARGS="-boot /usr/lib64/erlang/releases/R15B03/start_ssl -proto_dist inet_tls"
> #SERVER_START_ARGS="${SERVER_START_ARGS} -pa /usr/lib64/erlang/lib/ssl-5.1.2/ebin"
> #SERVER_START_ARGS="${SERVER_START_ARGS} /usr/lib64/erlang/lib/asn1-1.8/ebin"
> #SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_portprogram_dir /usr/lib64/erlang/lib/ssl-5.1.2/ebin"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_cacertfile /etc/openssl/all_cacerts.pem"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_certfile /etc/openssl/nn-vmrh5/cert.pem"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_keyfile /etc/openssl/nn-vmrh5/key.pem"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_verify 1"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_fail_if_no_peer_cert true"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_secure_renegotiate true"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt client_cacertfile /etc/openssl/all_cacerts.pem"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt client_certfile /etc/openssl/nn-vmrh5/cert.pem"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt client_keyfile /etc/openssl/nn-vmrh5/key.pem"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt client_verify 1"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt client_secure_renegotiate true"
> #echo SERVER_START_ARGS: ${SERVER_START_ARGS}
>
> Here is the rabbitmq.config for clustering and ssl option set for other
> modes.
>
>
> [nn-vmrh5: /etc/rabbitmq]vi rabbitmq.config
> [
>   {rabbit, [
>     {default_vhost, <<"alert">>},
>     {tcp_listeners, [5672]},
>     {ssl_listeners, [5671]},
>     {rabbitmq_tracing, [{username, "guest"}]},
>     {cluster_nodes, ['rabbit@nn-vmrh5','rabbit@nn-vmrh5g']},
>     {ssl_options, [{cacertfile,"/etc/openssl/all_cacerts.pem"},
>                    {certfile,"/etc/openssl/nn-vmrh5/cert.pem"},
>                    {keyfile,"/etc/openssl/nn-vmrh5/key.pem"},
>                    {verify,verify_peer},
>                    {fail_if_no_peer_cert,true}] },
>     {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},
>     {ssl_cert_login_from, common_name},
>     {log_levels, [{connection, info}]}
>   ] }
> ].
>
> Would really appreciate any help on this.
>
> Thanks
> Venkat
>
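
One way to check what the TCP dump is showing, as an added example that is not part of the original post: the first client payload on an inter-node connection is either a TLS record or the plain Erlang distribution handshake (a length-prefixed `send_name` message carrying the node name), and the two can be told apart from a few bytes. The function names, the flags value and both sample payloads are constructed for illustration; feed it the first payload bytes exported from your own capture.

```python
import struct

TLS_HANDSHAKE, TLS_CLIENT_HELLO = 0x16, 0x01  # record type, handshake type


def classify_first_payload(data: bytes) -> str:
    """Classify the first client-to-server payload of an inter-node link.

    Returns "tls", "cleartext-dist" or "unknown".
    """
    # TLS record header: type(1) major(1) minor(1) length(2), then the
    # handshake message type of the first message (ClientHello).
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == TLS_CLIENT_HELLO):
        (rec_len,) = struct.unpack(">H", data[3:5])
        if 0 < rec_len <= 2 ** 14:
            return "tls"
    # Plain distribution handshake: length(2), then send_name with tag 'n'
    # ('N' on newer OTP releases) and a readable "name@host" node name.
    if len(data) >= 3:
        (msg_len,) = struct.unpack(">H", data[:2])
        body = data[2:2 + msg_len]
        if len(body) == msg_len and body[:1] in (b"n", b"N") and b"@" in body:
            return "cleartext-dist"
    return "unknown"


def node_name(data: bytes) -> str:
    """Node name from a cleartext 'n' send_name message (old format only)."""
    (msg_len,) = struct.unpack(">H", data[:2])
    # tag(1) + version(2) + flags(4) precede the name.
    return data[2 + 7:2 + msg_len].decode("latin-1")


# Constructed samples, not taken from a real capture.
NAME = b"rabbit@nn-vmrh5"
# length, 'n', distribution version 5, flags (arbitrary value), node name
CLEAR = struct.pack(">HcHI", 7 + len(NAME), b"n", 5, 0x7FFD) + NAME
# TLS 1.0 record header announcing 47 bytes, first byte = ClientHello
TLS = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01]) + bytes(0x2E)

if __name__ == "__main__":
    for label, payload in (("sample A", CLEAR), ("sample B", TLS)):
        print(label, classify_first_payload(payload))
    print("node name seen in clear:", node_name(CLEAR))
```

If the node name is readable in the first payload, the distribution link did not switch to `inet_tls`, whatever the AMQP listener on 5671 is doing.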