[rabbitmq-discuss] RabbitMQ clustering with SSL

ramviv.123 at gmail.com ramviv.123 at gmail.com
Tue Aug 13 22:41:30 BST 2013 


On Tuesday, August 13, 2013 12:00:57 PM UTC-4, ramvi... at gmail.com wrote:
>
> Hi,
>
>     We are setting up a RabbitMQ env with clustering on the LAN and 
> federated on the WAN.  We also intend to use consistent hash on the 
> receiver side.  We were able to successfully setup a federated 
> configuration with ssl enabled.  But we are having issues trying to setup 
> ssl with clusters.  We are using RabbitMQ 3.1.3 with erlang 
> version  5.9.3.1.  We have setup the erlang config based on 
> http://www.erlang.org/doc/apps/ssl/ssl_distribution.html.   I am able 
> connect tru an erlang client server program to send data back and forth and 
> so I know the ssl with erlang works.  But when I bring RabbitMQ with 
> clusters and take a TCP dump of the packets, the data transfer seem to be 
> clear text.  Is there a way to check if the clusters are configured for ssl 
> by any other means.  Also, would appreciate if someone can point out what 
> am I doing wrong here.  Here is the env file (rabbitmq-env.conf)
>
> SERVER_START_ARGS="-boot /usr/lib64/erlang/releases/R15B03/start_ssl 
> -proto_dist inet_tls"
> #SERVER_START_ARGS="${SERVER_START_ARGS} -pa 
> /usr/lib64/erlang/lib/ssl-5.1.2/ebin"
> #SERVER_START_ARGS="${SERVER_START_ARGS} 
> /usr/lib64/erlang/lib/asn1-1.8/ebin"
> #SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_portprogram_dir 
> /usr/lib64/erlang/lib/ssl-5.1.2/ebin"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_cacertfile 
> /etc/openssl/all_cacerts.pem"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_certfile 
> /etc/openssl/nn-vmrh5/cert.pem"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_keyfile 
> /etc/openssl/nn-vmrh5/key.pem"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_verify 1"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt 
> server_fail_if_no_peer_cert true"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt 
> server_secure_renegotiate true"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt client_cacertfile 
> /etc/openssl/all_cacerts.pem"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt client_certfile 
> /etc/openssl/nn-vmrh5/cert.pem"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt client_keyfile 
> /etc/openssl/nn-vmrh5/key.pem"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt client_verify 1"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt 
> client_secure_renegotiate true"
> #echo SERVER_START_ARGS: ${SERVER_START_ARGS}
>
> Here is the rabbitmq.config for clustering and ssl option set for other 
> modes.
>
>
> [nn-vmrh5: /etc/rabbitmq]vi rabbitmq.config
> [
>     {rabbit, [
>         {default_vhost, <<"alert">>},
>         {tcp_listeners, [5672]},
>         {ssl_listeners, [5671]},
>         {rabbitmq_tracing, [{username, "guest"}]},
>         {cluster_nodes, ['rabbit at nn-vmrh5','rabbit at nn-vmrh5g']},
>         {ssl_options, [{cacertfile,"/etc/openssl/all_cacerts.pem"},
>                        {certfile,"/etc/openssl/nn-vmrh5/cert.pem"},
>                        {keyfile,"/etc/openssl/nn-vmrh5/key.pem"},
>                        {verify,verify_peer},
>                        {fail_if_no_peer_cert,true}] },
>         {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},
>         {ssl_cert_login_from, common_name},
>         {log_levels, [{connection, info}]}
>     ] }
> ].
>
>    Would really appreciate any help on this.
>
> Thanks
> Venkat
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20130813/9c32f990/attachment.htm>

More information about the rabbitmq-discuss mailing list