[rabbitmq-discuss] Client certificate based authentication over SSL

Vinay Nayak virus.vinay at gmail.com
Thu Mar 27 14:56:56 GMT 2014



Hi there,

We are trying to configure client certificate based authentication over SSL on our rabbitmq server. However, we have hit an issue which we are unable to get past.

Can someone please help us figure out the solution?

Our configuration steps are as follows:

1) Our RabbitMQ version is 3.2.3, Erlang R16B03-1

2) We would like to achieve password-less authentication using client certificates and LDAP authorisation.

3) For client certificates, we installed a stand-alone Microsoft PKI certification authority on our Windows Server 2008 R2 machine.

4) We then issued a client certificate via the certificate manager web portal, i.e.

(https://<servername>/certmgr -> Request a certificate -> Advanced certificate request -> Create and submit a request to this CA -> Filled in the details (with Client Authentication Certificate option selected) -> Submitted the request -> Approved -> Installed)

Please note the Name on the certificate was set as username at domain.com (which is the CN for the user name in AD).

5) We then issued an SSL certificate via the certificate manager web portal, i.e. the same steps as above but this time with the "Server Authentication Certificate" option selected.

Please note the Name on the certificate was set as machine at domain.com.

6) Downloaded the CA root certificate in .cer format and converted it into .pem using openssl.

7) Downloaded the Server certificate (from step 5) in .pfx format. It was then separated into ServerCertificate.pem and ServerCertificateKey.pem using openssl.

8) Downloaded the Client certificate (from step 4) in .pfx format. It was then separated into Cert.pem / Key.pem and then combined into ClientCertificate.p12 using openssl.

9) Our rabbitmq config is:


[{rabbit,
  [{auth_backends, [rabbit_auth_backend_ldap]},
   {auth_mechanisms, ['EXTERNAL']},
   {ssl_listeners, [{"0.0.0.0", 5671}]},
   {ssl_options,
    [{cacertfile, "C:/Program Files (x86)/RabbitMQ Server/rabbitmq_server-3.2.3/certificates/pem/CARootCertificate.pem"},
     {certfile,   "C:/Program Files (x86)/RabbitMQ Server/rabbitmq_server-3.2.3/certificates/pem/ServerCertificate.pem"},
     {keyfile,    "C:/Program Files (x86)/RabbitMQ Server/rabbitmq_server-3.2.3/certificates/key/ServerCertificateKey.key"},
     {verify, verify_peer},
     {fail_if_no_peer_cert, true}]},
   {ssl_cert_login_from, common_name}]},
 {rabbitmq_auth_backend_ldap,
  [{servers,              ["xxxxxxx.yyyyy.com"]},
   {dn_lookup_attribute,  "userPrincipalName"},
   {dn_lookup_base,       "DC= yyyyy,DC=com"},
   {use_ssl,              true},
   {port,                 636},
   {log,                  network},
   {vhost_access_query,   {in_group, "ou=${vhost}-users,ou=computers,dc= yyyyy,dc=com"}},
   {resource_access_query,
    {for, [{permission, configure, {in_group, "cn=domain users,dc= yyyyy,dc=com"}},
           {permission, write,
            {for, [{resource, queue,    {in_group, "cn=domain users,dc= yyyyy,dc=com"}},
                   {resource, exchange, {constant, true}}]}},
           {permission, read,
            {for, [{resource, exchange, {in_group, "cn=domain users,dc= yyyyy,dc=com"}},
                   {resource, queue,    {constant, true}}]}}]}},
   {tag_queries,          [{administrator, {constant, true}},
                           {management,    {constant, true}}]}
  ]}].


10) Our client code is:

    cf.Ssl.ServerName = <CN Name of the server certificate i.e. machine at domain.com>;
    cf.Ssl.CertPath = @"C:\Program Files (x86)\RabbitMQ Server\rabbitmq_server-3.2.3\certificates\p12\ClientCertificate.p12";
    cf.Ssl.CertPassphrase = "rabbitmq";
    cf.Ssl.Enabled = true;
    cf.Ssl.AcceptablePolicyErrors =
        System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch |
        System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors |
        System.Net.Security.SslPolicyErrors.RemoteCertificateNotAvailable;


11) And following is our log:

=INFO REPORT==== 27-Mar-2014::14:35:23 ===
accepting AMQP connection <0.322.0> (a.b.c.d:2935 -> a.b.c.d:5671)

=INFO REPORT==== 27-Mar-2014::14:35:23 ===
LDAP CHECK: passwordless login for username at domain.com

=ERROR REPORT==== 27-Mar-2014::14:35:26 ===
closing AMQP connection <0.322.0> (a.b.c.d:2935 -> a.b.c.d:5671):
{handshake_error,starting,0,
    {exit,as_user_no_password,'connection.start_ok',
        [{rabbit_auth_backend_ldap,creds,2,[]},
         {rabbit_auth_backend_ldap,check_user_login,2,[]},
         {rabbit_access_control,'-check_user_login/2-fun-0-',4,[]},
         {lists,foldl,3,[{file,"lists.erl"},{line,1248}]},
         {rabbit_reader,auth_phase,2,[]},
         {rabbit_reader,handle_method0,3,[]},
         {rabbit_reader,handle_input,3,[]},
         {rabbit_reader,recvloop,2,[]}]}}

And the .NET error is "Possibly caused by authentication failure".

Regards,

Vinay
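The certificate handling in steps 6 to 8 above, as an added example that is not part of the original post and not RabbitMQ's or the poster's own code. It builds a throw-away CA with openssl in place of the Microsoft CA, issues a server and a client certificate with the same CNs the post uses, and then performs the same .cer to .pem, .pfx to .pem and .pem to .p12 conversions. Two check functions at the end reproduce what the broker does with the result: verify_client_chain is the verify_peer check against cacertfile, and client_cert_cn is the value that ssl_cert_login_from = common_name turns into the username. It assumes openssl is on PATH; the CA name, the working directory and the "rabbitmq" passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example: demo PKI plus the openssl conversions from steps 6-8 of the post.
# Everything here is constructed for the demo; nothing is taken from the poster's CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"       # scratch directory for all generated files
PASS="rabbitmq"                    # export passphrase for the .pfx/.p12 files (demo value)
CLIENT_CN="username@domain.com"    # CN the CA placed in the client certificate (step 4)
SERVER_CN="machine@domain.com"     # CN of the server certificate (step 5)

# Issue a certificate from the demo CA.  $1 = file prefix, $2 = CN, $3 = EKU (serverAuth|clientAuth)
issue_cert() {
    prefix="$1"; cn="$2"; eku="$3"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$WORK/$prefix.key" -out "$WORK/$prefix.csr" 2>/dev/null
    # Extension file instead of -addext so this also works on older openssl releases
    printf 'extendedKeyUsage=%s\nbasicConstraints=CA:FALSE\n' "$eku" > "$WORK/$prefix.ext"
    openssl x509 -req -days 30 -in "$WORK/$prefix.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/$prefix.ext" -out "$WORK/$prefix.crt" 2>/dev/null
    # Package as PKCS#12: the .pfx form the Windows CA web portal hands out
    openssl pkcs12 -export -inkey "$WORK/$prefix.key" -in "$WORK/$prefix.crt" \
        -certfile "$WORK/ca.crt" -passout "pass:$PASS" -out "$WORK/$prefix.pfx"
}

build_demo_pki() {
    # Self-signed root standing in for the stand-alone Microsoft CA (step 3)
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # DER-encoded copy, i.e. the binary .cer the portal offers for download (step 6)
    openssl x509 -in "$WORK/ca.crt" -outform DER -out "$WORK/CARoot.cer"
    issue_cert server "$SERVER_CN" serverAuth
    issue_cert client "$CLIENT_CN" clientAuth
}

# Step 6: CA root .cer (DER) -> CARootCertificate.pem
convert_ca_root() {
    openssl x509 -inform DER -in "$WORK/CARoot.cer" -out "$WORK/CARootCertificate.pem"
}

# Step 7: server .pfx -> ServerCertificate.pem + ServerCertificateKey.pem
# (-nodes leaves the key unencrypted, which is what the broker's keyfile option expects)
split_server_pfx() {
    openssl pkcs12 -in "$WORK/server.pfx" -passin "pass:$PASS" -clcerts -nokeys \
        -out "$WORK/ServerCertificate.pem"
    openssl pkcs12 -in "$WORK/server.pfx" -passin "pass:$PASS" -nocerts -nodes \
        -out "$WORK/ServerCertificateKey.pem"
}

# Step 8: client .pfx -> Cert.pem / Key.pem -> ClientCertificate.p12
repack_client_pfx() {
    openssl pkcs12 -in "$WORK/client.pfx" -passin "pass:$PASS" -clcerts -nokeys -out "$WORK/Cert.pem"
    openssl pkcs12 -in "$WORK/client.pfx" -passin "pass:$PASS" -nocerts -nodes -out "$WORK/Key.pem"
    openssl pkcs12 -export -in "$WORK/Cert.pem" -inkey "$WORK/Key.pem" \
        -passout "pass:$PASS" -out "$WORK/ClientCertificate.p12"
}

# What verify_peer does on the broker: does the client certificate chain to cacertfile?
verify_client_chain() {
    if openssl verify -CAfile "$WORK/CARootCertificate.pem" "$WORK/Cert.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Can the repacked .p12 be opened with the passphrase the client code will supply?
p12_readable() {
    if openssl pkcs12 -in "$WORK/ClientCertificate.p12" -passin "pass:$PASS" -nodes -noout 2>/dev/null; then
        echo ok
    else
        echo fail
    fi
}

# With {ssl_cert_login_from, common_name} the broker uses the CN as the username.
# RFC 2253 formatting keeps the output stable across openssl versions; sed strips the prefix.
client_cert_cn() {
    openssl x509 -in "$WORK/Cert.pem" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//; s/^CN=//'
}

build_demo_pki
convert_ca_root
split_server_pfx
repack_client_pfx
```

Run it with `sh demo.sh`; afterwards `verify_client_chain` and `client_cert_cn` print what the broker's verify_peer step and its common_name lookup would see, which is a quick way to confirm the certificate side before turning to the LDAP backend. The same `openssl verify` against the server certificate is the check a client performs when it validates the broker; confirming it passes in the lab is preferable to suppressing RemoteCertificateChainErrors in the client configuration.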