[rabbitmq-discuss] Using rabbitmq_auth_mechanism_ssl with the .NET client

John Ruiz jruiz at johnruiz.com
Mon Jan 9 16:25:46 GMT 2012


I wonder what version of Windows Server you're running?

I installed Windows Server 2008 R2 Enterprise with Service Pack 1

Then I installed the Active Directory Directory Services role and
stood up my domain in a new forest.

This is the setup that yields CN=Users,DC=example,DC=com


On Jan 5, 5:38 am, Simon MacMullen <si... at rabbitmq.com> wrote:
> Somewhat weirdly that's not how our local AD server seems to be doing
> things. But this is clearly a problem. I think
> rabbitmq_auth_mechanism_ssl needs to switch to using DNs...
>
> Cheers, Simon
>
> On 30/12/11 19:52, John Ruiz wrote:
>
> > See this stackoverflow thread for more information:
>
> > http://stackoverflow.com/questions/8683006/this-erlang-code-throws-an...
>
> > Since this is the way that Windows Domains operate out of the box, I
> > suggest that instead of writing the code such that it throws an
> > exception, it instead concatenates any CN strings it finds.
>
> > At least this way I could have created a "Users John Ruiz" or "John
> > Ruiz Users" user in RabbitMQ and it would work.  With the
> > implementation as it stands today, I would need to create my own OU in
> > AD and then redirect the users container following this article:
> > http://support.microsoft.com/kb/324949.
>
> > The problem is the note at the bottom of that article:
>
> > "Some applications require specific security principals to be located
> > in default containers like CN=Users or CN=Computers. Verify that your
> > applications have such dependencies before you move them out of the
> > CN=Users and CN=Computers containers."
>
> > I have already discovered that I cannot move my service accounts
> > outside of the CN=Users container or else many of my Constrained
> > Delegation scenarios no longer work. (More on constrained delegation
> > of Kerberos credentials here: http://technet.microsoft.com/en-us/library/cc739587%28WS.10%29.aspx).
>
> > On Dec 30, 11:48 am, John Ruiz<jr... at johnruiz.com>  wrote:
> >> I have a certificate with the following Subject:
> >> "CN=John Ruiz, CN=Users, DC=devexample, DC=com"
>
> >> When you look at rabbit_ssl.erl's find_by_type function, (this is my
> >> first time seeing erlang code, btw) I notice that there's a "<-
> >> lists:flatten(RDNs)" line.  I don't know what the result of
> >> lists:flatten will be.  This is probably why the connection suddenly
> >> ends... the user I've created for rabbit isn't matching what the cert
> >> says.
>
> >> Can anyone help me?
>
> >> On Dec 30, 11:19 am, John Ruiz<jr... at johnruiz.com>  wrote:
>
> >>> Now that I have all of this working, I need to switch over from an
> >>> openssl-based CA to our production CA, which is Active Directory
> >>> Certificate Services.  All certificates are issued by the subordinate
> >>> enterprise CA -->  ISSUE01.devexample.com.
>
> >>> I have a certificate for myself in my personal store on
> >>> DC01.devexample.com (Windows Server).
>
> >>> The RabbitMQ Service runs as Local System on APP01.devexample.com
> >>> (Windows Server) so there's a certificate for APP01.devexample.com in
> >>> the Local Computer's Personal store.
>
> >>> The Root CA certificate is already in Trusted Root Certs on all
> >>> machines in the domain devexample.com.  The ISSUE01 CA cert is in the
> >>> Intermediate Certification Authority store everywhere as well.
>
> >>> I have exported the Root CA cert to a DER file and then moved it to a
> >>> linux machine where I used openssl to convert it to PEM.  I then moved
> >>> it back to APP01.  Next, I exported APP01's cert (with private key) to
> >>> a PFX file, moved it to a linux machine and extracted the signed
> >>> public key cert and the private key cert.
>
> >>> # extract the private key (still password protected)
> >>> openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out
> >>> privateKey.pem
>
> >>> # extract the public cert
> >>> openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out
> >>> app01.pem
>
> >>> # remove the password protection
> >>> openssl.exe rsa -in privateKey.pem -out app01-private.pem
>
> >>> I moved all of these PEMs back to APP01 -- the CA's public cert,
> >>> APP01's public cert, and APP01's private key.  Here is my
> >>> rabbitmq.config
>
> >>> [
> >>>    {rabbit, [
> >>>       {auth_mechanisms,['EXTERNAL']},
> >>>       {ssl_listeners, [5671]},
> >>>       {ssl_options, [{cacertfile,"C:/Keys/pki-root-ca.pem"},
> >>>                      {certfile,"C:/Keys/app01.pem"},
> >>>                      {keyfile,"C:/Keys/app01-private.pem"},
> >>>                      {verify,verify_peer},
> >>>                      {fail_if_no_peer_cert,true}]}
> >>>     ]}
> >>> ].
>
> >>> When I run the code that I've already listed in my blog post, I get
> >>> this exception: http://pastebin.com/9USFHWzf
>
> >>> In the rabbit log, I see this: http://pastebin.com/GsWsxLGV
>
> >>> As far as I can tell, I've done everything correctly.  I've ensured
> >>> that my code references APP01.devexample.com, exactly as it appears on
> >>> the certificate (Subject: CN = APP01.devexample.com).
>
> >>> What should I do/try?
>
> >>> Please help!
>
> >>> On Dec 27, 4:22 pm, John Ruiz<jr... at johnruiz.com>  wrote:
>
> >>>> I have figured it out.  There were two issues.
>
> >>>> 1. Add the external mechanism factory to your connection factory's
> >>>> auth mechanisms
> >>>>      i.e. -- cf.AuthMechanisms = new AuthMechanismFactory[] { new
> >>>> ExternalMechanismFactory() };
>
> >>>> 2. Configure the server's auth_mechanisms variable in your
> >>>> rabbitmq.config.
> >>>>      Here is my complete rabbitmq.config:
>
> >>>> [
> >>>>    {rabbit, [
> >>>>       {auth_mechanisms,['EXTERNAL']},
> >>>>       {ssl_listeners, [5671]},
> >>>>       {ssl_options, [{cacertfile,"C:/Path/To/Your/cacert.pem"},
> >>>>                      {certfile,"C:/Path/To/Your/cert.pem"},
> >>>>                      {keyfile,"C:/Path/To/Your/key.pem"},
> >>>>                      {verify,verify_peer},
> >>>>                      {fail_if_no_peer_cert,true}]}
> >>>>     ]}
> >>>> ].
>
> >>>> On Dec 27, 1:16 pm, John Ruiz<jr... at johnruiz.com>  wrote:
>
> >>>>> Hi All,
>
> >>>>> I've successfully followed the SSL tutorial and gotten my .NET client
> >>>>> to connect, send, and receive messages over SSL.  See my blog for the
> >>>>> code: http://blog.johnruiz.com/2011/12/establishing-ssl-connection-to-rabbi....
>
> >>>>> As the next step, I enabled the plugin "rabbitmq_auth_mechanism_ssl"
> >>>>> and then re-installed the Windows Service.  Then I re-ran the code I
> >>>>> have listed in my blog -- with the addition of a Console.ReadLine() at
> >>>>> the end of my using statements so I can see the connection details in
> >>>>> the management web app.
>
> >>>>> I am still connecting as guest.  What do I need to do in order to
> >>>>> connect as the CN of the Subject on my certificate?
>
> >>>>> Thanks!
> >>>>> ~ jR
> >>>>> _______________________________________________
> >>>>> rabbitmq-discuss mailing list
> >>>>> rabbitmq-disc... at lists.rabbitmq.com
> >>>>> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
>
> --
> Simon MacMullen
> RabbitMQ, VMware
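The thread turns on how a client certificate's Subject is turned into a RabbitMQ username: picking "the CN" is ambiguous when Active Directory places a user under its default container, so the Subject carries two CN RDNs (CN=John Ruiz, CN=Users, ...), while matching on the whole distinguished name is unambiguous. The following is an added illustration, not code from rabbitmq_auth_mechanism_ssl or from the .NET client. It parses a string DN (handling backslash escapes and quoted values, which the thread does not cover), shows that CN-based mapping has no single answer for the AD subject from the thread, and shows DN-based mapping resolving the same subject against a constructed user table. The function names, the canonical DN form and the user table are assumptions made for the example.

```python
"""Illustrative DN parsing and certificate-subject-to-username mapping.

Added example, not the rabbitmq_auth_mechanism_ssl plugin's code. It models
the two mapping strategies discussed in the thread: use the CN (ambiguous
when Active Directory puts a user under CN=Users) or use the whole
distinguished name as the username.
"""
from typing import Dict, List, Optional, Tuple

RDN = Tuple[str, str]


def _split_rdn(text: str) -> RDN:
    """Turn 'CN=John Ruiz' into ('CN', 'John Ruiz'); attribute case is normalised."""
    attr, sep, value = text.strip().partition("=")
    if not sep:
        raise ValueError(f"RDN without '=': {text!r}")
    return attr.strip().upper(), value.strip()


def parse_dn(subject: str) -> List[RDN]:
    """Split a string DN into (attribute, value) pairs in the order written.

    A comma inside a value is not treated as a separator when it is escaped
    ('CN=Ruiz\\, John') or when the value is quoted ('CN="Ruiz, John"').
    Multi-valued RDNs joined with '+' are not needed here and are not handled.
    """
    rdns: List[RDN] = []
    buf: List[str] = []
    in_quotes = False
    i = 0
    while i < len(subject):
        ch = subject[i]
        if ch == "\\" and i + 1 < len(subject):
            buf.append(subject[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes  # quotes delimit, they are not part of the value
        elif ch == "," and not in_quotes:
            rdns.append(_split_rdn("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if buf:
        rdns.append(_split_rdn("".join(buf)))
    return rdns


def common_names(rdns: List[RDN]) -> List[str]:
    """All CN values in the DN; the AD default layout yields more than one."""
    return [value for attr, value in rdns if attr == "CN"]


def username_by_cn(subject: str) -> Optional[str]:
    """CN-based mapping: a username only when exactly one CN is present."""
    cns = common_names(parse_dn(subject))
    return cns[0] if len(cns) == 1 else None


def username_by_dn(subject: str) -> str:
    """DN-based mapping: canonical form (upper-case attributes, no spaces
    around the separators) so that cosmetic differences in the certificate
    encoding do not change the username. The canonical form is an assumption
    of this example, not the plugin's format."""
    return ",".join(f"{attr}={value}" for attr, value in parse_dn(subject))


def resolve_user(subject: str, users: Dict[str, str], mode: str) -> Optional[str]:
    """Look the mapped name up in a user table; None means the connection
    cannot be attributed to a known user and should be refused."""
    name = username_by_cn(subject) if mode == "cn" else username_by_dn(subject)
    if name is None:
        return None
    return name if name in users else None


# Constructed user table for the example (username -> tag); the DN entry is
# what the DN-based mapping would require an administrator to create.
KNOWN_USERS: Dict[str, str] = {
    "APP01.devexample.com": "service",
    "CN=John Ruiz,CN=Users,DC=devexample,DC=com": "administrator",
}

if __name__ == "__main__":
    ad_subject = "CN=John Ruiz, CN=Users, DC=devexample, DC=com"
    print("CNs found:", common_names(parse_dn(ad_subject)))
    print("cn mode:", resolve_user(ad_subject, KNOWN_USERS, "cn"))
    print("dn mode:", resolve_user(ad_subject, KNOWN_USERS, "dn"))
```

Run as-is, the script reports two CNs for the Active Directory subject, no user in CN mode, and the full DN in DN mode; the single-CN service certificate from the thread (CN=APP01.devexample.com) resolves in either mode.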

