[rabbitmq-discuss] RabbitMQ clustering with SSL

ramviv.123 at gmail.com ramviv.123 at gmail.com
Wed Aug 14 04:01:02 BST 2013


To clarify on the setup, we removed the federated setup to narrow down the 
cluster issue. The federated setup is between two sets of clusters, each 
with two nodes on either side of the WAN. So, when I took the tcp dump it 
was only with the cluster setup and no federated setup. I was filtering out 
packets based on the host name of the other cluster hosts, not just by the 
port and analyzing the packets. We were able to successfully configure 
the federation using AMQPS so we removed the federation configuration. 
Also, the federation would not be between the two hosts that I am 
analyzing.

-Venkat

On Tuesday, August 13, 2013 12:00:57 PM UTC-4, ramvi... at gmail.com wrote:
>
> Hi,
>
> We are setting up a RabbitMQ env with clustering on the LAN and 
> federated on the WAN. We also intend to use consistent hash on the 
> receiver side. We were able to successfully set up a federated 
> configuration with ssl enabled. But we are having issues trying to set up 
> ssl with clusters. We are using RabbitMQ 3.1.3 with erlang 
> version 5.9.3.1. We have set up the erlang config based on 
> http://www.erlang.org/doc/apps/ssl/ssl_distribution.html. I am able to 
> connect through an erlang client server program to send data back and forth 
> and so I know the ssl with erlang works. But when I bring up RabbitMQ with 
> clusters and take a TCP dump of the packets, the data transfer seems to be 
> clear text. Is there a way to check if the clusters are configured for ssl 
> by any other means? Also, would appreciate it if someone can point out what 
> I am doing wrong here. Here is the env file (rabbitmq-env.conf):
>
> SERVER_START_ARGS="-boot /usr/lib64/erlang/releases/R15B03/start_ssl -proto_dist inet_tls"
> #SERVER_START_ARGS="${SERVER_START_ARGS} -pa /usr/lib64/erlang/lib/ssl-5.1.2/ebin"
> #SERVER_START_ARGS="${SERVER_START_ARGS} /usr/lib64/erlang/lib/asn1-1.8/ebin"
> #SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_portprogram_dir /usr/lib64/erlang/lib/ssl-5.1.2/ebin"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_cacertfile /etc/openssl/all_cacerts.pem"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_certfile /etc/openssl/nn-vmrh5/cert.pem"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_keyfile /etc/openssl/nn-vmrh5/key.pem"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_verify 1"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_fail_if_no_peer_cert true"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt server_secure_renegotiate true"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt client_cacertfile /etc/openssl/all_cacerts.pem"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt client_certfile /etc/openssl/nn-vmrh5/cert.pem"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt client_keyfile /etc/openssl/nn-vmrh5/key.pem"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt client_verify 1"
> SERVER_START_ARGS="${SERVER_START_ARGS} -ssl_dist_opt client_secure_renegotiate true"
> #echo SERVER_START_ARGS: ${SERVER_START_ARGS}
>
> Here is the rabbitmq.config for clustering and ssl option set for other 
> modes.
>
>
> [nn-vmrh5: /etc/rabbitmq]vi rabbitmq.config
> [
>     {rabbit, [
>         {default_vhost, <<"alert">>},
>         {tcp_listeners, [5672]},
>         {ssl_listeners, [5671]},
>         {rabbitmq_tracing, [{username, "guest"}]},
>         {cluster_nodes, ['rabbit@nn-vmrh5','rabbit@nn-vmrh5g']},
>         {ssl_options, [{cacertfile,"/etc/openssl/all_cacerts.pem"},
>                        {certfile,"/etc/openssl/nn-vmrh5/cert.pem"},
>                        {keyfile,"/etc/openssl/nn-vmrh5/key.pem"},
>                        {verify,verify_peer},
>                        {fail_if_no_peer_cert,true}] },
>         {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},
>         {ssl_cert_login_from, common_name},
>         {log_levels, [{connection, info}]}
>     ] }
> ].
>
>    Would really appreciate any help on this.
>
> Thanks
> Venkat
>
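
One way to answer the "is inter-node traffic really TLS" question from a capture, as an added example that is not part of the original thread: classify the first payload a connecting node sends to the peer's distribution port. The function names and both sample payloads are constructed for illustration; it assumes you have already extracted those first bytes from the tcpdump output.

```python
import struct
from typing import Optional

# Constructed samples, not taken from the poster's capture.
# Cleartext distribution handshake (send_name): 2-byte length, tag 'n',
# 2-byte version, 4-byte flags, then the node name in the clear.
_NAME = b"rabbit@nn-vmrh5"
CLEAR_SAMPLE = struct.pack(">HcHI", 7 + len(_NAME), b"n", 5, 0x00007FFD) + _NAME
# TLS: record type 22 (handshake), version 3.1, record length 47,
# then a handshake message of type 1 (ClientHello) with a zeroed body.
TLS_SAMPLE = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B]) + bytes(43)


def classify_dist_payload(payload: bytes) -> str:
    """Classify the first client-to-server payload seen on a distribution port."""
    if len(payload) < 5:
        return "too-short"
    # TLS record header: content type, major version 3, minor 0..4, length.
    ctype, major, minor, rec_len = struct.unpack(">BBBH", payload[:5])
    if ctype == 0x16 and major == 3 and minor <= 4 and 0 < rec_len <= 2**14 + 2048:
        if len(payload) > 5 and payload[5] == 0x01:
            return "tls-client-hello"
        return "tls-handshake"
    # Cleartext handshake: big-endian length, then 'n' ('N' on newer OTP releases).
    (msg_len,) = struct.unpack(">H", payload[:2])
    if payload[2:3] in (b"n", b"N") and 7 <= msg_len <= len(payload) - 2:
        return "cleartext-erlang-dist"
    return "unknown"


def node_name(payload: bytes) -> Optional[str]:
    """Node name exposed by an old-style ('n') cleartext send_name, else None."""
    if classify_dist_payload(payload) != "cleartext-erlang-dist":
        return None
    if payload[2:3] != b"n":
        return None  # the newer 'N' layout differs and is not parsed here
    (msg_len,) = struct.unpack(">H", payload[:2])
    return payload[9:2 + msg_len].decode("latin-1")


if __name__ == "__main__":
    for label, sample in (("clear", CLEAR_SAMPLE), ("tls", TLS_SAMPLE)):
        print(label, classify_dist_payload(sample), node_name(sample))
```

A readable node name at the start of the stream means the distribution link is not using `inet_tls`; a TLS ClientHello there means the handshake is at least being attempted.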