[rabbitmq-discuss] SASL authentication HTTP (management console / REST API)

Tim Watson tim at rabbitmq.com
Tue Nov 12 10:00:31 GMT 2013


See http://hg.rabbitmq.com/rabbitmq-management/raw-file/rabbitmq_v3_2_1/priv/www/api/index.html, specifically this part:

    "all URIs will serve only resources of type application/json, and will require HTTP basic authentication"

So you've got the TLS layer (i.e., SSL) using a cert, and that's what the configuration in the rabbitmq_management section is for. Plus, you've also got HTTP (application) layer authentication, which requires basic auth. The cert is only used for wire traffic, not AAA. Hope that makes sense.

Cheers,
Tim

On 10 Nov 2013, at 15:05, Aryan S wrote:

> Hi,
> 
> I am trying to get the HTTP API (REST calls) and the management console to work without prompting for user name and password.
> 
> 1.) Now the first thing I am trying is accessing https://10.31.52.204:15672 from my browser (I have imported the certificates in the browser).
> 
> I get a prompt to select the certificate and after that it takes me to the username/password page. Can you help me in understanding what I am missing? Shouldn't it authenticate based on the client certificate and take me in or fail (since I have fail_if_no_peer_cert, true & verify, verify_peer)?
> 
> 2.) Even for the REST API calls, say for example https://10.31.52.204:15672/api/users, I still get a prompt for username and password. How do I prevent this?
> 
> (Basically I am trying the last part in http://www.rabbitmq.com/mochiweb.html)
> 
> The following is my rabbitmq.config file:
> 
> [
>   {rabbit, [
>     {heartbeat, 30},
>     {auth_mechanisms,     ['EXTERNAL']},
>     {ssl_listeners,       [15671]},
>     {ssl_cert_login_from, common_name},
>     {ssl_options, [{cacertfile, "/home/test/certificates/cert/testca/cacert.pem"},
>                     {certfile, "/home/test/certificates/cert/server/cert.pem"},
>                     {keyfile, "/home/test/certificates/cert/server/key.pem"},
>                     {verify, verify_peer},
>                     {fail_if_no_peer_cert, true}]}
>            ]
>   },
> {rabbitmq_management,
>   [{listener, [{port, 15672},
>                {ssl,  true},
>                {ssl_opts, [{cacertfile, "/home/test/certificates/cert/testca/cacert.pem"},
>                            {certfile,   "/home/test/certificates/cert/server/cert.pem"},
>                            {keyfile,    "/home/test/certificates/cert/server/key.pem"},
>                            {verify, verify_peer},
>                            {fail_if_no_peer_cert, true}]}
>               ]}
>   ]}
> ].
> 
> Regards,
> Aryan
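
Added example (not part of the original thread and not RabbitMQ's own code): a Python client that supplies both layers described in the reply, a client certificate for the TLS handshake and HTTP basic auth for the API itself. The URL and CA path come from the post; the client certificate paths and the credentials are assumptions.

```python
import base64
import json
import ssl
import urllib.request

API_URL = "https://10.31.52.204:15672/api/users"            # URL from the post
CA_FILE = "/home/test/certificates/cert/testca/cacert.pem"  # path from the post
# Assumed client certificate and key locations (not given in the thread).
CLIENT_CERT = "/path/to/client/cert.pem"
CLIENT_KEY = "/path/to/client/key.pem"


def tls_context(ca_file, cert_file, key_file):
    """Transport layer: presents the client cert that the listener's
    verify_peer / fail_if_no_peer_cert options demand. It only gets the
    connection established; it does not log anyone in to the API."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    # Hostname checking stays on, so the server cert must name the address used.
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def api_request(url, username, password):
    """Application layer: every API URI still requires HTTP basic auth."""
    raw = f"{username}:{password}".encode("utf-8")
    req = urllib.request.Request(url)
    req.add_header("Authorization", "Basic " + base64.b64encode(raw).decode("ascii"))
    req.add_header("Accept", "application/json")
    return req


def list_users(username, password):
    """Call /api/users with both the client certificate and basic auth."""
    ctx = tls_context(CA_FILE, CLIENT_CERT, CLIENT_KEY)
    req = api_request(API_URL, username, password)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import getpass
    user = input("management user: ")
    for entry in list_users(user, getpass.getpass()):
        print(entry.get("name"), entry.get("tags"))
```

Dropping the `Authorization` header while keeping the client certificate reproduces the behaviour in the question: the TLS handshake succeeds and the API then asks for credentials.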
