[rabbitmq-discuss] Client certificate based authentication over SSL

Vinay Nayak Vinay.Nayak at edftrading.com
Thu Mar 27 14:47:07 GMT 2014


Hi there,

We are trying to configure client certificate based authentication over SSL on our RabbitMQ server. However, we have hit an issue that we are unable to get past.
Can someone please help us figure out the solution?

Our configuration steps are as follows:

1)    Our RabbitMQ version is:

2)    We would like to achieve password-less authentication using client certificate and LDAP authorisation.

3)    For client certificates, we installed a stand-alone Microsoft PKI Certification Authority on our Windows Server 2008 R2 machine

4)    We then issued a client certificate via the certificate manager web portal i.e.

https://<servername>/certmgr -> Request a certificate -> Advanced certificate request -> Create and submit a request to this CA -> Filled in the details (with Client Authentication Certificate option selected) -> Submitted the request -> Approved -> Installed.
            Please note the Name on the certificate was set as username at domain.com (which is the CN for the user name in AD)

5)    We then issued an SSL certificate via the certificate manager web portal, i.e. the same steps as above but this time with "Server Authentication Certificate" selected.
            Please note the Name on the certificate was set as machine at domain.com

6)    Downloaded the CA root certificate in .cer format and converted it into .pem using openssl

7)    Downloaded the Server certificate (from step 5) in .pfx format. It was then separated into ServerCertificate.pem and ServerCertificateKey.pem using openssl

8)    Downloaded the Client certificate (from step 4) in .pfx format. It was then separated into Cert.pem/ Key.pem and then combined into ClientCertificate.p12 using openssl

9)    Our rabbitmq config is:

[{rabbit,
  [{auth_backends, [rabbit_auth_backend_ldap]},
   {auth_mechanisms, ['EXTERNAL']},
   {ssl_listeners, [{"0.0.0.0", 5671}]},
   {ssl_options,
    [{cacertfile, "C:/Program Files (x86)/RabbitMQ Server/rabbitmq_server-3.2.3/certificates/pem/CARootCertificate.pem"},
     {certfile,   "C:/Program Files (x86)/RabbitMQ Server/rabbitmq_server-3.2.3/certificates/pem/ServerCertificate.pem"},
     {keyfile,    "C:/Program Files (x86)/RabbitMQ Server/rabbitmq_server-3.2.3/certificates/key/ServerCertificateKey.key"},
     {verify, verify_peer},
     {fail_if_no_peer_cert, true}]},
   {ssl_cert_login_from, common_name}]},
 {rabbitmq_auth_backend_ldap,
  [{servers,               ["xxxxxxx.yyyyy.com"]},
   {dn_lookup_attribute,   "userPrincipalName"},
   {dn_lookup_base,        "DC= yyyyy,DC=com"},
   {use_ssl,               true},
   {port,                  636},
   {log,                   network},
   {vhost_access_query,    {in_group, "ou=${vhost}-users,ou=computers,dc= yyyyy,dc=com"}},
   {resource_access_query,
    {for, [{permission, configure, {in_group, "cn=domain users,dc= yyyyy,dc=com"}},
           {permission, write,
            {for, [{resource, queue,    {in_group, "cn=domain users,dc= yyyyy,dc=com"}},
                   {resource, exchange, {constant, true}}]}},
           {permission, read,
            {for, [{resource, exchange, {in_group, "cn=domain users,dc= yyyyy,dc=com"}},
                   {resource, queue,    {constant, true}}]}}]}},
   {tag_queries,           [{administrator, {constant, true}},
                            {management,    {constant, true}}]}]}].

10)  Our client code is:

            cf.Ssl.ServerName = <CN Name of the server certificate i.e. machine at domain.com>;
            cf.Ssl.CertPath = @"C:\Program Files (x86)\RabbitMQ Server\rabbitmq_server-3.2.3\certificates\p12\ClientCertificate.p12";
            cf.Ssl.CertPassphrase = "rabbitmq";
            cf.Ssl.Enabled = true;
            cf.Ssl.AcceptablePolicyErrors = System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch |
                                            System.Net.Security.SslPolicyErrors.RemoteCertificateChainErrors |
                                            System.Net.Security.SslPolicyErrors.RemoteCertificateNotAvailable;

11)  And the following is our log:

=INFO REPORT==== 27-Mar-2014::14:35:23 ===
accepting AMQP connection <0.322.0> (a.b.c.d:2935 -> a.b.c.d:5671)

=INFO REPORT==== 27-Mar-2014::14:35:23 ===
LDAP CHECK: passwordless login for username at domain.com

=ERROR REPORT==== 27-Mar-2014::14:35:26 ===
closing AMQP connection <0.322.0> (a.b.c.d:2935 -> a.b.c.d:5671):
{handshake_error,starting,0,
    {exit,as_user_no_password,'connection.start_ok',
        [{rabbit_auth_backend_ldap,creds,2,[]},
         {rabbit_auth_backend_ldap,check_user_login,2,[]},
         {rabbit_access_control,'-check_user_login/2-fun-0-',4,[]},
         {lists,foldl,3,[{file,"lists.erl"},{line,1248}]},
         {rabbit_reader,auth_phase,2,[]},
         {rabbit_reader,handle_method0,3,[]},
         {rabbit_reader,handle_input,3,[]},
         {rabbit_reader,recvloop,2,[]}]}}

And the .NET error is "Possibly caused by authentication failure".


Regards,
Vinay
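Editor's note, added here as a worked example and not part of the message above: the `{exit,as_user_no_password,...}` raised from `rabbit_auth_backend_ldap:creds/2` in the log is the LDAP plugin failing to obtain credentials for its own directory queries. The plugin's `other_bind` setting, which controls the bind used for the DN lookup and the authorisation queries, defaults to `as_user`, meaning it binds to LDAP as the user who is logging in; an EXTERNAL (certificate) login carries no password, so that bind cannot be made. The rabbitmq.config fragment below keeps the shape of the poster's configuration but adds `other_bind`, with either an anonymous bind or, preferably, a least-privilege read-only service account. All hostnames, paths, DNs and the service-account password are placeholders of my own, not values from the message.

```erlang
%% Added example (not the poster's configuration): rabbitmq.config for
%% certificate-based (SASL EXTERNAL) logins authorised via LDAP. The one
%% functional difference from the configuration in the message is other_bind.
[{rabbit,
  [{auth_backends,   [rabbit_auth_backend_ldap]},
   {auth_mechanisms, ['EXTERNAL']},            %% offer only the certificate mechanism
   {ssl_listeners,   [{"0.0.0.0", 5671}]},
   {ssl_options,
    [{cacertfile,           "/etc/rabbitmq/certs/CARootCertificate.pem"},   %% placeholder path
     {certfile,             "/etc/rabbitmq/certs/ServerCertificate.pem"},   %% placeholder path
     {keyfile,              "/etc/rabbitmq/certs/ServerCertificateKey.pem"},%% placeholder path
     {verify,               verify_peer},      %% ask the client for a certificate ...
     {fail_if_no_peer_cert, true}]},           %% ... and refuse connections without one
   %% The username presented to the LDAP backend is the client certificate's CN,
   %% so the CN must equal the value that dn_lookup_attribute is searched on
   %% (here the userPrincipalName, e.g. user@example.com).
   {ssl_cert_login_from, common_name}]},
 {rabbitmq_auth_backend_ldap,
  [{servers,             ["ldap.example.com"]},         %% placeholder host
   {use_ssl,             true},
   {port,                636},
   {dn_lookup_attribute, "userPrincipalName"},
   {dn_lookup_base,      "DC=example,DC=com"},          %% placeholder base DN
   %% other_bind: bind used for the DN lookup and for the *_query checks.
   %% Default as_user needs the logging-in user's password, which an EXTERNAL
   %% login does not have, hence as_user_no_password in the log. Option 1,
   %% only if the directory allows anonymous reads of users and groups:
   %% {other_bind, anon},
   %% Option 2 (preferred): a dedicated service account granted read access
   %% to exactly the user and group entries the queries below touch.
   {other_bind, {"CN=rabbitmq-svc,OU=Service Accounts,DC=example,DC=com",   %% placeholder DN
                 "<service-account-password>"}},                            %% placeholder secret
   %% network logging is verbose; use it while troubleshooting, then lower it.
   {log,                 network},
   {vhost_access_query,  {in_group, "ou=${vhost}-users,ou=computers,dc=example,dc=com"}},
   {resource_access_query,
    {for, [{permission, configure, {in_group, "cn=domain users,dc=example,dc=com"}},
           {permission, write,
            {for, [{resource, queue,    {in_group, "cn=domain users,dc=example,dc=com"}},
                   {resource, exchange, {constant, true}}]}},
           {permission, read,
            {for, [{resource, exchange, {in_group, "cn=domain users,dc=example,dc=com"}},
                   {resource, queue,    {constant, true}}]}}]}},
   %% Granting administrator/management to everyone via {constant, true} is
   %% convenient for a lab; in production gate these on a group as well.
   {tag_queries,         [{administrator, {in_group, "cn=rabbitmq-admins,dc=example,dc=com"}},
                          {management,    {constant, true}}]}]}].
```

Two further points a reviewer would raise on the client side of the message, again as editorial comment rather than anything the poster said: the .NET settings accept `RemoteCertificateNameMismatch`, `RemoteCertificateChainErrors` and `RemoteCertificateNotAvailable`, which together mean the client never verifies who the server is, so once the CA root from step 6 is trusted on the client machine these should be reduced to `SslPolicyErrors.None`; and the server `keyfile` in the message points at a `.key` file while step 7 describes writing `ServerCertificateKey.pem`, which is worth confirming against what is actually on disk.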
