[rabbitmq-discuss] Using rabbitmq_auth_mechanism_ssl with the .NET client


John Ruiz

Dec 27, 2011, 1:16:00 PM12/27/11
to rabbitmq...@lists.rabbitmq.com
Hi All,

I've successfully followed the SSL tutorial and gotten my .NET client
to connect, send, and receive messages over SSL. See my blog for the
code: http://blog.johnruiz.com/2011/12/establishing-ssl-connection-to-rabbitmq.html.

As the next step, I enabled the plugin "rabbitmq_auth_mechanism_ssl"
and then re-installed the Windows Service. Then I re-ran the code I
have listed in my blog -- with the addition of a Console.ReadLine() at
the end of my using statements so I can see the connection details in
the management web app.

I am still connecting as guest. What do I need to do in order to
connect as the CN of the Subject on my certificate?

Thanks!
~ jR
_______________________________________________
rabbitmq-discuss mailing list
rabbitmq...@lists.rabbitmq.com
https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss

John Ruiz

Dec 27, 2011, 4:22:16 PM12/27/11
to rabbitmq...@lists.rabbitmq.com
I have figured it out. There were two issues.

1. Add the external mechanism factory to your connection factory's
auth mechanisms, i.e.:

    cf.AuthMechanisms = new AuthMechanismFactory[] { new ExternalMechanismFactory() };

2. Configure the server's auth_mechanisms variable in your
rabbitmq.config.
Here is my complete rabbitmq.config:

[
  {rabbit, [
    {auth_mechanisms, ['EXTERNAL']},
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile, "C:/Path/To/Your/cacert.pem"},
                   {certfile,   "C:/Path/To/Your/cert.pem"},
                   {keyfile,    "C:/Path/To/Your/key.pem"},
                   {verify, verify_peer},
                   {fail_if_no_peer_cert, true}]}
  ]}
].


John Ruiz

Dec 30, 2011, 11:19:27 AM12/30/11
to rabbitmq...@lists.rabbitmq.com
Now that I have all of this working, I need to switch over from an
openssl-based CA to our production CA, which is Active Directory
Certificate Services. All certificates are issued by the subordinate
enterprise CA --> ISSUE01.devexample.com.

I have a certificate for myself in my personal store on
DC01.devexample.com (Windows Server).

The RabbitMQ Service runs as Local System on APP01.devexample.com
(Windows Server) so there's a certificate for APP01.devexample.com in
the Local Computer's Personal store.

The Root CA certificate is already in Trusted Root Certs on all
machines in the domain devexample.com. The ISSUE01 CA cert is in the
Intermediate Certification Authority store everywhere as well.

I have exported the Root CA cert to a DER file and then moved it to a
linux machine where I used openssl to convert it to PEM. I then moved
it back to APP01. Next, I exported APP01's cert (with private key) to
a PFX file, moved it to a linux machine and extracted the signed
public key cert and the private key cert.

# extract the private key (still password protected)
openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem

# extract the public cert
openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out app01.pem

# remove the password protection
openssl.exe rsa -in privateKey.pem -out app01-private.pem

I moved all of these PEMs back to APP01 -- the CA's public cert,
APP01's public cert, and APP01's private key. Here is my
rabbitmq.config

[
  {rabbit, [
    {auth_mechanisms, ['EXTERNAL']},
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile, "C:/Keys/pki-root-ca.pem"},
                   {certfile,   "C:/Keys/app01.pem"},
                   {keyfile,    "C:/Keys/app01-private.pem"},
                   {verify, verify_peer},
                   {fail_if_no_peer_cert, true}]}
  ]}
].

When I run the code that I've already listed in my blog post, I get
this exception: http://pastebin.com/9USFHWzf

In the rabbit log, I see this: http://pastebin.com/GsWsxLGV

As far as I can tell, I've done everything correctly. I've ensured
that my code references APP01.devexample.com, exactly as it appears on
the certificate (Subject: CN = APP01.devexample.com).

What should I do/try?

Please help!

John Ruiz

Dec 30, 2011, 11:48:41 AM12/30/11
to rabbitmq...@lists.rabbitmq.com
I have a certificate with the following Subject:
"CN=John Ruiz, CN=Users, DC=devexample, DC=com"

When you look at rabbit_ssl.erl's find_by_type function, (this is my
first time seeing erlang code, btw) I notice that there's a "<-
lists:flatten(RDNs)" line. I don't know what the result of
lists:flatten will be. This is probably why the connection suddenly
ends... the user I've created for rabbit isn't matching what the cert
says.

Can anyone help me?

John Ruiz

Dec 30, 2011, 2:52:51 PM12/30/11
to rabbitmq...@lists.rabbitmq.com
See this stackoverflow thread for more information:

http://stackoverflow.com/questions/8683006/this-erlang-code-throws-an-exception-and-i-dont-know-why

Since this is the way that Windows Domains operate out of the box, I
suggest that instead of writing the code such that it throws an
exception, it instead concatenates any CN strings it finds.

At least this way I could have created a "Users John Ruiz" or "John
Ruiz Users" user in RabbitMQ and it would work. With the
implementation as it stands today, I would need to create my own OU in
AD and then redirect the users container following this article:
http://support.microsoft.com/kb/324949.

The problem is the note at the bottom of that article:

"Some applications require specific security principals to be located
in default containers like CN=Users or CN=Computers. Verify that your
applications have such dependencies before you move them out of the
CN=Users and CN=Computers containers."

I have already discovered that I cannot move my service accounts
outside of the CN=users container or else many of my Constrained
Delegation scenarios no longer work. (More on constrained delegation
of kerberos credentials here: http://technet.microsoft.com/en-us/library/cc739587%28WS.10%29.aspx).

Simon MacMullen

Jan 5, 2012, 5:38:27 AM1/5/12
to rabbitmq...@lists.rabbitmq.com
Somewhat weirdly that's not how our local AD server seems to be doing
things. But this is clearly a problem. I think
rabbitmq_auth_mechanism_ssl needs to switch to using DNs...

Cheers, Simon


--
Simon MacMullen
RabbitMQ, VMware

John Ruiz

Jan 9, 2012, 11:25:46 AM1/9/12
to rabbitmq...@lists.rabbitmq.com
I wonder what version of Windows Server you're running?

I installed Windows Server 2008 R2 Enterprise with Service Pack 1

Then I installed the Active Directory Directory Services role and
stood up my domain in a new forest.

This is the setup that yields CN=Users,DC=example,DC=com



Simon MacMullen

Jan 9, 2012, 11:32:38 AM1/9/12
to rabbitmq...@lists.rabbitmq.com
Windows Server 2003 apparently, but I'm very much not a Windows sysadmin...

If you're up for building plugins from source, the branch "bug24265" of
rabbitmq_auth_mechanism_ssl contains my attempt at supporting DNs /
concatenating multiple CNs.

Cheers, Simon

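The certificate-to-username mapping problem in John's Dec 30 posts (a subject with two CN RDNs, as Active Directory issues for accounts in the default Users container) and Simon's move towards DNs, worked through as an added illustration. This is not code from the thread or from the rabbitmq_auth_mechanism_ssl plugin: the DN strings are constructed, and find_single only models the one-CN assumption the thread describes, not the plugin's Erlang.

```python
import re
from typing import List, Tuple

# Constructed sample subjects: the first is the single-CN shape an openssl
# test CA tends to issue; the second is the shape Active Directory issues for
# an account in the default Users container, as reported in the thread.
OPENSSL_DN = "CN=John Ruiz,O=devexample,C=US"
AD_USER_DN = "CN=John Ruiz,CN=Users,DC=devexample,DC=com"

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253 string DN into (TYPE, value) RDNs, leaf RDN first.
    Only the comma separator is unescaped here; other escapes are kept."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr_type, sep, value = part.strip().partition("=")
        if not sep or not attr_type.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr_type.strip().upper(), value.replace("\\,", ",")))
    return rdns

def find_single(attr_type: str, rdns: List[Tuple[str, str]]) -> str:
    """The one-CN assumption the thread runs into: a subject is accepted only
    if it carries exactly one RDN of the requested type, so an AD user DN of
    the form CN=<name>,CN=Users,... is rejected outright."""
    values = [v for t, v in rdns if t == attr_type]
    if len(values) != 1:
        raise ValueError("expected exactly one %s, found %d" % (attr_type, len(values)))
    return values[0]

def username_concat_cns(rdns: List[Tuple[str, str]]) -> str:
    """John's proposal: join every CN value, leaf first ("John Ruiz Users")."""
    return " ".join(v for t, v in rdns if t == "CN")

def username_full_dn(rdns: List[Tuple[str, str]]) -> str:
    """Simon's direction: use the whole DN. Unlike a bare CN this keeps two
    principals that share a common name (e.g. in different containers) apart,
    so they cannot be mapped onto the same RabbitMQ user."""
    return ",".join("%s=%s" % (t, v.replace(",", "\\,")) for t, v in rdns)

if __name__ == "__main__":
    for dn in (OPENSSL_DN, AD_USER_DN):
        rdns = parse_dn(dn)
        try:
            print("single CN :", find_single("CN", rdns))
        except ValueError as exc:
            print("single CN : rejected (%s)" % exc)
        print("concat CNs:", username_concat_cns(rdns))
        print("full DN   :", username_full_dn(rdns))
```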
