X509 Authentication Mechanism Error


Sefa Teber

Nov 15, 2021, 3:04:52 AM
to rabbitmq-users
Hi,

I want to authenticate to the RabbitMQ server with an SSL certificate. I followed the https://www.rabbitmq.com/ssl.html page and built a Java client.

First I enabled the rabbitmq_auth_mechanism_ssl plugin. Then I configured the rabbitmq.conf file.

/** #rabbitmq.conf 
auth_mechanisms.1 = EXTERNAL

listeners.ssl.default = 5671

ssl_options.cacertfile = /etc/rabbitmq/sslcerts/myCA.pem
ssl_options.certfile = /etc/rabbitmq/sslcerts/server.pem
ssl_options.keyfile = /etc/rabbitmq/sslcerts/server_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true

ssl_cert_login_from = common_name
**/

And my Java client:

/**
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.security.KeyStore;

public class SslClient {
    public static void main(String[] args) throws Exception {
        // Client certificate and private key (PKCS12), presented to the broker in the TLS handshake
        char[] keyPassphrase = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new FileInputStream(".../client.p12"), keyPassphrase);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, keyPassphrase);

        // Trust store holding the CA that signed the broker's server certificate
        char[] trustPassphrase = "changeit".toCharArray();
        KeyStore tks = KeyStore.getInstance("JKS");
        tks.load(new FileInputStream(".../rabbitstore"), trustPassphrase);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(tks);

        SSLContext c = SSLContext.getInstance("TLSv1.2");
        c.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        ConnectionFactory factory = new ConnectionFactory();

        factory.setHost("127.0.0.1");
        factory.setPort(5671);
        factory.useSslProtocol(c);
        factory.enableHostnameVerification();
        // No SASL mechanism is set here, so the client still negotiates the default (PLAIN)

        Connection conn = factory.newConnection();
    }
}
**/

There is no error in the certificates, but the client can't authenticate. The Java client gives this error:

No compatible authentication mechanisms found - server offered [EXTERNAL]

But on the https://github.com/rabbitmq/rabbitmq-auth-mechanism-ssl page, it gives the "auth_mechanisms.1 = EXTERNAL" config.

What is the reason for this error, or what is the wrong part of my code?

Thanks.


Arnaud Cogoluègnes

Nov 15, 2021, 11:47:12 AM
to rabbitmq-users
You need to set the SASL configuration to EXTERNAL, not PLAIN (the default), because the credentials are no longer a username and a password:

factory.setSaslConfig(DefaultSaslConfig.EXTERNAL);

Then you have to make sure the username extracted from the CN (ssl_cert_login_from = common_name in the broker configuration) has access to the virtual host and the permissions to do whatever the connection does.
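The two points in this answer, the EXTERNAL SASL setting and the CN-to-username mapping, put together in a client as an added example; this is not code from the thread or from the RabbitMQ project. It assumes the same keystore layout as the question (a PKCS12 client keystore and a JKS truststore, passphrase "changeit"); the file paths and the class name ExternalAuthClient are placeholders. The clientCommonName helper reads the CN out of the client keystore so you can see, before connecting, which RabbitMQ user the broker will derive under ssl_cert_login_from = common_name:

```java
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;
import com.rabbitmq.client.DefaultSaslConfig;

import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Added example (not from the thread); paths below are placeholders.
public class ExternalAuthClient {

    /** Builds an SSLContext from the client PKCS12 keystore and the CA truststore. */
    static SSLContext buildSslContext(String clientP12, char[] keyPass,
                                      String trustStore, char[] trustPass) throws Exception {
        // Client certificate + private key, presented to the broker during the TLS handshake
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(clientP12)) {
            ks.load(in, keyPass);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, keyPass);

        // CA that signed the broker's server certificate
        KeyStore tks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStore)) {
            tks.load(in, trustPass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(tks);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Returns the CN of the first key entry in the client keystore. With
     * ssl_cert_login_from = common_name this is the username the broker will
     * look up, so it must exist and have permissions on the target vhost.
     */
    static String clientCommonName(String clientP12, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(clientP12)) {
            ks.load(in, keyPass);
        }
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // skip trusted-cert-only entries
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            // getName() returns the subject in RFC 2253 form, which LdapName parses
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        }
        throw new IllegalStateException("no key entry with a CN in " + clientP12);
    }

    public static void main(String[] args) throws Exception {
        String clientP12 = "/path/to/client.p12";   // placeholder
        String trustStore = "/path/to/rabbitstore"; // placeholder
        char[] pass = "changeit".toCharArray();

        System.out.println("broker will authenticate this connection as user: "
                + clientCommonName(clientP12, pass));

        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost("127.0.0.1");
        factory.setPort(5671);
        factory.useSslProtocol(buildSslContext(clientP12, pass, trustStore, pass));
        factory.enableHostnameVerification();
        // The fix from the answer: negotiate EXTERNAL so the broker authenticates the
        // peer certificate instead of expecting a PLAIN username/password.
        factory.setSaslConfig(DefaultSaslConfig.EXTERNAL);

        try (Connection conn = factory.newConnection()) {
            System.out.println("connected: " + conn.isOpen());
        }
    }
}
```

If the printed CN does not match an existing broker user, the handshake still succeeds but the AMQP connection is refused, so create that user and grant it permissions on the vhost (for example with rabbitmqctl add_user and rabbitmqctl set_permissions) before retrying. Hostname verification is kept on: the broker's certificate must match the host passed to setHost.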

Sefa Teber

Nov 16, 2021, 12:40:24 AM
to rabbitmq-users
Thanks for the help,

I also found the commit below:
On Monday, November 15, 2021 at 19:47:12 UTC+3, Arnaud Cogoluègnes wrote: