WEB stomp client Authentication using certificate


Vinay Dighade

Jun 5, 2019, 8:21:00 AM
to rabbitmq-users
Hi,
I want to know how I can use an X509 certificate to authenticate over web stomp instead of using a username and password.

My concern is that passing credentials directly will fail the security check. Is there any alternative?


Thanks

Luke Bakken

Jun 5, 2019, 5:05:48 PM
to rabbitmq-users
Hi Vinay,

You can enable TLS for your web stomp connection and then use a username and password, which will be encrypted.

If your TLS settings include verify_peer, your client will be required to present a certificate signed by a CA that RabbitMQ has access to.

Since STOMP doesn't support X509 certificate authentication, Web STOMP won't either, but the combination of requiring a client certificate along with username / password is practically the same thing.

Thanks,
Luke

Vinay Dighade

Jun 6, 2019, 1:08:29 AM
to rabbitmq-users
Thanks Luke. I will do that.

Luke Bakken

Jun 6, 2019, 10:31:27 AM
to rabbitmq-users
Great.

I should also mention that you should set fail_if_no_peer_cert to true -

https://github.com/rabbitmq/rabbitmq-server/blob/v3.7.15/priv/schema/rabbit.schema#L132-L139

That way if a client does not present a certificate, the TLS handshake will fail.

Thanks,
Luke

Rama Krishna Meesala

Sep 20, 2019, 9:59:47 AM
to rabbitmq-users
Hi,

I am also doing the same thing. Please help me with how to do it.


Configuration:

[{rabbit,          [
                    {ssl_options, [{cacertfile, "/path/to/tls/ca_certificate.pem"},
                                   {certfile,   "/path/to/tls/server_certificate.pem"},
                                   {keyfile,    "/path/to/tls/server_key.pem"},
                                   {verify,     verify_peer},
                                   {fail_if_no_peer_cert, true}]}
                   ]},
  {rabbitmq_stomp, [{tcp_listeners, [61613]},
                    {ssl_listeners, [61614]}]},

{rabbitmq_web_stomp,
      [{ssl_config, [{port,       15673},
                     {backlog,    1024},
                     {cacertfile, "/path/to/ca_certificate.pem"},
                     {certfile,   "/path/to/server_certificate.pem"},
                     {keyfile,    "/path/to/server_key.pem"},
                     %% needed when private key has a passphrase
                     {password,   "changeme"}]}]}
].

Please help me with how to connect.

My certificate CA name is my username.

Thanks,

RK
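
An added example, not part of any post in this thread and not RabbitMQ code: a small audit for the classic Erlang-term config format shown above, checking whether each TLS option list sets both `{verify, verify_peer}` and `{fail_if_no_peer_cert, true}`. The function names and the sample config are constructed for illustration, and it assumes the Web STOMP listener takes its TLS options from its own `ssl_config` list rather than from `rabbit`'s `ssl_options`.

```python
import re

# Constructed sample in the classic Erlang-term format used in this thread:
# client-certificate checks are set for the core listeners only.
SAMPLE_CONFIG = """
[{rabbit, [{ssl_options, [{cacertfile, "/path/to/ca_certificate.pem"},
                          {verify, verify_peer},
                          {fail_if_no_peer_cert, true}]}]},
 {rabbitmq_web_stomp,
  [{ssl_config, [{port, 15673},
                 {cacertfile, "/path/to/ca_certificate.pem"},
                 %% {verify, verify_peer} commented out: must not count
                 {certfile, "/path/to/server_certificate.pem"}]}]}
].
"""

REQUIRED = {"verify": "verify_peer", "fail_if_no_peer_cert": "true"}

def strip_comments(text):
    """Drop Erlang % comments (assumes no '%' inside quoted strings)."""
    return re.sub(r"%.*", "", text)

def block_after(text, key):
    """Return the text of the balanced [...] list that follows `{key,`."""
    m = re.search(r"\{\s*" + re.escape(key) + r"\s*,\s*\[", text)
    if not m:
        return None
    depth, start = 0, m.end() - 1
    for i in range(start, len(text)):
        depth += {"[": 1, "]": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i + 1]
    return None  # unbalanced brackets

def missing_client_cert_settings(config_text, app, tls_key):
    """List the REQUIRED settings absent from app's TLS option list."""
    app_block = block_after(strip_comments(config_text), app)
    tls_block = block_after(app_block, tls_key) if app_block else None
    if tls_block is None:
        return sorted(REQUIRED)
    found = dict(re.findall(r"\{\s*(\w+)\s*,\s*(\w+)\s*\}", tls_block))
    return sorted(k for k, v in REQUIRED.items() if found.get(k) != v)

if __name__ == "__main__":
    for app, key in (("rabbit", "ssl_options"), ("rabbitmq_web_stomp", "ssl_config")):
        print(app, "missing:", missing_client_cert_settings(SAMPLE_CONFIG, app, key))
```

An empty list for a section means a client that presents no certificate fails the TLS handshake on that listener; a non-empty list names the settings to add to that section.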

Luke Bakken

Sep 20, 2019, 10:44:54 AM
to rabbitmq-users
Hi Rama,

Please take the time to read and do the troubleshooting outlined here: https://www.rabbitmq.com/troubleshooting-ssl.html

If you continue to have problems, provide the following information -
  • RabbitMQ and Erlang version
  • Operating system and version
  • A transcript of all the commands you ran, and the output. Please attach in a separate file.
  • The output or exceptions that your application is returning.

Thanks,
Luke

Rama Krishna Meesala

Sep 20, 2019, 10:55:33 AM
to rabbitmq-users

Hi Luke,

Thank you very much for the prompt reply.

RabbitMQ version: rabbitmq-server-3.6.10.exe

Erlang: otp_win64_19.3.exe

Operating system: Windows 10 (my server machine)

Actually, I am trying to connect over a secure connection: wss://localhost:15673/ws. It works when I pass a username and password, but I want to omit the username and password and connect using a self-signed certificate. My username should be my certificate CA name.

Please guide me on how I can connect with certificate authentication using web-stomp.

thanks,
RK
rabbitmq.config

Michael Klishin

Sep 21, 2019, 9:47:39 AM
to rabbitmq-users
Please start a separate thread. This list uses a "one question per thread" policy.

RabbitMQ 3.6.x has been out of support for well over one year. Please upgrade first [1][2][3].
Once you move to 3.7, you would be able to use the new style configuration format which current
doc guides use more often than not.

There is a guide on Troubleshooting TLS [4]. Please follow it in order to narrow down the issue. Please post
server logs and client output with *actual complete error messages*. We cannot suggest anything
with a one sentence problem definition as there are too many things that can be off with TLS.


--
MK

Staff Software Engineer, Pivotal/RabbitMQ