This post provides step-by-step instructions to enable SSL/TLS on RabbitMQ,
then use the AMQPS connector with Mule ESB.
- I followed the step-by-step instructions from https://www.rabbitmq.com/ssl.html to set up RabbitMQ, with some twists tailored to my own environment.
- I used https://github.com/mulesoft/mule-transport-amqp/blob/master/GUIDE.md to implement Mule AMQPS.
- I am installing on a Windows 7 server.
Part I – Enable SSL on RabbitMQ
Finished view of the directories for the certificates:
Here is an overview of the certificate directories; it may help you navigate the paths as you generate the certificates in the next few sections:
D:\MULE\ssl
├───client
├───server
└───testca
    ├───certs
    └───private
CA: Certificate Authority
Download OpenSSL if you haven't done so. I used ftp://ftp.openssl.org/source/
Select a working directory; I use "d:\mule\ssl", you can pick your own.
The instructions are a mirror of the online instructions, followed by some extra notes where necessary.
mkdir testca
cd testca
mkdir certs private (creates the two directories)
chmod 700 private (no equivalent action on Windows)
echo 01 > serial (create the file with a text editor instead: one line containing "01" and nothing else; on Windows cmd, echo writes the space before the redirect into the file, and that stray character breaks openssl ca)
touch index.txt (create an empty index.txt file with no contents or blank lines at all, otherwise openssl ca aborts when it tries to sign)
Copy the openssl.cnf contents from the RabbitMQ guide into D:\mule\ssl\testca\openssl.cnf, then point OpenSSL at it:
set OPENSSL_CONF=D:\mule\ssl\testca\openssl.cnf
(a very important step on Windows: without it OpenSSL does not find the ca, req and extension sections that every command below relies on, and you'll have many problems)
openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes
openssl x509 -in cacert.pem -out cacert.cer -outform DER
The first command writes the CA certificate to cacert.pem and, because no -keyout is given, the CA private key to the location named by default_keyfile in openssl.cnf (private/cakey.pem in the RabbitMQ guide's file). -nodes leaves that key unencrypted, so the private directory is the only thing protecting it, and -days 365 means every certificate issued under this CA stops validating once the CA expires in a year unless you renew it. The second command only produces a DER copy for the Windows certificate store import below.
Server Certificates
cd .. (moves to your working directory)
mkdir server
cd server
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=meng04/O=server/ -nodes
cd ../testca
openssl ca -config openssl.cnf -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions server_ca_extensions
cd ../server
openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:MySecretPassword
Notes: meng04 is my host name; use the name clients will put in their host setting, because a client that checks host names compares it against this CN. server_ca_extensions is the section of openssl.cnf that marks the certificate for server use (extendedKeyUsage serverAuth). RabbitMQ itself reads cert.pem and key.pem directly; the .p12 is only a convenience for Java tooling, and -passout pass:... leaves the password in your command history.
Client Certs
cd .. (moves to your working directory)
mkdir client
cd client
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=meng04/O=client/ -nodes
cd ../testca
openssl ca -config openssl.cnf -in ../client/req.pem -out ../client/cert.pem -notext -batch -extensions client_ca_extensions
cd ../client
openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:MySecretPassword
Notes: the O=client part is not decoration. openssl ca refuses to issue a second certificate for a subject it has already issued, so reusing /CN=meng04/ for the client only works because the organization differs. client_ca_extensions marks the certificate for client use (extendedKeyUsage clientAuth), so this certificate cannot be used to impersonate the broker. client/keycert.p12 is the bundle Mule loads as its key store in Part II.
Create Keystore
keytool -import -alias meng04 -file d:/mule/ssl/server/cert.pem -keystore d:/mule/ssl/client/trustStore.jks
keytool asks for a password when it creates trustStore.jks (and asks you to confirm trusting the certificate); remember it, because it has to match storePassword on the trust store in the Mule connector configuration in Part II ("rabbitstore" there). Importing cert.pem pins this one server certificate, so the trust store has to be rebuilt whenever the server certificate is reissued; importing d:/mule/ssl/testca/cacert.pem instead trusts anything the test CA signs and survives renewal.
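The whole of Part I as one script, added here as an example that is not the post's own commands and not anything shipped by RabbitMQ: it builds the test CA, issues the server and client certificates through the same openssl ca / -extensions flow, writes the two PKCS#12 bundles, and then verifies the result before rabbitmq.config is touched. It is written for a POSIX shell (Git Bash or WSL on a Windows box, or a Linux/macOS workstation), so "set" becomes "export" and paths use forward slashes. The openssl.cnf inside it is a minimal stand-in for the file the post copies from the RabbitMQ guide, keeping the server_ca_extensions and client_ca_extensions section names the post's commands use; the host name meng04, the password file and the demo password are assumptions.

```shell
# Added example, not from the post or RabbitMQ: Part I's certificate procedure
# as one script, plus the checks to run before pointing the broker at it.
# The embedded openssl.cnf is a minimal stand-in for the RabbitMQ guide's file;
# the *_ca_extensions section names match the post's `openssl ca` commands.
# Assumed: hostname "meng04", a password file instead of pass:..., demo password.

make_test_pki() (
  set -e
  mkdir -p "$1"
  work=$(cd "$1" && pwd); host=${2:-meng04}
  cd "$work"
  mkdir -p testca/certs testca/private server client
  chmod 700 testca/private
  # Bookkeeping for `openssl ca`: serial holds exactly "01"; index.txt must be
  # empty (a stray blank line is enough to make `openssl ca` abort).
  echo 01 > testca/serial
  : > testca/index.txt
  cat > testca/openssl.cnf <<'EOF'
[ ca ]
default_ca = testca
[ testca ]
dir = .
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_days = 365
default_md = sha256
policy = testca_policy
[ testca_policy ]
commonName = supplied
organizationName = optional
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = root_ca_extensions
[ req_dn ]
commonName = MyTestCA
[ root_ca_extensions ]
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
  # The post's "very important step": every openssl call below reads this file.
  export OPENSSL_CONF="$work/testca/openssl.cnf"

  # 1. Self-signed test CA. -keyout is explicit here; the post relies on the
  #    cnf's default_keyfile to put the key in testca/private/cakey.pem.
  (cd testca && openssl req -x509 -newkey rsa:2048 -days 365 -nodes \
      -keyout private/cakey.pem -out cacert.pem -subj "/CN=MyTestCA")

  # 2. Key + CSR per role, then 3. sign it, selecting the extension profile by
  #    role. Same CN, different O, as in the post: `openssl ca` refuses a
  #    second certificate for an identical subject.
  for role in server client; do
    openssl genrsa -out "$role/key.pem" 2048 2>/dev/null
    openssl req -new -key "$role/key.pem" -out "$role/req.pem" -subj "/CN=$host/O=$role"
    (cd testca && openssl ca -config openssl.cnf -batch -notext \
        -extensions "${role}_ca_extensions" -in "../$role/req.pem" -out "../$role/cert.pem")
  done

  # 4. PKCS#12 bundles for the Java side. The password comes from a mode-600
  #    file rather than pass:..., so it never lands in shell history or ps.
  (umask 077; printf '%s' "MySecretPassword" > p12.pass)   # demo value only
  for role in server client; do
    openssl pkcs12 -export -in "$role/cert.pem" -inkey "$role/key.pem" \
        -out "$role/keycert.p12" -passout "file:$work/p12.pass"
  done
)

# Checks to run before editing rabbitmq.config: both leaves chain to the CA,
# and the extendedKeyUsage profiles are disjoint, so a leaked client cert
# cannot be turned around to impersonate the broker, nor the server cert
# presented as a client. Exits non-zero on the first failed check.
verify_test_pki() (
  set -e
  cd "$1"
  # positive: each leaf chains to the CA and is valid for its own purpose
  openssl verify -purpose sslserver -CAfile testca/cacert.pem server/cert.pem
  openssl verify -purpose sslclient -CAfile testca/cacert.pem client/cert.pem
  # negative: neither leaf passes for the other role's purpose
  if openssl verify -purpose sslclient -CAfile testca/cacert.pem server/cert.pem >/dev/null 2>&1 ||
     openssl verify -purpose sslserver -CAfile testca/cacert.pem client/cert.pem >/dev/null 2>&1; then
    echo "a leaf certificate passes for the wrong role: check the extension sections" >&2; exit 1
  fi
  echo "PKI under $1 verified"
)
# Usage: bash make_test_pki.sh /d/mule/ssl meng04
if [ $# -ge 1 ]; then
  make_test_pki "$1" "${2:-meng04}" && verify_test_pki "$1"
fi
```

Run it against the working directory and host name, then continue with the keytool import above exactly as written. If the Mule JVM is an older Java 8 build and rejects keycert.p12 with a password or algorithm error, re-export the bundle with OpenSSL 3's -legacy flag, which selects the older PKCS#12 encryption those runtimes understand.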
Import CA Cert
I kind of do not believe you need to run this step, though!! You can experiment with this step.
From the command line, run "certmgr".
Right-click the root CA store, Import, D:\mule\ssl\testca\cacert.cer
RabbitMQ Config file
On Windows, make sure you log in as the user who installed RabbitMQ!
At the command prompt, run "set AppData" or "echo %AppData%"; that shows you the default path where the RabbitMQ config and log files are: by default it is under %AppData%\RabbitMQ (for example, C:\Users\yourusername\AppData\Roaming\RabbitMQ).
Modify (create if needed) rabbitmq.config and put in:
[
  {rabbit, [
     {tcp_listeners, []},
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"d:/mule/ssl/testca/cacert.pem"},
                    {certfile,"d:/mule/ssl/server/cert.pem"},
                    {keyfile,"d:/mule/ssl/server/key.pem"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false}]}
   ]}
].
{tcp_listeners, []} disables the default plain-text port 5672; take it out if you want both the standard and the SSL port. Every brace and bracket in the file must balance and the file must end with "]." or RabbitMQ will not start. key.pem is unencrypted (-nodes above), so restrict d:/mule/ssl/server to the account RabbitMQ runs as. verify_peer makes the broker check any client certificate against cacert.pem, but fail_if_no_peer_cert,false still lets a client that presents no certificate connect with just a username and password; set it to true once the Mule side works to require the client certificate. Restart the RabbitMQ service after editing the file and check the log in the same directory for the SSL listener on 5671.
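The same listener block with the two settings a practitioner would tighten before relying on this for more than encryption in transit, added here as an example that is not from the post (the file paths are the post's; the versions list is an assumption that the Mule JVM can negotiate TLS 1.2, which Java 8 does by default):

```erlang
%% rabbitmq.config, hardened variant of the listener block above (added example)
[
  {rabbit, [
     {tcp_listeners, []},              %% no plaintext 5672 at all
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile, "d:/mule/ssl/testca/cacert.pem"},
                    {certfile,   "d:/mule/ssl/server/cert.pem"},
                    {keyfile,    "d:/mule/ssl/server/key.pem"},
                    {verify,     verify_peer},
                    %% true: a client that presents no certificate is cut off at
                    %% the handshake, before it can try a username/password.
                    %% The post's false only checks a certificate if one is sent.
                    {fail_if_no_peer_cert, true},
                    %% assumption: pin the protocol to TLS 1.2 (Erlang ssl `versions`)
                    {versions, ['tlsv1.2']}]}
   ]}
].
```

With fail_if_no_peer_cert set to true, the Mule connector must carry the ssl-key-store element shown in Part II; a connector that only has a trust store is rejected during the TLS handshake, before AMQP authentication starts. Leave it at false while bringing the client up, then flip it.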
Part II – Use AMQPS Connector
Assuming you have plain AMQP (without the "S" at the end) working, here is what you need to do for AMQPS:
Declaration
In your Mule application XML file, add the following at the beginning of the namespace section:
Schema prefix:
xmlns:amqps="http://www.mulesoft.org/schema/mule/amqps"
Schema location (a pair inside xsi:schemaLocation):
http://www.mulesoft.org/schema/mule/amqps http://www.mulesoft.org/schema/mule/amqps/current/mule-amqps.xsd
AMQPS connector configuration
<amqps:connector name="AMQP_0_9_ConnectorSSL" validateConnections="true"
    doc:name="AMQP-0-9 Connector" virtualHost="/" host="myhost" password="mypass"
    port="5671" username="myname">
    <amqps:ssl-key-store path="d:/mule/ssl/client/keycert.p12" type="PKCS12"
        algorithm="SunX509" keyPassword="MySecretPassword"
        storePassword="MySecretPassword" />
    <amqps:ssl-trust-store path="d:/mule/ssl/client/trustStore.jks" type="JKS"
        algorithm="SunX509" storePassword="rabbitstore" />
</amqps:connector>
host must be the name the server certificate was issued for (meng04 in Part I; "myhost" here is a placeholder), and port 5671 is the ssl_listeners port. The key store is client/keycert.p12 from Part I with the password given to -passout; the trust store password is the one you typed at the keytool prompt. All of these secrets sit in clear text in the application XML, so keep the file out of shared repositories or move them into a properties file the application reads at start-up.
Endpoint
<amqps:inbound-endpoint queueName="my-Q" queueDurable="true"
responseTimeout="10000" doc:name="AMQP-0-9-subscribe-CDM"
connector-ref="AMQP_0_9_ConnectorSSL" />
That’s it.
When I get the chance, I’ll post up the source code.
I really appreciate the information shared above. It's of great help.