Tuesday, August 18, 2015

Use Mule AMQPS (SSL) to Connect to RabbitMQ

This post provides step-by-step instructions to enable SSL on RabbitMQ, and then to use the AMQPS connector with Mule ESB.

Part I – Enable SSL on RabbitMQ

Finished view of the certificate directories:

This is just an overview of the certificate directories. It may help you navigate the paths as you generate the certificates in the next few sections:

D:\MULE\ssl
├───client
├───server
└───testca
    ├───certs
    └───private

CA: Certificate Authority


Download OpenSSL if you haven’t done so. I used ftp://ftp.openssl.org/source/

Select a working directory; I use “d:\mule\ssl”, but you can pick your own.
The instructions mirror the online instructions, followed by some extra notes where necessary.

mkdir testca
cd testca
mkdir certs private (create two directories)
chmod 700 private (no action on Windows)
echo 01 > serial (create the file with a text editor; put in one line with “01” and no extra contents)
touch index.txt (create an empty index.txt file with no extra contents or blank lines, otherwise it causes problems)

Copy the contents of the openssl.cnf file from the online instructions into D:\mule\ssl\testca\openssl.cnf, then point OpenSSL at it:
set OPENSSL_CONF=D:\mule\ssl\testca\openssl.cnf (a very important step on Windows; otherwise you’ll have many problems)

openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes
openssl x509 -in cacert.pem -out cacert.cer -outform DER

Server Certificates

cd .. (moves to your working directory)
mkdir server
cd server
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=meng04/O=server/ -nodes

cd ../testca
openssl ca -config openssl.cnf -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions server_ca_extensions

cd ../server
openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:MySecretPassword

Client Certs

cd .. (moves to your working directory)
mkdir client
cd client
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=meng04/O=client/ -nodes

cd ../testca
openssl ca -config openssl.cnf -in ../client/req.pem -out ../client/cert.pem -notext -batch -extensions client_ca_extensions

cd ../client
openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:MySecretPassword

Create Keystore

keytool -import -alias meng04 -file d:/mule/ssl/server/cert.pem -keystore d:/mule/ssl/client/trustStore.jks

keytool prompts for a trust store password; the connector configuration in Part II uses rabbitstore for this store. Note that this imports the server’s own certificate into the trust store, so the client trusts exactly that certificate; importing cacert.pem instead would trust any server certificate issued by the test CA.

Import CA Cert

I kind of do not believe you need to run this step, though! You can experiment with it.
From the command line, run “certmgr”.
Right-click the root CA store, choose Import, and select D:\mule\ssl\testca\cacert.cer

RabbitMQ Config file


On Windows, make sure you log in as the user who installed RabbitMQ!
At the command prompt, run “set AppData” or “echo %AppData%”; that shows the default path where the RabbitMQ config and log files live. By default it is %AppData%\RabbitMQ (for example, C:\Users\yourusername\AppData\Roaming\RabbitMQ).

Modify (or create, if needed) rabbitmq.config and put in:

[
  {rabbit, [
    {tcp_listeners, []},
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile,"d:/mule/ssl/testca/cacert.pem"},
                   {certfile,"d:/mule/ssl/server/cert.pem"},
                   {keyfile,"d:/mule/ssl/server/key.pem"},
                   {verify,verify_peer},
                   {fail_if_no_peer_cert,false}]}
  ]}
].

{tcp_listeners, []} disables the default plaintext port 5672; take it out if you want both the standard and the SSL ports. Note that {verify,verify_peer} together with {fail_if_no_peer_cert,false} validates a client certificate when one is presented but still accepts clients that present none; set it to true to require the client certificate generated above.
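As an added example (not from the post), a small Python script that parses the listener and ssl_options settings of a rabbitmq.config and flags the points a reviewer would check: a plaintext listener left open, missing certificate files, and verify_peer combined with fail_if_no_peer_cert false, which accepts clients that present no certificate at all. The two sample configs are constructed from the one above.

```python
import re

# Constructed sample: the post's rabbitmq.config with its stray brace removed.
POST_CONFIG = """
[{rabbit, [
   {tcp_listeners, []},
   {ssl_listeners, [5671]},
   {ssl_options, [{cacertfile,"d:/mule/ssl/testca/cacert.pem"},
                  {certfile,"d:/mule/ssl/server/cert.pem"},
                  {keyfile,"d:/mule/ssl/server/key.pem"},
                  {verify,verify_peer},
                  {fail_if_no_peer_cert,false}]}]}].
"""
# Constructed variant that requires the client certificate the post generates.
STRICT_CONFIG = POST_CONFIG.replace("{fail_if_no_peer_cert,false}",
                                    "{fail_if_no_peer_cert,true}")

# Erlang term subset used by rabbitmq.config: strings, brackets, atoms, integers
# (whitespace and the trailing '.' are skipped; % comments are not supported).
TOKEN = re.compile(r'"[^"]*"|[\[\]{},]|[a-z]\w*|\d+')

def parse_terms(text):
    it = iter(TOKEN.findall(text))
    def node(tok):
        if tok in ("[", "{"):              # list -> Python list, tuple -> tuple
            close, items = ("]" if tok == "[" else "}"), []
            for nxt in it:
                if nxt == close:
                    break
                if nxt != ",":
                    items.append(node(nxt))
            return items if close == "]" else tuple(items)
        if tok[0] == '"':
            return tok[1:-1]               # string
        return int(tok) if tok.isdigit() else tok  # integer or atom
    return node(next(it))

def audit(config_text):
    rabbit = dict(dict(parse_terms(config_text)).get("rabbit", []))
    ssl_opts = dict(rabbit.get("ssl_options", []))
    findings = []
    if rabbit.get("tcp_listeners", [5672]):  # RabbitMQ's default keeps 5672 open
        findings.append("plaintext AMQP listener still enabled (tcp_listeners)")
    for key in ("cacertfile", "certfile", "keyfile"):
        if key not in ssl_opts:
            findings.append("ssl_options is missing " + key)
    if ssl_opts.get("verify") != "verify_peer":
        findings.append("client certificates are not checked (verify != verify_peer)")
    elif ssl_opts.get("fail_if_no_peer_cert", "false") != "true":  # default false
        findings.append("clients without a certificate are accepted (fail_if_no_peer_cert is false)")
    return findings
```

Run audit(POST_CONFIG) to see the single fail_if_no_peer_cert finding for the post's config; audit(STRICT_CONFIG) returns no findings.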

Part II – Use AMQPS Connector


Assuming you got your AMQP (without “S” at the end) working, here is what you need to do for AMQPS:

Declaration


In your Mule application XML file, add the following to the namespace section:
Schema prefix: xmlns:amqps="http://www.mulesoft.org/schema/mule/amqps"
Schema location (append to xsi:schemaLocation):
http://www.mulesoft.org/schema/mule/amqps http://www.mulesoft.org/schema/mule/amqps/current/mule-amqps.xsd

AMQPS connector configuration


<amqps:connector name="AMQP_0_9_ConnectorSSL" validateConnections="true" doc:name="AMQP-0-9 Connector" virtualHost="/" host="myhost" password="mypass" port="5671" username="myname">
    <amqps:ssl-key-store path="d:/mule/ssl/client/keycert.p12" type="PKCS12"
        algorithm="SunX509" keyPassword="MySecretPassword" storePassword="MySecretPassword" />
    <amqps:ssl-trust-store path="d:/mule/ssl/client/trustStore.jks" type="JKS"
        algorithm="SunX509" storePassword="rabbitstore" />
</amqps:connector>

Endpoint

<amqps:inbound-endpoint queueName="my-Q" queueDurable="true" responseTimeout="10000" doc:name="AMQP-0-9-subscribe-CDM" connector-ref="AMQP_0_9_ConnectorSSL" />


That’s it. When I get the chance, I’ll post up the source code.
