This post provides step-by-step instructions to enable SSL with RabbitMQ and then use the AMQPS connector with Mule ESB.
- I followed the step-by-step instructions from here to set up RabbitMQ: https://www.rabbitmq.com/ssl.html, with some twists tailored to my own environment.
- I used this to implement Mule AMQPS: https://github.com/mulesoft/mule-transport-amqp/blob/master/GUIDE.md
- I am installing on Windows 7 server.
Part I – Enable SSL on RabbitMQ
Finished view of the directories for the certificates:
I just want to give you an overview of the certificate directories. It may help you navigate the paths as you generate the certificates in the next few sections:
D:\MULE\ssl
├───client
├───server
└───testca
    ├───certs
    └───private
CA: Certificate Authority
Download OpenSSL if you haven’t done so. I used ftp://ftp.openssl.org/source/
Select a working directory. I use “d:\mule\ssl”; you can pick your own.
The instructions are a mirror of the online instructions, followed by some extra notes when necessary.
mkdir testca
cd testca
mkdir certs private (create two directories)
chmod 700 private (no action on windows)
echo 01 > serial (create file with text editor, just put one line with “01”, no extra contents)
touch index.txt (create an empty index.txt file, no extra contents or blank lines, otherwise, it would cause problems)
copy the content of the cnf file and put in the following file:
set OPENSSL_CONF=D:\mule\ssl\testca\openssl.cnf (very important step on Windows, otherwise, you’ll have many problems)
openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes
openssl x509 -in cacert.pem -out cacert.cer -outform DER
Server Certificates
cd .. (moves to your working directory)
mkdir server
cd server
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=meng04/O=server/ -nodes
cd ../testca
openssl ca -config openssl.cnf -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions server_ca_extensions
cd ../server
openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:MySecretPassword
Client Certs
cd .. (move to your working directory)
mkdir client
cd client
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=meng04/O=client/ -nodes
cd ../testca
openssl ca -config openssl.cnf -in ../client/req.pem -out ../client/cert.pem -notext -batch -extensions client_ca_extensions
cd ../client
openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:MySecretPassword
Create Keystore
keytool -import -alias meng04 -file d:/mule/ssl/server/cert.pem -keystore d:/mule/ssl/client/trustStore.jks
Import CA Cert
I kind of do not believe you need to run this step though!! You can experiment with this step.
From command line run “certmgr”
right click root CA, import, D:\mule\ssl\testca\cacert.cer
RabbitMQ Config file
On Windows, make sure you log in as the user who installed RabbitMQ!
On the command prompt, run “set AppData” or “echo %AppData%”; that should show you the default path where the RabbitMQ config and log files are. By default, it is under %AppData%/RabbitMQ (example, c:\users\yourusername\Roaming\RabbitMQ).
Modify (create if needed) rabbitmq.config, put in
[
  {rabbit, [
     {tcp_listeners, []},
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"d:/mule/ssl/testca/cacert.pem"},
                    {certfile,"d:/mule/ssl/server/cert.pem"},
                    {keyfile,"d:/mule/ssl/server/key.pem"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false}]}
   ]}
].
{tcp_listeners, []} will disable the default port 5672; take it out if you want both standard and SSL ports.
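An added example (not part of the original post): a small Python audit of the classic-format rabbitmq.config shown above, flagging settings that leave a plaintext port open or let a client connect without presenting a certificate. The function names are hypothetical and the embedded config is the sample from this post; the newer rabbitmq.conf key/value format is not handled.

```python
import re

# Constructed sample: the rabbitmq.config from this post (classic Erlang-term format).
PAGE_CONFIG = """
[
  {rabbit, [
     {tcp_listeners, []},
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"d:/mule/ssl/testca/cacert.pem"},
                    {certfile,"d:/mule/ssl/server/cert.pem"},
                    {keyfile,"d:/mule/ssl/server/key.pem"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false}]}
   ]}
].
"""

def setting(text, key):
    """Return the raw value of an Erlang {key, value} tuple, or None if absent."""
    pattern = r"\{\s*%s\s*,\s*(\[[^\]]*\]|[^\s{}\[\],]+)\s*\}" % re.escape(key)
    match = re.search(pattern, text)
    return re.sub(r"\s", "", match.group(1)) if match else None

def audit(config_text):
    """Return (id, message) findings for the TLS listener settings (hypothetical helper)."""
    # Drop '%' comments so commented-out settings do not count (assumes no '%' in values).
    text = "\n".join(line.split("%", 1)[0] for line in config_text.splitlines())
    findings = []
    if setting(text, "tcp_listeners") != "[]":
        findings.append(("plaintext-listener",
                         "tcp_listeners is not [], so a non-TLS AMQP port stays open"))
    if setting(text, "ssl_listeners") in (None, "[]"):
        findings.append(("no-tls-listener", "no ssl_listeners port is configured"))
    if setting(text, "verify") != "verify_peer":
        findings.append(("no-peer-verify", "client certificates are not validated"))
    if setting(text, "fail_if_no_peer_cert") != "true":
        findings.append(("client-cert-optional",
                         "clients that present no certificate are still accepted"))
    return findings

if __name__ == "__main__":
    for finding_id, message in audit(PAGE_CONFIG):
        print(finding_id + ": " + message)
```

Run against the config from this post, the only finding is client-cert-optional: with {fail_if_no_peer_cert,false} the broker validates a client certificate when one is sent but does not require one, so the username and password remain the only mandatory credential.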
Part II – Use AMQPS Connector
Assuming you got your AMQP (without “S” at the end) working, here is what you need to do for AMQPS:
Declaration
In your Mule application XML file, add the following at the beginning of the namespace section:
Schema prefix:
xmlns:amqps="http://www.mulesoft.org/schema/mule/amqps"
Schema location:
http://www.mulesoft.org/schema/mule/amqps http://www.mulesoft.org/schema/mule/amqps/current/mule-amqps.xsd
AMQPS connector configuration
<amqps:connector name="AMQP_0_9_ConnectorSSL" validateConnections="true"
    doc:name="AMQP-0-9 Connector" virtualHost="/" host="myhost" password="mypass"
    port="5671" username="myname">
    <amqps:ssl-key-store path="d:/mule/ssl/client/keycert.p12" type="PKCS12"
        algorithm="SunX509" keyPassword="MySecretPassword"
        storePassword="MySecretPassword" />
    <amqps:ssl-trust-store path="d:/mule/ssl/client/trustStore.jks" type="JKS"
        algorithm="SunX509" storePassword="rabbitstore" />
</amqps:connector>
Endpoint
<amqps:inbound-endpoint queueName="my-Q" queueDurable="true"
responseTimeout="10000" doc:name="AMQP-0-9-subscribe-CDM"
connector-ref="AMQP_0_9_ConnectorSSL" />
That’s it.
When I get the chance, I’ll post up the source code.