Brian,
Thank you for the detailed explanation.
I don't believe you're doing anything wrong. We just need to add the feature
you describe (pulling credentials from the certificate).
Would you mind creating a JIRA ticket and, if at all possible, attaching sample
code that demonstrates exactly what you're trying to accomplish?
Cheers
Oleg
On Dec 10, 2016, at 03:52, Kiran <b.deep.internatio...@gmail.com> wrote:
Hello,
I'm having a bit of trouble getting NiFi to talk to RabbitMQ using SSL. I've
created some certificates using openssl and I have been successful in
sending messages to RabbitMQ when I specify an SSL context and a
username/password. In this scenario I can see a TLS 1.2 HTTPS connection form
between NiFi and RabbitMQ and the username and password are then used to
authenticate successfully, so from this I know that the certs being used are
valid.
What I'm trying to achieve is for the RabbitMQ username to be pulled out of the
certificate COMMON_NAME so I don't need to provide a username and password. I've
created a quick test application to confirm that I can connect successfully to
RabbitMQ using the certs I created and just the certificate CN name, and this
worked, which means it must be something I've done wrong within my NiFi
processor configuration, which is why I'm sending this email for help :)
The RabbitMQ configuration I'm using is:
* RabbitMQ 3.5.4
* Erlang 18.0
* rabbitmq_auth_mechanism_ssl plugin enabled
* Base OS is RHEL 6.5
My RabbitMQ.config contains the following:
    [
      {rabbit, [
        {ssl_listeners, [5671]},
        {loopback_users, []},
        {auth_mechanisms, ['EXTERNAL', 'PLAIN']},
        {ssl_options, [{cacertfile,"/home/data/openssl/brian_testca/cacert.pem"},
                       {certfile,"/home/data/openssl/brian_server/cert.pem"},
                       {keyfile,"/home/data/openssl/brian_server/key.pem"},
                       {verify,verify_peer},
                       {versions, ['tlsv1.2']},
                       {password, "MySecretPassword"},
                       {verify,verify_peer},
                       {ssl_cert_login_from, common_name},
                       {fail_if_no_peer_cert,true}]}
      ]}
    ].
The NiFi configuration I'm using is:
* NiFi 0.7.1 (We are in the process of updating to NiFi 1.1.0 but there are some
dependencies on other projects so it will happen, just not for a few months)
* 2 Clusters each made up of 1 NCM and 3 Nodes
* In the PublishAMQP I've put the certificate CN name into the "username" field.
The client certificate I'm using to connect to RabbitMQ has a CN name of:
"rabbitmq_client". There is an entry for it in the RabbitMQ users with NO
PASSWORD set.
Error message in the rabbitmq log files:
=ERROR REPORT 7-Dec-2016::21:47:30 ===
closing AMQP connection <0.905.0> (192.168.137.1:54324 -> 192.168.137.128:5671):
{handshake_error,starting,0,
{amqp_error,access_refused,
"PLAIN login refused: user 'rabbitmq_client' -
invalid credentials",
'connection.start_ok'}}
Please can you tell me if there is something obvious that I've missed out of my
NiFi configuration?
I did have a very brief look at the code and I was thinking that, because the
USERNAME and PASSWORD were mandatory fields and always used to establish the
connection, it could be that RabbitMQ prioritises those fields before trying to
pull out the CN name and use that for authentication. The reason I was
thinking this was that in the test app I created I didn't specify the username or
password when setting up my ConnectionFactory, but the RabbitMQ documentation
says that even if you don't specify the username and password they default to
guest/guest, so this could be a red herring.
Thanks in advance for the help,
Brian
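For readers following this thread, here is an added example (not code from NiFi or from Brian's test app) of what the "pull the user from the certificate CN" connection looks like with the RabbitMQ Java client that NiFi's PublishAMQP wraps: the client presents its certificate, selects the SASL EXTERNAL mechanism, and sends no username/password at all, so the broker's rabbitmq_auth_mechanism_ssl plugin resolves the user from the CN. Keystore file names, passwords and the host name are placeholders, and it assumes amqp-client 4.x or later for DefaultSaslConfig.EXTERNAL.

```java
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;
import com.rabbitmq.client.DefaultSaslConfig;
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ExternalAuthPublisher {

    // Build an SSLContext that presents the client certificate (PKCS12 keystore)
    // and trusts only the CA that signed the broker certificate (JKS truststore).
    // Paths and passwords are placeholders, not values from the thread.
    static SSLContext buildSslContext(String p12Path, char[] p12Pass,
                                      String trustPath, char[] trustPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) { ks.load(in, p12Pass); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, p12Pass);

        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustPath)) { ts.load(in, trustPass); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        // The broker above pins versions to ['tlsv1.2'], so match it explicitly.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Connect with SASL EXTERNAL: the client sends no credentials in
    // connection.start_ok; the broker maps the certificate CN to a user that
    // exists with no password. setUsername/setPassword are deliberately not
    // called, since with PLAIN the client would fall back to guest/guest.
    static Connection connect(SSLContext ctx, String host) throws Exception {
        ConnectionFactory f = new ConnectionFactory();
        f.setHost(host);
        f.setPort(5671);
        f.useSslProtocol(ctx);
        f.setSaslConfig(DefaultSaslConfig.EXTERNAL);
        return f.newConnection();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildSslContext("client.p12", "changeit".toCharArray(),
                                         "truststore.jks", "changeit".toCharArray());
        Connection c = connect(ctx, "rabbitmq.example.test"); // placeholder host
        try { System.out.println("connected via EXTERNAL: " + c.isOpen()); }
        finally { c.close(); }
    }
}
```

If the broker log still reports "PLAIN login refused", the client is not negotiating EXTERNAL, which is exactly the gap Oleg describes in PublishAMQP: it always sends the username/password fields over PLAIN.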