Hello,

I'm having a bit of trouble getting NiFi to talk to RabbitMQ using SSL. I've created some certificates using openssl and I have been successful in sending messages to RabbitMQ when I specify an SSL context and a username/password. In this scenario I can see a TLS 1.2 HTTPS connection form between NiFi and RabbitMQ and the username and password are then used to authenticate successfully, so from this I know that the certs being used are valid.

What I'm trying to achieve is for the RabbitMQ username to be pulled out of the certificate COMMON_NAME so I don't need to provide a username and password. I've created a quick test application to confirm that I can connect successfully to RabbitMQ using the certs I created and just the certificate CN name, and this worked, which means it must be something I've done wrong within my NiFi processor configuration, which is why I'm sending this email for help :)

The RabbitMQ configuration I'm using is:
RabbitMQ 3.5.4
Erlang 18.0
rabbitmq_auth_mechanism_ssl plugin enabled
Base OS is RHEL 6.5
My RabbitMQ.config contains the following:
[
  {rabbit, [
     {ssl_listeners, [5671]},
     {loopback_users, []},
     %% EXTERNAL is offered first so the ssl auth mechanism plugin can log clients in by certificate
     {auth_mechanisms, ['EXTERNAL', 'PLAIN']},
     {ssl_options, [{cacertfile,"/home/data/openssl/brian_testca/cacert.pem"},
                    {certfile,"/home/data/openssl/brian_server/cert.pem"},
                    {keyfile,"/home/data/openssl/brian_server/key.pem"},
                    %% require and verify a client certificate (this entry was listed twice; one copy is enough)
                    {verify,verify_peer},
                    {versions, ['tlsv1.2']},
                    {password,  "MySecretPassword"},
                    %% take the RabbitMQ username from the client certificate's CN
                    {ssl_cert_login_from, common_name},
                    {fail_if_no_peer_cert,true}]}
   ]}
].

The NiFi configuration I'm using is:
NiFi 0.7.1 (We are in the process of updating to NiFi 1.1.0 but there are some dependencies on other projects so it will happen just not for a few months)
2 Clusters each made up of 1 NCM and 3 Nodes
In the PublishAMQP I've put the certificate CN name into the "username" field. The client certificate I'm using to connect to RabbitMQ has a CN name of: "rabbitmq_client". There is an entry for it in the RabbitMQ users with NO PASSWORD set.

Error message in the rabbitmq log files:

=ERROR REPORT==== 7-Dec-2016::21:47:30 ===
closing AMQP connection <0.905.0> (192.168.137.1:54324 -> 192.168.137.128:5671):
{handshake_error,starting,0,
                 {amqp_error,access_refused,
"PLAIN login refused: user 'rabbitmq_client' - invalid credentials",
                             'connection.start_ok'}}

Please can you tell me if there is something obvious that I've missed out in my NiFi configuration?

I did have a very brief look at the code and I was thinking that, because the USERNAME and PASSWORD are mandatory fields and always used to establish the connection, it could be that RabbitMQ prioritises those fields before trying to pull out the CN name and using that for authentication. The reason I was thinking this was that in the test app I created I didn't specify the username or password when setting up my ConnectionFactory, but the RabbitMQ documentation says that even if you don't specify the username and password they default to guest/guest, so this could be a red herring.

Thanks in advance for the help,

Brian
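An added example (not from this thread, and not NiFi's or RabbitMQ's own code) of what the client side has to do for certificate-CN login with the RabbitMQ Java client: the EXTERNAL SASL mechanism must be selected explicitly with setSaslConfig, otherwise the client offers PLAIN, which is the mechanism named in the broker log above. Keystore and truststore paths and passwords are placeholders; the broker address is the one from the log.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import com.rabbitmq.client.Channel;
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;
import com.rabbitmq.client.DefaultSaslConfig;

public class ExternalAuthPublisher {
    // Placeholder paths/passwords: client cert + key (CN=rabbitmq_client) and the CA that signed the broker cert.
    static final String KEYSTORE = "/path/to/rabbitmq_client.p12";
    static final String TRUSTSTORE = "/path/to/cacert.jks";
    static final char[] KEYSTORE_PASS = "changeit".toCharArray();
    static final char[] TRUSTSTORE_PASS = "changeit".toCharArray();

    // Build a TLS 1.2 context that presents the client certificate and trusts only our CA.
    static SSLContext buildSslContext() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(KEYSTORE)) { ks.load(in, KEYSTORE_PASS); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, KEYSTORE_PASS);

        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(TRUSTSTORE)) { ts.load(in, TRUSTSTORE_PASS); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost("192.168.137.128");
        factory.setPort(5671);
        factory.useSslProtocol(buildSslContext());
        // The broker only applies ssl_cert_login_from when the client proposes EXTERNAL.
        // Without this line the client sends PLAIN (default guest/guest), which the broker refuses.
        factory.setSaslConfig(DefaultSaslConfig.EXTERNAL);
        // No setUsername/setPassword: the identity comes from the certificate CN.

        Connection conn = factory.newConnection();
        try {
            Channel ch = conn.createChannel();
            ch.queueDeclare("tls-test", false, false, false, null);
            ch.basicPublish("", "tls-test", null, "hello over EXTERNAL".getBytes("UTF-8"));
        } finally {
            conn.close();
        }
    }
}
```

If the broker still answers "PLAIN login refused", the client never proposed EXTERNAL, so check the client configuration rather than the certificate.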
