Saturday, January 9, 2016

Installing Erlang OTP 18.2.1 from source on Ubuntu 15.04

Run these commands on the command line to do a quick install. This assumes you have already installed the Oracle JDK 1.7 or later (OpenJDK is also supported).


sudo apt-get install fop 
sudo apt-get install libncurses5-dev
sudo apt-get install unixodbc-dev
sudo apt-get install g++
sudo apt-get install libssl-dev


Download the Erlang OTP source archive from http://www.erlang.org/download.html . Make sure it is the OTP source package.

Let's assume you downloaded the otp_src_18.2.1.tar.gz file.
Then run the following commands.

tar -zxf otp_src_18.2.1.tar.gz
cd otp_src_18.2.1
./configure
make
sudo make install

Should be ready to go now!


Troubleshooting


What happens at each step if the prerequisite packages are not installed first

If you download, extract and try to configure Erlang without installing the prerequisites first, this is what you will see:

./configure
...
configure: error: No curses library functions found
configure: error: /bin/bash '/usr/local/src/otp_src_R14B02/erts/configure' failed for erts

So now you do this:

sudo apt-get install libncurses5-dev

Now let's try it again:

./configure

....

*********************************************************************
**********************  APPLICATIONS DISABLED  **********************
*********************************************************************

crypto         : No usable OpenSSL found
jinterface     : No Java compiler found
odbc           : ODBC library - link check failed
orber          : No C++ compiler found
ssh            : No usable OpenSSL found
ssl            : No usable OpenSSL found

*********************************************************************
*********************************************************************
**********************  APPLICATIONS INFORMATION  *******************
*********************************************************************

wx             : wxWidgets not found, wx will NOT be usable

*********************************************************************
*********************************************************************
**********************  DOCUMENTATION INFORMATION  ******************
*********************************************************************

documentation  : 
                 fop is missing.
                 Using fakefop to generate placeholder PDF files.

*********************************************************************


OK, that is better, but let's knock off some of these missing items.

Run the following at the command line:

sudo apt-get install fop 
sudo apt-get install libssl-dev
sudo apt-get install unixodbc-dev
sudo apt-get install g++

./configure
....
*********************************************************************
**********************  APPLICATIONS INFORMATION  *******************
*********************************************************************

wx             : wxWidgets not found, wx will NOT be usable

*********************************************************************

OK, looking better.

Now let's run these:

sudo apt-get install libwxbase2.8
sudo apt-get install libwxgtk2.8-dev
sudo apt-get install libgtk2.0-dev
sudo apt-get install libqt4-opengl-dev

./configure

...
configure: creating ./config.status
...

Ah, good: nothing missing and no errors.

Time to run make:

make

OK, that passed. Now run make install:

sudo make install

OK, now where is Erlang going to run from?

which erl

/usr/local/bin/erl

Good, this will override /usr/bin/erl.
Now it is time to do a little test of Erlang:

 erl
Erlang R14B02 (erts-5.8.3) [source] [64-bit] [smp:2:2] [rq:2] [async-threads:0] [kernel-poll:false]

Eshell V5.8.3  (abort with ^G)
1> wx:demo().
{wx_ref,35,wxFrame,<0.34.0>}
2> 

If you get the wxErlang widgets panel, then things are probably ready to go.
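
In the walk-through above, only the missing curses library stopped ./configure with an error; the missing OpenSSL headers just moved crypto, ssh and ssl into the APPLICATIONS DISABLED list. The following added example (not part of the original post) parses that summary so a build script can stop before make when the applications needed for TLS are disabled. The function names and the REQUIRED_APPS set are assumptions of this example.

```python
import re

# Summary taken from the ./configure output quoted in the walk-through (trimmed).
CONFIGURE_SUMMARY = """\
*********************************************************************
**********************  APPLICATIONS DISABLED  **********************
*********************************************************************

crypto         : No usable OpenSSL found
jinterface     : No Java compiler found
odbc           : ODBC library - link check failed
orber          : No C++ compiler found
ssh            : No usable OpenSSL found
ssl            : No usable OpenSSL found

*********************************************************************
**********************  APPLICATIONS INFORMATION  *******************
*********************************************************************

wx             : wxWidgets not found, wx will NOT be usable

*********************************************************************
"""

BANNER = re.compile(r"^\*+\s+([A-Z ]+?)\s+\*+$")
ENTRY = re.compile(r"^(\w+)\s*:\s*(\S.*)$")
# Assumption: the applications a TLS-enabled RabbitMQ broker cannot do without.
REQUIRED_APPS = {"crypto", "ssl"}

def parse_summary(text):
    """Return {section title: {application: reason}} for each banner section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        banner = BANNER.match(line)
        if banner:
            current = sections.setdefault(banner.group(1), {})
        elif current is not None and (entry := ENTRY.match(line)):
            current[entry.group(1)] = entry.group(2)
    return sections

def missing_required(text, required=REQUIRED_APPS):
    """Required applications that configure reported as disabled, sorted."""
    disabled = parse_summary(text).get("APPLICATIONS DISABLED", {})
    return sorted(required.intersection(disabled))
```

Feed it the captured output of ./configure and stop the build when missing_required returns a non-empty list.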



Friday, January 8, 2016

RabbitMQ - WSO2 ESB 4.9.0 Secure Communication Channel Implementation part 2

In this post, let's look at configuring WSO2 ESB to communicate using SSL. I assume you have followed the previous post, which is linked to this one, and were able to configure RabbitMQ with a similar rabbitmq.config file.

Look closely at the sample rabbitmq.config file in the previous post and you will see the following configuration.

Through the {fail_if_no_peer_cert,false} option, we state that we're prepared to accept clients which don't have a certificate to send us, but through the {verify,verify_peer} option, we state that if the client does send us a certificate, we must be able to establish a chain of trust to it. Note that the excerpt below sets verify to verify_none; with that value the broker does not verify client certificates at all, and fail_if_no_peer_cert only takes effect together with verify_peer.

 {verify, verify_none},   
 {fail_if_no_peer_cert,false},   

If we have set the "fail_if_no_peer_cert" value to false, then we can configure WSO2 ESB with a minimal configuration.

When the "fail_if_no_peer_cert" value is set to false

If fail_if_no_peer_cert is set to false in the RabbitMQ broker configuration, then you only need to specify <parameter name="rabbitmq.connection.ssl.enabled" locked="false">true</parameter>

    <!-- ================================================= -->
    <!--             Transport Ins (Listeners)                                                            -->
    <!-- ================================================= -->

 <transportReceiver name="rabbitmq" class="org.apache.axis2.transport.rabbitmq.RabbitMQListener">  
    <parameter name="AMQPConnectionFactory" locked="false">  
         <parameter name="rabbitmq.server.host.name" locked="false">localhost</parameter>  
         <parameter name="rabbitmq.server.port" locked="false">5671</parameter>  
         <parameter name="rabbitmq.server.user.name" locked="false">user</parameter>  
         <parameter name="rabbitmq.server.password" locked="false">user123</parameter>  
         <parameter name="rabbitmq.connection.retry.interval" locked="false">10000</parameter>  
         <parameter name="rabbitmq.connection.retry.count" locked="false">5</parameter>  
         <parameter name="rabbitmq.connection.ssl.enabled" locked="false">true</parameter>  
    </parameter>  
 </transportReceiver>  

When the "fail_if_no_peer_cert" value is set to true

When fail_if_no_peer_cert is set to true, you need to provide keystore and truststore information.

    <!-- ================================================= -->
    <!--             Transport Ins (Listeners)                                                            -->
    <!-- ================================================= -->

    <transportReceiver name="rabbitmq" class="org.apache.axis2.transport.rabbitmq.RabbitMQListener">  
           <parameter name="AMQPConnectionFactory" locked="false">  
           <parameter name="rabbitmq.server.host.name" locked="false">localhost</parameter>  
           <parameter name="rabbitmq.server.port" locked="false">5671</parameter>  
           <parameter name="rabbitmq.server.user.name" locked="false">user</parameter>  
           <parameter name="rabbitmq.server.password" locked="false">user123</parameter>  
           <parameter name="rabbitmq.connection.retry.interval" locked="false">10000</parameter>  
           <parameter name="rabbitmq.connection.retry.count" locked="false">5</parameter>  
           <parameter name="rabbitmq.connection.ssl.enabled" locked="false">true</parameter>  
           <parameter name="rabbitmq.connection.ssl.version" locked="false">TLSv1.2</parameter>  
           <parameter name="rabbitmq.connection.ssl.keystore.location" locked="false">/home/krishan/wso2_workspace/support_issues_setups/INGTURKEYDEV-16/client/keycert.p12</parameter>  
           <parameter name="rabbitmq.connection.ssl.keystore.type" locked="false">PKCS12</parameter>  
           <parameter name="rabbitmq.connection.ssl.keystore.password" locked="false">MySecretPassword</parameter>  
           <parameter name="rabbitmq.connection.ssl.truststore.location" locked="false">/home/krishan/wso2_workspace/support_issues_setups/INGTURKEYDEV-16/wso2esb-4.9.0/repository/resources/security/client-truststore.jks</parameter>  
           <parameter name="rabbitmq.connection.ssl.truststore.type" locked="false">JKS</parameter>  
           <parameter name="rabbitmq.connection.ssl.truststore.password" locked="false">wso2carbon</parameter>  
      </parameter>  
      </transportReceiver>  


rabbitmq.connection.ssl.keystore.location - The location of the client keystore. In the earlier post we created a separate folder called client; inside that folder you can find the keycert.p12 keystore.

rabbitmq.connection.ssl.keystore.password - The password of the keystore.

rabbitmq.connection.ssl.truststore.location - We can use the default truststore that ships with WSO2 ESB, but we need to import the RabbitMQ server certificate into it. That means importing the .pem certificate into the .jks truststore.

First, convert your certificate to DER format:

openssl x509 -outform der -in certificate.pem -out certificate.der

Then import it into the keystore (here cacerts stands for the truststore file you are importing into):

keytool -import -alias your-alias -keystore cacerts -file certificate.der

rabbitmq.connection.ssl.truststore.password - The default password for the truststore is wso2carbon.


We can define the SSL protocol version with the following parameter.
<parameter name="rabbitmq.connection.ssl.version" locked="false">SSL</parameter>
The values you can specify are listed below.
  • TLSv1
  • TLSv1.1
  • TLSv1.2
But the RabbitMQ documentation mentions that for TLS support we need to install Erlang 17.5 or a later version.
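
One way to review a connection factory for the settings discussed above, as an added example that is not part of the original post or of WSO2's code: it reads the rabbitmq transportReceiver from axis2.xml and reports an ssl.version other than TLSv1.2, a missing truststore, and a keystore or truststore password left at the default. The accepted-version policy, the function names and the sample XML are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the listener configuration above;
# the truststore path is a placeholder.
SAMPLE_AXIS2 = """\
<transportReceiver name="rabbitmq" class="org.apache.axis2.transport.rabbitmq.RabbitMQListener">
  <parameter name="AMQPConnectionFactory" locked="false">
    <parameter name="rabbitmq.server.host.name" locked="false">localhost</parameter>
    <parameter name="rabbitmq.server.port" locked="false">5671</parameter>
    <parameter name="rabbitmq.connection.ssl.enabled" locked="false">true</parameter>
    <parameter name="rabbitmq.connection.ssl.version" locked="false">SSL</parameter>
    <parameter name="rabbitmq.connection.ssl.truststore.location" locked="false">/path/to/client-truststore.jks</parameter>
    <parameter name="rabbitmq.connection.ssl.truststore.password" locked="false">wso2carbon</parameter>
  </parameter>
</transportReceiver>
"""

PREFIX = "rabbitmq.connection.ssl."
# Policy assumption for this example: accept only TLSv1.2 from the list in the
# post (TLSv1 and TLSv1.1 were deprecated by RFC 8996).
ACCEPTED_VERSIONS = {"TLSv1.2"}
DEFAULT_PASSWORDS = {"wso2carbon"}  # default truststore password named in the post

def audit_factory(factory):
    """Return findings for one connection-factory <parameter> element."""
    params = {p.get("name"): (p.text or "").strip() for p in factory.findall("parameter")}
    if params.get(PREFIX + "enabled", "").lower() != "true":
        return ["ssl.enabled is not true: the AMQP connection is not encrypted"]
    findings = []
    version = params.get(PREFIX + "version")
    if version not in ACCEPTED_VERSIONS:
        findings.append(f"ssl.version is {version!r}, expected one of {sorted(ACCEPTED_VERSIONS)}")
    if not params.get(PREFIX + "truststore.location"):
        findings.append("no truststore configured for validating the broker certificate")
    for key in ("keystore.password", "truststore.password"):
        if params.get(PREFIX + key) in DEFAULT_PASSWORDS:
            findings.append(f"ssl.{key} is still the product default")
    return findings

def audit_axis2(xml_text):
    """Map each RabbitMQ listener connection factory name to its findings."""
    root = ET.fromstring(xml_text)
    return {factory.get("name"): audit_factory(factory)
            for receiver in root.iter("transportReceiver")
            if receiver.get("name") == "rabbitmq"
            for factory in receiver.findall("parameter")}
```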

Also, don't forget to add transport sender configuration to the axis2.xml.

    <!-- ================================================= -->
    <!--             Transport Outs (Senders)                                                           -->
    <!-- ================================================= -->

 <transportSender name="rabbitmq" class="org.apache.axis2.transport.rabbitmq.RabbitMQSender"/>  

That's all for configuring WSO2 ESB 4.9.0. You can then follow this post and deploy a consumer proxy. It is the same as a normal consumer proxy that uses the above connection factory.

A sample SSL-enabled producer proxy service looks like the one below. You need to change the query parameters of the endpoint URL to get this to work.


 <?xml version="1.0" encoding="UTF-8"?>  
 <proxy xmlns="http://ws.apache.org/ns/synapse"  
     name="SSLrabitMQProducer"  
     transports="https,http"  
     statistics="disable"  
     trace="disable"  
     startOnLoad="true">  
   <target>  
    <inSequence>  
      <property name="FORCE_SC_ACCEPTED"  
           value="true"  
           scope="axis2"  
           type="STRING"/>  
      <property name="OUT_ONLY" value="true" scope="default" type="STRING"/>  
        <send description="send message to AMQP queue">  
       <endpoint name="RABBIT">  
         <address uri="rabbitmq:/PublishRabbitMQ?rabbitmq.queue.exclusive=false&amp;rabbitmq.queue.auto.delete=false&amp;rabbitmq.queue.routing.key=destination&amp;rabbitmq.server.host.name=localhost&amp;rabbitmq.server.port=5671&amp;rabbitmq.server.user.name=guest&amp;rabbitmq.server.password=guest&amp;rabbitmq.queue.name=queue1&amp;rabbitmq.exchange.name=amq.direct&amp;rabbitmq.connection.ssl.enabled=true&amp;rabbitmq.connection.ssl.version=SSL&amp;rabbitmq.connection.ssl.keystore.location=/home/krishan/rabbitcerts/client/keycert.p12&amp;rabbitmq.connection.ssl.keystore.type=PKCS12&amp;rabbitmq.connection.ssl.keystore.password=MySecretPassword&amp;rabbitmq.connection.ssl.truststore.location=/home/krishan/wso2esb-4.9.0/repository/resources/security/client-truststore.jks&amp;rabbitmq.connection.ssl.truststore.type=JKS&amp;rabbitmq.connection.ssl.truststore.password=wso2carbon"/>  
       </endpoint>  
      </send>  
    </inSequence>  
    <outSequence/>  
   </target>  
   <description/>  
 </proxy>  




Then restart the WSO2 ESB server with a JVM parameter like the following.

 ./wso2server.sh -Djavax.net.debug=ssl  

Then you can see SSL logs like the ones below.

 rabbitmq-Worker-1, WRITE: TLSv1.2 Change Cipher Spec, length = 1  
 *** Finished  
 verify_data: { 118, 108, 34, 38, 213, 148, 67, 35, 86, 77, 78, 36 }  
 ***  
 rabbitmq-Worker-1, WRITE: TLSv1.2 Handshake, length = 80  
 rabbitmq-Worker-1, READ: TLSv1.2 Change Cipher Spec, length = 1  
 rabbitmq-Worker-1, READ: TLSv1.2 Handshake, length = 80  
 *** Finished  
 verify_data: { 55, 201, 154, 129, 204, 176, 84, 154, 232, 100, 160, 92 }  
 ***  
 %% Cached client session: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256]  
 rabbitmq-Worker-1, WRITE: TLSv1.2 Application Data, length = 64  
 AMQP Connection 127.0.0.1:5671, READ: TLSv1.2 Application Data, length = 544  
 rabbitmq-Worker-1, WRITE: TLSv1.2 Application Data, length = 432  
 AMQP Connection 127.0.0.1:5671, READ: TLSv1.2 Application Data, length = 80  
 rabbitmq-Worker-1, setSoTimeout(15000) called
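
The log excerpt above already tells you what was negotiated. As an added example (not part of the original post), the script below reads javax.net.debug=ssl output in the format shown, collects the protocol version seen on Application Data records and the cipher suite of each cached session, and notes suites that use static RSA key exchange or CBC mode. The function name and the accepted-protocol policy are assumptions of this example.

```python
import re

# Lines copied from the javax.net.debug excerpt above.
SAMPLE_LOG = """\
rabbitmq-Worker-1, WRITE: TLSv1.2 Change Cipher Spec, length = 1
rabbitmq-Worker-1, WRITE: TLSv1.2 Handshake, length = 80
rabbitmq-Worker-1, READ: TLSv1.2 Change Cipher Spec, length = 1
rabbitmq-Worker-1, READ: TLSv1.2 Handshake, length = 80
%% Cached client session: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256]
rabbitmq-Worker-1, WRITE: TLSv1.2 Application Data, length = 64
AMQP Connection 127.0.0.1:5671, READ: TLSv1.2 Application Data, length = 544
"""

RECORD = re.compile(r"^\s*(?P<thread>.+?), (?:READ|WRITE): (?P<proto>\S+) "
                    r"(?P<kind>.+?), length = \d+\s*$")
SESSION = re.compile(r"Cached client session: \[Session-\d+, (?P<suite>\w+)\]")
ACCEPTED_PROTOCOLS = {"TLSv1.2"}  # policy assumption for this example

def summarize_tls_debug(log_text):
    """Collect post-handshake protocol versions and cached-session cipher suites."""
    protocols, suites = set(), []
    for line in log_text.splitlines():
        record = RECORD.match(line)
        # Application Data records carry the version the handshake settled on.
        if record and record["kind"] == "Application Data":
            protocols.add(record["proto"])
        session = SESSION.search(line)
        if session:
            suites.append(session["suite"])
    notes = [f"{p}: protocol outside {sorted(ACCEPTED_PROTOCOLS)}"
             for p in sorted(protocols - ACCEPTED_PROTOCOLS)]
    for suite in suites:
        if suite.startswith("TLS_RSA_"):
            notes.append(f"{suite}: static RSA key exchange, no forward secrecy")
        if "_CBC_" in suite:
            notes.append(f"{suite}: CBC mode, not an AEAD cipher")
    return {"protocols": sorted(protocols), "suites": suites, "notes": notes}
```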