Friday, January 8, 2016

RabbitMQ - WSO2 ESB 4.9.0 Secure Communication Channel Implementation part 2

In this post, let's look at configuring the WSO2 ESB to communicate with RabbitMQ over SSL. I assume you have followed the previous post linked to this one and are able to configure RabbitMQ with a similar rabbitmq.config file.

Look closely at the sample rabbitmq.config file in the previous post and you will see the following configuration.

With the {fail_if_no_peer_cert,false} option we state that we are prepared to accept clients which have no certificate to send us, while with the {verify,verify_peer} option we state that if the client does send us a certificate, we must be able to establish a chain of trust to it.

 {verify, verify_none},
 {fail_if_no_peer_cert,false},

Note that the sample above uses verify_none rather than verify_peer: with verify_none the broker does not verify a client certificate at all, so the chain-of-trust check described here only applies once verify is set to verify_peer.

If fail_if_no_peer_cert is set to false, we can configure the WSO2 ESB with a minimal configuration.

When fail_if_no_peer_cert is set to false

If fail_if_no_peer_cert is set to false in the RabbitMQ broker configuration, you only need to specify <parameter name="rabbitmq.connection.ssl.enabled" locked="false">true</parameter> in the connection factory.

    <!-- ================================================= -->
    <!--             Transport Ins (Listeners)             -->
    <!-- ================================================= -->

    <transportReceiver name="rabbitmq" class="org.apache.axis2.transport.rabbitmq.RabbitMQListener">
        <parameter name="AMQPConnectionFactory" locked="false">
            <parameter name="rabbitmq.server.host.name" locked="false">localhost</parameter>
            <parameter name="rabbitmq.server.port" locked="false">5671</parameter>
            <parameter name="rabbitmq.server.user.name" locked="false">user</parameter>
            <parameter name="rabbitmq.server.password" locked="false">user123</parameter>
            <parameter name="rabbitmq.connection.retry.interval" locked="false">10000</parameter>
            <parameter name="rabbitmq.connection.retry.count" locked="false">5</parameter>
            <parameter name="rabbitmq.connection.ssl.enabled" locked="false">true</parameter>
        </parameter>
    </transportReceiver>

When fail_if_no_peer_cert is set to true

Where fail_if_no_peer_cert is set to true, you also need to provide the keystore and truststore information.

    <!-- ================================================= -->
    <!--             Transport Ins (Listeners)             -->
    <!-- ================================================= -->

    <transportReceiver name="rabbitmq" class="org.apache.axis2.transport.rabbitmq.RabbitMQListener">
        <parameter name="AMQPConnectionFactory" locked="false">
            <parameter name="rabbitmq.server.host.name" locked="false">localhost</parameter>
            <parameter name="rabbitmq.server.port" locked="false">5671</parameter>
            <parameter name="rabbitmq.server.user.name" locked="false">user</parameter>
            <parameter name="rabbitmq.server.password" locked="false">user123</parameter>
            <parameter name="rabbitmq.connection.retry.interval" locked="false">10000</parameter>
            <parameter name="rabbitmq.connection.retry.count" locked="false">5</parameter>
            <parameter name="rabbitmq.connection.ssl.enabled" locked="false">true</parameter>
            <parameter name="rabbitmq.connection.ssl.version" locked="false">TLSv1.2</parameter>
            <parameter name="rabbitmq.connection.ssl.keystore.location" locked="false">/home/krishan/wso2_workspace/support_issues_setups/INGTURKEYDEV-16/client/keycert.p12</parameter>
            <parameter name="rabbitmq.connection.ssl.keystore.type" locked="false">PKCS12</parameter>
            <parameter name="rabbitmq.connection.ssl.keystore.password" locked="false">MySecretPassword</parameter>
            <parameter name="rabbitmq.connection.ssl.truststore.location" locked="false">/home/krishan/wso2_workspace/support_issues_setups/INGTURKEYDEV-16/wso2esb-4.9.0/repository/resources/security/client-truststore.jks</parameter>
            <parameter name="rabbitmq.connection.ssl.truststore.type" locked="false">JKS</parameter>
            <parameter name="rabbitmq.connection.ssl.truststore.password" locked="false">wso2carbon</parameter>
        </parameter>
    </transportReceiver>


rabbitmq.connection.ssl.keystore.location - The location of the client keystore. In the earlier post we created a separate folder called client; inside that folder you can find the keycert.p12 keystore.

rabbitmq.connection.ssl.keystore.password - The password of the keystore.

rabbitmq.connection.ssl.truststore.location - We can use the default truststore that ships with the WSO2 ESB, but we need to import the RabbitMQ server certificate into it, i.e. import the .pem certificate into the .jks truststore.

First, convert your certificate to DER format:

 openssl x509 -outform der -in certificate.pem -out certificate.der

Then import it into the ESB truststore (run from the repository/resources/security directory, or give the full path to client-truststore.jks):

 keytool -import -alias your-alias -keystore client-truststore.jks -file certificate.der

rabbitmq.connection.ssl.truststore.password - The default password for the truststore is wso2carbon.


We can define the SSL protocol version with the following parameter.

 <parameter name="rabbitmq.connection.ssl.version" locked="false">SSL</parameter>

The values you can specify are listed below.
  • TLSv1
  • TLSv1.1
  • TLSv1.2

Note that the RabbitMQ documentation states that TLS support requires Erlang 17.5 or a later version.

Also, don't forget to add transport sender configuration to the axis2.xml.

    <!-- ================================================= -->
    <!--             Transport Outs (Senders)              -->
    <!-- ================================================= -->

 <transportSender name="rabbitmq" class="org.apache.axis2.transport.rabbitmq.RabbitMQSender"/>  

That's all for configuring WSO2 ESB 4.9.0. You can then follow this post and deploy a consumer proxy; it is the same as a normal consumer proxy that uses the above connection factory.

A sample SSL-enabled producer proxy service looks like the one below. You need to change the query parameters of the endpoint URL to get this working in your environment.

 <?xml version="1.0" encoding="UTF-8"?>
 <proxy xmlns="http://ws.apache.org/ns/synapse"
        name="SSLrabitMQProducer"
        transports="https,http"
        statistics="disable"
        trace="disable"
        startOnLoad="true">
   <target>
     <inSequence>
       <property name="FORCE_SC_ACCEPTED" value="true" scope="axis2" type="STRING"/>
       <property name="OUT_ONLY" value="true" scope="default" type="STRING"/>
       <send description="send message to AMQP queue">
         <endpoint name="RABBIT">
           <address uri="rabbitmq:/PublishRabbitMQ?rabbitmq.queue.exclusive=false&amp;rabbitmq.queue.auto.delete=false&amp;rabbitmq.queue.routing.key=destination&amp;rabbitmq.server.host.name=localhost&amp;rabbitmq.server.port=5671&amp;rabbitmq.server.user.name=guest&amp;rabbitmq.server.password=guest&amp;rabbitmq.queue.name=queue1&amp;rabbitmq.exchange.name=amq.direct&amp;rabbitmq.connection.ssl.enabled=true&amp;rabbitmq.connection.ssl.version=SSL&amp;rabbitmq.connection.ssl.keystore.location=/home/krishan/rabbitcerts/client/keycert.p12&amp;rabbitmq.connection.ssl.keystore.type=PKCS12&amp;rabbitmq.connection.ssl.keystore.password=MySecretPassword&amp;rabbitmq.connection.ssl.truststore.location=/home/krishan/wso2esb-4.9.0/repository/resources/security/client-truststore.jks&amp;rabbitmq.connection.ssl.truststore.type=JKS&amp;rabbitmq.connection.ssl.truststore.password=wso2carbon"/>
         </endpoint>
       </send>
     </inSequence>
     <outSequence/>
   </target>
   <description/>
 </proxy>

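As an added example (not code from the original post or from WSO2), the following Python check flattens the rabbitmq.* parameters from an axis2.xml transportReceiver block and from a rabbitmq:/ endpoint address like the one above into one dictionary, then flags the settings this post discusses: SSL disabled, ssl.version not pinned to TLSv1.2, a missing client keystore when the broker has fail_if_no_peer_cert set to true, and the default truststore password. The receiver XML and endpoint URI inside the block are constructed samples in the same shape as the page's configuration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the shape of the axis2.xml receiver above (not the page's own file).
RECEIVER_XML = """<transportReceiver name="rabbitmq" class="org.apache.axis2.transport.rabbitmq.RabbitMQListener">
  <parameter name="AMQPConnectionFactory" locked="false">
    <parameter name="rabbitmq.server.port" locked="false">5671</parameter>
    <parameter name="rabbitmq.connection.ssl.enabled" locked="false">true</parameter>
    <parameter name="rabbitmq.connection.ssl.version" locked="false">TLSv1.2</parameter>
    <parameter name="rabbitmq.connection.ssl.truststore.password" locked="false">wso2carbon</parameter>
  </parameter>
</transportReceiver>"""

# Constructed endpoint address in the shape of the producer proxy above.
ENDPOINT_URI = ("rabbitmq:/PublishRabbitMQ?rabbitmq.server.port=5671"
                "&rabbitmq.server.user.name=guest&rabbitmq.server.password=guest"
                "&rabbitmq.connection.ssl.enabled=true&rabbitmq.connection.ssl.version=SSL")


def settings_from_receiver(xml_text):
    """Flatten the nested <parameter> elements into a {name: value} dict."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.text or "").strip()
            for p in root.iter("parameter") if p.get("name", "").startswith("rabbitmq.")}


def settings_from_uri(uri):
    """Extract the rabbitmq.* query parameters of a rabbitmq:/ endpoint address."""
    return {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()
            if k.startswith("rabbitmq.")}


def check_ssl_settings(s, broker_requires_client_cert):
    """Return a list of findings for one connection-factory configuration."""
    findings = []
    if s.get("rabbitmq.connection.ssl.enabled", "false").lower() != "true":
        findings.append("ssl.enabled is not true: AMQP traffic is sent in cleartext")
        return findings  # the remaining checks only make sense with SSL on
    version = s.get("rabbitmq.connection.ssl.version", "")
    if version != "TLSv1.2":
        findings.append("ssl.version %r is not TLSv1.2 (SSL/TLSv1/TLSv1.1 are deprecated)" % version)
    if broker_requires_client_cert and not s.get("rabbitmq.connection.ssl.keystore.location"):
        findings.append("broker sets fail_if_no_peer_cert=true but no client keystore is configured")
    if s.get("rabbitmq.connection.ssl.truststore.password") == "wso2carbon":
        findings.append("truststore still uses the default password wso2carbon")
    return findings


if __name__ == "__main__":
    for source, cfg in (("receiver", settings_from_receiver(RECEIVER_XML)),
                        ("endpoint", settings_from_uri(ENDPOINT_URI))):
        print(source, check_ssl_settings(cfg, broker_requires_client_cert=True))
```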
Then restart the WSO2 ESB server with JVM parameters as follows.

 ./wso2server.sh -Djavax.net.debug=ssl  

Then you can see SSL debug logs like the following.

 rabbitmq-Worker-1, WRITE: TLSv1.2 Change Cipher Spec, length = 1  
 *** Finished  
 verify_data: { 118, 108, 34, 38, 213, 148, 67, 35, 86, 77, 78, 36 }  
 ***  
 rabbitmq-Worker-1, WRITE: TLSv1.2 Handshake, length = 80  
 rabbitmq-Worker-1, READ: TLSv1.2 Change Cipher Spec, length = 1  
 rabbitmq-Worker-1, READ: TLSv1.2 Handshake, length = 80  
 *** Finished  
 verify_data: { 55, 201, 154, 129, 204, 176, 84, 154, 232, 100, 160, 92 }  
 ***  
 %% Cached client session: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA256]  
 rabbitmq-Worker-1, WRITE: TLSv1.2 Application Data, length = 64  
 AMQP Connection 127.0.0.1:5671, READ: TLSv1.2 Application Data, length = 544  
 rabbitmq-Worker-1, WRITE: TLSv1.2 Application Data, length = 432  
 AMQP Connection 127.0.0.1:5671, READ: TLSv1.2 Application Data, length = 80  
 rabbitmq-Worker-1, setSoTimeout(15000) called  
