The detailed process of a Java RabbitMQ SSL secure connection (with pictures)

1 Generate a certificate

git clone https://github.com/michaelklishin/tls-gen tls-gen

Execute the generate command:
cd tls-gen/basic
make PASSWORD=123456
(If the make command does not exist, install python3, and make sure openssl is already installed: if the openssl command works at the command line, it exists. 123456 is the password used later to load the server certificate and the client certificate.)
After executing the command, the four folders shown in the figure appear.
Execute the make verify command. If ok appears, the client certificate matches the server certificate.

cd result
The generated files can be seen in the result directory.
Four files are used: ca_certificate.pem, server_certificate.pem, server_key.pem and client_key.p12. The rabbitmq server uses the three files ca_certificate.pem, server_certificate.pem and server_key.pem; the Java client uses two, the truststore file generated from server_certificate.pem and client_key.p12.

The default validity period of the certificate is 5 years and can be modified: open the openssl.cnf file in the basic directory of tls-gen and change default_days. Then execute the above command again to regenerate the certificate.

Generate the Java client truststore
keytool -import -alias server1 -file /path/to/server_certificate.pem -keystore /path/to/rabbitstore
The keytool command comes with the JDK. If the command is missing, install JDK 1.8.
server1 is the alias of the certificate in the truststore; change it to the name you want, any name is fine.
/path/to/server_certificate.pem is the location of the server_certificate.pem certificate generated above.
/path/to/rabbitstore is the location and file name of the generated truststore; here the name is rabbitstore.

2 Configure the server

Transfer the three certificates ca_certificate.pem, server_certificate.pem and server_key.pem to the rabbitmq/ssl directory.

Edit the configuration file (old version)
[
  {rabbit, [
    {tcp_listeners, [5672]},
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile, "/etc/rabbitmq/ssl/ca_certificate.pem"},
                   {certfile, "/etc/rabbitmq/ssl/server_certificate.pem"},
                   {keyfile, "/etc/rabbitmq/ssl/server_key.pem"},
                   {verify, verify_peer},
                   {fail_if_no_peer_cert, true},
                   {password, "123456"}
                  ]}
  ]}
].
Note: there is a dot at the end

Edit the configuration file (new version)
listeners.tcp.default = 5672
# The password of the default user
default_pass = 123456
# The default account is admin
default_user = admin
# The key configuration for ssl login: port 5671 must be opened, and clients must later connect to port 5671
listeners.ssl.default = 5671
# The three rabbitmq server certificates. This is the path inside the container; do not modify it. It corresponds to the /etc/rabbitmq/ssl directory on the host: put these three certificates in /etc/rabbitmq/ssl on the host and they are loaded from here.
ssl_options.cacertfile = /etc/rabbitmq/ssl/ca_certificate.pem
ssl_options.certfile = /etc/rabbitmq/ssl/server_certificate.pem
ssl_options.keyfile = /etc/rabbitmq/ssl/server_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
# The password given when the make command was executed
ssl_options.password = 123456
ssl_options.versions.1 = tlsv1.2
ssl_options.versions.2 = tlsv1.1
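To check a new-style rabbitmq.conf like the one above against what this post relies on (client certificates required, only current TLS versions) and to render the same settings in the classic Erlang-term format that the note at the end of the post says some versions still need, here is an added Python example; it is not part of the original post. The sample configuration embedded in it is constructed from the listing above, and the converter only handles the listener and ssl_options keys shown here.

```python
# Constructed sample of the new-style rabbitmq.conf from this post (not a file copied from any host)
SAMPLE_CONF = """\
listeners.tcp.default = 5672
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/ssl/ca_certificate.pem
ssl_options.certfile = /etc/rabbitmq/ssl/server_certificate.pem
ssl_options.keyfile = /etc/rabbitmq/ssl/server_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_options.password = 123456
ssl_options.versions.1 = tlsv1.2
ssl_options.versions.2 = tlsv1.1
"""
def parse_conf(text):
    """Parse 'key = value' lines of the ini-style format; lines starting with '#' are comments."""
    conf = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def audit_ssl(conf):
    """List anything that weakens the mutual-TLS listener the post sets up."""
    findings = []
    missing = [k for k in ("cacertfile", "certfile", "keyfile") if "ssl_options." + k not in conf]
    if missing:
        findings.append("missing certificate settings: " + ", ".join(missing))
    if conf.get("ssl_options.verify") != "verify_peer" or conf.get("ssl_options.fail_if_no_peer_cert") != "true":
        findings.append("client certificate not required: need verify_peer and fail_if_no_peer_cert = true")
    legacy = sorted(v for k, v in conf.items() if k.startswith("ssl_options.versions.") and v in ("tlsv1", "tlsv1.1"))
    if legacy:
        findings.append("legacy TLS versions enabled: " + ", ".join(legacy))
    return findings

def to_classic(conf):
    """Render the same settings in the classic Erlang-term rabbitmq.config (note the trailing dot)."""
    ssl = []
    for k in sorted(conf):
        if k.startswith("ssl_options.") and not k.startswith("ssl_options.versions."):
            name, v = k.split(".", 1)[1], conf[k]
            bare = v in ("true", "false") or name == "verify"  # atoms stay bare, paths and passwords are strings
            ssl.append("{%s,%s}" % (name, v if bare else '"%s"' % v))
    versions = [conf[k] for k in sorted(conf) if k.startswith("ssl_options.versions.")]
    if versions:
        ssl.append("{versions,[%s]}" % ",".join("'%s'" % v for v in versions))
    listeners = ["{%s_listeners,[%s]}" % (p, conf["listeners.%s.default" % p])
                 for p in ("tcp", "ssl") if "listeners.%s.default" % p in conf]
    return "[{rabbit,[%s]}]." % ",".join(listeners + ["{ssl_options,[%s]}" % ",".join(ssl)])
```

Run against the sample, the audit flags only the tlsv1.1 entry, and to_classic produces the same structure as the old-version file above.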

Restart the rabbitmq service, log in to the management console on port 15672, and check that port 5671 is shown as a listening port; then the startup is successful.

3 Edit the java client

Introduce the pom dependency

<dependency>
    <groupId>com.rabbitmq</groupId>
    <artifactId>amqp-client</artifactId>
    <version>5.7.0</version>
</dependency>

import com.rabbitmq.client.Channel;
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;
import com.rabbitmq.client.GetResponse;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.security.KeyStore;

public class RabbitSslClient {
    public static void main(String[] args) throws Exception {
        ConnectionFactory factory = new ConnectionFactory();
        // Set the ip according to the actual situation
        factory.setHost("localhost");
        // Port: the ssl port is 5671 and cannot be modified
        factory.setPort(5671);
        // 123456 is the password given when make was executed to generate the certificates
        char[] keyPassphrase = "123456".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        // The client_key.p12 file generated in the result directory by make; fill in the path according to the actual situation
        try (FileInputStream in = new FileInputStream("/etc/rabbitmq/ssl/client_key.p12")) {
            ks.load(in, keyPassphrase);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, keyPassphrase);

        // The password entered for the keytool command
        char[] trustPassphrase = "123456".toCharArray();
        KeyStore tks = KeyStore.getInstance("JKS");
        // The truststore file generated by the keytool command; fill in the path according to the actual situation
        try (FileInputStream in = new FileInputStream("/etc/rabbitmq/ssl/rabbitstore")) {
            tks.load(in, trustPassphrase);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(tks);

        SSLContext c = SSLContext.getInstance("TLSv1.2");
        c.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        factory.useSslProtocol(c);

        Connection conn = factory.newConnection();
        Channel channel = conn.createChannel();

        channel.queueDeclare("rabbitmq-test", false, true, true, null);
        channel.basicPublish("", "rabbitmq-test", null, "rabbitmq via SSL".getBytes());

        GetResponse chResponse = channel.basicGet("rabbitmq-test", false);
        if (chResponse == null) {
            System.out.println("No message retrieved");
        } else {
            byte[] body = chResponse.getBody();
            System.out.println("Received: " + new String(body));
        }

        channel.close();
        conn.close();
    }
}

If rabbitmq via SSL is printed, the connection is successful.

Note:
After testing, the combination rabbitmq-server 3.7.4 + Erlang 20.2.3 does not support this ssl setup: Erlang cannot load the server certificate, causing the connection to fail, so a later combination must be used. Verified: rabbitmq-server 3.7.18 + Erlang 22.3.4.11 supports ssl, and with it the configuration file needs to use the old version of the configuration file format.

Origin blog.csdn.net/weixin_39427718/article/details/109184546