Rabbit MQ set up in my organization uses LDAP for Authenticaton and Authorization.
How can I configure NServiceBus (or RabbitMQ) to use the credentials that the service is running under (- like integrated security for SQL Connections).
Rabbmit MQ Configuration
[
{rabbit,
[{auth_backends, [rabbit_auth_backend_ldap]}]},
{rabbitmq_auth_backend_ldap,
[ {servers, ["ad.xxxx.xxx"]},
{dn_lookup_attribute, "userPrincipalName"},
{dn_lookup_base, "OU=xxxx Users,DC=ad,DC=xxxx,DC=xxx"},
{log, true},
{group_lookup_base, "OU=xxxx Users,DC=ad,DC=xxxx,DC=xxx"},
{tag_queries, [{administrator, {in_group, "CN=GRP_Name,OU=XXXX Users,DC=ad,DC=XXXX,DC=XXX"}},
{management, {in_group, in_group, "CN=GRP_Name,OU=XXXX Users,DC=ad,DC=XXXX,DC=XXX"}}]}
]
}
].
NServiceBus Code:
var endpointConfiguration = new EndpointConfiguration("Receiver.Service");
var transport = endpointConfiguration.UseTransport<RabbitMQTransport>();
transport.UseConventionalRoutingTopology();
transport.ConnectionString("host=rabbitmq.sb.xxxx.xxx");
RabbitMQ's LDAP support requires that client applications pass a username and password. There is no equivalent to SQL's integrated security.
In your case, user's must have a DN whose value ends with OU=xxxx Users,DC=ad,DC=xxxx,DC=xxx. Your NServiceBus application will have to pass a username and password of an account with the expected DN.
https://www.rabbitmq.com/ldap.html
NOTE: the RabbitMQ team monitors the rabbitmq-users mailing list and only sometimes answers questions on StackOverflow.
Related
I'm trying to implement HA policy for messaging on domain, but I have a problem with the slave-host.
This is the log:
"WFLYCTL0030: No resource definition is registered for address [
(\"subsystem\" => \"messaging-activemq\"),
(\"server\" => \"clustermqfse\"),
(\"jms-topic\" => \"test2\")
]"
The host-master, on the other hand, is ok. I saw the host.xml of both and are egual.
How could I resolve the issue?
Have you defined a topic with the name=test2 under the activemq subsystem config of the ha profile in domain.xml?
What I am trying to do is -
For Clients to Broker communication - use OAUTHBEARER authentication
For Broker to Broker communication - use PLAIN authentication
I Have following JAAS configuration:
{
KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="inter"
password="inter-secret"
user_inter="inter-secret"
user_admin="YvNzcbmqhA0DfxjP";
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;
};
Client {
org.apache.zookeeper.server.auth.DigestLoginModule required
username="zookeeper"
password="zookeeper-secret";
};
}
And I have following configs in server.properties:
sasl.enabled.mechanisms=PLAIN,OAUTHBEARER
sasl.mechanism.inter.broker.protocol=PLAIN
sasl.server.callback.handler.class=br.com.jairsjunior.security.oauthbearer.OauthAuthenticateValidatorCallbackHandler
But if start the kafka service I am seeing the error like below:
used by: java.lang.IllegalArgumentException: Must supply exactly 1 non-null JAAS mechanism configuration (size was 2)
at org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerUnsecuredValidatorCallbackHandler.configure(OAuthBearerUnsecuredValidatorCallbackHandler.java:114)
at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:122)
... 17 more
which indicates kafka is not allowing to specify multiple JAAS mechanism configurations.
So how can I specify multiple JAAS configs, and setup authentication mechanisms like below:
CLient to Broker ----> OAUTHBEARER
Broker to Broker ----> PLAIN
Thanks!
I am currently also working on the problem to use plain and oauthbearer simultaniously, which I have not solved yet but I solved your specific question in the following way.
This is my Jaas Configuration:
internal.KafkaServer {
org.apache.kafka.common.security.plain.PlainLoginModule required
username="admin"
password="admin-secret"
user_admin="admin-secret"
user_test="test";
};
external.KafkaServer {
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required
};
Client {
org.apache.zookeeper.server.auth.DigestLoginModule required
username="username"
password="pw";
};
Then I set the setting in the server.properties the following way:
inter.broker.listener.name: INTERNAL
sasl.mechanism.inter.broker.protocol: PLAIN
listener.security.protocol.map: INTERNAL:SASL_PLAINTEXT,EXTERNAL:SASL_SSL
listeners: "INTERNAL://0.0.0.0:9092,EXTERNAL://0.0.0.0:19092"
sasl.enabled.mechanisms: PLAIN,OAUTHBEARER
listener.name.external.oauthbearer.sasl.server.callback.handler.class: my.module.kafka.security.oauthbearer.OauthAuthenticateValidatorCallbackHandler
listener.name.external.oauthbearer.sasl.login.callback.handler.class: my.module.kafka.security.oauthbearer.OauthAuthenticateLoginCallbackHandler
When you it this way you won't get your error. Sadly I get another error when the broker want to set up the external connection:
javax.security.auth.callback.UnsupportedCallbackException: Unrecognized SASL Login callback
at org.apache.kafka.common.security.authenticator.AbstractLogin$DefaultLoginCallbackHandler.handle(AbstractLogin.java:105)
at org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule.identifyToken(OAuthBearerLoginModule.java:316)
at org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule.login(OAuthBearerLoginModule.java:301)
... 32 more
It seems like the kafka brokers are ignoring oauthbearer callbackhandler. This is a bit strange because external is working perfectly when I configure it as the only listener.
I hope it helps you with your problem!
I have an instance of RabbitMQ 3.7.7-management image running. It has the rabbitmq-management plugin enabled and configured to use HTTPS as per the documentation:
management.listener.port = 15671
management.listener.ssl = true
management.listener.ssl_opts.cacertfile = /path/to/cacert.pem
management.listener.ssl_opts.certfile = /path/to/cert.pem
management.listener.ssl_opts.keyfile = /path/to/key.pem
management.listener.ssl_opts.fail_if_no_peer_cert = false
management.listener.ssl_opts.versions.1 = tlsv1.2
When I evaluate the TLS setup with testssl.sh testing tool, a test for SWEET32 vulnerability fails:
Testing vulnerabilities
...
SWEET32 (CVE-2016-2183, CVE-2016-6329) VULNERABLE, uses 64 bit block ciphers
...
OpenVAS framework also complains:
Vulnerability Detection Result
'Vulnerable' cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)
Solution type: Mitigation
The configuration of this services should be changed so that it does not accept the listed cipher suites anymore.
Is it possible to configure what cipher suites will be used by the RabbitMQ Management Plugin? For RabbitMQ it is possible, but looking at rabbitmq_management.schema it seems that for the Management Plugin it's impossible. Or is there a different way to fix the vulnerability?
You will have to use the advanced.config file to do so. I'm assuming that you have already created /etc/rabbitmq/rabbitmq.conf with the settings you show. Create the /etc/rabbitmq/advanced.config file with these contents and re-start RabbitMQ:
[
{rabbitmq_management, [
{listener, [
{ssl_opts, [
{ciphers, [
%% CIPHERS GO HERE
]}
]}
]}
]}
].
The setting should be merged into what is specified in rabbitmq.conf. You can check the generated config files in /var/lib/rabbitmq/...
If this does not work, please follow up on the mailing list.
NOTE: the RabbitMQ team monitors the rabbitmq-users mailing list and only sometimes answers questions on StackOverflow.
I tried to connect to a particular RabbitMq machine using following code using MassTransit
var bus = ServiceBusFactory.New(x =>
{
x.UseRabbitMq();
x.ReceiveFrom("rabbitmq://admin:admin#<IP Address>/somequeue");
moreInitialization(x);
});
I have create a user as admin in vhost "\" with administrator privileges.
cmd:> rabbitmqctl list_permissions
Listing permissions in vhost "/" ...
admin .* .* .*
I have removed the "guest" user. Even though I user the below code, I can see in rabbitmq log as below
=ERROR REPORT==== 21-Jun-2015::12:19:22 ===
closing AMQP connection <0.391.0> (192.168.6.1:7000 -> 192.168.6.131:5672):
{handshake_error,starting,0,
{amqp_error,access_refused,
"PLAIN login refused: user 'guest' - invalid credentials",
'connection.start_ok'}}
At application side I am getting the below error
Exception:Thrown: "ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile." (RabbitMQ.Client.Exceptions.AuthenticationFailureException)
A RabbitMQ.Client.Exceptions.AuthenticationFailureException was thrown: "ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile."
Do I need to change any configuration in rabbitmq.config file? I am using RabbitMq Server version 3.5.3
Thanks for helping
To specify credentials, you need to configure the host explicitly. The # syntax is no longer supported, due to leakage of security credentials.
For example:
var bus = ServiceBusFactory.New(sbc =>
{
sbc.UseRabbitMq(r => r.ConfigureHost(new Uri("rabbitmq://actual-server-name/queue-name"), h =>
{
h.SetUsername("username");
h.SetPassword("password");
}));
sbc.ReceiveFrom("rabbitmq://actual-server-name/queue-name");
});
With the following rabbitmq config
[ {mnesia, [{dump_log_write_threshold, 100}]},
{rabbit, [{vm_memory_high_watermark, 0.4}]},
{rabbitmq_shovel,
[{shovels,
[{devShovel,
[{sources, [{broker, "amqp://shoveluser:shoveluser#server2:5672"}]},
{destinations, [{broker, "amqp://shoveluser:shoveluser#localhost:5672"}]},
{queue, <<"queue">>},
{publish_fields,[{exchange,<<"DataExchange">>}]}
]
}]
}]
}
].
and all of the relevant queues / exchanges declared I am able to start my rabbitmq server. However, when I check the shovel management, the plugin always displays starting as the state of the shovel. What causes this and is there any way to get more info ?
Make sure to check the user is setup correctly on the brokers.