rabbitmq supports certificate based authentication using the rabbitmq-auth-mechanism-ssl plugin (https://github.com/rabbitmq/rabbitmq-auth-mechanism-ssl/blob/rabbitmq_v3_6_9/README.md). I was able to get the password-less authentication working for the AMQP protocol using this plugin.
However, I could not get the same certificate based (password-less) authentication working for the rabbitmq-management plugin that uses HTTP (for web UI). From the documentation it is not clear if this is supported.
Does rabbitmq-management support the cert based authentication ? If yes, please share the relevant links.
Found this site - it looks legitimate, but I haven't tried it yet myself.
http://www.gettingcirrius.com/2013/01/securing-rabbitmq-management-console.html
Quoting from the link:
Edit the rabbitmq.config file in the /etc/rabbitmq director.
Add a configuration entry:
[{listener,
[{port, 15672},
{ssl, true},
{ssl_opts,
[{cacertfile, "/etc/rabbitmq/ssl/ca/cacert.pem"},
{certfile, "/etc/rabbitmq/ssl/server/{hostname}.cert.pem"},
{keyfile, "/etc/rabbitmq/ssl/server/{hostname}.key.pem"}]}
]}
]}
].
Restart RabbitMQ.
sudo service rabbitmq-server start
Related
I am new to Apache Kafka, and here is what I have done so far,
Downloaded kafka_2.12-2.1.0
Make Batch file for Zookeeper to run zookeeper server:
start kafka_2.12-2.1.0.\bin\windows\zookeeper-server-start.bat kafka_2.12-2.1.0.\config\zookeeper.properties
Make Batch File for Apache Kafka server
start kafka_2.12-2.1.0\bin\windows\kafka-server-start.bat kafka_2.12-2.1.0\config\server.properties
Started A Producer using batch file.
start kafka_2.12-2.1.0.\bin\windows\kafka-console-producer.bat --broker-list localhost:9092 --topic 3drocket-player
It is running fine but now I am looking for authentication. As I have to implement a consumer with specific auth settings (requirement by the client). Like security protocol is SASL_SSL and SSL mechanism is GSSAPI.
For this reason, I tried to search and find confluet documentation but the problem is it is too abstract that how to take each and every step.
I am looking for detail configuration steps according to my setup. How to configure my kafka server with SASL SSL and GSSAPI protocol. Initially I found that GSSAPI/Keberos has a separate server then, do i need to install more server? Within Confluent Kafka is there any built-in solution.
Configure a SASL port in server.properties
e.g)
listeners=SASL_SSL://host.name:port
security.inter.broker.protocol=SASL_SSL
sasl.mechanism.inter.broker.protocol=GSSAPI
sasl.enabled.mechanisms=GSSAPI
sasl.kerberos.service.name=kafka
ssl.keystore.location=/path/to/keystore.jks
ssl.keystore.password=keystore_password
ssl.truststore.location=/path/to/truststore.jks
ssl.truststore.password=truststore_password
ssl.enabled.protocols=TLSv1.2,TLSv1.1,TLSv1
https://kafka.apache.org/documentation/#security_configbroker
https://kafka.apache.org/documentation/#security_sasl_config
Client:
When you run the Kafka client, you need to set these properties.
security.protocol=SASL_SSL
ssl.truststore.location=/path/to/truststore.jks
ssl.truststore.password=truststore_password
sasl.mechanism=GSSAPI
sasl.kerberos.service.name=kafka
https://kafka.apache.org/documentation/#security_configclients
https://kafka.apache.org/documentation/#security_sasl_kerberos_clientconfig
Then configure the JAAS configuration
KafkaClient {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="path/to/kafka_client.keytab"
storeKey=true
useTicketCache=false
principal="kafka-client-1#EXAMPLE.COM";
};
...
SASL/GSSAPI is for organizations using Kerberos (for example, by using Active Directory). You don’t need to install a new server just for Apache Kafka®. Ask your Kerberos administrator for a principal for each Kafka broker in your cluster and for every operating system user that will access Kafka with Kerberos authentication (via clients and tools).
https://docs.confluent.io/current/kafka/authentication_sasl/authentication_sasl_gssapi.html#kafka-sasl-auth-gssapi
....
Has anyone been successful with using Letsencrypt SSL with a default jetty install? I can't seem to get it right.
More info:
OS: Ubuntu 16.04
Jetty Path: /opt/jetty
Only thing adjusted is enabling http on port 80 in start.ini.
Problems I have run into:
When I input --module-ssl into the start ini, I get the error
No default protocol for ServerConnector#48aca48b{null,[]}{0.0.0.0:8443}`
starting jetty and it fails.
I have tried inputting the SSL info into the ini, as well as editing the .xml files with the info.
I know this is an older question, but in-case people stumble across it on Google with a similar issue:
The SSL module in Jetty is just the base cryptographic functionality. You need to do something with it - i.e. also enable the https or http2 modules.
In other words, for standard https you actually need:
java -jar start.jar --add-to-startd=ssl,https
So it's not the best of error messages, but:
No default protocol for ServerConnector
Means just that - it didn't previously have a protocol (implementation) to use the ssl module with, because the https (or http2) modules hadn't been loaded.
I installed rabbit mq via docker image on a machine including the management and rabbitmq_auth_backend_ip_range plugins. I want to restrict access to the ports 5671/2 and 15672 to only allow certain IPs accessing them.
As 15672 is the web interface, I have not current solution for that. Any ideas on that?
For 5671/2 (which one is the secure one?) I want to use the plugin rabbitmq_auth_backend_ip_range because as far as I understood, that's its purpose.
My current rabbitmq.config looks like this:
[
{rabbit, [
{auth_backends, [{rabbit_auth_backend_ip_range}]}
]},
{rabbitmq_auth_backend_ip_range, [
{tag_masks,
[{'administrator', [<<"::FFFF:192.168.0.0/112">>]}]
}
]}
].
According to the documentation that allows access only for accounts tagged with administrator. But if I do a telnet nothing changed:
telnet ip-address 5672
I can access it. How do you pass over credentials via telnet? How is ip restriction done with rabbit mq?
rabbitmq-auth-backend-ip-range is only providing authentication mechanism to login/talk to rabbitmq server. That doesn't mean your 5672 port is not open.
You will still be able to telnet on 5672 but if some administrator user tries to connect particularly to RabbitMQ server than it should match with the given IP address otherwise authentication failed will return
For RabbitMQ Management you can define IP address something like this:
{rabbitmq_management, [
{listener, [{port, 15672}, {ip, "127.0.0.1"}]}
]}
Rabbitmq-auth-backend-ip-range link is community plugin for client authorization based on source IP address. With this community plugin, we can restrict access to client on the basis of IP address
Steps To configure plugin in rabbitmq version 3.6.X
wget https://dl.bintray.com/rabbitmq/community-plugins/3.6.x/rabbitmq_auth_backend_ip_range/rabbitmq_auth_backend_ip_range-20180116-3.6.x.zip
unzip content to /usr/lib/rabbitmq/lib/rabbitmq_server-3.x/plugins
Enable plugin:rabbitmq-plugins enable rabbitmq_auth_backend_ip_range
Set a custom tag to which this plugin will block for certain IP address
rabbitmqctl set_user_tags custom_user custom_tag
Configure rabbitmqctl configuration file
vi /etc/rabbitmq/rabbitmq.config
[
{rabbit, [
{tcp_listeners, [5672]},
{auth_backends, [
{rabbit_auth_backend_internal,
[rabbit_auth_backend_internal, rabbit_auth_backend_ip_range]
}
]
}
]},
{rabbitmq_auth_backend_ip_range, [
{tag_masks,
[{'customtag', [<<"::FFFF:172.xx.xx.xxx">>]}]},
{default_masks, [<<"::0/0">>]}
]}
].
this configuration will effect in such a way that the user with tag customtag will able to connect to rabbitmq server with IP address 172.xx.xx.xxx and all other tags can access from any IP address
sudo service rabbitmq-server restart
PS: As there is no valid link online to configure the rabbitmq_auth_backend_ip_range plugin, so I answered this question with the configuration steps
I am trying to connect from a windows computer to a ubuntu linux server, It is about cvs, I want to do a checkout. I use smartcvs 7.1.9.
I get this error when I try to connect to the server: (Project > Checkout > Next)
Authentication Failed: You could not get authenticated by the
CVS-server. Details: I/O-Exception: Failed to negotiate a transport
component [diffie-hellman-group-exchange-sha1]
[diffie-hellman-group14-sha1]
Anybody ideas what I can do?
This is a cvs server issue.
SmartCVS uses the diffie-hellman key exchange method for authentication which is known to have security issues. Therefore it has been disabled by default in current standard openssh(d) server configurations.
If you know what you are doing and don't care about the security implications, just add the following lines to sshd_config:
starts here
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256#libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm#openssh.com,aes256-gcm#openssh.com,chacha20-poly1305#openssh.com,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
ends here
If you're on linux.. recreate the keys and restart the opensshd service:
dpkg-reconfigure openssh-server
/etc/init.d/ssh restart
Regards
Erwin
I am using latest RabbitMq 3.5.6 with Erlang 18.1 on Ubuntu.
I want to secure communication with TLS. So I bought a wildcard certificate (AlphaSSL) which comes with an Intermediate cert chain.
(Removed Certs)
I am using the same certificate to secure Nginx and Apache2. The cert works there.
But in RabbitMq, I dont know how to get it working properly. At some stage of my testing, I had "Verfiy Ok" when testing with openssl -sclient... Then switched to browser, but management Interface doesn't even load: SSL_SEC_ERR in Chrome...
This is the config of the management section:
UPDATE: This config works. After doing apt-get install erlang-ssl --reinstall it suddenly works as expected. Make sure to use latest Erlang 18.1 Version from http://erlang-solutions.com/downloads/download-erlang-otp which contains some TLS related fixes
rabbitmq.config:
{rabbitmq_management,
{listener, [{port, 15672},
{ssl, true},
{ssl_opts, [{cacertfile, "/etc/rabbitmq/ssl/Intermediate_CA_Bundle.crt"},
{certfile, "/etc/rabbitmq/ssl/domain.crt"},
{keyfile, "/etc/rabbitmq/ssl/domain.key"},
{depth, 2},
{verify, verify_none},
{fail_if_no_peer_cert, false}]}]}
mablae
This config works. After doing apt-get install erlang-ssl --reinstall it suddenly works as expected. Make sure to use latest Erlang 18.1 Version from http://erlang-solutions.com/downloads/download-erlang-otp which contains some TLS related fixes