RabbitMQTests

GitHub

This page has information and instructions on how to set up a rabbitMQ server using SSL. As of this writing, a test certificate authority is used rather than a standard one.

SSL

Most of the information on this page comes from rabbitMQ's tutorial, located here, and, for troubleshooting, here.

A few notes:

  • Erlang before R13B02 does not properly refuse connections if the client does not provide a certificate
  • The default config file location is /etc/rabbitmq/rabbitmq.config
  • The default log file location is /var/log/rabbitmq/rabbit@$(HOST_MACHINE).log (example: /var/log/rabbitmq/rabbit@elephant70.log)

rabbitMQ config file

To set up the rabbitMQ server with SSL, the config file must be edited and the server restarted. The rabbitMQ tutorial provides this as a default config file.

[
  {rabbit, [
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"/path/to/testca/cacert.pem"},
                    {certfile,"/path/to/server/cert.pem"},
                    {keyfile,"/path/to/server/key.pem"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false}]}
   ]}
].

This uses Erlang syntax, so punctuation is important here (note the trailing . ).

This config file will set the server called rabbit (default name) to:

  • open an ssl listener on port 5671
  • use the certificate authority certificate file at the specified location
  • use the server certificate (certfile) signed by the CA specified in the previous line
  • use the private key specified
  • ask clients to provide SSL certificates, but allow clients to connect without one
    • if a client provides a badly formed certificate or one not signed by the CA, the connection will be refused
    • setting fail_if_no_peer_cert to true forces clients to provide a certificate. Note: this option does not work before Erlang R13B01

If the log file and certificates/keys are set up properly, the rabbitMQ log file will have a line for starting the SSL listener on the specified port.

Command line testing configuration

The connection can be verified using openssl. Provided that the client cert and key are correct and signed by the CA, this command:

openssl s_client -connect localhost:5671 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem

will connect to the AMQP server and allow additional input (providing anything other than an AMQP header will cause rabbitMQ to close the connection).

If an invalid key or no key is provided, like this:

openssl s_client -connect localhost:5671

the connection will be refused. The following is rabbitMQ's log file when running these commands sequentially.

First connection with valid certs and keys

INFO REPORT=== 17-Sep-2013::15:16:38 = accepted TCP connection on [::]:5671 from 127.0.0.1:56525

INFO REPORT=== 17-Sep-2013::15:16:38 = starting TCP connection <0.2463.0> from 127.0.0.1:56525

INFO REPORT=== 17-Sep-2013::15:16:38 = upgraded TCP connection <0.2463.0> to SSL

Fails here because "Not a valid AMQP header" was sent to the server

ERROR REPORT=== 17-Sep-2013::15:16:45 = exception on TCP connection <0.2463.0> from 127.0.0.1:56525 {bad_header,<<"Not a va">>}

INFO REPORT=== 17-Sep-2013::15:16:45 = closing TCP connection <0.2463.0> from 127.0.0.1:56525

Connection without a cert

INFO REPORT=== 17-Sep-2013::15:16:57 = accepted TCP connection on [::]:5671 from 127.0.0.1:56526

INFO REPORT=== 17-Sep-2013::15:16:57 = starting TCP connection <0.2468.0> from 127.0.0.1:56526

Connection terminated because the SSL was not correct

ERROR REPORT=== 17-Sep-2013::15:16:57 = SSL: certify_certificate: ./ssl_connection.erl:490:Fatal error: handshake failure

ERROR REPORT=== 17-Sep-2013::15:16:57 = error on TCP connection <0.2468.0>:{ssl_upgrade_error,esslaccept}

INFO REPORT=== 17-Sep-2013::15:16:57 = closing TCP connection <0.2468.0>
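The two outcomes in the log above can be told apart automatically by grouping the lines on the connection id. The following is an added example, not part of the original page or of rabbitMQ; it parses the log in the one-line form shown here, and the function names and outcome labels are assumptions.

```python
import re

# Log excerpt copied from this page, in the one-line form it has here.
SAMPLE_LOG = """\
INFO REPORT=== 17-Sep-2013::15:16:38 = accepted TCP connection on [::]:5671 from 127.0.0.1:56525
INFO REPORT=== 17-Sep-2013::15:16:38 = starting TCP connection <0.2463.0> from 127.0.0.1:56525
INFO REPORT=== 17-Sep-2013::15:16:38 = upgraded TCP connection <0.2463.0> to SSL
ERROR REPORT=== 17-Sep-2013::15:16:45 = exception on TCP connection <0.2463.0> from 127.0.0.1:56525 {bad_header,<<"Not a va">>}
INFO REPORT=== 17-Sep-2013::15:16:45 = closing TCP connection <0.2463.0> from 127.0.0.1:56525
INFO REPORT=== 17-Sep-2013::15:16:57 = accepted TCP connection on [::]:5671 from 127.0.0.1:56526
INFO REPORT=== 17-Sep-2013::15:16:57 = starting TCP connection <0.2468.0> from 127.0.0.1:56526
ERROR REPORT=== 17-Sep-2013::15:16:57 = SSL: certify_certificate: ./ssl_connection.erl:490:Fatal error: handshake failure
ERROR REPORT=== 17-Sep-2013::15:16:57 = error on TCP connection <0.2468.0>:{ssl_upgrade_error,esslaccept}
INFO REPORT=== 17-Sep-2013::15:16:57 = closing TCP connection <0.2468.0>
"""

LINE = re.compile(r"^(INFO|ERROR) REPORT=== (\S+) = (.*)$")
CONN = re.compile(r"<\d+\.\d+\.\d+>")   # Erlang process id of the connection
PEER = re.compile(r"from (\S+:\d+)")     # client address:port

def classify_connections(log_text):
    """Return {connection_id: {"peer", "tls", "outcome"}} for each connection."""
    conns = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        pid = m and CONN.search(m.group(3))
        if not pid:
            continue  # blank lines and lines without a connection id
        msg = m.group(3)
        c = conns.setdefault(pid.group(0), {"peer": None, "tls": False, "outcome": "open"})
        peer = PEER.search(msg)
        if peer:
            c["peer"] = peer.group(1)
        if msg.startswith("upgraded TCP connection"):
            c["tls"] = True                        # handshake completed
        elif "ssl_upgrade_error" in msg:
            c["outcome"] = "tls_handshake_failed"  # the no-certificate run above
        elif "bad_header" in msg:
            c["outcome"] = "tls_ok_bad_amqp_header"
        elif msg.startswith("closing") and c["outcome"] == "open":
            c["outcome"] = "closed"
    return conns

def rejected_peers(log_text):
    """Client addresses whose TLS handshake with the broker failed."""
    return sorted(c["peer"] for c in classify_connections(log_text).values()
                  if c["outcome"] == "tls_handshake_failed" and c["peer"])
```

A real log file splits each report over two lines, so the header and message would need to be joined before being passed to classify_connections.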

Future Grid Setup Notes

As of this writing, the rabbitMQ tests require: python2.7, rabbitMQ-server, and pika. This section is not a detailed step-by-step guide on how to set all these dependencies up, as the creators of these libraries/tools have relatively simple setup guides on their respective homepages. This section instead focuses on problems that arose when trying to install all these services on Future Grid.

Installing from sources on GitHub using git is relatively easy; however, if git clone returns HTTP error 403, that is caused by using an outdated version of git. Update git to solve this issue.

Installing python2.7 is a pain on many distros; the easiest default distribution on Future Grid I found to install python2.7 on was Ubuntu 9.04. Installing from source is relatively easy and just requires some other default libraries that can easily be obtained with apt-get.

Pika requires setuptools, which is a bit of a pain to get. The site here: https://pypi.python.org/pypi/setuptools/ provides instructions on how to install setuptools using a script they provide. This script fails when attempting to download the setup tar file. The script will download an improper tar file and, if the script is run again, will complain that it can't open that tar file. To fix this, download the tar file manually using wget with the option "--no-check-certificate". The ez_install script can be modified to use this tar file instead of attempting to redownload it. Open the script and scroll down to near the very bottom to the main function.

def main(version=DEFAULT_VERSION):
    """Install or upgrade setuptools and EasyInstall"""
    options = _parse_args()
    tarball = download_setuptools(download_base=options.download_base,
        downloader_factory=options.downloader_factory)
    return _install(tarball, _build_install_args(options))

Remove the tarball = lines and replace them with the following line: tarball = "pathToSetupToolsTarFile". If you would rather use a relative path, use tarball = os.path.abspath("./setuptools-1.1.6.tar.gz"), changing the argument to match the version of setuptools being used.

def main(version=DEFAULT_VERSION):
    """Install or upgrade setuptools and EasyInstall"""
    options = _parse_args()
    #tarball = download_setuptools(download_base=options.download_base,
    #    downloader_factory=options.downloader_factory)
    tarball = os.path.abspath("./setuptools-1.1.6.tar.gz")
    return _install(tarball, _build_install_args(options))
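Because the tar file was fetched with "--no-check-certificate", nothing has authenticated its contents before _install runs them. The following is an added example, not part of the original page or of the setuptools script: a helper that returns the tarball path only when its SHA-256 matches a digest obtained separately from a trusted source. The name verified_tarball and the EXPECTED_SHA256 placeholder are assumptions.

```python
import hashlib
import os

def verified_tarball(path, expected_sha256, chunk_size=65536):
    """Return the absolute path of `path` only if its SHA-256 matches.

    expected_sha256 is the hex digest published for this exact release,
    obtained over a channel other than the unverified download.
    """
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        # Read in chunks so large archives are not loaded into memory at once.
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    actual = digest.hexdigest()
    if actual != expected_sha256.strip().lower():
        raise ValueError("SHA-256 mismatch for %s: got %s" % (path, actual))
    return os.path.abspath(path)

# Hypothetical use in the modified main(), replacing the tarball = line:
#   EXPECTED_SHA256 = "<digest published for this setuptools release>"
#   tarball = verified_tarball("./setuptools-1.1.6.tar.gz", EXPECTED_SHA256)
```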

It is now possible to install pika either from source or using pip. Pip is a tool for installing python packages that also relies on setuptools. If setuptools has been installed properly, pip is trivial to get by following the guide here: http://www.pip-installer.org/en/latest/installing.html .

After getting pip, installing pika is just one line: pip install pika.

-- RobertPrior - 2013-09-17

Topic revision: r2 - 2013-09-19 - rprior
 