RabbitMQ SSL connection Using RabbitMQ Event Adpter in WSO2 CEP- Part 1

Hi all,

I am writing this blog by assuming you are familiar with RabbitMQ Broker. Here I mainly focus on Securing the connection between RabbirMQ Message Broker and WSO2 CEP. That means how to receive secure messages from RabbitMQ Broker from WSO2 CEP Receiver. The use case here going to explain is, CEP is going to act as a consumer and consumes messages from RabbitMQ server. So simply CEP will act as a Client and RabbitMQ Server Will act as the Server.

 Introduction to RabbitMQ SSL connection

In normal connection we send messages without secure. But some confidential information like credit card number, we can not send without secure. For that purpose, we use SSL. SSL stands for Secure Sockets Layer. SSL allows sensitive information to be transmitted securely. This layer ensures that all data passed between the server and client remain private and integral. SSL is an industry standard. SSL is a security protocol. Protocols describe how algorithms should be used. In this case, the SSL protocol determines variables of the encryption for both the link and the data being transmitted.

Steps 

1.  As First Step we need to create own certificate Authority.
   
   • For that in terminal and go to specific folder (location) by using cd command.
   • Then use below commands.
   • $ mkdir testca
   • $ cd testca
   • $ mkdir certs private
   • $ chmod 700 private
   • $ echo 01 > serial
   • $ touch index.txt
   • Then create a new file using the following command, inside the tesca directory.  
   • $ gedit openssl.cnf
     
     When we using this commanda file will open in gedit. So copy and paste following thing and save it.
     
     

     [ ca ]
     default_ca = testca
     
     [ testca ]
     dir = .
     certificate = $dir/cacert.pem
     database = $dir/index.txt
     new_certs_dir = $dir/certs
     private_key = $dir/private/cakey.pem
     serial = $dir/serial
     
     default_crl_days = 7
     default_days = 365
     default_md = sha256
     
     policy = testca_policy
     x509_extensions = certificate_extensions
     
     [ testca_policy ]
     commonName = supplied
     stateOrProvinceName = optional
     countryName = optional
     emailAddress = optional
     organizationName = optional
     organizationalUnitName = optional
     
     [ certificate_extensions ]
     basicConstraints = CA:false
     
     [ req ]
     default_bits = 2048
     default_keyfile = ./private/cakey.pem
     default_md = sha256
     prompt = yes
     distinguished_name = root_ca_distinguished_name
     x509_extensions = root_ca_extensions
     
     [ root_ca_distinguished_name ]
     commonName = hostname
     
     [ root_ca_extensions ]
     basicConstraints = CA:true
     keyUsage = keyCertSign, cRLSign
     
     [ client_ca_extensions ]
     basicConstraints = CA:false
     keyUsage = digitalSignature
     extendedKeyUsage = 1.3.6.1.5.5.7.3.2
     
     [ server_ca_extensions ]
     basicConstraints = CA:false
     keyUsage = keyEncipherment
     extendedKeyUsage = 1.3.6.1.5.5.7.3.1
     

     • Now we can generate the key and certificates that our test Certificate Authority will use. Still within the testca directory:

       $ openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes

       $ openssl x509 -in cacert.pem -out cacert.cer -outform DER

   
   
2.  Generating certificate and key for the Server
• Apply following commands. (Assuming you are still in testca folder)

• $ cd ..
  $ ls
  testca
  $ mkdir server
  $ cd server
  $ openssl genrsa -out key.pem 2048
  $ openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=$(hostname)/O=server/ -nodes
  $ cd ../testca
  $ openssl ca -config openssl.cnf -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions server_ca_extensions
  $ cd ../server
  $ openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:MySecretPassword

   
3.  Generating certificate and key for the client
•  Apply following commands.

• $ cd ..
  $ ls
  server testca
  $ mkdir client
  $ cd client
  $ openssl genrsa -out key.pem 2048
  $ openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=$(hostname)/O=client/ -nodes
  $ cd ../testca
  $ openssl ca -config openssl.cnf -in ../client/req.pem -out ../client/cert.pem -notext -batch -extensions client_ca_extensions
  $ cd ../client
  $ openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:MySecretPassword

   
4. Configuring RabbitMQ Server
   To enable the SSL support in RabbitMQ, we need to provide to RabbitMQ the location of the root certificate, the server's certificate file, and the server's key. We also need to tell it to listen on a socket that is going to be used for SSL connections, and we need to tell it whether it should ask for clients to present certificates, and if the client does present a certificate, whether we should accept the certificate if we can't establish a chain of trust to it.
   
   For that we need to create file inside "/etc/rabbitmq". You have to name the file as "rabbitmq.config". Inside the file copy and paste following configuration.
   
   

   [
     {rabbit, [
        {ssl_listeners, [5671]},
        {ssl_options, [{cacertfile,"/path/to/testca/cacert.pem"},
                       {certfile,"/path/to/server/cert.pem"},
                       {keyfile,"/path/to/server/key.pem"},
                       {verify,verify_peer},
                       {fail_if_no_peer_cert,false}]}
      ]}
   ].

5. Trust the Client's Root CA
   Use the following command.

   $ cat testca/cacert.pem >> all_cacerts.pem

   To validating certificate use below command.

   keytool -import -alias server1 -file /path/to/server/cert.pem -keystore /path/to/rabbitstore

   
   If you want study more about this configuration, go to this link. Now we have finished configuration in server side and created certificates. In my next blog, I will continue this blog by specifying CEP side Configuration. :)