Thursday, August 18, 2016

RabbitMQ SSL connection Using RabbitMQ Event Adpter in WSO2 CEP- Part 1

Hi all,

I am writing this blog by assuming you are familiar with RabbitMQ Broker. Here I mainly focus on Securing the connection between RabbirMQ Message Broker and WSO2 CEP. That means how to receive secure messages from RabbitMQ Broker from WSO2 CEP Receiver. The use case here going to explain is, CEP is going to act as a consumer and consumes messages from RabbitMQ server. So simply CEP will act as a Client and RabbitMQ Server Will act as the Server.

 Introduction to RabbitMQ SSL connection

In normal connection we send messages without secure. But some confidential information like credit card number, we can not send without secure. For that purpose, we use SSL. SSL stands for Secure Sockets Layer. SSL allows sensitive information to be transmitted securely. This layer ensures that all data passed between the server and client remain private and integral. SSL is an industry standard. SSL is a security protocol. Protocols describe how algorithms should be used. In this case, the SSL protocol determines variables of the encryption for both the link and the data being transmitted.

Steps 

  1.  As First Step we need to create own certificate Authority.
    • For that in terminal and go to specific folder (location) by using cd command.
    • Then use below commands.
      • $ mkdir testca
      • $ cd testca
      • $ mkdir certs private
      • $ chmod 700 private
      • $ echo 01 > serial
      • $ touch index.txt
    • Then create a new file using the following command, inside the tesca directory.  
      • $ gedit openssl.cnf

        When we using this commanda file will open in gedit. So copy and paste following thing and save it.

        [ ca ]
        default_ca = testca
        
        [ testca ]
        dir = .
        certificate = $dir/cacert.pem
        database = $dir/index.txt
        new_certs_dir = $dir/certs
        private_key = $dir/private/cakey.pem
        serial = $dir/serial
        
        default_crl_days = 7
        default_days = 365
        default_md = sha256
        
        policy = testca_policy
        x509_extensions = certificate_extensions
        
        [ testca_policy ]
        commonName = supplied
        stateOrProvinceName = optional
        countryName = optional
        emailAddress = optional
        organizationName = optional
        organizationalUnitName = optional
        
        [ certificate_extensions ]
        basicConstraints = CA:false
        
        [ req ]
        default_bits = 2048
        default_keyfile = ./private/cakey.pem
        default_md = sha256
        prompt = yes
        distinguished_name = root_ca_distinguished_name
        x509_extensions = root_ca_extensions
        
        [ root_ca_distinguished_name ]
        commonName = hostname
        
        [ root_ca_extensions ]
        basicConstraints = CA:true
        keyUsage = keyCertSign, cRLSign
        
        [ client_ca_extensions ]
        basicConstraints = CA:false
        keyUsage = digitalSignature
        extendedKeyUsage = 1.3.6.1.5.5.7.3.2
        
        [ server_ca_extensions ]
        basicConstraints = CA:false
        keyUsage = keyEncipherment
        extendedKeyUsage = 1.3.6.1.5.5.7.3.1
        
        • Now we can generate the key and certificates that our test Certificate Authority will use. Still within the testca directory:
          $ openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=MyTestCA/ -nodes
          $ openssl x509 -in cacert.pem -out cacert.cer -outform DER

  2.  Generating certificate and key for the Server
    • Apply following commands. (Assuming you are still in testca folder)
      • $ cd ..
        $ ls
        testca
        $ mkdir server
        $ cd server
        $ openssl genrsa -out key.pem 2048
        $ openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=$(hostname)/O=server/ -nodes
        $ cd ../testca
        $ openssl ca -config openssl.cnf -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions server_ca_extensions
        $ cd ../server
        $ openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:MySecretPassword
         
  3.  Generating certificate and key for the client
    •  Apply following commands.
      • $ cd ..
        $ ls
        server testca
        $ mkdir client
        $ cd client
        $ openssl genrsa -out key.pem 2048
        $ openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=$(hostname)/O=client/ -nodes
        $ cd ../testca
        $ openssl ca -config openssl.cnf -in ../client/req.pem -out ../client/cert.pem -notext -batch -extensions client_ca_extensions
        $ cd ../client
        $ openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:MySecretPassword
         
  4. Configuring RabbitMQ Server
    To enable the SSL support in RabbitMQ, we need to provide to RabbitMQ the location of the root certificate, the server's certificate file, and the server's key. We also need to tell it to listen on a socket that is going to be used for SSL connections, and we need to tell it whether it should ask for clients to present certificates, and if the client does present a certificate, whether we should accept the certificate if we can't establish a chain of trust to it.

    For that we need to create file inside "/etc/rabbitmq". You have to name the file as "rabbitmq.config". Inside the file copy and paste following configuration.

    [
      {rabbit, [
         {ssl_listeners, [5671]},
         {ssl_options, [{cacertfile,"/path/to/testca/cacert.pem"},
                        {certfile,"/path/to/server/cert.pem"},
                        {keyfile,"/path/to/server/key.pem"},
                        {verify,verify_peer},
                        {fail_if_no_peer_cert,false}]}
       ]}
    ].
  5. Trust the Client's Root CA
    Use the following command.
    $ cat testca/cacert.pem >> all_cacerts.pem
     
    To validating certificate use below command.
     
    keytool -import -alias server1 -file /path/to/server/cert.pem -keystore /path/to/rabbitstore

    If you want study more about this configuration, go to this link. Now we have finished configuration in server side and created certificates. In my next blog, I will continue this blog by specifying CEP side Configuration. :)

No comments:

Post a Comment