Posted to users@nifi.apache.org by Kiran <b....@gmail.com> on 2016/12/13 21:13:58 UTC

Re[2]: NiFi PublishAMQP using cert CN as username

Oleg,

Sorry for the delay, I've created the following JIRA ticket: 
https://issues.apache.org/jira/browse/NIFI-3193

If you need anything else added to the ticket give me a bell.

I'll attach my test application to the JIRA ticket this weekend.

Thanks,

Kiran

------ Original Message ------
From: "Oleg Zhurakousky" <oz...@hortonworks.com>
To: "users@nifi.apache.org" <us...@nifi.apache.org>; "Kiran" 
<b....@gmail.com>
Sent: 10/12/2016 13:21:41
Subject: Re: NiFi PublishAMQP using cert CN as username

>Brian
>
>Thank you for the detailed explanation.
>I don't believe you're doing anything wrong. We just need to add the 
>feature you describe (pulling credentials from certificate).
>
>Would you mind creating a JIRA ticket and, if at all possible, attaching the 
>sample code that demonstrates exactly what you're trying to accomplish?
>
>Cheers
>Oleg
>
>
>On Dec 10, 2016, at 03:52, Kiran <b....@gmail.com> 
>wrote:
>
>>Hello,
>>
>>I'm having a bit of trouble getting NiFi to talk to RabbitMQ using 
>>SSL. I've created some certificates using openssl and I have been 
>>successful in sending messages to RabbitMQ when I specify an SSL 
>>context and a username/password. In this scenario I can see a TLS 1.2 
>>HTTPS connection form between NiFi and RabbitMQ and the username and 
>>password used to then authenticate successfully, so from this I know 
>>that the certs being used are valid.
>>
>>What I'm trying to achieve is for the RabbitMQ username to be pulled 
>>out of the certificate COMMON_NAME so I don't need to provide a username 
>>and password. I've created a quick test application to confirm that I 
>>can connect successfully to RabbitMQ using the certs I created and 
>>just the certificate CN name and this worked, which means it must be 
>>something I've done wrong within my NiFi processor configuration which 
>>is why I'm sending this email for help :)
>>
>>The RabbitMQ configuration I'm using is:
>>  * RabbitMQ 3.5.4
>>  * Erlang 18.0
>>  * rabbitmq_auth_mechanism_ssl plugin enabled
>>  * Base OS is RHEL 6.5
>>My RabbitMQ.config contains the following:
>>[
>>   {rabbit, [
>>      {ssl_listeners, [5671]},
>>      {loopback_users, []},
>>      {auth_mechanisms, ['EXTERNAL', 'PLAIN']},
>>      {ssl_options, [{cacertfile,"/home/data/openssl/brian_testca/cacert.pem"},
>>                     {certfile,"/home/data/openssl/brian_server/cert.pem"},
>>                     {keyfile,"/home/data/openssl/brian_server/key.pem"},
>>                     {verify,verify_peer},
>>                     {versions, ['tlsv1.2']},
>>                     {password,  "MySecretPassword"},
>>                     {verify,verify_peer},
>>                     {ssl_cert_login_from, common_name},
>>                     {fail_if_no_peer_cert,true}]}
>>    ]}
>>].
>>
>>The NiFi configuration I'm using is:
>>  * NiFi 0.7.1 (We are in the process of updating to NiFi 1.1.0 but there 
>>    are some dependencies on other projects so it will happen just not for 
>>    a few months)
>>  * 2 Clusters each made up of 1 NCM and 3 Nodes
>>  * In the PublishAMQP I've put the certificate CN name into the 
>>    "username" field.
>>The client certificate I'm using to connect to RabbitMQ has a CN name 
>>of: "rabbitmq_client". There is an entry for it in the RabbitMQ users 
>>with NO PASSWORD set.
>>
>>Error message in the rabbitmq log files:
>>
>>=ERROR REPORT==== 7-Dec-2016::21:47:30 ===
>>closing AMQP connection <0.905.0> (192.168.137.1:54324 -> 192.168.137.128:5671):
>>{handshake_error,starting,0,
>>                  {amqp_error,access_refused,
>>                              "PLAIN login refused: user 'rabbitmq_client' - invalid credentials",
>>                              'connection.start_ok'}}
>>
>>Please can you tell me if there is something obvious that I've missed 
>>out in my NiFi configuration?
>>
>>I did have a very brief look at the code and I was thinking that 
>>because the USERNAME and PASSWORD were mandatory fields and always 
>>used to establish the connection it could be that RabbitMQ prioritises 
>>those fields before trying to pull out the CN name and using that for 
>>authentication. The reason I was thinking this was in the test app I 
>>created I didn't specify the username or password when setting up my 
>>ConnectionFactory but the RabbitMQ documentation says even if you 
>>don't specify the username and password they default to guest/guest so 
>>this could be a red herring.
>>
>>Thanks in advance for the help,
>>
>>Brian
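Brian's test application is not on the page, so the following is an added example (not Brian's code and not NiFi's PublishAMQP code) of what a RabbitMQ Java client needs in order to log in as the certificate CN against the broker config quoted above. The keystore paths and passwords are assumptions: the example presumes the rabbitmq_client cert and key have been converted to a PKCS12 file and the brian_testca CA cert imported into a JKS truststore.

```java
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;
import com.rabbitmq.client.DefaultSaslConfig;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.security.KeyStore;

public class CertCnLogin {
    // Loads a keystore from disk (PKCS12 for the client cert+key, JKS for the CA).
    static KeyStore load(String type, String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        return ks;
    }

    // TLS context that presents the client certificate (its CN is the RabbitMQ user)
    // and trusts only the test CA that signed the broker certificate.
    static SSLContext buildContext(String clientP12, char[] p12Pass,
                                   String caJks, char[] jksPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("PKCS12", clientP12, p12Pass), p12Pass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("JKS", caJks, jksPass));
        SSLContext ctx = SSLContext.getInstance("TLSv1.2"); // matches {versions, ['tlsv1.2']}
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed paths (not from the thread): client cert+key as PKCS12, CA cert in a JKS.
        SSLContext ctx = buildContext("/path/to/rabbitmq_client.p12", "changeit".toCharArray(),
                                      "/path/to/brian_testca.jks", "changeit".toCharArray());
        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost("192.168.137.128"); // broker address from the log excerpt
        factory.setPort(5671);              // the ssl_listeners port from rabbitmq.config
        factory.useSslProtocol(ctx);
        // The decisive step: select SASL EXTERNAL. With the client's default (PLAIN) the
        // broker receives a username/password and never consults ssl_cert_login_from,
        // which is what the "PLAIN login refused" error above shows. No setUsername/setPassword.
        factory.setSaslConfig(DefaultSaslConfig.EXTERNAL);
        Connection conn = factory.newConnection();
        try {
            System.out.println("Authenticated via certificate CN; broker " + conn.getAddress());
        } finally {
            conn.close();
        }
    }
}
```

useSslProtocol(ctx) validates the broker's certificate chain but not its hostname; newer Java client releases also offer factory.enableHostnameVerification(), which is worth adding where available.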

Re: NiFi PublishAMQP using cert CN as username

Posted by Oleg Zhurakousky <oz...@hortonworks.com>.
Kiran

No problems. I’ve just assigned it to myself. Will do our best to have it in the next release.
Cheers
Oleg
