Posted to users@qpid.apache.org by Paul Colby <pa...@colby.id.au> on 2011/11/17 04:08:26 UTC

broker clustering with SSL?

Hi,

I have a cluster of two Qpidd brokers - both C++ v0.12 (on CentOS 5.5).

Both brokers have been clustering very happily so far :)

Now, I've enabled both SASL and SSL on both brokers.

I have several client applications I've written that can authenticate, and
use SSL to talk successfully to either broker.  However, I can't get the
two brokers to cluster anymore (unless I disable SSL).

Specifically, if I start one broker, then everything is happy (clients
connect / send / receive etc).

But when I try to start a second broker, the second broker begins to start
up ok, but then stops after reporting "error Rejected un-encrypted
connection", and then shutting down the catch-up connection.

Is there something I need to do to tell the brokers to use SSL for their
catch-up connections?  Or is require-encryption=yes incompatible with
clustering?

Thanks!! :)

pc
----
http://colby.id.au

Re: broker clustering with SSL?

Posted by Paul Colby <pa...@colby.id.au>.
Thanks Gordon, those options look exactly like what I need to dig into :)

I'll have a play and report back my results :)

Thanks again,

pc
----
http://colby.id.au


On Fri, Nov 18, 2011 at 3:51 AM, Gordon Sim <gs...@redhat.com> wrote:

> On 11/17/2011 03:08 AM, Paul Colby wrote:
>
>> I have a cluster of two Qpidd brokers - both C++ v0.12 (on CentOS 5.5).
>>
>> Both brokers have been clustering very happily so far :)
>>
>> Now, I've enabled both SASL and SSL on both brokers.
>>
>> I have several client applications I've written that can authenticate, and
>> use SSL to talk successfully to either broker.  However, I can't get the
>> two brokers to cluster anymore (unless I disable SSL).
>>
>> Specifically, if I start one broker, then everything is happy (clients
>> connect / send / receive etc).
>>
>> But when I try to start a second broker, the second broker begins to start
>> up ok, but then stops after reporting "error Rejected un-encrypted
>> connection", and then shutting down the catch-up connection.
>>
>> Is there something I need to do to tell the brokers to use SSL for their
>> catch-up connections?  Or is require-encryption=yes incompatible with
>> clustering?
>>
>
> This is just a suggestion, but you could try setting --cluster-url to
> amqps://<fqdn>:<port>, e.g. amqps://myhost.mydomain.com:5671.
> The idea there is to get the update client (which I think is what is
> failing) to use SSL.
>
> An alternative might be to set --cluster-mechanism to DIGEST-MD5 along
> with a valid --cluster-username and --cluster-password. The idea there is
> to use a SASL encryption layer on the update client so as to avoid being
> excluded by the require-encryption=yes setting.
>
> I haven't verified either of these myself however...
>
>
> ---------------------------------------------------------------------
> Apache Qpid - AMQP Messaging Implementation
> Project:      http://qpid.apache.org
> Use/Interact: mailto:users-subscribe@qpid.apache.org
>
>

Re: broker clustering with SSL?

Posted by Gordon Sim <gs...@redhat.com>.
On 11/18/2011 05:02 AM, Paul Colby wrote:
> The trick, as you suggested, was to set the --cluster-url option on both
> brokers, however the URL format is a little different to what you
> suggested.

Oops, sorry I forgot the correct URL syntax there.

> For anyone else trying the same thing (or something similar),
> the format is as follows:
>
> cluster-url=amqp:ssl:<server-hostname-or-ip-address>:5671
>
> (note, the argument may be a comma-separated list, allowing the local
> broker to have more than one URL if appropriate).

Delighted to hear you got it working; thanks for reporting back!



Re: broker clustering with SSL?

Posted by Paul Colby <pa...@colby.id.au>.
Thanks Gordon,

You definitely pointed me in the right direction! :)

The trick, as you suggested, was to set the --cluster-url option on both
brokers, however the URL format is a little different to what you
suggested.  For anyone else trying the same thing (or something similar),
the format is as follows:

cluster-url=amqp:ssl:<server-hostname-or-ip-address>:5671

(note, the argument may be a comma-separated list, allowing the local
broker to have more than one URL if appropriate).

Thanks again!  Qpid rocks!!

pc
----
http://colby.id.au


On Fri, Nov 18, 2011 at 3:51 AM, Gordon Sim <gs...@redhat.com> wrote:

> On 11/17/2011 03:08 AM, Paul Colby wrote:
>
>> I have a cluster of two Qpidd brokers - both C++ v0.12 (on CentOS 5.5).
>>
>> Both brokers have been clustering very happily so far :)
>>
>> Now, I've enabled both SASL and SSL on both brokers.
>>
>> I have several client applications I've written that can authenticate, and
>> use SSL to talk successfully to either broker.  However, I can't get the
>> two brokers to cluster anymore (unless I disable SSL).
>>
>> Specifically, if I start one broker, then everything is happy (clients
>> connect / send / receive etc).
>>
>> But when I try to start a second broker, the second broker begins to start
>> up ok, but then stops after reporting "error Rejected un-encrypted
>> connection", and then shutting down the catch-up connection.
>>
>> Is there something I need to do to tell the brokers to use SSL for their
>> catch-up connections?  Or is require-encryption=yes incompatible with
>> clustering?
>>
>
> This is just a suggestion, but you could try setting --cluster-url to
> amqps://<fqdn>:<port>, e.g. amqps://myhost.mydomain.com:5671.
> The idea there is to get the update client (which I think is what is
> failing) to use SSL.
>
> An alternative might be to set --cluster-mechanism to DIGEST-MD5 along
> with a valid --cluster-username and --cluster-password. The idea there is
> to use a SASL encryption layer on the update client so as to avoid being
> excluded by the require-encryption=yes setting.
>
> I haven't verified either of these myself however...
>
>
>
>
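As an added example (not from the thread and not Qpid's own code), a small shell check that flags the configuration mismatch behind Paul's error: with require-encryption=yes, every entry in cluster-url has to use the amqp:ssl: form he reported, or the joining broker's catch-up connection is rejected. The sample qpidd.conf contents, the hostnames, and the auth/ssl-port/cluster-name option names are my assumptions; only require-encryption and cluster-url come from the thread.

```shell
# Added example (not from the thread): lint a qpidd.conf for the mismatch Paul hit.
# With require-encryption=yes the broker rejects every unencrypted connection,
# including the catch-up (update) connection a joining broker opens to the
# address in cluster-url, so each comma-separated cluster-url entry must use
# the amqp:ssl: form that worked for him.
check_qpidd_conf() {
    conf="$1"
    require=$(sed -n 's/^require-encryption=//p' "$conf" | tail -n 1)
    urls=$(sed -n 's/^cluster-url=//p' "$conf" | tail -n 1)
    [ "$require" = "yes" ] || return 0   # encryption not enforced: nothing to check
    if [ -z "$urls" ]; then
        echo "cluster-url unset: the catch-up connection defaults to an unencrypted URL and is rejected"
        return 1
    fi
    rc=0
    # URLs never contain spaces, so turning commas into spaces is a safe split.
    for url in $(printf '%s\n' "$urls" | tr ',' ' '); do
        case "$url" in
            amqp:ssl:*) ;;
            *) echo "non-SSL cluster-url entry '$url' will be rejected"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample configs (hostnames and option names other than
# require-encryption/cluster-url are assumed, not taken from the thread).
GOOD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
auth=yes
ssl-port=5671
require-encryption=yes
cluster-name=demo-cluster
cluster-url=amqp:ssl:broker1.example.com:5671,amqp:ssl:192.0.2.10:5671
EOF

BAD_CONF=$(mktemp)
cat >"$BAD_CONF" <<'EOF'
auth=yes
ssl-port=5671
require-encryption=yes
cluster-name=demo-cluster
cluster-url=amqp:ssl:broker1.example.com:5671,amqp:tcp:broker1.example.com:5672
EOF

check_qpidd_conf "$GOOD_CONF" && echo "ok: $GOOD_CONF"
check_qpidd_conf "$BAD_CONF"  || echo "fix needed: $BAD_CONF"
```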

Re: broker clustering with SSL?

Posted by Gordon Sim <gs...@redhat.com>.
On 11/17/2011 03:08 AM, Paul Colby wrote:
> I have a cluster of two Qpidd brokers - both C++ v0.12 (on CentOS 5.5).
>
> Both brokers have been clustering very happily so far :)
>
> Now, I've enabled both SASL and SSL on both brokers.
>
> I have several client applications I've written that can authenticate, and
> use SSL to talk successfully to either broker.  However, I can't get the
> two brokers to cluster anymore (unless I disable SSL).
>
> Specifically, if I start one broker, then everything is happy (clients
> connect / send / receive etc).
>
> But when I try to start a second broker, the second broker begins to start
> up ok, but then stops after reporting "error Rejected un-encrypted
> connection", and then shutting down the catch-up connection.
>
> Is there something I need to do to tell the brokers to use SSL for their
> catch-up connections?  Or is require-encryption=yes incompatible with
> clustering?

This is just a suggestion, but you could try setting --cluster-url to 
amqps://<fqdn>:<port>, e.g. amqps://myhost.mydomain.com:5671. The idea 
there is to get the update client (which I think is what is failing) to 
use SSL.

An alternative might be to set --cluster-mechanism to DIGEST-MD5 along 
with a valid --cluster-username and --cluster-password. The idea there 
is to use a SASL encryption layer on the update client so as to avoid 
being excluded by the require-encryption=yes setting.

I haven't verified either of these myself however...



Re: broker clustering with SSL?

Posted by Paul Colby <pa...@colby.id.au>.
Hi Hamid,

Sorry, I've only used Qpid+SSL on Linux so far - there the SSL cert details
are specified via environment variables, but not on Windows.

Have a read of this thread -
http://apache-qpid-users.2158936.n2.nabble.com/SSL-and-C-client-anyone-have-a-complete-example-td4030718.html
(search the text for "Windows").

Specifically, Steve Huston wrote:

"The Windows SSL support is via built-in SSL support in Windows, not
via NSS as the Linux version is. So the Windows certificate handling
is used.

Try this...

On your Windows system, start IE (not another browser) and connect to <your
qpid broker>:5671 (assuming your broker is listening for SSL on port 5671).

You'll probably get a certificate error from IE. Follow the prompts to
import it.

Now try your client.

-Steve"

Hope that helps.

pc.

On Fri, Nov 18, 2011 at 2:38 AM, Hamid.Shahid <ha...@hotmail.com> wrote:

> Hi Paul,
>
> I am running a broker on my Windows machine and I am trying to make a Qpidd
> client in C++ on Windows. I want to enable SSL on my
> client and I am not yet able to find out how to pass the certificate
> information to the connection object. I am doing something like the following;
> can you please let me know where I should bind the SSL certificate?
>
>    ... . . . . ..
>    Connection connection(broker);
>    connection.setOption("transport", "ssl");
>    connection.setOption("sasl_mechanisms", "EXTERNAL");
>    try {
>        std::cout << "Opening connection" << std::endl;
>        connection.open();
>        std::cout << "Creating a session" << std::endl;
>        Session session = connection.createSession();
>        .. .. . . .. . .
>
>
> Thank you.
>
> regards,
> Hamid.
>

Re: broker clustering with SSL?

Posted by "Hamid.Shahid" <ha...@hotmail.com>.
Hi Paul,

I am running a broker on my Windows machine and I am trying to make a Qpidd
client in C++ on Windows. I want to enable SSL on my
client and I am not yet able to find out how to pass the certificate
information to the connection object. I am doing something like the following;
can you please let me know where I should bind the SSL certificate?

    #include <qpid/messaging/Connection.h>
    #include <qpid/messaging/Session.h>
    #include <iostream>
    #include <string>
    int main() {
        std::string broker = "myhost.mydomain.com:5671";  // placeholder: the broker's SSL listener
        qpid::messaging::Connection connection(broker);
        connection.setOption("transport", "ssl");
        connection.setOption("sasl_mechanisms", "EXTERNAL");
        try {
            std::cout << "Opening connection" << std::endl;
            connection.open();
            std::cout << "Creating a session" << std::endl;
            qpid::messaging::Session session = connection.createSession();
            connection.close();
        } catch (const std::exception& error) {
            std::cerr << error.what() << std::endl;  // open() fails here if the SSL/certificate setup is wrong
            return 1;
        }
    }


Thank you.

regards, 
Hamid.
