Posted to users@qpid.apache.org by MartiN Beneš <ma...@gmail.com> on 2012/01/18 19:17:55 UTC
c++ broker federation over ssl
Hello,
I've been playing with c++ broker federation recently and have some
questions.
I am trying to setup a push exchange federation from source broker to
destination broker.
The brokers are both version 0.10
The federation is set up using a command similar to:
$ qpid-route route add dst_broker:1888 admin/1234@src_broker:1889 -s -d -t ssl "my.exchange" "#"
This setup seems alright. Messages are passing through, however:
1) When I stop the destination broker and start it again, the following log
messages start to appear at roughly 2s intervals:
the destination broker:
2012-01-18 18:50:36 info SASL: Mechanism list: PLAIN
2012-01-18 18:50:36 warning Client closed connection with 541:
internal-error: Sasl error: SASL(-4): no mechanism available: No worthy
mechs found (qpid/SaslFactory.cpp:280)
2012-01-18 18:50:38 info SASL: Mechanism list: PLAIN
2012-01-18 18:50:38 warning Client closed connection with 541:
internal-error: Sasl error: SASL(-4): no mechanism available: No worthy
mechs found (qpid/SaslFactory.cpp:280)
2012-01-18 18:50:40 info SASL: Mechanism list: PLAIN
source broker:
2012-01-18 18:50:56 info Inter-broker link established to dst_broker:1888
2012-01-18 18:50:56 info Inter-broker link disconnected from
dst_broker:1888 Closed by peer
The link never gets reconnected until I restart the source broker as well.
After that everything works well again.
2) When I try to remove the route using the following command:
$ qpid-route route del dst_broker:1888 admin/1234@src_broker:1889 -s -d -t ssl "my.exchange" "#"
both brokers start logging rapidly, quickly filling up all disk space with
the log file.
destination broker log:
2012-01-18 18:16:37 error Channel exception: not-attached: Channel 1 is not
attached (qpid/amqp_0_10/SessionHandler.cpp:39)
2012-01-18 18:16:37 error Channel exception: not-attached: Channel 1 is not
attached (qpid/amqp_0_10/SessionHandler.cpp:39)
2012-01-18 18:16:37 error Channel exception: not-attached: Channel 1 is not
attached (qpid/amqp_0_10/SessionHandler.cpp:39)
source broker log:
2012-01-18 18:16:35 error Channel exception: not-attached: Channel 1 is not
attached (qpid/amqp_0_10/SessionHandler.cpp:39)
2012-01-18 18:16:35 error Channel exception: not-attached: Channel 1 is not
attached (qpid/amqp_0_10/SessionHandler.cpp:39)
2012-01-18 18:16:35 error Channel exception: not-attached: Channel 1 is not
attached (qpid/amqp_0_10/SessionHandler.cpp:39)
What could that mean? Perhaps a bug? Certainly a nice way to DoS my
destination broker, while only needing the ACL rights to create a link.
3) The automatically created bridge queue (bridge_queue_2_UUID) on the
source broker seems to always have the durable flag disabled. I might have
done something wrong. I will retest it soon, but might this be by design?
In that case, if I wanted to be able to send messages to the src broker
while the link src -> dst is down, and have all the messages resent to
the destination broker once the link is up again, what should I do?
Use a queue route and have the source queue set to durable manually?
4) Why does no link appear in qpid-tool on the destination router in
push mode? Is there a way to tell how many federated brokers are connected
to the destination broker?
Regards
Martin
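The two log signatures Martin describes (the SASL mechanism reconnect loop after the destination restart, and the not-attached flood after route deletion) are exactly what a broker operator should alert on before the disk fills. The following is an added example, not code from the thread or from Qpid: a small Python check run over constructed log lines modelled on the excerpts above; the thresholds and function names are my own assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# qpidd log format: "YYYY-MM-DD HH:MM:SS <level> <message>"; wrapped lines carry no timestamp.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) (.*)$")

def parse_qpidd_log(lines):
    """Return (timestamp, level, message) tuples, joining continuation lines to the previous record."""
    records = []
    for raw in lines:
        m = LINE_RE.match(raw)
        if m:
            records.append([datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)])
        elif records and raw.strip():
            records[-1][2] += " " + raw.strip()
    return [tuple(r) for r in records]

def analyse_federation_log(lines, sasl_repeats=3, flood_per_second=3):
    """Flag a SASL mechanism-mismatch reconnect loop (repeated 'no mechanism available'
    warnings) and a per-second flood of 'not-attached' channel exceptions (disk-filling)."""
    records = parse_qpidd_log(lines)
    sasl_times = [t for t, lvl, msg in records if lvl == "warning" and "no mechanism available" in msg]
    flood = Counter(t for t, lvl, msg in records if lvl == "error" and "not-attached" in msg)
    findings = []
    if len(sasl_times) >= sasl_repeats:
        span = (sasl_times[-1] - sasl_times[0]).total_seconds()
        findings.append("sasl-loop: %d mechanism failures in %ds; check mech_list on both brokers"
                        % (len(sasl_times), span))
    for ts, n in sorted(flood.items()):
        if n >= flood_per_second:
            findings.append("not-attached-flood: %d channel exceptions at %s" % (n, ts.strftime("%H:%M:%S")))
    return findings

# Constructed sample modelled on the excerpts in the mail above (not a real capture).
SAMPLE = """\
2012-01-18 18:16:37 error Channel exception: not-attached: Channel 1 is not attached (qpid/amqp_0_10/SessionHandler.cpp:39)
2012-01-18 18:16:37 error Channel exception: not-attached: Channel 1 is not attached (qpid/amqp_0_10/SessionHandler.cpp:39)
2012-01-18 18:16:37 error Channel exception: not-attached: Channel 1 is not attached (qpid/amqp_0_10/SessionHandler.cpp:39)
2012-01-18 18:50:36 info SASL: Mechanism list: PLAIN
2012-01-18 18:50:36 warning Client closed connection with 541:
internal-error: Sasl error: SASL(-4): no mechanism available: No worthy
mechs found (qpid/SaslFactory.cpp:280)
2012-01-18 18:50:38 warning Client closed connection with 541:
internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
2012-01-18 18:50:40 warning Client closed connection with 541:
internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
""".splitlines()
```

Feed it a broker's log file with `analyse_federation_log(open(path))`; a non-empty result is the cue to check the SASL mech_list on both brokers or to stop the runaway link before the log partition fills.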
Re: c++ broker federation over ssl
Posted by wei6rong <we...@hotmail.com>.
hi Martin,
it looks like you have set up the qpid route SSL link successfully.
I currently want to set up a queue route between my 2 c++ brokers
running 0.16; after putting a lot of effort into it, I couldn't get it
done either.
The scenario is as follows:
I started the 2 qpidd instances, each with one of the following two configuration files.
qpidd --config ./qpidd.9997.conf
*** qpidd.9997.conf content ***
data-dir=/root/qpidd_test_dir/9997/data
pid-dir=/root/qpidd_test_dir/9997
auth=yes
realm=devbox
require-encryption=yes
port=5677
log-to-file=/root/qpidd_test_dir/qpidd-9997.log
ssl-cert-db=/root/Downloads/qpid-0.16/cpp/src/tests/test_cert_db
ssl-cert-password-file=/root/Downloads/qpid-0.16/cpp/src/tests/cert.password
ssl-cert-name=127.0.0.1
ssl-port=9997
transport=ssl
qpidd --config ./qpidd.9998.conf
*** qpidd.9998.conf content ***
data-dir=/root/qpidd_test_dir/9998/data
pid-dir=/root/qpidd_test_dir/9998
auth=yes
realm=devbox
require-encryption=yes
port=5678
log-to-file=/root/qpidd_test_dir/qpidd-9998.log
ssl-cert-db=/root/Downloads/qpid-0.16/cpp/src/tests/test_cert_db
ssl-cert-password-file=/root/Downloads/qpid-0.16/cpp/src/tests/cert.password
ssl-cert-name=127.0.0.1
ssl-port=9998
transport=ssl
We want to set up an SSL route between them.
I have set the SASL mechanism (PLAIN) for authentication of the 2 qpidd brokers;
the username/password is qpidd/qpidd.
ssl.so is loaded by default for both qpidd instances.
A single db with a single self-signed certificate is set up using the
following commands:
mkdir test_cert_db
certutil -N -d test_cert_db -f cert.password
certutil -S -d test_cert_db -n "127.0.0.1" \
-s "CN=127.0.0.1" -t "CT,," -x \
-f cert.password -z /usr/bin/certutil
What is the right command to set up federation using transport ssl?
For example, route messages from broker (port=5677) to broker (port=5678);
the exchange name is "my.exchange".
I have tried the following qpid-route command:
[root@MQServer1 ~]# qpid-route route add localhost:5678 qpidd/qpidd@localhost:5677 -s -d -t ssl "my.exchange" "#"
Failed: ConnectionFailed - (None, 'No acceptable SASL authentication mechanism available')
It fails.
Can you give some advice on this? Are there any successfully working
examples?
thanks
weirong
--
View this message in context: http://qpid.2158936.n2.nabble.com/c-broker-federation-over-ssl-tp7201044p7579681.html
Sent from the Apache Qpid users mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: c++ broker federation over ssl
Posted by wei6rong <we...@hotmail.com>.
hi all,
I got over it after adding SASL EXTERNAL support.
I am using this SASL configuration file:
/etc/sasl2/qpidd.conf
Change the mech_list option to:
mech_list:PLAIN EXTERNAL
The qpid-route command is as follows:
qpid-route --client-sasl-mechanism=PLAIN -t ssl queue add qpidd/qpidd@localhost:5807 127.0.0.1:6667 sasl_fedex sasl_fed_queue EXTERNAL
Later I checked it using qpid-route:
#qpid-route link list qpidd/qpidd@localhost:5807
Host Port Transport Durable State Last Error
=============================================================================
127.0.0.1 6667 ssl N Operational
It looks successful.
I can now use the following two commands to transfer messages:
./drain -f -b qpidd/qpidd@172.26.181.101:5807 sasl_fed_queue
./spout -b qpidd/qpidd@172.26.181.101:5801 sasl_fed_queue aadgag
Hope this helps anyone looking for help with SSL route links.
Best Regards
weirong
--
View this message in context: http://qpid.2158936.n2.nabble.com/c-broker-federation-over-ssl-tp7201044p7580026.html
Re: c++ broker federation over ssl
Posted by wei6rong <we...@hotmail.com>.
hi all,
I have set up the qpid SSL link successfully by referring to
qpid-0.16/cpp/src/tests/sasl_fex_ex.
The process is as follows:
TEST 1:
/root/Downloads/qpid-0.16/cpp/src/.libs/lt-qpidd --port=5801 --ssl-port 6667 \
  --ssl-sasl-no-dict \
  --sasl-config=/root/Downloads/qpid-0.16/cpp/src/tests/sasl_config \
  --ssl-require-client-authentication --auth yes \
  --ssl-cert-db /root/Downloads/qpid-0.16/cpp/src/tests/test_cert_db \
  --ssl-cert-password-file /root/Downloads/qpid-0.16/cpp/src/tests/cert.password \
  --ssl-cert-name 127.0.0.1 --no-data-dir --no-module-dir \
  --load-module /root/Downloads/qpid-0.16/cpp/src/.libs/ssl.so --mgmt-enable=yes \
  --log-enable info+ --log-source yes --daemon \
  --log-to-file /root/Downloads/qpid-0.16/cpp/src/tests/sasl_fed_ex_temp/qpidd_src.log
/root/Downloads/qpid-0.16/cpp/src/.libs/lt-qpidd --port=5807 --ssl-port 6666 \
  --ssl-sasl-no-dict \
  --sasl-config=/root/Downloads/qpid-0.16/cpp/src/tests/sasl_config \
  --ssl-require-client-authentication --auth yes \
  --ssl-cert-db /root/Downloads/qpid-0.16/cpp/src/tests/test_cert_db \
  --ssl-cert-password-file /root/Downloads/qpid-0.16/cpp/src/tests/cert.password \
  --ssl-cert-name 127.0.0.1 --no-data-dir --no-module-dir \
  --load-module /root/Downloads/qpid-0.16/cpp/src/.libs/ssl.so --mgmt-enable=yes \
  --log-enable info+ --log-source yes --daemon \
  --log-to-file /root/Downloads/qpid-0.16/cpp/src/tests/sasl_fed_ex_temp/qpidd_dst.log
qpid-config -b localhost:5801 add exchange direct sasl_fedex
qpid-config -b localhost:5807 add exchange direct sasl_fedex
qpid-config -b localhost:5801 add queue sasl_fed_queue
qpid-config -b localhost:5807 add queue sasl_fed_queue
qpid-config -b localhost:5801 bind sasl_fedex sasl_fed_queue sasl_fed_queue
qpid-config -b localhost:5807 bind sasl_fedex sasl_fed_queue sasl_fed_queue
# as said in sasl_fex_ex
# NOTE: The SRC broker *must* be referred to as $TEST_HOSTNAME, and not as "localhost".
# It must be referred to by the exact string given as the Common Name (CN) in the cert,
# which was created in the function create_certs,
mine is 127.0.0.1
qpid-route -t ssl queue add localhost:5807 127.0.0.1:6667 sasl_fedex sasl_fed_queue
Later we can receive with drain the message sent by spout:
./drain -f -b localhost:5807 sasl_fed_queue
./spout -b localhost:5801 sasl_fed_queue aadgag
But all this refers to:
#######################################
# Understanding this Plumbing
#######################################
# 1. when you establish the route with qpid-route,
# here is the best terminology to use:
#
# qpid-route route add DST SRC
#
# 2. DST will connect to SRC through the ssl port of SRC.
#
# 3. sender client connects to the tcp port of SRC.
#
# 4. sender specifies mechanism ANONYMOUS.
#
# 5. DST pulls messages off the temp queue on SRC to itself.
#
But if I use the SASL PLAIN mechanism with the SSL link as follows:
TEST 2:
/root/Downloads/qpid-0.16/cpp/src/.libs/lt-qpidd --port=5801 --realm devbox \
  --ssl-port 6667 --ssl-sasl-no-dict --ssl-require-client-authentication \
  --auth yes --ssl-cert-db /root/Downloads/qpid-0.16/cpp/src/tests/test_cert_db \
  --ssl-cert-password-file /root/Downloads/qpid-0.16/cpp/src/tests/cert.password \
  --ssl-cert-name 127.0.0.1 --no-data-dir --no-module-dir \
  --load-module /root/Downloads/qpid-0.16/cpp/src/.libs/ssl.so --mgmt-enable=yes \
  --log-enable info+ --log-source yes --daemon \
  --log-to-file /root/Downloads/qpid-0.16/cpp/src/tests/sasl_fed_ex_temp/qpidd_src.log
/root/Downloads/qpid-0.16/cpp/src/.libs/lt-qpidd --port=5807 --realm devbox \
  --ssl-port 6666 --ssl-sasl-no-dict --ssl-require-client-authentication \
  --auth yes --ssl-cert-db /root/Downloads/qpid-0.16/cpp/src/tests/test_cert_db \
  --ssl-cert-password-file /root/Downloads/qpid-0.16/cpp/src/tests/cert.password \
  --ssl-cert-name 127.0.0.1 --no-data-dir --no-module-dir \
  --load-module /root/Downloads/qpid-0.16/cpp/src/.libs/ssl.so --mgmt-enable=yes \
  --log-enable info+ --log-source yes --daemon \
  --log-to-file /root/Downloads/qpid-0.16/cpp/src/tests/sasl_fed_ex_temp/qpidd_dst.log
qpid-config --sasl-mechanism=PLAIN -b qpidd/qpidd@localhost:5801 add exchange direct sasl_fedex
qpid-config --sasl-mechanism=PLAIN -b qpidd/qpidd@localhost:5807 add exchange direct sasl_fedex
qpid-config --sasl-mechanism=PLAIN -b qpidd/qpidd@localhost:5801 add queue sasl_fed_queue
qpid-config --sasl-mechanism=PLAIN -b qpidd/qpidd@localhost:5807 add queue sasl_fed_queue
qpid-config --sasl-mechanism=PLAIN -b qpidd/qpidd@localhost:5801 bind sasl_fedex sasl_fed_queue sasl_fed_queue
qpid-config --sasl-mechanism=PLAIN -b qpidd/qpidd@localhost:5807 bind sasl_fedex sasl_fed_queue sasl_fed_queue
qpid-route --client-sasl-mechanism=PLAIN -t ssl queue del qpidd/qpidd@localhost:5807 127.0.0.1:6667 sasl_fedex sasl_fed_queue EXTERNAL
this qpid-route command seems not to execute successfully.
I used the following command to check it:
qpid-route --client-sasl-mechanism=PLAIN link list qpidd/qpidd@localhost:5807
Can someone give me some clues about how to use the [mechanism] option of the
qpid-route queue add command?
How can I get through this setup?
thanks
--
View this message in context: http://qpid.2158936.n2.nabble.com/c-broker-federation-over-ssl-tp7201044p7579732.html