nifi-users mailing list archives

From Kiran <>
Subject Re[2]: NiFi PlublishAMQP using cert CN as username
Date Tue, 13 Dec 2016 21:13:58 GMT

Sorry for the delay, I've created the following JIRA ticket:

If you need anything else added to the ticket give me a bell.

I'll attach my test application to the JIRA ticket this weekend.



------ Original Message ------
From: "Oleg Zhurakousky" <>
To: "" <>; "Kiran" 
Sent: 10/12/2016 13:21:41
Subject: Re: NiFi PlublishAMQP using cert CN as username

>Thank you for detailed explanation.
>I don't believe you're doing anything wrong. We just need to add the 
>feature you describe (pulling credentials from certificate).
>Would you mind creating JIRA ticket and if at all possible attach the 
>sample code that demonstrates exactly what you're trying to accomplish?
>On Dec 10, 2016, at 03:52, Kiran <> 
>>I'm having a bit of trouble getting NiFi to talk to RabbitMQ using 
>>SSL. I've created some certificates using the openssl and I have been 
>>successful in sending messages to RabbitMQ when I specify an SSL 
>>context and a username/password. In this scenario I can see a TLS 1.2 
>>HTTPS connection form between NiFi and RabbitMQ and the username and 
>>password used to then authenticate successfully, so from this I know 
>>that the certs being used are valid.
>>What I'm trying to achieve is for the RabbitMQ username to be pulled 
>>out of the certificate COMMON_NAME so I don't need to provide a username 
>>and password. I've created a quick test application to confirm that I 
>>can connect successfully to RabbitMQ using the certs I created and 
>>just the certificate CN name and this worked, which means it must be 
>>something I've done wrong within my NiFi processor configuration which 
>>is why I'm sending this email for help :)
>>The RabbitMQ configuration I'm using is:
>>RabbitMQ 3.5.4
>>Erlang 18.0
>>rabbitmq_auth_mechanism_ssl plugin enabled
>>Base OS is RHEL 6.5
>>My RabbitMQ.config contains the following:
>>   {rabbit, [
>>      {ssl_listeners, [5671]},
>>      {loopback_users, []},
>>      {auth_mechanisms, ['EXTERNAL', 'PLAIN']},
>>      {ssl_options, [
>>                     {verify,verify_peer},
>>                     {versions, ['tlsv1.2']},
>>                     {password,  "MySecretPassword"},
>>                     {verify,verify_peer},
>>                     {ssl_cert_login_from, common_name},
>>                     {fail_if_no_peer_cert,true}]}
>>    ]}
>>The NiFi configuration I'm using is:
>>NiFi 0.7.1 (We are in the process of updating to NiFi 1.1.0 but there 
>>are some dependencies on other projects so it will happen just not for 
>>a few months)
>>2 Clusters each made up of 1 NCM and 3 Nodes
>>In the PublishAMQP I've put the certificate CN name into the 
>>"username" field.
>>The client certificate I'm using to connect to RabbitMQ has a CN name 
>>of: "rabbitmq_client". There is an entry for it in the RabbitMQ users 
>>with NO PASSWORD set.
>>Error message in the rabbitmq log files:
>>=ERROR REPORT==== 7-Dec-2016::21:47:30 ===
>>closing AMQP connection <0.905.0> ( -> 
>>                  {amqp_error,access_refused,
>>                              "PLAIN login refused: user 
>>'rabbitmq_client' - invalid credentials",
>>                              'connection.start_ok'}}
>>Please can you tell me if there is something obvious that I've missed 
>>out in my NiFi configuration?
>>I did have a very brief look at the code and I was thinking that 
>>because the USERNAME and PASSWORD were mandatory fields and always 
>>used to establish the connection it could be that RabbitMQ prioritises 
>>those fields before trying to pull out the CN name and using that for 
>>authentication. The reason I was thinking this was in the test app I 
>>created I didn't specify the username or password when setting up my 
>>ConnectionFactory but the RabbitMQ documentation says even if you 
>>don't specify the username and password they default to guest/guest so 
>>this could be a red herring.
>>Thanks in advance for the help,
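The broker log in this thread shows a PLAIN login being refused, while the broker config offers both 'EXTERNAL' and 'PLAIN'. The following is an added example, not code from the thread or from NiFi, of a RabbitMQ Java client (amqp-client) that selects the EXTERNAL SASL mechanism so the broker takes the username from the client certificate. The keystore paths, passwords, host and queue name are placeholder assumptions passed in or named for illustration.

```java
import com.rabbitmq.client.Channel;
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;
import com.rabbitmq.client.DefaultSaslConfig;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

public class ExternalAuthPublish {
    // Load a keystore of the given type from disk.
    static KeyStore load(String type, String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: broker host, client PKCS12 file, its password,
        // JKS truststore holding the broker's CA, its password.
        char[] keyPass = args[2].toCharArray();
        char[] trustPass = args[4].toCharArray();
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("PKCS12", args[1], keyPass), keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("JKS", args[3], trustPass));
        SSLContext tls = SSLContext.getInstance("TLSv1.2");
        tls.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost(args[0]);
        factory.setPort(5671); // ssl_listeners port from the broker config above
        factory.useSslProtocol(tls);
        // The client's default SASL config is PLAIN with the factory's
        // username/password; EXTERNAL sends no password at all.
        factory.setSaslConfig(DefaultSaslConfig.EXTERNAL);
        Connection conn = factory.newConnection();
        try {
            Channel ch = conn.createChannel();
            // "example.queue" is a placeholder and is assumed to exist already.
            ch.basicPublish("", "example.queue", null, "hello".getBytes("UTF-8"));
        } finally {
            conn.close();
        }
    }
}
```

With `ssl_cert_login_from` set to `common_name`, the broker maps the connection to the user named by the certificate CN, so that user must exist and have permissions on the virtual host.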