nifi-users mailing list archives

From Kiran <b.deep.internatio...@gmail.com>
Subject Re[2]: NiFi PlublishAMQP using cert CN as username
Date Tue, 13 Dec 2016 21:13:58 GMT
Oleg,

Sorry for the delay, I've created the following JIRA ticket: 
https://issues.apache.org/jira/browse/NIFI-3193

If you need anything else added to the ticket give me a bell.

I'll attach my test application to the JIRA ticket this weekend.

Thanks,

Kiran

------ Original Message ------
From: "Oleg Zhurakousky" <ozhurakousky@hortonworks.com>
To: "users@nifi.apache.org" <users@nifi.apache.org>; "Kiran" 
<b.deep.international@gmail.com>
Sent: 10/12/2016 13:21:41
Subject: Re: NiFi PlublishAMQP using cert CN as username

>Brian
>
>Thank you for the detailed explanation.
>I don't believe you're doing anything wrong. We just need to add the 
>feature you describe (pulling credentials from certificate).
>
>Would you mind creating a JIRA ticket and, if at all possible, attaching 
>the sample code that demonstrates exactly what you're trying to accomplish?
>
>Cheers
>Oleg
>
>
>On Dec 10, 2016, at 03:52, Kiran <b.deep.international@gmail.com> 
>wrote:
>
>>Hello,
>>
>>I'm having a bit of trouble getting NiFi to talk to RabbitMQ using 
>>SSL. I've created some certificates using openssl and I have been 
>>successful in sending messages to RabbitMQ when I specify an SSL 
>>context and a username/password. In this scenario I can see a TLS 1.2 
>>HTTPS connection form between NiFi and RabbitMQ and the username and 
>>password used to then authenticate successfully, so from this I know 
>>that the certs being used are valid.
>>
>>What I'm trying to achieve is for the RabbitMQ username to be pulled 
>>out of the certificate COMMON_NAME so I don't need to provide a username 
>>and password. I've created a quick test application to confirm that I 
>>can connect successfully to RabbitMQ using the certs I created and 
>>just the certificate CN name and this worked, which means it must be 
>>something I've done wrong within my NiFi processor configuration, which 
>>is why I'm sending this email for help :)
>>
>>The RabbitMQ configuration I'm using is:
>>RabbitMQ 3.5.4
>>Erlang 18.0
>>rabbitmq_auth_mechanism_ssl plugin enabled
>>Base OS is RHEL 6.5
>>My RabbitMQ.config contains the following:
>>[
>>   {rabbit, [
>>      {ssl_listeners, [5671]},
>>      {loopback_users, []},
>>      {auth_mechanisms, ['EXTERNAL', 'PLAIN']},
>>      {ssl_options, [{cacertfile,"/home/data/openssl/brian_testca/cacert.pem"},
>>                     {certfile,"/home/data/openssl/brian_server/cert.pem"},
>>                     {keyfile,"/home/data/openssl/brian_server/key.pem"},
>>                     {verify,verify_peer},
>>                     {versions, ['tlsv1.2']},
>>                     {password,  "MySecretPassword"},
>>                     {verify,verify_peer},
>>                     {ssl_cert_login_from, common_name},
>>                     {fail_if_no_peer_cert,true}]}
>>    ]}
>>].
>>
>>The NiFi configuration I'm using is:
>>NiFi 0.7.1 (We are in the process of updating to NiFi 1.1.0 but there 
>>are some dependencies on other projects so it will happen just not for 
>>a few months)
>>2 Clusters each made up of 1 NCM and 3 Nodes
>>In the PublishAMQP I've put the certificate CN name into the 
>>"username" field.
>>The client certificate I'm using to connect to RabbitMQ has a CN name 
>>of: "rabbitmq_client". There is an entry for it in the RabbitMQ users 
>>with NO PASSWORD set.
>>
>>Error message in the rabbitmq log files:
>>
>>=ERROR REPORT==== 7-Dec-2016::21:47:30 ===
>>closing AMQP connection <0.905.0> (192.168.137.1:54324 -> 192.168.137.128:5671):
>>{handshake_error,starting,0,
>>                  {amqp_error,access_refused,
>>                              "PLAIN login refused: user 'rabbitmq_client' - invalid credentials",
>>                              'connection.start_ok'}}
>>
>>Please can you tell me if there is something obvious that I've missed 
>>out in my NiFi configuration?
>>
>>I did have a very brief look at the code and I was thinking that 
>>because the USERNAME and PASSWORD were mandatory fields and always 
>>used to establish the connection it could be that RabbitMQ prioritises 
>>those fields before trying to pull out the CN name and using that for 
>>authentication. The reason I was thinking this was in the test app I 
>>created I didn't specify the username or password when setting up my 
>>ConnectionFactory but the RabbitMQ documentation says even if you 
>>don't specify the username and password they default to guest/guest so 
>>this could be a red herring.
>>
>>Thanks in advance for the help,
>>
>>Brian
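
The broker log in the message above shows the client selected the PLAIN mechanism, so the broker attempted a password login rather than a certificate login. As an added illustration (not the poster's test application and not NiFi code), this is a RabbitMQ Java client that selects SASL EXTERNAL over mutual TLS; the keystore file names and passwords are placeholders, and the host and port are the broker address from that log.

```java
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;
import com.rabbitmq.client.DefaultSaslConfig;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

public class ExternalAuthClient {
    // Load a keystore from disk; every path and password here is a placeholder.
    static KeyStore load(String type, String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray(); // placeholder password

        // Client key and certificate (CN=rabbitmq_client) presented in the TLS handshake.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("PKCS12", "client.p12", pass), pass);

        // Trust store holding the CA that signed the broker certificate.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("JKS", "truststore.jks", pass));

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost("192.168.137.128"); // broker address from the log above
        factory.setPort(5671);
        factory.useSslProtocol(ctx);
        // The Java client uses PLAIN unless told otherwise. With EXTERNAL no
        // username or password is sent; the broker derives the user from the cert.
        factory.setSaslConfig(DefaultSaslConfig.EXTERNAL);

        Connection conn = factory.newConnection();
        try {
            System.out.println("Connected to " + conn.getAddress() + " using EXTERNAL");
        } finally {
            conn.close();
        }
    }
}
```

`useSslProtocol(SSLContext)` on its own does not check the broker hostname against its certificate; client versions that provide `enableHostnameVerification()` should call it as well.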