SSL安全认证
- 文件创建
使用rmqca作为RabbitMQ的认证中心,certs文件用于存放CA产生的证书,private存放CA的密钥,改变其权限不允许第三方访问,serial存放CA证书的序列号,index.txt存放CA颁发的证书
# mkdir rmqca
# cd rmqca
# mkdir certs private
# chmod 700 private
# echo 01 > serial
# touch index.txt
- 创建openSSL各种命令的配置文件:openssl.conf
[ ca ]
default_ca = rmqca
[rmqca]
dir = .
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = sha1
policy = rmqca _policy
x509_extensions = certificate_extensions
[ rmqca _policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
[ certificate_extensions ]
basicConstraints = CA:false
[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha1
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
commonName = hostname
[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign
[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
配置详情
[ ca ]
是ca的名称设置,
[rmqca]
设置CA颁发证书和密钥存放路径以及过期时间 (365天),每隔7天提供一个CRL文件,并且使用shal作为哈希函数生成证书;
[ rmqca _policy ]
告诉openssl在证书中哪些是必填项,supplied为必选,optional为可选
[ certificate_extensions ]
false值代表CA不能将自己作为CA----无法用于签名和颁发新证书
[ req ]
指明书生成2048位的密钥,密钥安全方面来说这是最小的数字,,密钥被写入private下的cakey.pem文件,默认使用shal作为默认的哈希函数
[ root_ca_extensions ]
根扩展用于签名其他证书
[ client_ca_extensions ]
用于客户端的证书认证
[ server_ca_extensions ]
用于加密数据以及认证服务器
- 生成CA证书
# openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out cacert.pem -outform PEM -subj /CN=MyRmqca/ -nodes
# openssl x509 -in cacert.pem -out cacert.cer -outform DER
- 生成服务端证书
生成RSA密钥然后为其提供证书
# cd ..
# ls
rmqca
# mkdir server
# cd server
# openssl genrsa -out key.pem 2048
# openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=$(hostname)/O=server/ -nodes
# cd ../rmqca
# openssl ca -config openssl.cnf -in ../server/req.pem -out ../server/cert.pem -notext -batch -extensions server_ca_extensions
# cd ../server
# openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:MySecretPassword
- 生成客户端证书
生成RSA密钥然后为其提供证书
# cd ..
# ls
server testca
# mkdir client
# cd client
# openssl genrsa -out key.pem 2048
# openssl req -new -key key.pem -out req.pem -outform PEM -subj /CN=$(hostname)/O=client/ -nodes
# cd ../rmqca
# openssl ca -config openssl.cnf -in ../client/req.pem -out ../client/cert.pem -notext -batch -extensions client_ca_extensions
# cd ../client
# openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:MySecretPassword
这样就生成了三份证书,此时serial已经变为03,index.txt也列出了你颁发过的证书
- 启动RabbitMQ的SSL监听器
为方便,将生成的目录拷贝到/etc/rabbitmq/ssl下
cp -r rmqca /etc/rabbitmq/ssl
cp -r server /etc/rabbitmq/ssl
cp -r client /etc/rabbitmq/ssl
启用:
vim rabbitmq.config
[
{ssl, [{versions, ['tlsv1.2', 'tlsv1.1']}]},
{rabbit, [
{tcp_listeners, [5672]},
{ssl_listeners, [5671]},
{ssl_options, [{cacertfile,"/etc/rabbitmq/ssl/rmqca/cacert.pem"},
{certfile,"/etc/rabbitmq/ssl/server/cert.pem"},
{keyfile,"/etc/rabbitmq/ssl/server/key.pem"},
{verify, verify_peer},
{fail_if_no_peer_cert, true},
{versions, ['tlsv1.2', 'tlsv1.1']}
]}
]}
].
这样就可以支持普通连接和ssl连接,端口分别为5672和5671
重启rabbitmq服务即可看到已经监听5671端口
7. 使用keytool导入证书
将连接服务器所需要的证书导入到密钥库中
# keytool -import -alias server1 -file /etc/rabbitmq/ssl/server/cert.pem -keystore /etc/rabbitmq/ssl/rabbitstore
会要求输入密码,至少6位数
之后将SSL安全认证产生的文件与rabbitmq.config拷贝到其他机器上,就可以开启RabbitMQ的SSL安全认证了。
若报错-bash: keytool: 未找到命令
配置环境变量
vim /etc/profile
## 添加以下三句
export到文件最后 注意JAVA_HOME的目录为你解压jdk的目录版本为你下载的jdk版本
export JAVA_HOME=/opt/jdk1.8.0_152/
export CLASSPATH=.:%JAVA_HOME%/lib/dt.jar:%JAVA_HOME%/lib/tools.jar
export PATH=$PATH:$JAVA_HOME/bin
首先创建SSL文件夹,在rm2和rmq3机器上分别执行
mkdir /etc/rabbitmq/ssl
复制
scp -r /etc/rabbitmq/ssl root@rmq2:/etc/rabbitmq/ssl
scp -r /etc/rabbitmq/rabbitmq.config root@rmq2:/etc/rabbitmq/
scp -r /etc/rabbitmq/ssl root@rmq3:/etc/rabbitmq/ssl
scp -r /etc/rabbitmq/rabbitmq.config root@rmq3:/etc/rabbitmq/
重启:
rabbitmqctl stop
rabbitmq-server &
可以看到启动的两个端口:5671 5672
————————————————
版权声明:本文为CSDN博主「大神中的传说」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/zou100/article/details/100521976