2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article explains in detail how to enable SSL in RabbitMQ and test the connection from Spring Boot. The steps are laid out one by one, and I hope it helps resolve your questions.
Background
Recently a security scan of our company's application reported the vulnerability "remote host allows plaintext authentication", so I looked into how to fix it. RabbitMQ officially supports SSL connections, and Spring Boot AMQP supports them as well. Below we configure RabbitMQ to enable SSL and use a Spring Boot demo to test the connection.
Configure RabbitMQ to enable SSL
This article assumes CentOS 7 with Git, OpenSSL and a RabbitMQ installed through yum, which readers need to install in advance. Other setups can adapt the steps in this article.
Generate a certificate

    # Clone the repository with the certificate generation scripts into the current directory
    git clone --depth 1 https://github.com/Berico-Technologies/CMF-AMQP-Configuration.git
    cd CMF-AMQP-Configuration/ssl
    # Generate the CA certificate. "MyRabbitMQCA" is a custom name; any name will do. Creates the ca directory under the current directory
    sh setup_ca.sh MyRabbitMQCA
    # Generate the server certificate. The first parameter is the server certificate prefix, the second is the password (any password). Creates the server directory under the current directory
    sh make_server_cert.sh rabbitmq-server 12345
    # Generate the client certificate. The first parameter is the client certificate prefix, the second is the password (any password). Creates the client directory under the current directory
    sh create_client_cert.sh rabbitmq-client 654321

The certificates required by the RabbitMQ server are:

    ca/cacert.pem                      # CA certificate
    server/rabbitmq-server.cert.pem    # server public key certificate
    server/rabbitmq-server.key.pem     # server private key

Generate a JKS trust store from the RabbitMQ server public key certificate

    # -alias is the alias, -file is the location of the server public key certificate,
    # -keystore is the location of the output JKS file (a relative path here)
    keytool -import -alias rabbitmq-server \
        -file server/rabbitmq-server.cert.pem \
        -keystore rabbitmqTrustStore -storepass changeit
    # Type y and press Enter when prompted

The certificates required by the RabbitMQ client are:

    client/rabbitmq-client.keycert.p12  # PKCS12 certificate, including the public and private keys required by the client and the intermediate certificate
    rabbitmqTrustStore                  # server public key in JKS format

The default RabbitMQ configuration directory is /etc/rabbitmq. We create a certificate directory there to store the server-side certificates.

    mkdir -p /etc/rabbitmq/ssl
    # Copy the certificates the server needs
    cp ca/cacert.pem \
        server/rabbitmq-server.cert.pem \
        server/rabbitmq-server.key.pem \
        /etc/rabbitmq/ssl/

Modify RabbitMQ configuration file
Modify the RabbitMQ configuration file /etc/rabbitmq/rabbitmq.config, which does not exist by default and needs to be created manually

    [{rabbit, [
      {ssl_listeners, [5671]},
      {ssl_options, [
        {cacertfile, "/etc/rabbitmq/ssl/cacert.pem"},
        {certfile, "/etc/rabbitmq/ssl/rabbitmq-server.cert.pem"},
        {keyfile, "/etc/rabbitmq/ssl/rabbitmq-server.key.pem"},
        {verify, verify_peer},
        {fail_if_no_peer_cert, true},
        {ciphers, [
          "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
          "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
          "ECDHE-ECDSA-DES-CBC3-SHA", "ECDH-ECDSA-AES256-GCM-SHA384",
          "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-SHA384",
          "ECDH-RSA-AES256-SHA384", "DHE-DSS-AES256-GCM-SHA384",
          "DHE-DSS-AES256-SHA256", "AES256-GCM-SHA384",
          "AES256-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
          "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256",
          "ECDHE-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256",
          "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-SHA256",
          "ECDH-RSA-AES128-SHA256", "DHE-DSS-AES128-GCM-SHA256",
          "DHE-DSS-AES128-SHA256", "AES128-GCM-SHA256",
          "AES128-SHA256", "ECDHE-ECDSA-AES256-SHA",
          "ECDHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA",
          "ECDH-ECDSA-AES256-SHA", "ECDH-RSA-AES256-SHA",
          "AES256-SHA", "ECDHE-ECDSA-AES128-SHA",
          "ECDHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA",
          "ECDH-ECDSA-AES128-SHA", "ECDH-RSA-AES128-SHA", "AES128-SHA"
        ]}
      ]}
    ]}].

Description of the main configuration items:
ssl_listeners: the port number for the SSL protocol; the official documentation uses 5671
ssl_options: SSL authentication configuration items
  cacertfile: CA certificate location
  certfile: public key certificate location
  keyfile: private key location
  verify
    verify_peer: client and server send certificates to each other
    verify_none: disables certificate exchange and verification
  fail_if_no_peer_cert
    true: does not accept client connections without certificates
    false: accepts client connections without certificates
  ciphers: cipher suites (I don't know if this translation is correct?)
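The cipher list above mixes forward-secret AEAD suites with legacy ones (3DES, CBC mode, DSA authentication, static RSA and static ECDH key exchange). The following added example, which is not part of the original article, sorts a constructed sample of names from that list so the legacy ones can be dropped from `ciphers`; the keep/drop rules and the function names are this example's own assumptions, not RabbitMQ defaults.

```sh
#!/bin/sh
# Added example (not from the article): audit the suite names in ssl_options.ciphers.
# The keep/drop rules below are this example's own policy, not RabbitMQ defaults.

# classify_cipher NAME -> prints "keep" or "drop:<reason>"
classify_cipher() {
  case "$1" in
    *DES-CBC3*|*RC4*|*NULL*) echo "drop:weak-cipher"; return ;;
    *-DSS-*)                 echo "drop:dsa-auth"; return ;;
  esac
  case "$1" in
    ECDHE-*|DHE-*) ;;                            # ephemeral key exchange: forward secrecy
    ECDH-*) echo "drop:static-ecdh"; return ;;
    *)      echo "drop:static-rsa"; return ;;    # e.g. AES256-SHA
  esac
  case "$1" in
    *-GCM-*|*CHACHA20*) echo "keep" ;;           # AEAD mode
    *)                  echo "drop:cbc-mode" ;;
  esac
}

# audit_ciphers FILE -> one "NAME verdict" line per quoted suite name in FILE
audit_ciphers() {
  grep -oE '"[A-Z][A-Z0-9-]+"' "$1" | tr -d '"' | while read -r name; do
    printf '%s %s\n' "$name" "$(classify_cipher "$name")"
  done
}

# hardened_list FILE -> the kept names, formatted as an Erlang list body
hardened_list() {
  audit_ciphers "$1" | awk '$2 == "keep" { printf "%s\"%s\"", sep, $1; sep = ", " }'
}

# Constructed sample: a few suites taken from the cipher list in the article
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
{cacertfile, "/etc/rabbitmq/ssl/cacert.pem"},
{ciphers, [
  "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-DES-CBC3-SHA",
  "ECDH-RSA-AES256-GCM-SHA384", "DHE-DSS-AES256-GCM-SHA384",
  "AES256-SHA", "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256"
]}
EOF

audit_ciphers "$SAMPLE_CONFIG"
echo "ciphers to keep: [$(hardened_list "$SAMPLE_CONFIG")]"
```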
Restart RabbitMQ

    # Stop
    rabbitmqctl stop
    # Start
    rabbitmq-server -detached

Verify whether the SSL is enabled successfully
Use the diagnostic tools shipped with RabbitMQ to check the listening ports and the protocols in use

    # View listeners
    rabbitmq-diagnostics listeners
    # View supported TLS versions
    rabbitmq-diagnostics --silent tls_versions

Use the OpenSSL CLI tool to verify that the certificate is valid

    # First cd into the ssl directory where the certificates were generated.
    # Connect to RabbitMQ with the client certificate + CA certificate to verify.
    # Our MQ runs on the same host where the certificates were generated; adjust for other setups.
    openssl s_client -connect localhost:5671 \
        -cert client/rabbitmq-client.cert.pem \
        -key client/rabbitmq-client.key.pem \
        -CAfile ca/cacert.pem

In addition to the command line, you can also check through the management interface, but that only confirms that the SSL listener is enabled; it cannot confirm whether certificate verification succeeds.
Write Spring Boot code to test the connection
Code structure
It is just a Maven project generated with start.spring.io, with the Web and AMQP dependencies
Code and configuration
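pom.xml

    <project>
        <modelVersion>4.0.0</modelVersion>
        <parent>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-parent</artifactId>
            <version>2.5.8</version>
        </parent>
        <groupId>com.example</groupId>
        <artifactId>demo</artifactId>
        <version>0.0.1-SNAPSHOT</version>
        <name>demo</name>
        <description>Demo project for Spring Boot</description>
        <properties>
            <java.version>1.8</java.version>
        </properties>
        <dependencies>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-amqp</artifactId>
            </dependency>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-web</artifactId>
            </dependency>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-test</artifactId>
                <scope>test</scope>
            </dependency>
            <dependency>
                <groupId>org.springframework.amqp</groupId>
                <artifactId>spring-rabbit-test</artifactId>
                <scope>test</scope>
            </dependency>
        </dependencies>
        <build>
            <plugins>
                <plugin>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-maven-plugin</artifactId>
                </plugin>
            </plugins>
        </build>
    </project>
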
Main class DemoApplication.java

    package com.hellxz.rabbitmq.ssl;

    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;

    @SpringBootApplication
    public class DemoApplication {

        public static void main(String[] args) {
            SpringApplication.run(DemoApplication.class, args);
        }
    }

RabbitMQ client configuration class RabbitFanoutExchangeConfig.java

    package com.hellxz.rabbitmq.ssl;

    import org.springframework.amqp.core.Binding;
    import org.springframework.amqp.core.BindingBuilder;
    import org.springframework.amqp.core.FanoutExchange;
    import org.springframework.amqp.core.Queue;
    import org.springframework.beans.factory.annotation.Qualifier;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;

    @Configuration
    public class RabbitFanoutExchangeConfig {

        public static final String FANOUT_EXCHANGE = "fanout.exchange";
        public static final String FANOUT_QUEUE1 = "fanout.queue1";

        // Durable fanout exchange that is not auto-deleted
        @Bean(name = FANOUT_EXCHANGE)
        public FanoutExchange fanoutExchange() {
            return new FanoutExchange(FANOUT_EXCHANGE, true, false);
        }

        // Durable, non-exclusive queue that is not auto-deleted
        @Bean(name = FANOUT_QUEUE1)
        public Queue fanoutQueue1() {
            return new Queue(FANOUT_QUEUE1, true, false, false);
        }

        // Bind the queue to the fanout exchange
        @Bean
        public Binding bindingSimpleQueue1(@Qualifier(FANOUT_QUEUE1) Queue fanoutQueue1,
                                           @Qualifier(FANOUT_EXCHANGE) FanoutExchange fanoutExchange) {
            return BindingBuilder.bind(fanoutQueue1).to(fanoutExchange);
        }
    }

Sending message test class TestController.java

    package com.hellxz.rabbitmq.ssl;

    import org.springframework.amqp.core.Message;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RestController;

    @RestController
    public class TestController {

        @Autowired
        RabbitMQSenderService rabbitMQSenderService;

        // GET /test publishes one test message to the fanout exchange
        @GetMapping("/test")
        public void sendMsg() {
            Message msg = new Message("hello world".getBytes());
            try {
                rabbitMQSenderService.send(RabbitFanoutExchangeConfig.FANOUT_EXCHANGE,
                        RabbitFanoutExchangeConfig.FANOUT_QUEUE1, msg);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

Messaging service RabbitMQSenderService.java

    package com.hellxz.rabbitmq.ssl;

    import java.util.UUID;

    import org.springframework.amqp.core.Message;
    import org.springframework.amqp.rabbit.connection.CorrelationData;
    import org.springframework.amqp.rabbit.core.RabbitTemplate;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.stereotype.Component;

    @Component
    public class RabbitMQSenderService {

        @Autowired
        private RabbitTemplate rabbitTemplate;

        public void send(String exchange, String routingkey, Message message) {
            // Random correlation id attached to the published message
            CorrelationData correlationId = new CorrelationData(UUID.randomUUID().toString());
            System.out.println("start send msg: " + message);
            rabbitTemplate.convertAndSend(exchange, routingkey, message, correlationId);
            System.out.println("end send msg: " + message);
        }
    }

Message recipient RabbitMQReciver.java

    package com.hellxz.rabbitmq.ssl;

    import org.springframework.amqp.rabbit.annotation.RabbitListener;
    import org.springframework.stereotype.Component;

    @Component
    class RabbitMQReciver {

        @RabbitListener(queues = RabbitFanoutExchangeConfig.FANOUT_QUEUE1)
        public void reciveLogAll(String msg) throws Exception {
            System.out.println("received msg: " + msg);
        }
    }

Configuration file application.properties

    server.port=8085
    # Basic settings; adjust to your environment
    spring.rabbitmq.host=192.168.56.104
    # SSL protocol port
    spring.rabbitmq.port=5671
    spring.rabbitmq.username=admin
    spring.rabbitmq.password=123456
    spring.rabbitmq.virtual-host=/
    # Enable SSL for the RabbitMQ client connection
    spring.rabbitmq.ssl.enabled=true
    # Client PKCS12 certificate and password
    spring.rabbitmq.ssl.key-store=classpath:ssl/rabbitmq-client.keycert.p12
    spring.rabbitmq.ssl.key-store-password=654321
    # Public key certificate (trust store) and type
    spring.rabbitmq.ssl.trust-store=classpath:ssl/rabbitmqTrustStore
    spring.rabbitmq.ssl.trust-store-type=JKS
    # Do not verify the hostname; it is enabled by default and would cause the connection to fail
    spring.rabbitmq.ssl.verify-hostname=false

Create the ssl directory under src/main/resources, and copy the client certificate and server JKS public key to the ssl directory.
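With `spring.rabbitmq.ssl.verify-hostname=false` the client no longer checks that the certificate belongs to the host it connected to. The added example below, which is not part of the original article, uses throwaway certificates to show the name mismatch behind the failure and that a certificate carrying the broker address as a subjectAltName passes the check. It assumes the article's server certificate names only CN=rabbitmq-server and that `openssl` is on the PATH; the CA name and function names are made up for the example.

```sh
#!/bin/sh
# Added example (not from the article): hostname verification against the broker address.
# Assumption: the article's server certificate names only CN=rabbitmq-server.
WORK=$(mktemp -d)
BROKER_IP=192.168.56.104   # spring.rabbitmq.host in application.properties

# make_ca: create a throwaway CA key and self-signed certificate
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ExampleCA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# issue_cert NAME [SAN]: CA-signed server certificate, optionally with a subjectAltName
issue_cert() {
  name=$1; san=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=rabbitmq-server/O=server" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  set --                                   # extra arguments for "openssl x509"
  if [ -n "$san" ]; then
    printf 'subjectAltName=%s\n' "$san" > "$WORK/$name.ext"
    set -- -extfile "$WORK/$name.ext"
  fi
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 "$@" -out "$WORK/$name.pem" 2>/dev/null
}

# matches_ip NAME IP: succeeds only if the certificate is valid for that IP address
matches_ip() {
  openssl x509 -in "$WORK/$1.pem" -noout -checkip "$2" | grep -q 'does match'
}

make_ca
issue_cert plain                       # CN only, like the assumed article certificate
issue_cert withsan "IP:$BROKER_IP"     # same CN plus the broker address as SAN
for cert in plain withsan; do
  if matches_ip "$cert" "$BROKER_IP"; then
    echo "$cert: accepted for $BROKER_IP"
  else
    echo "$cert: rejected for $BROKER_IP (name mismatch)"
  fi
done
```

When clients connect by name rather than by address, the certificate needs a `DNS:` subjectAltName for that name instead; with a matching certificate, `verify-hostname` can stay at its default.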
Run the code to verify
Run DemoApplication.java and check whether the console reports an error:
As shown in the figure, the log shows that the connection was created, so the connection succeeded.
We then call the /test endpoint defined in TestController.java
The message was sent and consumed successfully.