SSL安全认证

1. 文件创建

使用rmqca作为RabbitMQ的认证中心，certs文件用于存放CA产生的证书，private存放CA的密钥，改变其权限不允许第三方访问，serial存放CA证书的序列号，index.txt存放CA颁发的证书

# mkdir rmqca# cd rmqca# mkdir certs private# chmod 700 private# echo 01 > serial# touch index.txt

2. 创建openSSL各种命令的配置文件：openssl.conf

[ ca ]
default_ca = rmqca[rmqca]
dir = .
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serialdefault_crl_days = 7
default_days = 365
default_md = sha1policy = rmqca _policy
x509_extensions = certificate_extensions[ rmqca _policy ]
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional[ certificate_extensions ]
basicConstraints = CA:false[ req ]
default_bits = 2048
default_keyfile = ./private/cakey.pem
default_md = sha1
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions[ root_ca_distinguished_name ]
commonName = hostname[ root_ca_extensions ]
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign[ client_ca_extensions ]
basicConstraints = CA:false
keyUsage = digitalSignature
extendedKeyUsage = 1.3.6.1.5.5.7.3.2[ server_ca_extensions ]
basicConstraints = CA:false
keyUsage = keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

[ ca ]

是ca的名称设置，

[rmqca]

设置CA颁发证书和密钥存放路径以及过期时间 （365天），每隔7天提供一个CRL文件，并且使用shal作为哈希函数生成证书；

[ rmqca _policy ]

告诉openssl在证书中哪些是必填项，supplied为必选，optional为可选

[ certificate_extensions ]

false值代表CA不能将自己作为CA----无法用于签名和颁发新证书

[ req ]

指明书生成2048位的密钥，密钥安全方面来说这是最小的数字，，密钥被写入private下的cakey.pem文件，默认使用shal作为默认的哈希函数

[ root_ca_extensions ]

根扩展用于签名其他证书

[ client_ca_extensions ]

用于客户端的证书认证

[ server_ca_extensions ]

用于加密数据以及认证服务器

3.  生成CA证书

# openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 \-out cacert.pem -outform PEM -subj /CN=MyRmqca/ -nodes
# openssl x509 -in cacert.pem -out cacert.cer -outform DER

4.  生成服务端证书

生成RSA密钥然后为其提供证书

# cd ..
# ls
rmqca
# mkdir server
# cd server
# openssl genrsa -out key.pem 2048
# openssl req -new -key key.pem -out req.pem -outform PEM \-subj /CN=$(hostname)/O=server/ -nodes
# cd ../rmqca
# openssl ca -config openssl.cnf -in ../server/req.pem -out \../server/cert.pem -notext -batch -extensions server_ca_extensions
# cd ../server
# openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:MySecretPassword

5.  生成客户端证书

生成RSA密钥然后为其提供证书

# cd ..# lsserver testca# mkdir client# cd client# openssl genrsa -out key.pem 2048# openssl req -new -key key.pem -out req.pem -outform PEM \-subj /CN=$(hostname)/O=client/ -nodes# cd ../rmqca# openssl ca -config openssl.cnf -in ../client/req.pem -out \../client/cert.pem -notext -batch -extensions client_ca_extensions# cd ../client# openssl pkcs12 -export -out keycert.p12 -in cert.pem -inkey key.pem -passout pass:MySecretPassword

这样就生成了三份证书，此时serial已经变为03，index.txt也列出了你颁发过的证书

6. 启动RabbitMQ的SSL监听器

为方便，将生成的目录拷贝到/etc/rabbitmq/ssl下

cp -r rmqca /etc/rabbitmq/sslcp -r server /etc/rabbitmq/sslcp -r client /etc/rabbitmq/ssl

启用：

vim rabbitmq.config[{ssl, [{versions, ['tlsv1.2', 'tlsv1.1']}]},{rabbit, [{tcp_listeners, [5672]},{ssl_listeners, [5671]},{ssl_options, [{cacertfile,"/etc/rabbitmq/ssl/rmqca/cacert.pem"},{certfile,"/etc/rabbitmq/ssl/server/cert.pem"},{keyfile,"/etc/rabbitmq/ssl/server/key.pem"},{verify, verify_peer},{fail_if_no_peer_cert, true},{versions, ['tlsv1.2', 'tlsv1.1']}]}]}].

这样就可以支持普通连接和ssl连接，端口分别为5672和5671

重启rabbitmq服务即可看到已经监听5671端口

7.  使用keytool导入证书

将连接服务器所需要的证书导入到密钥库中

# keytool -import -alias server1 -file /etc/rabbitmq/ssl/server/cert.pem -keystore /etc/rabbitmq/ssl/rabbitstore

会要求输入密码，至少6位数

之后将SSL安全认证产生的文件与rabbitmq.config拷贝到其他机器上，就可以开启RabbitMQ的SSL安全认证了。

首先创建SSL文件夹，在rm2和rmq3机器上分别执行

mkdir /etc/rabbitmq/ssl

复制

scp -r /etc/rabbitmq/ssl  root@rmq2:/etc/rabbitmq/sslscp -r /etc/rabbitmq/rabbitmq.config  root@rmq2:/etc/rabbitmq/scp -r /etc/rabbitmq/ssl  root@rmq3:/etc/rabbitmq/sslscp -r /etc/rabbitmq/rabbitmq.config  root@rmq3:/etc/rabbitmq/

重启:

rabbitmqctl stoprabbitmq-server &

可以看到启动的两个端口：