blob: 47f855ba56b015ece343266f4b57affdaab1b6d3 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
# x509 (TLS/SSL) certificate Authentication Mechanism for RabbitMQ
This plugin allows RabbitMQ clients authenticate using x509 certificates
and TLS (PKI) [peer verification mechanism](https://tools.ietf.org/html/rfc5280#section-6)
instead of credentials (username/password pairs).
## How it Works
When a client connects and performs TLS upgrade,
the username is obtained from the client's
TLS (x509) certificate. The user's password is not checked.
In order to use this mechanism the client must connect with TLS enabled, and
present a client certificate.
## Usage
This mechanism must also be enabled in RabbitMQ's configuration file,
see [Authentication Mechanisms](https://www.rabbitmq.com/authentication.html) and
[Configuration](https://www.rabbitmq.com/configure.html) guides for
more details.
A couple of examples:
``` ini
auth_mechanisms.1 = PLAIN
auth_mechanisms.1 = AMQPLAIN
auth_mechanisms.1 = EXTERNAL
```
to allow this mechanism in addition to the defaults, or:
``` ini
auth_mechanisms.1 = EXTERNAL
```
to allow only this mechanism and prohibit connections that use
username and passwords.
For safety the server must be configured with the SSL option 'verify'
set to 'verify_peer', to ensure that if an SSL client presents a
certificate, it gets verified.
### Username Extraction from Certificate
#### Distinguished Name
By default this will set the username to an [RFC 4514](https://tools.ietf.org/html/rfc4514)-ish string form of
the certificate's subject's Distinguished Name, similar to that
produced by OpenSSL's "-nameopt [RFC 2253"](https://tools.ietf.org/html/rfc2253) option.
You can obtain this string form from a certificate with a command like:
```
openssl x509 -in path/to/cert.pem -nameopt RFC2253 -subject -noout
```
or from an existing amqps connection with commands like:
``` bash
rabbitmqctl list_connections peer_cert_subject
```
#### Common Name
To use the Common Name instead, set `rabbit.ssl_cert_login_from` to `common_name`:
``` ini
auth_mechanisms.1 = EXTERNAL
ssl_cert_login_from = common_name
```
Note that the authenticated user will then be looked up in the
[configured authentication / authorisation backend(s)](https://www.rabbitmq.com/access-control.html). This will be
the internal node database by default but could include other
backends if so configured.
## Copyright & License
(c) 2007-2020 VMware, Inc. or its affiliates.
Released under the same license as RabbitMQ.
|
