RabbitMQ MQTT TLS相关配置

                                      RabbitMQ MQTT TLS相关配置
        一、启用rabbitmq_mqtt插件及配置
        1、启用rabbitmq_mqtt
        rabbitmq-plugins enable rabbitmq_mqtt
        2、用户和身份验证
        添加用户:rabbitmqctl add_user mqtt_chen mqtt_chen
        添加用户角色:rabbitmqctl set_user_tags mqtt_chen management
        添加虚拟主机:rabbitmqctl add_vhost vhost1
        将用户添加到虚拟主机:rabbitmqctl set_permissions -p /vhost1 mqtt_chen”*” “*” “*”
        3、rabbitmqctl常用命令
        
        4、rabbitmq_mqtt配置
        若etc/rabbitmq/rabbitmq.config 不存在,则cd /usr/share/doc/rabbitmq-server-3.7.10
        拷贝一份:cp /rabbitmq.config.example /etc/rabbitmq/rabbitmq.config
        编辑rabbitmq.config:  vi /etc/rabbitmq/rabbitmq.config
        {rabbitmq_mqtt,
        [
        {default_user, <<"guest">>},
        {default_pass, <<"guest">>},
        {loopback_users, []},
        {allow_anonymous, true},
        {vhost, <<"/">>},
        {exchange, <<"amq.topic">>},
        {subscription_ttl, 1800000},
        {prefetch, 10},
        {tcp_listeners, [1883]},
        {ssl_listeners, [8883]},
        {tcp_listen_options, [
        {backlog, 128},
        {nodelay, true},
        {linger,        {true, 0}},
        {exit_on_close, false}
        ]}
        ]}
        5、端口到虚拟主机映射
        rabbitmqctl set_global_parameter mqtt_port_to_vhost_mapping \
        ‘{“1883”:”vhost1”,”8883”:”vhost1”}’
        6、重启rabbitmq
        rabbitmq-server restart or rabbitmq-server stop, rabbitmqctl stop,rabbitmq-server start
        二、启用rabbitmq TLS及配置
        1、启用TLS
        编辑rabbitmq.config:  vi /etc/rabbitmq/rabbitmq.config
        {rabbit,
        [
        {tcp_listeners, [5672]},
        {ssl_listeners, [5671]},
        {loopback_users, []},
        {ssl_options, [
        {cacertfile,         "/path/to/ca_certificate_bundle.pem"},
        {certfile,            "/path/to/server_certificate.pem"},
        {keyfile,             "/path/to/server_key.pem"},
        {verify,              verify_peer},
        {fail_if_no_peer_cert, false}]}

        ]}
        2、手动为开发和QA环境生成自签名证书
        2.1、testca
        mkdir testca
        cd testca
        mkdir certs private 
        chmod 700 private echo 01> serial
        touch index.txt
        touch openssl.cnf
        添加如下内容:
        [ ca ]
        default_ca = testca

        [ testca ]
        dir = .
        certificate = $dir/ca_certificate_bundle.pem
        database = $dir/index.txt
        new_certs_dir = $dir/certs
        private_key = $dir/private/ca_private_key.pem
        serial = $dir/serial

        default_crl_days = 7
        default_days = 365
        default_md = sha256

        policy = testca_policy
        x509_extensions = certificate_extensions

        [ testca_policy ]
        commonName = supplied
        stateOrProvinceName = optional
        countryName = optional
        emailAddress = optional
        organizationName = optional
        organizationalUnitName = optional
        domainComponent = optional

        [ certificate_extensions ]
        basicConstraints = CA:false

        [ req ]
        default_bits = 2048
        default_keyfile = ./private/ca_private_key.pem
        default_md = sha256
        prompt = yes
        distinguished_name = root_ca_distinguished_name
        x509_extensions = root_ca_extensions

        [ root_ca_distinguished_name ]
        commonName = hostname

        [ root_ca_extensions ]
        basicConstraints = CA:true
        keyUsage = keyCertSign, cRLSign

        [ client_ca_extensions ]
        basicConstraints = CA:false
        keyUsage = digitalSignature,keyEncipherment
        extendedKeyUsage = 1.3.6.1.5.5.7.3.2

        [ server_ca_extensions ]
        basicConstraints = CA:false
        keyUsage = digitalSignature,keyEncipherment
        extendedKeyUsage = 1.3.6.1.5.5.7.3.1
        然后生成证书颁发机构将使用的密钥和证书:
        openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 \
        -out ca_certificate_bundle.pem -outform PEM -subj /CN=MyTestCA/ -nodes
        openssl x509 -in ca_certificate_bundle.pem -out ca_certificate_bundle.cer -outform DER

        2.2、server
        cd ..
        ls
        # => testca
        mkdir server
        cd server
        openssl genrsa -out private_key.pem 2048
        openssl req -new -key private_key.pem -out req.pem -outform PEM \
        -subj /CN=$(hostname)/O=server/ -nodes
        cd ../testca
        openssl ca -config openssl.cnf -in ../server/req.pem -out \
        ../server/server_certificate.pem -notext -batch -extensions server_ca_extensions
        cd ../server
        openssl pkcs12 -export -out server_certificate.p12 -in server_certificate.pem -inkey private_key.pem \
        -passout pass:MySecretPassword

        2.3、client
        cd ..
        ls
        # => server testca
        mkdir client
        cd client
        openssl genrsa -out private_key.pem 2048
        openssl req -new -key private_key.pem -out req.pem -outform PEM \
        -subj /CN=$(hostname)/O=client/ -nodes
        cd ../testca
        openssl ca -config openssl.cnf -in ../client/req.pem -out \
        ../client/client_certificate.pem -notext -batch -extensions client_ca_extensions
        cd ../client
        openssl pkcs12 -export -out client_certificate.p12 -in client_certificate.pem -inkey private_key.pem \
        -passout pass:MySecretPassword

Rabbitmq.config总配置
[
{rabbit,
  [
    {tcp_listeners, [5672]},
    {ssl_listeners, [5671]},
    {loopback_users, []},
    {ssl_options, [{cacertfile,           "/path/to/ca_certificate_bundle.pem"},
    {certfile,             "/path/to/server_certificate.pem"},
    {keyfile,              "/path/to/server_key.pem"},
    {verify,               verify_peer},
    {fail_if_no_peer_cert, false}]}
  ]},
{rabbitmq_mqtt,
  [
    {default_user, <<"guest">>},
    {default_pass, <<"guest">>},
    {loopback_users, []},
    {allow_anonymous, true},
    {vhost, <<"/">>},
    {exchange, <<"amq.topic">>},
    {subscription_ttl, 1800000},
    {prefetch, 10},
    {tcp_listeners, [1883]},
    {ssl_listeners, [8883]},
    {tcp_listen_options, [
            {backlog, 128},
            {nodelay, true},
            {linger,        {true, 0}},
            {exit_on_close, false}
       ]}
  ]}
].
   
        参考官网:
        启用mqtt: http://www.rabbitmq.com/mqtt.html
        启用TLS:  http://www.rabbitmq.com/ssl.html

你可能感兴趣的:(rabbitmq,mqtt,tls)