RabbitMQ MQTT TLS相关配置
一、启用rabbitmq_mqtt插件及配置
1、启用rabbitmq_mqtt
rabbitmq-plugins enable rabbitmq_mqtt
2、用户和身份验证
添加用户:rabbitmqctl add_user mqtt_chen mqtt_chen(示例中密码与用户名相同,仅适合本地测试;非测试环境请使用随机生成的强密码,并注意该命令会把密码留在 shell 历史记录中)
添加用户角色:rabbitmqctl set_user_tags mqtt_chen management(management 标签只用于登录管理界面/HTTP API;纯 MQTT 客户端账号按最小权限原则可以不加任何标签)
添加虚拟主机:rabbitmqctl add_vhost vhost1
将用户添加到虚拟主机:rabbitmqctl set_permissions -p vhost1 mqtt_chen "*" "*" "*"(vhost 名必须与上一步创建的 vhost1 一致,没有前导斜杠;三个 "*" 依次是 configure/write/read 的正则,表示授予该 vhost 内的全部权限,生产环境应按客户端实际使用的队列和交换机收紧)
3、rabbitmqctl常用命令
4、rabbitmq_mqtt配置
若 /etc/rabbitmq/rabbitmq.config 不存在,则 cd /usr/share/doc/rabbitmq-server-3.7.10(目录名随安装的版本号变化)
拷贝一份:cp rabbitmq.config.example /etc/rabbitmq/rabbitmq.config(示例文件位于上一步进入的目录中,路径不要写成 /rabbitmq.config.example)
编辑rabbitmq.config: vi /etc/rabbitmq/rabbitmq.config
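%% MQTT plugin section of rabbitmq.config.
%% Security note: a client that sends no username/password is mapped to
%% default_user/default_pass, and allow_anonymous decides whether that is
%% permitted at all. With allow_anonymous=true anyone who can reach port
%% 1883 or 8883 gets the guest identity without authenticating, which makes
%% the TLS setup below pointless. It is therefore set to false here so every
%% MQTT client must present credentials (e.g. the mqtt_chen user created
%% earlier on this page).
{rabbitmq_mqtt,
[
%% Identity applied only when anonymous access is allowed and a client
%% omits credentials; kept at guest for parity with the upstream example.
{default_user, <<"guest">>},
%% Never ship the stock guest password on a network-reachable broker.
{default_pass, <<"guest">>},
%% Presumably mirrors the rabbit-level loopback_users setting (an empty list
%% lifts the localhost-only restriction on guest) -- confirm against the
%% plugin docs before relying on it.
{loopback_users, []},
%% Require authentication on both the plain and the TLS listener.
{allow_anonymous, false},
%% Default vhost; the mqtt_port_to_vhost_mapping global parameter set later
%% on this page is expected to override it for ports 1883/8883.
{vhost, <<"/">>},
%% MQTT topics are routed through this topic exchange.
{exchange, <<"amq.topic">>},
%% Milliseconds a subscription outlives a disconnected client (30 min).
{subscription_ttl, 1800000},
{prefetch, 10},
%% Plain-text listener: consider dropping it once 8883 works, otherwise
%% credentials can still be sent in clear.
{tcp_listeners, [1883]},
%% TLS listener. No ssl_options are given here, so the ssl_options from the
%% rabbit section are expected to apply to this listener as well.
{ssl_listeners, [8883]},
{tcp_listen_options, [
{backlog, 128},
{nodelay, true},
{linger, {true, 0}},
{exit_on_close, false}
]}
]}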
5、端口到虚拟主机映射
rabbitmqctl set_global_parameter mqtt_port_to_vhost_mapping \
'{"1883":"vhost1","8883":"vhost1"}'
(注意使用 ASCII 直引号,中文弯引号会导致 JSON 解析失败;按官方 mqtt.html 的说明,此映射对 1883/8883 端口优先于配置中的 {vhost, <<"/">>},两个端口的连接都会落到 vhost1,因此 mqtt_chen 需要在 vhost1 上有权限)
6、重启rabbitmq
重启方式:先执行 rabbitmqctl stop,再执行 rabbitmq-server start(或通过系统服务管理器重启,例如 systemctl restart rabbitmq-server);rabbitmq-server 脚本本身通常没有 restart 子命令
二、启用rabbitmq TLS及配置
1、启用TLS
编辑rabbitmq.config: vi /etc/rabbitmq/rabbitmq.config
%% Core broker section: AMQP listeners plus the TLS parameters. The MQTT
%% section declares ssl_listeners without its own ssl_options, so the 8883
%% MQTT listener is expected to use the ssl_options given here as well.
{rabbit,
[
{tcp_listeners, [5672]},
{ssl_listeners, [5671]},
%% An empty list lets the built-in guest user log in from non-loopback
%% addresses; by default guest is restricted to localhost. Keep the
%% restriction unless remote guest access is really required.
{loopback_users, []},
{ssl_options, [
%% CA certificate(s) used to validate client certificates.
{cacertfile, "/path/to/ca_certificate_bundle.pem"},
%% Broker certificate, issued with server_ca_extensions further down.
{certfile, "/path/to/server_certificate.pem"},
%% Broker private key: must be readable only by the broker's OS user.
{keyfile, "/path/to/server_key.pem"},
%% Validate a client certificate whenever one is presented ...
{verify, verify_peer},
%% ... but still accept clients that present none. Set to true to enforce
%% mutual TLS. No `versions` restriction is given, so whichever TLS
%% versions the Erlang ssl application enables by default are offered.
{fail_if_no_peer_cert, false}]}
]}
2、手动为开发和QA环境生成自签名证书
2.1、testca
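# Working directory for the throw-away test CA (development/QA only).
mkdir testca
cd testca
mkdir certs private
# The CA signing key will live in private/; keep the directory owner-only.
chmod 700 private
# Serial counter for issued certificates. This must be its own command:
# fused onto the chmod line it would run "chmod 700 private echo 01" and
# leave serial empty.
echo 01 > serial
touch index.txt
touch openssl.cnf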
添加如下内容:
# OpenSSL configuration for the throw-away test CA (development/QA only).
[ ca ]
default_ca = testca
[ testca ]
dir = .
certificate = $dir/ca_certificate_bundle.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
# CA signing key; private/ is chmod 700 above, keep it that way.
private_key = $dir/private/ca_private_key.pem
serial = $dir/serial
default_crl_days = 7
# Issued certificates are valid for one year unless -days overrides it.
default_days = 365
default_md = sha256
policy = testca_policy
# Default extension profile; the -extensions flag on "openssl ca" overrides it.
x509_extensions = certificate_extensions
[ testca_policy ]
# Only the CN is mandatory in a CSR; every other DN field is optional.
commonName = supplied
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional
domainComponent = optional
[ certificate_extensions ]
# Fallback leaf profile: never issue a CA-capable certificate by accident.
basicConstraints = CA:false
[ req ]
default_bits = 2048
default_keyfile = ./private/ca_private_key.pem
default_md = sha256
prompt = yes
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
[ root_ca_distinguished_name ]
# Prompt label only; the actual CN is supplied with -subj on the command line.
commonName = hostname
[ root_ca_extensions ]
# Root CA: may sign certificates and CRLs, nothing else.
basicConstraints = CA:true
keyUsage = keyCertSign, cRLSign
[ client_ca_extensions ]
# Leaf profile for client certificates; 1.3.6.1.5.5.7.3.2 is id-kp-clientAuth.
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
[ server_ca_extensions ]
# Leaf profile for the broker certificate; 1.3.6.1.5.5.7.3.1 is id-kp-serverAuth.
# No subjectAltName is set here, so clients that require a SAN for hostname
# verification will reject the certificate; add subjectAltName = DNS:<host>
# to this section if that applies to your clients.
basicConstraints = CA:false
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
然后生成证书颁发机构将使用的密钥和证书:
# Self-signed CA key and certificate. -nodes writes private/ca_private_key.pem
# without a passphrase, which is acceptable only for a throw-away dev/QA CA.
openssl req -config openssl.cnf -x509 -nodes -newkey rsa:2048 -days 365 \
-subj /CN=MyTestCA/ -outform PEM -out ca_certificate_bundle.pem
# DER-encoded copy of the CA certificate for tools that need that format.
openssl x509 -inform PEM -in ca_certificate_bundle.pem -outform DER -out ca_certificate_bundle.cer
2.2、server
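cd ..
ls
# => testca
mkdir server
cd server
# Broker private key. This file becomes the keyfile in rabbitmq.config, so
# restrict it to the broker's OS user (chown to that user, chmod 600).
openssl genrsa -out private_key.pem 2048
# CSR whose CN is the host name clients will connect to (hostname verification
# on the client side compares against it). -nodes only affects -newkey and is
# a no-op for a plain CSR.
openssl req -new -key private_key.pem -out req.pem -outform PEM \
-subj /CN=$(hostname)/O=server/ -nodes
cd ../testca
# Sign with the serverAuth profile so the certificate is usable only as a
# TLS server certificate, not as a client or CA certificate.
openssl ca -config openssl.cnf -in ../server/req.pem -out \
../server/server_certificate.pem -notext -batch -extensions server_ca_extensions
cd ../server
# Optional PKCS#12 bundle (RabbitMQ itself reads the PEM files). The export
# password is read from the environment rather than the command line so it
# does not land in shell history or "ps" output: export P12_PASSWORD='...'
# before running this step.
openssl pkcs12 -export -out server_certificate.p12 -in server_certificate.pem -inkey private_key.pem \
-passout env:P12_PASSWORD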
2.3、client
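cd ..
ls
# => server testca
mkdir client
cd client
# Client private key; distribute it only to the client that will use it and
# keep it readable by that client's user alone.
openssl genrsa -out private_key.pem 2048
# CSR for the client certificate. -nodes only affects -newkey and is a no-op
# for a plain CSR.
openssl req -new -key private_key.pem -out req.pem -outform PEM \
-subj /CN=$(hostname)/O=client/ -nodes
cd ../testca
# Sign with the clientAuth profile so the certificate cannot be used as a
# server certificate. With verify_peer in rabbitmq.config the broker validates
# it against the CA; it is only mandatory once fail_if_no_peer_cert is true.
openssl ca -config openssl.cnf -in ../client/req.pem -out \
../client/client_certificate.pem -notext -batch -extensions client_ca_extensions
cd ../client
# PKCS#12 bundle for clients that want one. The export password is read from
# the environment rather than the command line so it does not land in shell
# history or "ps" output: export P12_PASSWORD='...' before running this step.
openssl pkcs12 -export -out client_certificate.p12 -in client_certificate.pem -inkey private_key.pem \
-passout env:P12_PASSWORD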
Rabbitmq.config总配置
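%% Complete /etc/rabbitmq/rabbitmq.config (classic Erlang-term format).
%% Security-relevant change versus the upstream example: allow_anonymous is
%% false, so MQTT clients on 1883/8883 must authenticate instead of silently
%% becoming the guest user.
[
{rabbit,
[
{tcp_listeners, [5672]},
{ssl_listeners, [5671]},
%% Empty list lets guest log in from non-loopback addresses; by default
%% guest is restricted to localhost. Keep the restriction unless needed.
{loopback_users, []},
%% TLS parameters. The MQTT section below has no ssl_options of its own, so
%% the 8883 listener is expected to use these as well.
{ssl_options, [{cacertfile, "/path/to/ca_certificate_bundle.pem"},
{certfile, "/path/to/server_certificate.pem"},
%% Private key: readable only by the broker's OS user.
{keyfile, "/path/to/server_key.pem"},
%% Validate a client certificate when presented; set fail_if_no_peer_cert
%% to true to require one (mutual TLS). No `versions` restriction is set,
%% so the Erlang ssl application's default TLS versions are offered.
{verify, verify_peer},
{fail_if_no_peer_cert, false}]}
]},
{rabbitmq_mqtt,
[
%% Identity used only when anonymous access is allowed and a client sends
%% no credentials; never keep the stock guest password on a reachable broker.
{default_user, <<"guest">>},
{default_pass, <<"guest">>},
%% Presumably mirrors the rabbit-level setting -- confirm against the docs.
{loopback_users, []},
%% Require credentials on both the plain and the TLS MQTT listener.
{allow_anonymous, false},
%% Default vhost; the mqtt_port_to_vhost_mapping global parameter set
%% earlier on this page is expected to override it for 1883/8883.
{vhost, <<"/">>},
{exchange, <<"amq.topic">>},
%% Milliseconds a subscription outlives a disconnected client (30 min).
{subscription_ttl, 1800000},
{prefetch, 10},
%% Plain-text listener; consider removing it once 8883 is in use so
%% credentials are never sent in clear.
{tcp_listeners, [1883]},
{ssl_listeners, [8883]},
{tcp_listen_options, [
{backlog, 128},
{nodelay, true},
{linger, {true, 0}},
{exit_on_close, false}
]}
]}
].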
参考官网:
启用mqtt: https://www.rabbitmq.com/mqtt.html
启用TLS: https://www.rabbitmq.com/ssl.html