MCollective ActiveMQ TLS CA-Verified using Puppet CA

PuppetMaster

Locate the ssldir and find the existing keys:

# puppet agent --configprint ssldir
/var/lib/puppet/ssl

In this case:

CA: /var/lib/puppet/ssl/certs/ca.pem
PUBLIC (certificate): /var/lib/puppet/ssl/certs/puppetm.demo.pem
PRIVATE (key): /var/lib/puppet/ssl/private_keys/puppetm.demo.pem

To check that the certificate and private key belong together, compare the digests of their RSA moduli:

openssl x509 -noout -modulus -in /var/lib/puppet/ssl/certs/puppetm.demo.pem | openssl md5
(stdin)= d41d8cd98f00b204e9800998ecf8427e
openssl rsa -noout -modulus -in /var/lib/puppet/ssl/private_keys/puppetm.demo.pem | openssl md5
(stdin)= d41d8cd98f00b204e9800998ecf8427e

Note that d41d8cd98f00b204e9800998ecf8427e is the MD5 of empty input: two identical digests of that value mean openssl read nothing from either file (the symptom of a wrong path, such as the file names without the .pem suffix), not that key and certificate match. The check only proves a match when both digests are non-empty and equal. The chain to the Puppet CA and the validity period can be checked as well:
openssl verify -CAfile /var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/puppetm.demo.pem
/var/lib/puppet/ssl/certs/puppetm.demo: OK
openssl x509 -in /var/lib/puppet/ssl/certs/puppetm.demo.pem -text -noout
Validity
Not Before: Nov 6 01:17:58 2013 GMT
Not After : Nov 6 01:17:58 2018 GMT
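A fail-closed version of the same checks, added here as an example (not from the original page): it refuses empty modulus output, compares SHA-256 digests of the moduli and verifies the certificate against the Puppet CA. The three paths are arguments, so the same function can be run against a node's or the client's files.

```shell
#!/bin/sh
# check_pair: fail-closed check that a Puppet-issued certificate and private key
# belong together and chain to the Puppet CA. Added example, not from the page.
# Usage: check_pair /path/ca.pem /path/cert.pem /path/key.pem
set -u

# Print a SHA-256 digest of the RSA modulus in FILE (KIND is x509 or rsa).
# Prints nothing and returns 1 when the file is missing, empty or unreadable,
# so a wrong path can never yield the "matching" digest of empty input.
modulus_digest() {
    kind=$1; file=$2
    [ -s "$file" ] || return 1
    mod=$(openssl "$kind" -noout -modulus -in "$file" 2>/dev/null) || return 1
    [ -n "$mod" ] || return 1
    printf '%s' "$mod" | openssl dgst -sha256 | sed 's/^.*= //'
}

# Return 0 only if cert and key share a modulus AND the cert verifies against CA.
check_pair() {
    ca=$1; cert=$2; key=$3
    c=$(modulus_digest x509 "$cert") || { echo "no modulus readable from $cert" >&2; return 1; }
    k=$(modulus_digest rsa "$key")   || { echo "no modulus readable from $key" >&2; return 1; }
    [ "$c" = "$k" ] || { echo "certificate and key do not match" >&2; return 1; }
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "$cert does not verify against $ca" >&2; return 1; }
    echo "OK: $cert matches $key and chains to $ca"
}

# When run directly with arguments, perform the check; when sourced, only define the functions.
if [ $# -gt 0 ]; then
    check_pair "$@"
fi
```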

Since ActiveMQ is a Java-based product, it requires truststores and keystores, the Java way of handling keys and certificates.
The MCollective documentation notes that "The truststore is only required for CA-verified TLS. If you are using anonymous TLS, you may skip it." Since we are using CA-verified TLS, we need the truststore.

Create the truststore from the Puppet CA certificate:

keytool -import -alias "MyCA" -file /var/lib/puppet/ssl/certs/ca.pem -keystore truststore.jks
Enter a keystore password and answer yes when asked whether to trust the certificate.

You can test:

keytool -list -keystore truststore.jks

Results:

Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
myca, Nov 25, 2013, trustedCertEntry,
Certificate fingerprint (MD5): FC:A5:4E:D3:4D:16:0F:DD:10:12:97:6A:13:8C:EF:98

Create the keystore. Concatenate the private key and certificate, export them as a PKCS#12 bundle, then import that bundle into a JKS keystore:

cat /var/lib/puppet/ssl/private_keys/puppetm.demo.pem /var/lib/puppet/ssl/certs/puppetm.demo.pem > temp.pem

openssl pkcs12 -export -in temp.pem -out activemq.p12 -name puppetm.demo
Enter an export password for the PKCS#12 file.

keytool -importkeystore -destkeystore keystore.jks -srckeystore activemq.p12 -srcstoretype PKCS12 -alias puppetm.demo
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:

Check the result (and delete temp.pem afterwards, since it holds the private key unencrypted):

keytool -list -keystore keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
puppetm.demo, Nov 25, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): 4F:D9:22:D0:AC:B6:71:09:9B:0F:35:83:DB:E9:DF:DA

openssl x509 -in /var/lib/puppet/ssl/certs/puppetm.demo.pem -fingerprint -md5
MD5 Fingerprint=4F:D9:22:D0:AC:B6:71:09:9B:0F:35:83:DB:E9:DF:DA

On the middleware (ActiveMQ) server, add a stomp+ssl transport connector in activemq.xml and point the broker's sslContext at the keystore and truststore. needClientAuth=true makes the broker demand a client certificate that verifies against the Puppet CA in its truststore:

<transportConnectors>
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
    <transportConnector name="stomp+nio" uri="stomp+nio://0.0.0.0:61613"/>
    <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:61614?needClientAuth=true"/>
</transportConnectors>

<sslContext>
    <sslContext
        keyStore="/etc/activemq/keystore.jks" keyStorePassword="passwordhere"
        trustStore="/etc/activemq/truststore.jks" trustStorePassword="passwordhere"
    />
</sslContext>

Connect each MCollective server to the middleware (the same plugin.activemq.pool.1.* settings shown below for the client go in that node's /etc/mcollective/server.cfg, with the node's own Puppet certificate and key), use /var/log/mcollective.log to debug, and make sure it stays connected.

INSTALL MCOLLECTIVE CLIENT:

Run this on the PuppetMaster as well, so the client certificate is signed by the Puppet CA. If the MCollective client lives on another server, copy the resulting keys over afterwards:

# puppet cert generate userclient
Notice: userclient has a waiting certificate request
Notice: Signed certificate request for userclient
Notice: Removing file Puppet::SSL::CertificateRequest userclient at '/var/lib/puppet/ssl/ca/requests/userclient.pem'
Notice: Removing file Puppet::SSL::CertificateRequest userclient at '/var/lib/puppet/ssl/certificate_requests/userclient.pem'

# Important: Puppet 3.0 puts the CA file in certs/ca.pem instead of ca/ca_crt.pem,
# and the user's signed certificate in certs/[user].pem instead of public_keys/[user].pem.

# With the ssl security plugin, the public (certificate) file to use is:
public - no ssl: /var/lib/puppet/ssl/certs/userclient.pem

# Create the directory and change into it before copying, since the copies use relative names
mkdir -p /etc/mcollective/ssl/activemqssl
cd /etc/mcollective/ssl/activemqssl
cp /var/lib/puppet/ssl/certs/ca.pem ca.pem
cp /var/lib/puppet/ssl/certs/userclient.pem userclient-cert.pem
cp /var/lib/puppet/ssl/public_keys/userclient.pem userclient-public.pem
cp /var/lib/puppet/ssl/private_keys/userclient.pem userclient-private.pem
cp /var/lib/puppet/ssl/ca/signed/userclient.pem userclient-signed.pem

Then configure the connector in /etc/mcollective/client.cfg:

connector = activemq
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = localhost
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = passwordhere

plugin.activemq.pool.1.ssl = true
#if ssl=false (default) -> port=61613, else if ssl=true -> port=61614
#plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.port = 61614

plugin.activemq.pool.1.ssl.ca = /etc/mcollective/ssl/activemqssl/ca.pem
plugin.activemq.pool.1.ssl.key = /etc/mcollective/ssl/activemqssl/userclient-private.pem
plugin.activemq.pool.1.ssl.cert = /etc/mcollective/ssl/activemqssl/userclient-cert.pem

You can then test the setup with: mco inventory someclient.demo