PuppetMaster
Locate the SSL directory and the existing keys:
# puppet agent --configprint ssldir
/var/lib/puppet/ssl
In this case:
CA:      /var/lib/puppet/ssl/certs/ca.pem
PUBLIC:  /var/lib/puppet/ssl/certs/puppetm.demo.pem
PRIVATE: /var/lib/puppet/ssl/private_keys/puppetm.demo.pem
If you want to test them, compare the RSA modulus of the certificate and the private key (they must match), verify the certificate against the CA, and check the validity period:
openssl x509 -noout -modulus -in /var/lib/puppet/ssl/certs/puppetm.demo | openssl md5
(stdin)= d41d8cd98f00b204e9800998ecf8427e
openssl rsa -noout -modulus -in /var/lib/puppet/ssl/private_keys/puppetm.demo | openssl md5
(stdin)= d41d8cd98f00b204e9800998ecf8427e
openssl verify -CAfile /var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/puppetm.demo.pem
/var/lib/puppet/ssl/certs/puppetm.demo: OK
openssl x509 -in /var/lib/puppet/ssl/certs/puppetm.demo.pem -text -noout
Validity
    Not Before: Nov  6 01:17:58 2013 GMT
    Not After : Nov  6 01:17:58 2018 GMT
Caveat: d41d8cd98f00b204e9800998ecf8427e is the MD5 of empty input, so the two modulus commands above printed nothing. The cert and key paths given to them lack the .pem suffix that the files actually carry (the verify command, which uses /var/lib/puppet/ssl/certs/puppetm.demo.pem, succeeds). Rerun them against the .pem paths: the two digests must be equal and must not be this value.
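The check above is easy to get wrong because a failed openssl command still yields a digest. The following script is an added example, not code from the original post or from Puppet/MCollective: it repeats the post's modulus comparison through subprocess, refuses an empty openssl result, and also runs the CA verification. The paths it is given are assumptions.

```python
"""Added example, not from the original post: confirm that a Puppet-issued
certificate and private key belong together without being fooled by an empty
openssl result. The digest shown in the post, d41d8cd98f00b204e9800998ecf8427e,
is the MD5 of empty input; two "matching" digests of that value mean both
openssl commands printed nothing (for example because the path was missing its
.pem suffix). Paths are assumptions; nothing here is Puppet or MCollective code."""
import hashlib
import subprocess

EMPTY_INPUT_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e


def modulus_digest(kind, path):
    """Run 'openssl <x509|rsa> -noout -modulus -in PATH' and return the MD5 of
    its stdout, exactly what the post's '| openssl md5' pipeline hashes.
    Return None when openssl is missing, fails, or prints nothing."""
    try:
        out = subprocess.run(["openssl", kind, "-noout", "-modulus", "-in", path],
                             capture_output=True, text=True)
    except FileNotFoundError:  # no openssl binary on this host
        return None
    if out.returncode != 0 or not out.stdout.strip():
        return None
    return hashlib.md5(out.stdout.encode()).hexdigest()


def digests_match(cert_digest, key_digest):
    """Pure comparison: both present, equal, and not the digest of empty input."""
    if cert_digest is None or key_digest is None:
        return False
    if cert_digest == EMPTY_INPUT_MD5:
        return False
    return cert_digest == key_digest


def cert_key_match(cert_path, key_path):
    """True only when the certificate's RSA modulus equals the private key's."""
    return digests_match(modulus_digest("x509", cert_path),
                         modulus_digest("rsa", key_path))


def signed_by(ca_path, cert_path):
    """'openssl verify -CAfile CA CERT' -> True when the chain validates."""
    try:
        r = subprocess.run(["openssl", "verify", "-CAfile", ca_path, cert_path],
                           capture_output=True, text=True)
    except FileNotFoundError:
        return False
    return r.returncode == 0


if __name__ == "__main__":
    # Assumed paths, matching the layout the post describes.
    cert = "/var/lib/puppet/ssl/certs/puppetm.demo.pem"
    key = "/var/lib/puppet/ssl/private_keys/puppetm.demo.pem"
    ca = "/var/lib/puppet/ssl/certs/ca.pem"
    print("cert/key match:", cert_key_match(cert, key))
    print("signed by CA:  ", signed_by(ca, cert))
```

A missing file, a wrong suffix or a host without openssl all come back as False rather than as a pair of identical digests of nothing.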
Since ActiveMQ is a Java-based product, it requires truststores and keystores, the Java way of handling keys.
The documentation notes that "The truststore is only required for CA-verified TLS. If you are using anonymous TLS, you may skip it." Since we are using CA-verified TLS, we need the truststore.
Create the truststore ActiveMQ requires by importing the Puppet CA certificate:
keytool -import -alias "MyCA" -file /var/lib/puppet/ssl/certs/ca.pem -keystore truststore.jks
Enter a password and confirm the import with yes.
You can test it:
keytool -list -keystore truststore.jks
Results:
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

myca, Nov 25, 2013, trustedCertEntry,
Certificate fingerprint (MD5): FC:A5:4E:D3:4D:16:0F:DD:10:12:97:6A:13:8C:EF:98
Create the keystore. Bundle the server's private key and certificate into a PKCS#12 file, then import that into a JKS keystore:
cat /var/lib/puppet/ssl/private_keys/puppetm.demo.pem /var/lib/puppet/ssl/certs/puppetm.demo.pem > temp.pem
openssl pkcs12 -export -in temp.pem -out activemq.p12 -name puppetm.demo
(enter an export password)
keytool -importkeystore -destkeystore keystore.jks -srckeystore activemq.p12 -srcstoretype PKCS12 -alias puppetm.demo
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Test it; the fingerprint in the keystore must equal the fingerprint of the certificate file:
keytool -list -keystore keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

puppetm.demo, Nov 25, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): 4F:D9:22:D0:AC:B6:71:09:9B:0F:35:83:DB:E9:DF:DA
openssl x509 -in /var/lib/puppet/ssl/certs/puppetm.demo.pem -fingerprint -md5
MD5 Fingerprint=4F:D9:22:D0:AC:B6:71:09:9B:0F:35:83:DB:E9:DF:DA
On the middleware/ActiveMQ server, add a stomp+ssl transport connector (with needClientAuth=true so clients must present a certificate) and point the sslContext at the keystore and truststore:
<transportConnectors>
  <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
  <transportConnector name="stomp+nio" uri="stomp+nio://0.0.0.0:61613"/>
  <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:61614?needClientAuth=true"/>
</transportConnectors>
<sslContext>
  <sslContext keyStore="/etc/activemq/keystore.jks" keyStorePassword="passwordhere"
              trustStore="/etc/activemq/truststore.jks" trustStorePassword="passwordhere" />
</sslContext>
Connect each MCollective server to the middleware and use /var/log/mcollective.log to debug; make sure each one stays connected correctly.
INSTALL MCOLLECTIVE CLIENT:
Again, run this on the puppetmaster server so the client certificate is signed by the PuppetMaster CA. If the client lives on another server, copy these keys over afterwards:
# puppet cert generate userclient
Notice: userclient has a waiting certificate request
Notice: Signed certificate request for userclient
Notice: Removing file Puppet::SSL::CertificateRequest userclient at '/var/lib/puppet/ssl/ca/requests/userclient.pem'
Notice: Removing file Puppet::SSL::CertificateRequest userclient at '/var/lib/puppet/ssl/certificate_requests/userclient.pem'
# Important: Puppet 3.0 puts the CA file in certs/ca.pem instead of ca/ca_crt.pem
# Also, the user's public key is in certs/[user].pem instead of public_keys.pem
# ssl plugin: use public key; no ssl: /var/lib/puppet/ssl/certs/userclient.pem
mkdir /etc/mcollective/ssl/activemqssl
cd /etc/mcollective/ssl/activemqssl   # the cp targets below are relative to this directory
cp /var/lib/puppet/ssl/certs/ca.pem ca.pem
cp /var/lib/puppet/ssl/certs/userclient.pem userclient-cert.pem
cp /var/lib/puppet/ssl/public_keys/userclient.pem userclient-public.pem
cp /var/lib/puppet/ssl/private_keys/userclient.pem userclient-private.pem
cp /var/lib/puppet/ssl/ca/signed/userclient.pem userclient-signed.pem
/etc/mcollective/client.cfg:
connector = activemq
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = localhost
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = passwordhere
plugin.activemq.pool.1.ssl = true
# if ssl=false (default) -> port=61613, else if ssl=true -> port=61614
#plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.port = 61614
plugin.activemq.pool.1.ssl.ca = /etc/mcollective/ssl/activemqssl/ca.pem
plugin.activemq.pool.1.ssl.key = /etc/mcollective/ssl/activemqssl/userclient-private.pem
plugin.activemq.pool.1.ssl.cert = /etc/mcollective/ssl/activemqssl/userclient-cert.pem
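The broker's transportConnectors and the client's pool settings have to agree: the client must aim at the stomp+ssl port, that connector must demand a client certificate, and the client must have a CA, key and cert to present. The script below is an added example, not part of the original post or of MCollective/ActiveMQ: it parses both snippets (embedded here as constructed sample text copied from the post, with the XML wrapped in a <broker> root so it parses) and reports any mismatch. The hostnames, ports and paths are the post's; everything else is assumed.

```python
"""Added example, not from the original post: cross-check an MCollective
client.cfg against the ActiveMQ transportConnectors so the client really
talks to a TLS connector that requires a client certificate."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the post's activemq.xml fragment under a <broker> root.
ACTIVEMQ_XML = """<broker>
<transportConnectors>
  <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
  <transportConnector name="stomp+nio" uri="stomp+nio://0.0.0.0:61613"/>
  <transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:61614?needClientAuth=true"/>
</transportConnectors>
<sslContext>
  <sslContext keyStore="/etc/activemq/keystore.jks" keyStorePassword="passwordhere"
              trustStore="/etc/activemq/truststore.jks" trustStorePassword="passwordhere"/>
</sslContext>
</broker>"""

# Constructed sample: the post's /etc/mcollective/client.cfg.
CLIENT_CFG = """connector = activemq
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = localhost
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = passwordhere
plugin.activemq.pool.1.ssl = true
#plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.port = 61614
plugin.activemq.pool.1.ssl.ca = /etc/mcollective/ssl/activemqssl/ca.pem
plugin.activemq.pool.1.ssl.key = /etc/mcollective/ssl/activemqssl/userclient-private.pem
plugin.activemq.pool.1.ssl.cert = /etc/mcollective/ssl/activemqssl/userclient-cert.pem
"""

URI_RE = re.compile(r"^(?P<scheme>[^:]+)://(?P<host>[^:/?]+):(?P<port>\d+)(?:\?(?P<query>.*))?$")


def parse_cfg(text):
    """Parse MCollective's 'key = value' lines; '#' starts a comment."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def parse_connectors(xml_text):
    """Return {port: {name, scheme, needClientAuth}} per transportConnector."""
    connectors = {}
    for tc in ET.fromstring(xml_text).iter("transportConnector"):
        m = URI_RE.match(tc.get("uri", ""))
        if not m:
            continue
        query = dict(kv.split("=", 1) for kv in (m.group("query") or "").split("&") if "=" in kv)
        connectors[int(m.group("port"))] = {
            "name": tc.get("name"),
            "scheme": m.group("scheme"),
            "needClientAuth": query.get("needClientAuth", "false").lower() == "true",
        }
    return connectors


def audit_pool(cfg, connectors, n=1):
    """Findings for pool entry n; an empty list means client and broker agree."""
    p = f"plugin.activemq.pool.{n}."
    findings = []
    ssl = cfg.get(p + "ssl", "false").lower() == "true"
    if p + "port" not in cfg:
        return [f"{p}port is not set"]
    port = int(cfg[p + "port"])
    conn = connectors.get(port)
    if conn is None:
        return [f"port {port}: no transportConnector listens there"]
    if ssl and not conn["scheme"].endswith("+ssl"):
        findings.append(f"port {port}: client uses TLS but connector '{conn['name']}' is {conn['scheme']}")
    if not ssl:
        findings.append(f"port {port}: credentials sent in cleartext over '{conn['name']}'")
    if ssl and not conn["needClientAuth"]:
        findings.append(f"port {port}: connector does not require a client certificate")
    if ssl:
        for key in ("ssl.ca", "ssl.key", "ssl.cert"):
            if not cfg.get(p + key):
                findings.append(f"{p}{key} is missing")
    return findings


if __name__ == "__main__":
    findings = audit_pool(parse_cfg(CLIENT_CFG), parse_connectors(ACTIVEMQ_XML))
    for line in findings or ["OK: client pool matches a mutually authenticated TLS connector"]:
        print(line)
```

Switching the client's port back to 61613 (the commented-out line in the post) is reported as TLS pointed at the plaintext stomp+nio connector, which is the mistake the post's port comment is warning about.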
You can then test the client against a node:
mco inventory someclient.demo