赞
踩
RabbitMQ MQTT TLS相关配置 一、启用rabbitmq_mqtt插件及配置 1、启用rabbitmq_mqtt rabbitmq-plugins enable rabbitmq_mqtt 2、用户和身份验证 添加用户:rabbitmqctl add_user mqtt_chen mqtt_chen 添加用户角色:rabbitmqctl set_user_tags mqtt_chen management 添加虚拟主机:rabbitmqctl add_vhost vhost1 将用户添加到虚拟主机:rabbitmqctl set_permissions -p /vhost1 mqtt_chen”*” “*” “*” 3、rabbitmqctl常用命令 4、rabbitmq_mqtt配置 若etc/rabbitmq/rabbitmq.config 不存在,则cd /usr/share/doc/rabbitmq-server-3.7.10 拷贝一份:cp /rabbitmq.config.example /etc/rabbitmq/rabbitmq.config 编辑rabbitmq.config: vi /etc/rabbitmq/rabbitmq.config {rabbitmq_mqtt, [ {default_user, <<"guest">>}, {default_pass, <<"guest">>}, {loopback_users, []}, {allow_anonymous, true}, {vhost, <<"/">>}, {exchange, <<"amq.topic">>}, {subscription_ttl, 1800000}, {prefetch, 10}, {tcp_listeners, [1883]}, {ssl_listeners, [8883]}, {tcp_listen_options, [ {backlog, 128}, {nodelay, true}, {linger, {true, 0}}, {exit_on_close, false} ]} ]} 5、端口到虚拟主机映射 rabbitmqctl set_global_parameter mqtt_port_to_vhost_mapping \ ‘{“1883”:”vhost1”,”8883”:”vhost1”}’ 6、重启rabbitmq rabbitmq-server restart or rabbitmq-server stop, rabbitmqctl stop,rabbitmq-server start 二、启用rabbitmq TLS及配置 1、启用TLS 编辑rabbitmq.config: vi /etc/rabbitmq/rabbitmq.config {rabbit, [ {tcp_listeners, [5672]}, {ssl_listeners, [5671]}, {loopback_users, []}, {ssl_options, [ {cacertfile, "/path/to/ca_certificate_bundle.pem"}, {certfile, "/path/to/server_certificate.pem"}, {keyfile, "/path/to/server_key.pem"}, {verify, verify_peer}, {fail_if_no_peer_cert, false}]} ]} 2、手动为开发和QA环境生成自签名证书 2.1、testca mkdir testca cd testca mkdir certs private chmod 700 private echo 01> serial touch index.txt touch openssl.cnf 添加如下内容: [ ca ] default_ca = testca [ testca ] dir = . certificate = $dir/ca_certificate_bundle.pem database = $dir/index.txt new_certs_dir = $dir/certs private_key = $dir/private/ca_private_key.pem serial = $dir/serial default_crl_days = 7 default_days = 365 default_md = sha256 policy = testca_policy x509_extensions = certificate_extensions [ testca_policy ] commonName = supplied stateOrProvinceName = optional countryName = optional emailAddress = optional organizationName = optional organizationalUnitName = optional domainComponent = optional [ certificate_extensions ] basicConstraints = CA:false [ req ] default_bits = 2048 default_keyfile = ./private/ca_private_key.pem default_md = sha256 prompt = yes distinguished_name = root_ca_distinguished_name x509_extensions = root_ca_extensions [ root_ca_distinguished_name ] commonName = hostname [ root_ca_extensions ] basicConstraints = CA:true keyUsage = keyCertSign, cRLSign [ client_ca_extensions ] basicConstraints = CA:false keyUsage = digitalSignature,keyEncipherment extendedKeyUsage = 1.3.6.1.5.5.7.3.2 [ server_ca_extensions ] basicConstraints = CA:false keyUsage = digitalSignature,keyEncipherment extendedKeyUsage = 1.3.6.1.5.5.7.3.1 然后生成证书颁发机构将使用的密钥和证书: openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 \ -out ca_certificate_bundle.pem -outform PEM -subj /CN=MyTestCA/ -nodes openssl x509 -in ca_certificate_bundle.pem -out ca_certificate_bundle.cer -outform DER 2.2、server cd .. ls # => testca mkdir server cd server openssl genrsa -out private_key.pem 2048 openssl req -new -key private_key.pem -out req.pem -outform PEM \ -subj /CN=$(hostname)/O=server/ -nodes cd ../testca openssl ca -config openssl.cnf -in ../server/req.pem -out \ ../server/server_certificate.pem -notext -batch -extensions server_ca_extensions cd ../server openssl pkcs12 -export -out server_certificate.p12 -in server_certificate.pem -inkey private_key.pem \ -passout pass:MySecretPassword 2.3、client cd .. ls # => server testca mkdir client cd client openssl genrsa -out private_key.pem 2048 openssl req -new -key private_key.pem -out req.pem -outform PEM \ -subj /CN=$(hostname)/O=client/ -nodes cd ../testca openssl ca -config openssl.cnf -in ../client/req.pem -out \ ../client/client_certificate.pem -notext -batch -extensions client_ca_extensions cd ../client openssl pkcs12 -export -out client_certificate.p12 -in client_certificate.pem -inkey private_key.pem \ -passout pass:MySecretPasswordRabbitmq.config总配置
[ {rabbit, [ {tcp_listeners, [5672]}, {ssl_listeners, [5671]}, {loopback_users, []}, {ssl_options, [{cacertfile, "/path/to/ca_certificate_bundle.pem"}, {certfile, "/path/to/server_certificate.pem"}, {keyfile, "/path/to/server_key.pem"}, {verify, verify_peer}, {fail_if_no_peer_cert, false}]} ]}, {rabbitmq_mqtt, [ {default_user, <<"guest">>}, {default_pass, <<"guest">>}, {loopback_users, []}, {allow_anonymous, true}, {vhost, <<"/">>}, {exchange, <<"amq.topic">>}, {subscription_ttl, 1800000}, {prefetch, 10}, {tcp_listeners, [1883]}, {ssl_listeners, [8883]}, {tcp_listen_options, [ {backlog, 128}, {nodelay, true}, {linger, {true, 0}}, {exit_on_close, false} ]} ]} ].
-
- 参考官网:
- 启用mqtt: http://www.rabbitmq.com/mqtt.html
- 启用TLS: http://www.rabbitmq.com/ssl.html
Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。