Quarkus reactive messaging rabbitmq Connector with client certificate authentication


I would like to use the Quarkus RabbitMQ Connector to connect to a RabbitMQ Broker (Queues). The customer requires peer verification and client certificate authentication (instead of username/password). Unfortunately, I could not find an example of how to configure the client certificate.

In the Quarkus description, I found that the Vert.x RabbitMQ client can be customized (https://quarkus.io/guides/rabbitmq-reference#customizing-the-underlying-rabbitmq-client). I have the server certificate (where the RabbitMQ broker is running) as a .crt file and the key file as a .key file. I also have the client certificate as a .pem file with the cert chain and the encrypted private key included.

-----BEGIN CERTIFICATE-----
CERT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CERT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CERT
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----

Does anyone have experience with client certificate authentication and RabbitMQ?

I am currently not sure if client certificate authentication works with Quarkus and the RabbitMQ connector. For the underlying Vert.x client, I can only configure a truststore (https://vertx.io/docs/vertx-rabbitmq-client/java/#_jks_trust_store_option). There I set the server certificate file and the password. Or should I create my own keystore with the server certificate and the client certificate included? Is this possible?

Janez Kuhar

TLS Connections Without Peer Verification

You DO NOT need the server's private key! That would defeat the purpose of the server keeping it a secret.

If your RabbitMQ server or a TLS-terminating proxy uses a self-signed certificate, add the following configuration to your RabbitMQ client:

import io.vertx.core.net.PemTrustOptions;
import io.vertx.rabbitmq.RabbitMQOptions;

// Trust the CA that signed the broker's server certificate
PemTrustOptions trust = new PemTrustOptions().addCertPath("./tlc/ca.crt");
RabbitMQOptions options = new RabbitMQOptions()
    .setSsl(true)
    .setPemTrustOptions(trust); // ... other configuration options can be chained here

Ensure that ./tlc/ca.crt contains the public key (certificate) of the CA that signed the server certificate.

Try to make this work first before proceeding to client certificate authentication and peer verification.

Enabling Peer Verification

To enable peer verification, provide the RabbitMQ client with the client's private and public key:

import io.vertx.core.net.PemKeyCertOptions;
import io.vertx.rabbitmq.RabbitMQOptions;

// Client certificate and private key presented to the broker during the TLS handshake
PemKeyCertOptions keycert = new PemKeyCertOptions()
    .addCertPath("./tls/tls.crt")
    .addKeyPath("./tls/tls.key");
RabbitMQOptions options = new RabbitMQOptions()
    .setSsl(true)
    .setPemKeyCertOptions(keycert); // ... other configuration options can be chained here

Here, ./tls/tls.crt is the public key, and ./tls/tls.key is the private key of your client certificate.

Ensure RabbitMQ is configured for peer verification. If your RabbitMQ server doesn't handle TLS traffic directly, consider configuring it at a higher layer (e.g., if behind HAProxy or Nginx).

For self-signed client certificates, inform the server (RabbitMQ or TLS terminating proxy) about their trustworthiness. Detailed steps for establishing this trust are beyond this post's scope.
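Combining the answer's two option sets inside the Quarkus client customizer that the question links, as an added example that is not part of the original post or of the Quarkus project: the bean identifier, channel name, file paths and broker host are assumptions, Quarkus 3 (jakarta namespace) is assumed, and the private key is assumed to be an unencrypted PKCS#8 file.

```java
import io.smallrye.common.annotation.Identifier;
import io.vertx.core.net.PemKeyCertOptions;
import io.vertx.core.net.PemTrustOptions;
import io.vertx.rabbitmq.RabbitMQOptions;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.inject.Produces;

/**
 * Produces a named RabbitMQOptions bean that the Quarkus RabbitMQ connector
 * uses for every channel whose client-options-name matches the identifier, e.g.
 *
 *   mp.messaging.incoming.orders.connector=smallrye-rabbitmq
 *   mp.messaging.incoming.orders.client-options-name=mtls-rabbitmq-options
 *
 * Assumptions: Quarkus 3 (jakarta namespace), placeholder paths and host,
 * and ./tls/client.key holding an unencrypted PKCS#8 private key.
 */
@ApplicationScoped
public class RabbitMQTlsConfig {

    @Produces
    @Identifier("mtls-rabbitmq-options")
    public RabbitMQOptions mtlsOptions() {
        // Certificate of the CA that signed the broker's (or TLS proxy's) server
        // certificate. Only the CA certificate is needed, never the server's key.
        PemTrustOptions trust = new PemTrustOptions()
                .addCertPath("./tls/ca.crt");

        // Client certificate chain and private key presented in the TLS handshake.
        PemKeyCertOptions keyCert = new PemKeyCertOptions()
                .addCertPath("./tls/client.crt")
                .addKeyPath("./tls/client.key");

        RabbitMQOptions options = new RabbitMQOptions();
        options.setHost("rabbitmq.example.internal");      // placeholder broker host
        options.setPort(5671);                              // RabbitMQ's default AMQPS port
        options.setSsl(true);
        options.setTrustAll(false);                         // keep server certificate checks on
        options.setHostnameVerificationAlgorithm("HTTPS");  // reject certificates issued for other hosts
        options.setPemTrustOptions(trust);
        options.setPemKeyCertOptions(keyCert);
        return options;
    }
}
```

Leaving `setTrustAll(false)` and a hostname verification algorithm in place is what turns the CA file into actual peer verification; with trust-all enabled the CA certificate would be loaded but never enforced.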