Bug 1165606

Summary: rubygem-openshift-origin-routing-daemon and rubygem-openshift-origin-routing-activemq should allow user to enable activemq ssl connection.
Product: OpenShift Container Platform
Reporter: Johnny Liu <jialiu>
Component: Node
Assignee: chris alfonso <calfonso>
Status: CLOSED ERRATA
QA Contact: libra bugs <libra-bugs>
Severity: high
Priority: high
Version: 2.2.0
CC: adellape, bleanhar, calfonso, hbrock, jokerman, libra-onpremise-devel, mmccomas
Fixed In Version: rubygem-openshift-origin-routing-activemq-0.6.1.2-1.el6op, rubygem-openshift-origin-routing-daemon-0.17.1.7-1.el6op
Doc Type: Enhancement
Doc Text:
The routing plug-in and routing daemon now support SSL connections to ActiveMQ. This allows administrators to encrypt ActiveMQ traffic to provide a higher level of security by enabling SSL connectivity between ActiveMQ and both the routing daemon and the routing plug-in. See the OpenShift Enterprise Deployment Guide for configuration details.
Last Closed: 2014-12-10 13:25:13 UTC
Type: Bug

Comment 2 chris alfonso 2014-11-21 19:50:49 UTC
PR is open upstream, I'll merge this into enterprise after it's merged upstream.
https://github.com/openshift/origin-server/pull/5969

Comment 3 chris alfonso 2014-11-24 14:07:48 UTC
The patches for this bug have been merged and built for enterprise-server.

This required a fix to both the routing plugin and routing daemon. The next puddle build will contain the packages as noted in Fixed In Version.

Comment 4 chris alfonso 2014-11-24 14:14:35 UTC
Since the documentation for this hasn't yet been updated, I want to make sure I have more notes around for QE for testing SSL connections for the routing plugin and routing daemon.

For SSL testing, the routing plugin and routing daemon configurations need to be able to handle an SSL configuration per activemq host. The routing plugin is able to set the MCOLLECTIVE_CONFIG="/opt/rh/ruby193/root/etc/mcollective/client.cfg" setting in openshift-origin-routing-activemq.conf to pick up the client.cfg settings on the OpenShift broker. It's important to know that the username and password are still picked up from the openshift-origin-routing-activemq.conf and not from the client.cfg. The reason for this is the client.cfg doesn't have credentials for the routing topic.

The routing daemon is typically not installed on the OpenShift broker, so if you want to configure SSL, you'll need to uncomment the new plugin.activemq* settings in routing-daemon.conf. They are basically a duplication of what is carried in the mcollective client.cfg - again, other than the username and password.

Comment 8 Johnny Liu 2014-11-25 11:07:16 UTC
Verified this bug with rubygem-openshift-origin-routing-activemq-0.7.1.2-1.el6op.noarch and rubygem-openshift-origin-routing-daemon-0.20.2.1-1.el6op.noarch, PASS.

# cat /etc/openshift/plugins.d/openshift-origin-routing-activemq.conf
ACTIVEMQ_TOPIC='/topic/routinginfo'
ACTIVEMQ_PORT='61613'
ACTIVEMQ_HOST='activemq.ose21-20141112.example.com'
ACTIVEMQ_USERNAME='routinginfo'
ACTIVEMQ_PASSWORD='routinginfopasswd'
MCOLLECTIVE_CONFIG="/opt/rh/ruby193/root/etc/mcollective/client.cfg"

# cat /opt/rh/ruby193/root/etc/mcollective/client.cfg
main_collective = mcollective
collectives = mcollective
libdir = /opt/rh/ruby193/root/usr/libexec/mcollective
logger_type = console
loglevel = warn
direct_addressing = 0

# Plugins
securityprovider=psk
plugin.psk = asimplething

connector = activemq
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = activemq.ose21-20141112.example.com
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = marionette
plugin.activemq.pool.1.ssl = true
plugin.activemq.pool.1.ssl.ca = /etc/ssl/server.crt
plugin.activemq.pool.1.ssl.key = /etc/ssl/server.key
plugin.activemq.pool.1.ssl.cert = /etc/ssl/server.crt
# For further options on heartbeats and timeouts, refer to
# https://docs.puppetlabs.com/mcollective/reference/plugins/connector_activemq.html
plugin.activemq.heartbeat_interval = 30
plugin.activemq.max_hbread_fails = 2
plugin.activemq.max_hbrlck_fails = 2
# Broker will retry ActiveMQ connection, then report error
plugin.activemq.initial_reconnect_delay = 0.1
plugin.activemq.max_reconnect_attempts = 6

# Facts
factsource = yaml
plugin.yaml = /opt/rh/ruby193/root/etc/mcollective/facts.yaml


# cat /etc/openshift/routing-daemon.conf
<--snip-->
ACTIVEMQ_HOST=activmq.example.com
ACTIVEMQ_USER=routinginfo
ACTIVEMQ_PASSWORD=routinginfopasswd
ACTIVEMQ_PORT=61613
ACTIVEMQ_DESTINATION=/topic/routinginfo
<--snip-->
# Enabling the plugin.activemq settings will override the ACTIVEMQ_HOST and ACTIVEMQ_PORT
# settings. Use the plugin settings if you need to verified SSL settings.
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = 10.66.79.123
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.ssl = true
plugin.activemq.pool.1.ssl.ca = /etc/keys/server.crt
plugin.activemq.pool.1.ssl.key = /etc/keys/server.key
plugin.activemq.pool.1.ssl.cert = /etc/keys/server.crt


After a scalable app is created successfully, the nginx config file is also created successfully, and the app can be accessed successfully via nginx.
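
An added example (not part of this bug report and not the OpenShift code) that audits a routing-daemon.conf in the format shown in Comment 8: it resolves the effective ActiveMQ endpoints using the precedence described in Comment 4 and flags pool entries without SSL or without the ca/key/cert settings. The helper names, sample hostnames and file paths are constructed for illustration, and treating an absent pool as a non-SSL connection is an assumption.

```ruby
# Added example, not the routing daemon's own code. Assumed precedence (from this bug):
# plugin.activemq.pool.* overrides ACTIVEMQ_HOST/PORT; credentials stay in ACTIVEMQ_*.
def parse_conf(text)
  text.each_line.with_object({}) do |line, conf|
    line = line.strip
    next if line.empty? || line.start_with?('#', '<') # comments, <--snip--> markers
    key, value = line.split('=', 2)
    conf[key.strip] = value.strip.gsub(/\A['"]|['"]\z/, '') if value
  end
end

# Resolve the endpoints the daemon would connect to (hypothetical helper).
def effective_hosts(conf)
  creds = { user: conf['ACTIVEMQ_USER'], password: conf['ACTIVEMQ_PASSWORD'] }
  size = conf['plugin.activemq.pool.size'].to_i
  # No pool configured: fall back to the plain ACTIVEMQ_HOST/PORT pair (no SSL settings).
  return [creds.merge(host: conf['ACTIVEMQ_HOST'], port: conf['ACTIVEMQ_PORT'].to_i, ssl: false)] if size.zero?
  (1..size).map do |i|
    pre = "plugin.activemq.pool.#{i}"
    creds.merge(host: conf["#{pre}.host"], port: conf["#{pre}.port"].to_i,
                ssl: conf["#{pre}.ssl"] == 'true', ca: conf["#{pre}.ssl.ca"],
                key: conf["#{pre}.ssl.key"], cert: conf["#{pre}.ssl.cert"])
  end
end

# Report endpoints that would carry the routing credentials without SSL, or that
# enable SSL without the ca/key/cert settings used in the configs above.
def ssl_findings(hosts)
  hosts.flat_map do |h|
    next ["#{h[:host]}: ssl not enabled"] unless h[:ssl]
    %i[ca key cert].select { |k| h[k].to_s.empty? }.map { |k| "#{h[:host]}: ssl.#{k} not set" }
  end
end

# Constructed sample modelled on the routing-daemon.conf in Comment 8.
SAMPLE = <<~CONF
  ACTIVEMQ_HOST=activemq.example.com
  ACTIVEMQ_USER=routinginfo
  ACTIVEMQ_PASSWORD=example-password
  plugin.activemq.pool.size = 2
  plugin.activemq.pool.1.host = mq1.example.com
  plugin.activemq.pool.1.port = 61613
  plugin.activemq.pool.1.ssl = true
  plugin.activemq.pool.1.ssl.ca = /etc/keys/ca.crt
  plugin.activemq.pool.1.ssl.key = /etc/keys/server.key
  plugin.activemq.pool.1.ssl.cert = /etc/keys/server.crt
  plugin.activemq.pool.2.host = mq2.example.com
CONF
puts ssl_findings(effective_hosts(parse_conf(SAMPLE)))
```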

Comment 10 errata-xmlrpc 2014-12-10 13:25:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2014-1979.html