Bug 1165606 - rubygem-openshift-origin-routing-daemon and rubygem-openshift-origin-routing-activemq should allow user to enable activemq ssl connection.
Summary: rubygem-openshift-origin-routing-daemon and rubygem-openshift-origin-routing-...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: 2.2.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: chris alfonso
QA Contact: libra bugs
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-11-19 10:44 UTC by Johnny Liu
Modified: 2016-02-01 02:36 UTC
CC List: 7 users

Fixed In Version: rubygem-openshift-origin-routing-activemq-0.6.1.2-1.el6op, rubygem-openshift-origin-routing-daemon-0.17.1.7-1.el6op
Doc Type: Enhancement
Doc Text:
The routing plug-in and routing daemon now support SSL connections to ActiveMQ. This allows administrators to encrypt ActiveMQ traffic to provide a higher level of security by enabling SSL connectivity between ActiveMQ and both the routing daemon and the routing plug-in. See the OpenShift Enterprise Deployment Guide for configuration details.
Clone Of:
Environment:
Last Closed: 2014-12-10 13:25:13 UTC
Target Upstream Version:
Embargoed:


Links
System ID: Red Hat Product Errata RHBA-2014:1979
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Red Hat OpenShift Enterprise 2.2.2 bug fix and enhancement update
Last Updated: 2014-12-10 18:23:46 UTC

Comment 2 chris alfonso 2014-11-21 19:50:49 UTC
PR is open upstream, I'll merge this into enterprise after it's merged upstream.
https://github.com/openshift/origin-server/pull/5969

Comment 3 chris alfonso 2014-11-24 14:07:48 UTC
The patches for this bug have been merged and built for enterprise-server.

This required a fix to both the routing plugin and routing daemon. The next puddle build will contain the packages as noted in Fixed In Version.

Comment 4 chris alfonso 2014-11-24 14:14:35 UTC
Since the documentation for this hasn't yet been updated, I want to make sure I have more notes around for QE for testing SSL connections for the routing plugin and routing daemon.

For SSL testing the routing plugin and routing daemon configuration need to be able to handle an SSL configuration per activemq host. The routing plugin is able to set the MCOLLECTIVE_CONFIG="/opt/rh/ruby193/root/etc/mcollective/client.cfg" setting in openshift-origin-routing-activemq.conf to pick up the client.cfg settings on the OpenShift broker. It's important to know that the username and password are still picked up from the openshift-origin-routing-activemq.conf and not from the client.cfg. The reason for this is the client.cfg doesn't have credentials for the routing topic.

The routing daemon is typically not installed on the OpenShift broker, so if you want to configure SSL, you'll need to uncomment the new plugin.activemq* settings in routing-daemon.conf. They are basically a duplication of what is carried in the mcollective client.cfg - again, other than the username and password.

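The merge rules in the comment above (plugin.activemq.pool.N.* overriding ACTIVEMQ_HOST/ACTIVEMQ_PORT, credentials always taken from the routing conf and never from client.cfg) are shown below as an added Ruby illustration. This is not the routing daemon's or routing plug-in's own code; the file names and the two config syntaxes come from this bug, while the function names, the constructed sample files and the hash layout (shaped like the per-host entry the stomp gem accepts, which is an assumption here) are the example's own. The checks at the end flag the two things a practitioner would want to know about an ssl=true entry: a missing CA, and a CA that is the server's own certificate.

```ruby
# Added illustration of how the two configuration sources combine into one
# ActiveMQ connection description.  Not the routing daemon's own code; the
# merge rules are from the comment above, everything else is an assumption.

# Parse a simple "KEY='value'" / "key.path = value" file.  Handles the
# shell-style quoting used in openshift-origin-routing-activemq.conf and
# the unquoted "a.b.c = v" style used in client.cfg / routing-daemon.conf.
def parse_conf(text)
  text.each_line.with_object({}) do |line, h|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, sep, value = line.partition('=')
    next if sep.empty?
    value = value.strip
    value = value[1..-2] if value.length >= 2 && %w['' ""].include?(value[0] + value[-1])
    h[key.strip] = value
  end
end

# Build the connection parameters.  Rules from the comment above:
#  * plugin.activemq.pool.N.* (from client.cfg when MCOLLECTIVE_CONFIG is set,
#    or from routing-daemon.conf itself) overrides ACTIVEMQ_HOST/ACTIVEMQ_PORT;
#  * login and passcode always come from the routing conf, never from
#    client.cfg (the routing topic has its own credentials).
def connection_params(routing_conf, mcollective_conf = nil)
  pool = mcollective_conf || routing_conf
  size = pool['plugin.activemq.pool.size'].to_i
  login    = routing_conf['ACTIVEMQ_USERNAME'] || routing_conf['ACTIVEMQ_USER']
  passcode = routing_conf['ACTIVEMQ_PASSWORD']
  hosts = if size > 0
    (1..size).map do |n|
      p = "plugin.activemq.pool.#{n}."
      { host: pool[p + 'host'], port: pool[p + 'port'].to_i,
        ssl: pool[p + 'ssl'] == 'true',
        ca: pool[p + 'ssl.ca'], cert: pool[p + 'ssl.cert'], key: pool[p + 'ssl.key'] }
    end
  else
    [{ host: routing_conf['ACTIVEMQ_HOST'], port: routing_conf['ACTIVEMQ_PORT'].to_i, ssl: false }]
  end
  hosts.map { |h| h.merge(login: login, passcode: passcode) }
end

# Checks worth running before trusting an ssl=true entry.  Pointing ssl.ca at
# the server's own certificate (as both verification configs in this bug do)
# pins trust to that one certificate rather than to a CA, so the connection
# breaks on the next certificate rotation unless the file is updated too.
def ssl_warnings(host)
  return ['SSL disabled: credentials and routing data cross the wire in clear text'] unless host[:ssl]
  w = []
  w << 'ssl=true but ssl.ca is unset: server certificate cannot be verified' if host[:ca].to_s.empty?
  w << 'ssl.ca equals ssl.cert: trust is pinned to one server certificate' if host[:ca] && host[:ca] == host[:cert]
  w << 'ssl.cert set without ssl.key: client authentication will fail' if host[:cert] && host[:key].to_s.empty?
  w
end

# Constructed sample inputs, modelled on the files quoted later in this bug.
ROUTING_CONF = <<~CONF
  ACTIVEMQ_TOPIC='/topic/routinginfo'
  ACTIVEMQ_PORT='61613'
  ACTIVEMQ_HOST='activemq.example.com'
  ACTIVEMQ_USERNAME='routinginfo'
  ACTIVEMQ_PASSWORD='routinginfopasswd'
  MCOLLECTIVE_CONFIG="/opt/rh/ruby193/root/etc/mcollective/client.cfg"
CONF

CLIENT_CFG = <<~CFG
  connector = activemq
  plugin.activemq.pool.size = 1
  plugin.activemq.pool.1.host = activemq.example.com
  plugin.activemq.pool.1.port = 61613
  plugin.activemq.pool.1.user = mcollective
  plugin.activemq.pool.1.password = marionette
  plugin.activemq.pool.1.ssl = true
  plugin.activemq.pool.1.ssl.ca = /etc/ssl/server.crt
  plugin.activemq.pool.1.ssl.key = /etc/ssl/server.key
  plugin.activemq.pool.1.ssl.cert = /etc/ssl/server.crt
CFG

def example
  routing = parse_conf(ROUTING_CONF)
  # In a real run this would be File.read(routing['MCOLLECTIVE_CONFIG']).
  mco = routing['MCOLLECTIVE_CONFIG'] ? parse_conf(CLIENT_CFG) : nil
  connection_params(routing, mco)
end

if __FILE__ == $0
  example.each do |h|
    puts "#{h[:host]}:#{h[:port]} ssl=#{h[:ssl]} login=#{h[:login]}"
    ssl_warnings(h).each { |m| puts "  warning: #{m}" }
  end
end
```

Running it prints one host entry whose login is routinginfo (not the mcollective user from client.cfg) and one warning that ssl.ca and ssl.cert are the same file.
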
Comment 8 Johnny Liu 2014-11-25 11:07:16 UTC
Verified this bug with rubygem-openshift-origin-routing-activemq-0.7.1.2-1.el6op.noarch and rubygem-openshift-origin-routing-daemon-0.20.2.1-1.el6op.noarch, PASS.

# cat /etc/openshift/plugins.d/openshift-origin-routing-activemq.conf
ACTIVEMQ_TOPIC='/topic/routinginfo'
ACTIVEMQ_PORT='61613'
ACTIVEMQ_HOST='activemq.ose21-20141112.example.com'
ACTIVEMQ_USERNAME='routinginfo'
ACTIVEMQ_PASSWORD='routinginfopasswd'
MCOLLECTIVE_CONFIG="/opt/rh/ruby193/root/etc/mcollective/client.cfg"

# cat /opt/rh/ruby193/root/etc/mcollective/client.cfg
main_collective = mcollective
collectives = mcollective
libdir = /opt/rh/ruby193/root/usr/libexec/mcollective
logger_type = console
loglevel = warn
direct_addressing = 0

# Plugins
securityprovider=psk
plugin.psk = asimplething

connector = activemq
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = activemq.ose21-20141112.example.com
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.user = mcollective
plugin.activemq.pool.1.password = marionette
plugin.activemq.pool.1.ssl = true
plugin.activemq.pool.1.ssl.ca = /etc/ssl/server.crt
plugin.activemq.pool.1.ssl.key = /etc/ssl/server.key
plugin.activemq.pool.1.ssl.cert = /etc/ssl/server.crt
# For further options on heartbeats and timeouts, refer to
# https://docs.puppetlabs.com/mcollective/reference/plugins/connector_activemq.html
plugin.activemq.heartbeat_interval = 30
plugin.activemq.max_hbread_fails = 2
plugin.activemq.max_hbrlck_fails = 2
# Broker will retry ActiveMQ connection, then report error
plugin.activemq.initial_reconnect_delay = 0.1
plugin.activemq.max_reconnect_attempts = 6

# Facts
factsource = yaml
plugin.yaml = /opt/rh/ruby193/root/etc/mcollective/facts.yaml


# cat /etc/openshift/routing-daemon.conf
<--snip-->
ACTIVEMQ_HOST=activmq.example.com
ACTIVEMQ_USER=routinginfo
ACTIVEMQ_PASSWORD=routinginfopasswd
ACTIVEMQ_PORT=61613
ACTIVEMQ_DESTINATION=/topic/routinginfo
<--snip-->
# Enabling the plugin.activemq settings will override the ACTIVEMQ_HOST and ACTIVEMQ_PORT
# settings. Use the plugin settings if you need to verify SSL settings.
plugin.activemq.pool.size = 1
plugin.activemq.pool.1.host = 10.66.79.123
plugin.activemq.pool.1.port = 61613
plugin.activemq.pool.1.ssl = true
plugin.activemq.pool.1.ssl.ca = /etc/keys/server.crt
plugin.activemq.pool.1.ssl.key = /etc/keys/server.key
plugin.activemq.pool.1.ssl.cert = /etc/keys/server.crt


After a scalable app was created successfully, the nginx config file was also created successfully, and the app could be accessed via nginx.

Comment 10 errata-xmlrpc 2014-12-10 13:25:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2014-1979.html

