qpid-users mailing list archives

From Gordon Sim <g...@redhat.com>
Subject Re: broker clustering with SSL?
Date Thu, 17 Nov 2011 16:51:16 GMT
On 11/17/2011 03:08 AM, Paul Colby wrote:
> I have a cluster of two Qpidd brokers - both C++ v0.12 (on CentOS 5.5).
>
> Both brokers have been clustering very happily so far :)
>
> Now, I've enabled both SASL and SSL on both brokers.
>
> I have several client applications I've written that can authenticate, and
> use SSL to talk successfully to either broker.  However, I can't get the
> two brokers to cluster anymore (unless I disable SSL).
>
> Specifically, if I start one broker, then everything is happy (clients
> connect / send / receive etc).
>
> But when I try to start a second broker, the second broker begins to start
> up ok, but then stops after reporting "error Rejected un-encrypted
> connection", and then shutting down the catch-up connection.
>
> Is there something I need to do to tell the brokers to use SSL for their
> catch-up connections?  Or is require-encryption=yes incompatible with
> clustering?

This is just a suggestion, but you could try setting --cluster-url to 
amqps://<fqdn>:<port>, e.g. amqps://myhost.mydomain.com:5671. The idea 
there is to get the update client (which I think is what is failing) to 
use SSL.

An alternative might be to set --cluster-mechanism to DIGEST-MD5 along 
with a valid --cluster-username and --cluster-password. The idea there 
is to use a SASL encryption layer on the update client so as to avoid 
being excluded by the require-encryption=yes setting.

I haven't verified either of these myself however...

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org

