Product: ProfileUnity-FlexApp
Product Version: 6.8.4+
Expires on: 365 days from publish date
Updated: Jun 22, 2021
Problem:
Vulnerability scans may flag the RabbitMQ service on port 5672 of your ProfileUnity Console server(s) as supporting cleartext authentication. By default this is true: the AMQP listener on 5672 is not TLS-protected, so the scanner's finding is accurate. The message payloads ProfileUnity exchanges over that connection are encrypted by ProfileUnity itself, so an observer on the network cannot read message contents, and in the context of ProfileUnity the finding does not expose message data. Note that message encryption covers message bodies, not the broker login that clients present when they connect; the procedure below moves client connections to a TLS listener and restricts the cleartext listener to the loopback address, which removes the finding from external scans and takes the login off the cleartext port as well.
Prerequisites:
- OpenSSL: a Windows build installed on the ProfileUnity Console (this guide uses that option), the Windows Subsystem for Linux on Windows 10, or any other machine running Linux or macOS
- The prou_services account password (set when the ProfileUnity Console was originally installed)
- ProfileUnity Console version 6.8.4 or later, with HA mode enabled (required even if you run only a single console)
Steps to disable cleartext authentication support and force SSL-only connections:
***WARNING*** - DO NOT begin these steps without first knowing the current prou_services account password that was originally set during the installation of the ProfileUnity Console!
***NOTE*** - If you are using only a single ProfileUnity Console node, you must still enable High-Availability under the Administration, Clustering section before proceeding! The following will NOT work otherwise!
If you keep the paths used below, every command can be copied and pasted as-is.
On your ProfileUnity Console server(s):
- Launch mmc.exe, add the Certificates snap-in (Computer account, Local Computer), and navigate to Trusted Root Certification Authorities\Certificates.
a. Export the entry named Liquidware Certificate to C:\Windows\System32\config\systemprofile\AppData\Roaming\RabbitMQ, NOT including the private key, as Base-64 encoded X.509, named cacert.cer.
b. Export the Liquidware Certificate again, this time to your Desktop, INCLUDING the private key, as PKCS #12 with a password of your choice, named ProfileUnity.pfx.
- Next, extract the public certificate and the private key from the PFX file with OpenSSL. This can be done on almost any Linux machine, in the Windows Subsystem for Linux on Windows 10, or with a Windows build of OpenSSL. If you use the Windows build, open an elevated cmd prompt and change directory to OpenSSL's bin folder before running the commands. The example below runs openssl.exe on the ProfileUnity Console server itself.
a. Export the public certificate from the PFX; it prompts for the password you chose when exporting above: (single line command)
openssl pkcs12 -in %userprofile%\Desktop\ProfileUnity.pfx -out C:\Windows\System32\config\systemprofile\AppData\Roaming\RabbitMQ\server.pem -nokeys
b. Export the private key; it prompts first for the PFX password and then for a pass phrase to protect the new encrypted key file: (single line command)
openssl pkcs12 -in %userprofile%\Desktop\ProfileUnity.pfx -out C:\Windows\System32\config\systemprofile\AppData\Roaming\RabbitMQ\server-encrypted.key -nocerts
c. Create a decrypted copy of the private key for RabbitMQ to use, entering the pass phrase set in step b. Because server.key is unencrypted, keep it readable only by the account the RabbitMQ service runs as and local Administrators, and delete ProfileUnity.pfx from the Desktop once the steps are complete: (single line command)
openssl rsa -in C:\Windows\System32\config\systemprofile\AppData\Roaming\RabbitMQ\server-encrypted.key -out C:\Windows\System32\config\systemprofile\AppData\Roaming\RabbitMQ\server.key
d. Once complete, the RabbitMQ directory should contain at least cacert.cer, server.pem, server-encrypted.key and server.key alongside rabbitmq.config: (single line command)
dir /a-d C:\Windows\System32\config\systemprofile\AppData\Roaming\RabbitMQ
- In the same elevated cmd prompt, edit the rabbitmq.config file: (single line command)
notepad.exe C:\Windows\System32\config\systemprofile\AppData\Roaming\RabbitMQ\rabbitmq.config
Replace the file's contents with the following. In this configuration tcp_listeners keeps the cleartext AMQP port 5672 bound to 127.0.0.1 only, so it is reachable from the Console itself but not from the network; ssl_listeners adds a TLS listener on 5671 on all addresses using the exported certificate and key; verify_none together with fail_if_no_peer_cert false means clients are not asked for a certificate; and the rabbitmq_management section moves the management listener to HTTPS on 15671. You can change ssl_listeners from 5671 to 443 or another port, but then carry that port through the rest of the steps in place of 5671. TLS 1.1 is listed only for compatibility; if all of your clients negotiate TLS 1.2, remove 'tlsv1.1' from versions.
[{rabbit, [
{cluster_partition_handling, autoheal},
{tcp_listeners, [{"127.0.0.1", 5672}]},
{ssl_listeners, [5671]},
{ssl_options, [
{cacertfile, "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\RabbitMQ\\cacert.cer"},
{certfile, "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\RabbitMQ\\server.pem"},
{keyfile, "C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\RabbitMQ\\server.key"},
{verify, verify_none},
{fail_if_no_peer_cert, false},
{client_renegotiation, false},
{secure_renegotiate, true},
{versions,['tlsv1.2', 'tlsv1.1']}
]}
]},
{rabbitmq_management, [
{listener, [{port, 15671},
{ssl, true}
]}
]}
].
- Launch services.msc and restart the RabbitMQ service. The surest way to know the service came up correctly is the log file under C:\Windows\System32\config\systemprofile\AppData\Roaming\RabbitMQ\log: wait at least a minute after the restart, then confirm that the newest entries, with a current timestamp, include a line like "started SSL Listener on 0.0.0.0:5671" (the exact wording varies by RabbitMQ version).
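As a post-restart check that goes beyond reading the log, the following PowerShell script is an added example; it is not part of this article or of the ProfileUnity product. It assumes an elevated PowerShell session on the Console server, that openssl.exe is on the PATH (set $OpenSsl to the full path otherwise), that the RabbitMQ service runs as LocalSystem (which is why its files live under the systemprofile path), that the first certificate in server.pem is the server certificate, and that the ports match the rabbitmq.config above (5671 for TLS, 5672 for the loopback-only cleartext listener). It confirms the three PEM files are in place and that server.key belongs to server.pem, tightens the NTFS permissions on the unencrypted key and removes the PFX from the Desktop, checks that 5672 is bound only to loopback while 5671 is listening, and completes a TLS handshake against 5671 to show the protocol and certificate the broker actually serves.

```powershell
# Added example (not from the Liquidware article): verify the RabbitMQ TLS-only setup
# after the service restart. Run in an elevated PowerShell session on the Console server.
$RabbitDir = 'C:\Windows\System32\config\systemprofile\AppData\Roaming\RabbitMQ'
$OpenSsl   = 'openssl.exe'   # assumption: on PATH; otherwise the full path to OpenSSL's bin\openssl.exe
$TlsPort   = 5671            # must match ssl_listeners in rabbitmq.config
$PlainPort = 5672            # the loopback-only tcp_listeners port
# Assumption: the name clients will put in the amqps:// string is this host's FQDN.
$HostName  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. The three PEM files named in rabbitmq.config must exist.
foreach ($f in 'cacert.cer', 'server.pem', 'server.key') {
    if (-not (Test-Path (Join-Path $RabbitDir $f))) {
        throw "Missing $f in $RabbitDir; redo the export/extraction steps"
    }
}

# 2. server.key must be the private key for server.pem. Comparing the RSA modulus of each
#    is the usual OpenSSL check; a mismatch means the two came from different certificates.
$certMod = & $OpenSsl x509 -noout -modulus -in (Join-Path $RabbitDir 'server.pem')
$keyMod  = & $OpenSsl rsa  -noout -modulus -in (Join-Path $RabbitDir 'server.key')
if ($LASTEXITCODE -ne 0 -or -not $certMod -or $certMod -ne $keyMod) {
    throw 'server.key does not match server.pem (or OpenSSL could not read them)'
}

# 3. server.key is unencrypted and only the RabbitMQ service (assumed LocalSystem) needs it:
#    drop inherited ACEs, leave SYSTEM read and Administrators full control, and delete the
#    PFX that the export step left on the Desktop.
$keyPath = Join-Path $RabbitDir 'server.key'
icacls $keyPath /inheritance:r /grant:r 'SYSTEM:(R)' 'BUILTIN\Administrators:(F)' | Out-Null
Remove-Item (Join-Path $env:USERPROFILE 'Desktop\ProfileUnity.pfx') -ErrorAction SilentlyContinue

# 4. Listener bindings: the TLS port must be listening; the cleartext port may exist only on loopback.
$listen  = Get-NetTCPConnection -State Listen
$tls     = @($listen | Where-Object LocalPort -eq $TlsPort)
$plain   = @($listen | Where-Object LocalPort -eq $PlainPort)
if ($tls.Count -eq 0) { throw "Nothing is listening on $TlsPort; check the newest file under $RabbitDir\log" }
$exposed = @($plain | Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') })
if ($exposed.Count -gt 0) {
    throw "Cleartext AMQP on $PlainPort is still bound to: $($exposed.LocalAddress -join ', ')"
}

# 5. The broker's own log should record the TLS listener starting; the wording varies by
#    RabbitMQ version, so match loosely on the port number.
$log      = Get-ChildItem (Join-Path $RabbitDir 'log') -File | Sort-Object LastWriteTime | Select-Object -Last 1
$started  = Select-String -Path $log.FullName -Pattern "listener on .*:$TlsPort" | Select-Object -Last 1
$logEntry = if ($started) { $started.Line } else { "(no listener line for port $TlsPort in $($log.Name))" }

# 6. Complete a TLS handshake on the TLS port and report what the broker presented. The
#    validation callback records chain errors instead of aborting, because the Liquidware
#    certificate may not carry the FQDN in its subject. (verify_none in rabbitmq.config is
#    about client certificates and does not affect this client-side check.)
$validation = @{ Errors = 'None' }
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $validation.Errors = $errors
    $true
}
$client = New-Object System.Net.Sockets.TcpClient($HostName, $TlsPort)
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($HostName)
    [pscustomobject]@{
        Host           = $HostName
        Protocol       = $ssl.SslProtocol          # expect Tls12 with the config above
        Cipher         = $ssl.CipherAlgorithm
        Subject        = $ssl.RemoteCertificate.Subject
        Expires        = $ssl.RemoteCertificate.GetExpirationDateString()
        ChainErrors    = $validation.Errors
        PlainListeners = ($plain.LocalAddress -join ', ')
        LogEntry       = $logEntry
    }
} finally {
    $ssl.Dispose()
    $client.Dispose()
}
```

If step 2 throws, the PFX exported in the MMC step and the certificate used for server.pem are not the same, and the RabbitMQ log will show the listener failing to start. A non-empty ChainErrors value is expected when the Liquidware certificate is self-signed and not issued for the FQDN; it is informational here, since it is the ProfileUnity client, not this script, that decides how strictly to validate the broker certificate.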
- Once the RabbitMQ service is up and ready, back in services.msc, restart the Liquidware Labs ProfileUnity Service as well.
- If the Windows Firewall is enabled on your ProfileUnity Console server, open Advanced Settings, find the Inbound Rule named ProU Open Port 5672, rename it to ProU Open Port 5671 and change the allowed port from 5672 to 5671 (or to whichever port you chose for ssl_listeners). With tcp_listeners bound to 127.0.0.1, no inbound rule for 5672 is needed any more.
- Navigate to your ProfileUnity Web Console, log in, open the top-right menu under your login name, choose Administration, scroll down to the Client Settings section, click the Manage Message Queue Connection button, change "amqp://" to "amqps://", enter the prou_services account password and click Update. If you chose a port other than 5671, append it to the host name before the trailing slash, for example amqps://prou_services:theRealPassword@f.q.d.n:443/ (any characters in the password that are reserved in URIs, such as @, :, / or %, must be percent-encoded where they appear in the connection string).
- Click Update at the top-right of the Administration screen, wait roughly 30 seconds, then click Deploy Client Settings to push out the new connection string to your network share or cloud storage.
- Last, if you use a startup GPO to (re)install the ProfileUnity Client Tools, simply refresh your pool. Otherwise, reinstall the client tools by another method. An uninstall is not necessary; reinstalling over the top by running LwL.ProfileUnity.Startup.exe is all that is needed.