Trying to connect Neutron (Network Node) to the QPID AMQP (Controller Node): SASL(-4): no mechanism available

Using: RHEL7 + Icehouse OpenStack

I am following the guide published at http://docs.openstack.org/icehouse/install-guide/install/yum/content/neutron-ml2-network-node.html to try to deploy the Neutron service inside a standalone virtual machine named Network node.

After configuring the /etc/neutron/*.conf files and starting the services, I am getting the following looping message:

Unable to connect to AMQP server: Error in sasl_client_start (-4) SASL(-4): no mechanism available: No worthy mechs found. Sleeping 4 seconds ... ...

I selected QPID as my AMQP server. My QPID is deployed inside another virtual machine named Controller node. I'm using SSL authentication. It's working successfully with the other services (Cinder, Glance, Keystone, ...) deployed on the same host.

I have checked and disabled the iptables firewall rules. They are OK.

But if I disable the QPID SSL authentication for the AMQP inside the Controller, the Network Node can connect successfully to the QPID.

I do not understand what is happening... It seems that it is something related to the SSL certificate.

My QPID configuration at /etc/neutron/neutron.conf:

    [DEFAULT]
    auth_strategy = keystone

    # QPID configuration
    rpc_backend = neutron.openstack.common.rpc.impl_qpid
    qpid_hostname = 192.168.100.10
    qpid_username = qpidauth
    qpid_password = openstack
    qpid_protocol = ssl
    qpid_port = 5671

    # Space separated list of SASL mechanisms to use for auth
    qpid_sasl_mechanisms = 'DIGEST-MD5 CRAM-MD5 GSSAPI'

My Keystone configuration at /etc/neutron/neutron.conf:

    [keystone_authtoken]
    auth_uri = http://192.168.100.10:5000
    auth_host = 192.168.100.10
    auth_protocol = http
    auth_port = 35357
    admin_tenant_name = services
    admin_user = neutron
    admin_password = openstack
    ... ...

Then I followed the instructions to export the SSL certificate (the one that QPID is using) from the Controller node and import it on the Network node inside the /etc/pki/nnsd...

From the documentation... the certificates listed in the cert8.db database are the subsystem certificates used for subsystem operations. User certificates are stored with the user entries in the LDAP internal database.

    [root@controller qpid]# cd /etc/pki/tls/qpid
    [root@controller qpid]# ls -la
    total 76
    drwx------. 2 qpidd root    51 Sep 29 11:00 .
    drwxr-xr-x. 6 root  root    87 Oct  1 22:58 ..
    -rw-------. 1 qpidd root 65536 Sep 29 11:00 cert8.db
    -rw-------. 1 qpidd root 16384 Sep 29 11:00 key3.db
    -rw-------. 1 qpidd root 16384 Sep 29 11:00 secmod.db

To view the certificates in the subsystem database using certutil, open the instance's certificate database directory, and run the certutil with the -L option. For example:

    [root@controller qpid]# certutil -L -d .
    Certificate Nickname          Trust Attributes
                                  SSL,S/MIME,JAR/XPI

    controller                    CTu,u,u

To view the keys stored in the subsystem databases using certutil, run the certutil with the -K option. For example:

    [root@controller qpid]# certutil -K -d .
    certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
    Enter Password or Pin for "NSS Certificate DB":
    < 0> rsa 4d43fa140a94f5e92e3b70b0543091442d6a455e NSS Certificate DB:controller

Exporting an SSL Certificate for Clients

When SSL is enabled on a server, the clients require a copy of the SSL certificate to establish a secure connection. The following example commands can be used to export a client certificate and the private key from the broker's NSS database:

    [root@controller qpid]# pk12util -o qpid-controller.pk12 -n controller -d . -w /etc/qpid/qpid.pass
    Enter Password or Pin for "NSS Certificate DB":
    pk12util: PKCS12 EXPORT SUCCESSFUL

Installing Certificates Using certutil

To install subsystem certificates in the Certificate System instance's security databases using certutil, do the following:

Copy from the controller node the QPID's NSS databases and the QPID's SASL password used to sign the certificate in the previous tasks:

    [root@network OpenStack]# scp -r root@controller:/etc/pki/tls/qpid ~/OpenStack
    root@controller's password:
    secmod.db
    cert8.db
    key3.db
    qpid-controller.pk12
    [root@network ~]# scp root@controller:/etc/qpid/qpid.pass ~/OpenStack/qpid/
    root@controller's password:
    qpid.pass

Make a backup of the NSSDB databases:

    [root@network ~]# cd /etc/pki/nssdb
    [root@network nssdb]# cp -a /etc/pki/nssdb ../nssdb.orig

Import the PK12 certificate into the NSS database:

    [root@network nssdb]# pwd
    /etc/pki/nssdb
    [root@network nssdb]# pk12util -i /root/OpenStack/qpid/qpid-controller.pk12 -w /root/OpenStack/qpid/qpid.pass -d .
    pk12util: PKCS12 IMPORT SUCCESSFUL

Check the certificates imported / stored inside the NSS database:

    [root@network nssdb]# certutil -L -d .
    Certificate Nickname          Trust Attributes
                                  SSL,S/MIME,JAR/XPI

    controller                    u,u,u
    [root@network nssdb]# certutil -K -d .
    certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
    < 0> rsa 4d43fa140a94f5e92e3b70b0543091442d6a455e controller

...No results. Same looping error. Any ideas? Any error?

Note:

Before installing the package python-saslwrapper.x86_64, the message was:

    ERROR neutron.openstack.common.rpc.impl_qpid [req-5f8bd25b-69c7-4c35-91dd-ffdc8756940b None] Unable to connect to AMQP server: sasl negotiation failed: no mechanism agreed. Sleeping 2 seconds

Now the message is this one:

    ERROR neutron.openstack.common.rpc.impl_qpid [req-1fc88005-a385-429e-94d5-81a607bd2946 None] Unable to connect to AMQP server: Error in sasl_client_start (-4) SASL(-4): no mechanism available: No worthy mechs found. Sleeping 5 seconds

I tried to enable the "Debug" mode in neutron.conf, but there is no relevant information for me.

Many thanks in advance
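
An added example, not part of the original post: Cyrus SASL reports SASL(-4) when the client cannot use any mechanism on the list, and one way to reach that state is having no client plugin installed for the mechanisms named in qpid_sasl_mechanisms. The sketch below checks the quoted setting against a plugin directory listing; the plugin file stems, the /usr/lib64/sasl2 path and the sample listing are assumptions or constructed data, not values from the post.

```python
import configparser

# Assumption: plugin file stems used by stock Cyrus SASL packages.
MECH_PLUGIN = {
    "DIGEST-MD5": "libdigestmd5",
    "CRAM-MD5": "libcrammd5",
    "GSSAPI": "libgssapiv2",
    "PLAIN": "libplain",
    "ANONYMOUS": "libanonymous",
}

# Constructed sample mirroring the settings quoted in the post.
SAMPLE_CONF = """\
[DEFAULT]
auth_strategy = keystone
qpid_protocol = ssl
qpid_port = 5671
# Space separated list of SASL mechanisms to use for auth
qpid_sasl_mechanisms = 'DIGEST-MD5 CRAM-MD5 GSSAPI'
"""

# Constructed directory listing for a host with only the base plugins.
# On a real host: os.listdir("/usr/lib64/sasl2") (assumed RHEL x86_64 path).
BASE_ONLY = ["libanonymous.so.3", "libsasldb.so.3"]
MD5_PLUGINS = ["libdigestmd5.so.3", "libcrammd5.so.3"]


def requested_mechs(conf_text):
    """Mechanisms named by qpid_sasl_mechanisms in [DEFAULT]."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(conf_text)
    raw = cp.defaults().get("qpid_sasl_mechanisms", "")
    # Drop the surrounding quotes used in the post, then split on spaces.
    return raw.strip().strip("'\"").upper().split()


def usable_mechs(conf_text, plugin_files):
    """Requested mechanisms that have a client plugin file present."""
    usable = []
    for mech in requested_mechs(conf_text):
        stem = MECH_PLUGIN.get(mech)
        if stem and any(f.startswith(stem + ".so") for f in plugin_files):
            usable.append(mech)
    return usable


if __name__ == "__main__":
    for label, files in (("base only", BASE_ONLY),
                         ("with MD5 plugins", BASE_ONLY + MD5_PLUGINS)):
        found = usable_mechs(SAMPLE_CONF, files)
        print(label, "->", found or "none usable (one way to reach SASL(-4))")
```
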