Tags: amqp, servicebus, windows-server-2012-r2, nlb

Sending messages to Service Bus for Windows Server via AMQP in a NLB cluster


When connecting to our load-balanced Service Bus instance via AMQP, we cannot send messages to a queue or topic.

We have a Windows Server 2012 R2, running in a VM on Hyper-V. The server is part of an NLB cluster (which currently only contains this single host). On the server, we installed Service Bus for Windows Server 1.1 and configured the farm, host and namespace using the following PowerShell script:

# $certThumbprint, $accountName, $securePassword and $userGroupName are assumed to be set earlier (not shown in the post).
$machineName = 'server'
$domainName = 'sb.department.company.com' # this DNS name is linked to the virtual IP address of the NLB cluster
$namespace = 'namespace'

# Create the farm: the farm DNS name and both certificates are tied to the NLB name.
New-SBFarm -SBFarmDBConnectionString "Data Source=$machineName;Integrated Security=True" -FarmDns $domainName -EncryptionCertificateThumbprint $certThumbprint -FarmCertificateThumbprint $certThumbprint -RunAsAccount $accountName

# Join this host to the farm and advertise the NLB name as the external broker URL.
Add-SBHost -SBFarmDBConnectionString "Data Source=$machineName;Integrated Security=True" -EnableFirewallRules $true -RunAsPassword $securePassword -ExternalBrokerUrl "sb://$domainName"

# Create the namespace and grant management rights to the user group.
New-SBNamespace -Name $namespace -AddressingScheme 'Path' -ManageUsers $userGroupName

First we tried generating certificates using makecert, but these certificates did not have the Subject Alternative Name property. As a solution to this issue, we used OpenSSL to generate our certificates. Here's the chain of certificates we use:

  • Company CA
    • Signature algorithm: sha256RSA
    • Public key: RSA (2048 bits)
    • Subject: O = Company, CN = Company CA
    • Basic Constraints: Subject Type = CA, Path Length Constraint = None
    • Key Usage: Certificate Signing, Off-line CRL Signing, CRL Signing
  • Company Department CA
    • Signature algorithm: sha256RSA
    • Public key: RSA (2048 bits)
    • Issuer: Company CA
    • Subject: O = Company, CN = Company CA
    • Basic Constraints: Subject Type = CA, Path Length Constraint = None
    • Key Usage: Certificate Signing, Off-line CRL Signing, CRL Signing
  • sb.department.company.com
    • Signature algorithm: sha256RSA
    • Public key: RSA (2048 bits)
    • Issuer: Company Department CA
    • Subject: O = Company, CN = sb.department.company.com
    • Basic Constraints: Subject Type = End Entity, Path Length Constraint = None
    • Key Usage: Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment
    • Enhanced Key Usage: Server Authentication
    • Subject Alternative Name: DNS Name = sb.department.company.com

These 3 certificates are installed in the certificate store of the local machine (not of the current user):

  • The root certificate (Company CA) is installed in Trusted Root Certification Authorities.
  • The intermediate certificate (Company Department CA) is installed in Intermediate Certification Authorities.
  • The server certificate (sb.department.company.com) is installed in Trusted People.

When we use a web browser to connect to https://sb.department.company.com:9355/namespace, we can see that the certificates are correct and trusted.

When we use the .NET library to connect to the Service Bus instance, we can do everything (get list of queues/topics, create queues/topics, send messages to a queue, ...).

When we connect using AMQP in our C++ application (on Linux), we cannot send messages to a queue. This can easily be demonstrated via Service Bus Explorer: if we set transport type to AMQP, we get this erratic behavior. We can get the list of queues and topics, but when trying to send messages we get the following error message: Exception: The remote certificate is invalid according to the validation procedure.. Method b__be.

How can we solve this?


Solution

After consulting Microsoft support we were able to resolve the issue. Here's a short description of the problem.

  • The client connects to the Service Bus Gateway via the NLB domain name (the certificate validation succeeds, because it contains the NLB domain name).
  • When trying to send a message, the Service Bus Gateway redirects the client to a Service Bus Message Broker on one of the servers.
  • The client connects to the server using the domain name or machine name of the server.
  • Certificate validation fails, because the certificate does not contain the domain name or machine name of the server.

The solution is to include the domain names (or machine names, if not in a domain) of all the servers of the farm in the Subject Alternative Names property of the certificate.
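As an added example (not the poster's code and not part of Service Bus): a small Python helper that reports which farm host names a certificate's SAN entries leave uncovered, and emits the OpenSSL request config that lists the NLB name plus every farm host. The host FQDNs server.department.company.com and server2.department.company.com are hypothetical; the question only shows the short machine name 'server'.

```python
def hostname_matches(san_name: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID comparison: case-insensitive, a wildcard is
    allowed only as the whole left-most label and covers one label only."""
    san, host = san_name.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    san_labels, host_labels = san.split("."), host.split(".")
    if len(san_labels) != len(host_labels) or len(host_labels) < 3:
        return False
    return san_labels[1:] == host_labels[1:]


def uncovered_hosts(san_dns_names, hostnames):
    """Hosts a client could be redirected to that no SAN entry covers.
    With the single-name certificate from the question, every broker host lands here."""
    return [h for h in hostnames
            if not any(hostname_matches(s, h) for s in san_dns_names)]


def openssl_san_config(org, farm_dns, host_names):
    """OpenSSL 'req' config: CN is the NLB name, SAN lists the NLB name plus
    every farm host; key usages mirror the certificate in the question.
    Use with 'openssl req -new -key server.key -config san.cnf -out server.csr'
    and sign with '-extensions v3_req -extfile san.cnf'."""
    names = [farm_dns] + [h for h in host_names if h.lower() != farm_dns.lower()]
    alt_names = "\n".join(f"DNS.{i} = {n}" for i, n in enumerate(names, 1))
    return (
        "[ req ]\nprompt = no\ndistinguished_name = req_dn\n"
        "req_extensions = v3_req\n\n"
        f"[ req_dn ]\nO = {org}\nCN = {farm_dns}\n\n"
        "[ v3_req ]\nbasicConstraints = CA:FALSE\n"
        "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, "
        "dataEncipherment\nextendedKeyUsage = serverAuth\n"
        "subjectAltName = @alt_names\n\n"
        f"[ alt_names ]\n{alt_names}\n"
    )


# Constructed sample: the NLB name from the question plus two hypothetical
# farm host FQDNs (the question only shows the short machine name 'server').
FARM_DNS = "sb.department.company.com"
FARM_HOSTS = ["server.department.company.com", "server2.department.company.com"]
CURRENT_SAN = ["sb.department.company.com"]  # what the original certificate had

if __name__ == "__main__":
    print("not covered:", uncovered_hosts(CURRENT_SAN, [FARM_DNS] + FARM_HOSTS))
    print(openssl_san_config("Company", FARM_DNS, FARM_HOSTS))
```

Running it against the single-name certificate lists both broker hosts as uncovered; once the generated config is used to re-issue the certificate, the same check returns an empty list.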