RabbitMQ TLS guide
The aim of this guide is to explain how to configure Abiquo to work with RabbitMQ with TLS.
Introduction
You can generate certificates on the server where RabbitMQ is running in your datacenter, which may be the API/UI server or the Datanode server.
For example, you could create the private key and certificates in the /etc/rabbitmq/cert/ folder, with the certificate at /etc/rabbitmq/cert/rabbitmq.cert.
You should then also import the certificate into the Java keystores on the Remote RS and Remote V2V servers.
To quickly check that the certificate is present, use the following commands on the Remote RS and Remote V2V servers (here our API server is called abiquo, and the keystore alias matches that name).
[root@removev2v tomcat_keystore_v2v]# keytool -list -keystore /usr/java/default/jre/lib/security/cacerts -alias abiquo
Enter keystore password:
abiquo, Sep 18, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
[root@eremoter2 ~]# keytool -list -keystore /usr/java/default/jre/lib/security/cacerts -alias abiquo
Enter keystore password:
abiquo, Sep 18, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
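The keytool listing above only shows that some entry with the alias exists. As an added example (not Abiquo's or RabbitMQ's own code) the script below does the import step referenced above and then proves that the entry in the JVM truststore is the same certificate as the file on the RabbitMQ host, by comparing the SHA1 fingerprint printed by keytool with the one openssl computes from the certificate file. It assumes the keystore path, alias and certificate path used in this guide, the JDK default cacerts password "changeit", and JDK 8 style keytool output (SHA1); on JDK 9+ keytool prints SHA-256, so set FP_ALG=sha256.

```shell
#!/bin/sh
# Added example, not Abiquo's or RabbitMQ's code: import the RabbitMQ server
# certificate into the JVM truststore on the Remote RS / Remote V2V host and then
# prove the stored entry is the right one by comparing its fingerprint with the
# certificate file on disk.
# Assumptions (labelled): keystore path, alias and cert path as in this guide;
# the JDK default cacerts password "changeit"; keytool prints a SHA1 fingerprint
# (JDK 8 style, as shown above). On JDK 9+ keytool prints SHA-256, so set
# FP_ALG=sha256 to make openssl use the same algorithm.
KEYSTORE="${KEYSTORE:-/usr/java/default/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"
ALIAS="${ALIAS:-abiquo}"
CERT_FILE="${CERT_FILE:-/etc/rabbitmq/cert/rabbitmq.cert}"
FP_ALG="${FP_ALG:-sha1}"

# Upper-case, colon-separated hex with no stray whitespace, so that keytool and
# openssl renderings can be compared byte for byte.
normalize_fp() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Parse `keytool -list` output on stdin ("Certificate fingerprint (SHA1): AA:..").
# Prints the normalised fingerprint, or nothing if the alias is not in the store.
keytool_fp_from_output() {
    fp=$(sed -n 's/^Certificate fingerprint ([^)]*): *//p' | head -n 1)
    normalize_fp "$fp"
}

# Parse `openssl x509 -fingerprint` output on stdin ("SHA1 Fingerprint=AA:..").
openssl_fp_from_output() {
    fp=$(sed -n 's/^[A-Za-z0-9-]* Fingerprint=//p' | head -n 1)
    normalize_fp "$fp"
}

# Fingerprint of the alias currently in the keystore (empty if absent).
keystore_fp() {
    keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" 2>/dev/null \
        | keytool_fp_from_output
}

# Fingerprint of the certificate file on disk, using the same algorithm.
file_fp() {
    openssl x509 -noout -fingerprint "-$FP_ALG" -in "$CERT_FILE" | openssl_fp_from_output
}

# Import only when the alias is absent, then verify the entry matches the file.
import_and_verify() {
    if [ -z "$(keystore_fp)" ]; then
        keytool -importcert -noprompt -trustcacerts -alias "$ALIAS" -file "$CERT_FILE" \
            -keystore "$KEYSTORE" -storepass "$STOREPASS"
    fi
    ks=$(keystore_fp)
    fs=$(file_fp)
    if [ -n "$ks" ] && [ "$ks" = "$fs" ]; then
        echo "OK: alias $ALIAS in $KEYSTORE matches $CERT_FILE ($ks)"
        return 0
    fi
    echo "MISMATCH: keystore=$ks file=$fs (wrong cert imported, or alias points at an old one)" >&2
    return 1
}

# Only touch the keystore when explicitly asked, so sourcing this file is side-effect free.
if [ "${1:-}" = "--run" ]; then
    import_and_verify
fi
```

Copy the certificate file to each Tomcat host first (the script reads CERT_FILE locally), then run it with `--run` as a user that can write the cacerts file. A MISMATCH after a certificate rotation means the alias still holds the old certificate; delete it with `keytool -delete -alias abiquo` and run again.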
Enable TLS on the server
Follow the guide in the RabbitMQ documentation to configure RabbitMQ TLS from the server side.
Typically, you would configure the TLS listeners in /etc/rabbitmq/rabbitmq.config.
Here is an example configuration.
[
  {rabbit, [
    {tcp_listeners, [{"127.0.0.1",5672}]},
    {ssl_listeners, [{"10.60.12.5",5671}]},
    {ssl_options, [{cacertfile,"/opt/testca/cacert.pem"},
                   {certfile,"/opt/server/cert.pem"},
                   {keyfile,"/opt/server/key.pem"},
                   {verify,verify_peer},
                   {password, "changeit"},
                   {fail_if_no_peer_cert,false}]}
  ]}
].
Note: Ensure that RabbitMQ has the right permissions to read the cert/key files.
The password option is only needed if your private key is protected by a passphrase. If your private key has no passphrase, remove the option.
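Two checks worth running after this step, as an added example that is not part of the Abiquo or RabbitMQ documentation: from a client host, complete a TLS handshake against the ssl_listener and require that the server chain validates against the CA named in cacertfile (no client certificate is presented, which the example allows because fail_if_no_peer_cert is false); and on the broker host, confirm the private key is readable by the service user and not by everyone, which covers the permissions note above. The address, port and file paths are assumed from the example configuration, and "rabbitmq" is assumed as the service user.

```shell
#!/bin/sh
# Added example, not part of the Abiquo or RabbitMQ documentation: two checks to
# run after enabling the listener above. (1) From a client host, complete a TLS
# handshake with the ssl_listener and require that the server chain validates
# against the CA named in cacertfile. (2) On the broker host, check that the
# private key is readable by the service user and by nobody else.
# Assumptions (labelled): the address, port and file paths from the example
# config; "rabbitmq" as the service user.
TLS_HOST="${TLS_HOST:-10.60.12.5}"
TLS_PORT="${TLS_PORT:-5671}"
CA_FILE="${CA_FILE:-/opt/testca/cacert.pem}"
KEY_FILE="${KEY_FILE:-/opt/server/key.pem}"
SERVICE_USER="${SERVICE_USER:-rabbitmq}"

# Extract the numeric result from `openssl s_client` output on stdin:
#   "Verify return code: 0 (ok)"                                       -> 0
#   "Verify return code: 21 (unable to verify the first certificate)"  -> 21
# Prints 255 when no verify line is present (handshake never completed).
verify_code_from_output() {
    code=$(sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1)
    printf '%s' "${code:-255}"
}

# Handshake without a client certificate (allowed by fail_if_no_peer_cert=false
# in the example) and succeed only when the chain validates against CA_FILE.
tls_listener_ok() {
    out=$(openssl s_client -connect "$TLS_HOST:$TLS_PORT" -CAfile "$CA_FILE" </dev/null 2>&1 || true)
    code=$(printf '%s\n' "$out" | verify_code_from_output)
    if [ "$code" = "0" ]; then
        echo "OK: $TLS_HOST:$TLS_PORT presents a chain trusted by $CA_FILE"
        return 0
    fi
    echo "FAIL: verify return code $code from $TLS_HOST:$TLS_PORT" >&2
    return 1
}

# True when the "others" read bit is set (8th character of `ls -l` output).
is_world_readable() {
    case "$(ls -ld "$1")" in
        ???????r*) return 0 ;;
        *) return 1 ;;
    esac
}

# The key must be readable by the service user and not by everyone.
key_perms_ok() {
    if is_world_readable "$KEY_FILE"; then
        echo "WARN: $KEY_FILE is world-readable; restrict it to owner/group" >&2
        return 1
    fi
    if ! su -s /bin/sh "$SERVICE_USER" -c "test -r '$KEY_FILE'"; then
        echo "ERR: $SERVICE_USER cannot read $KEY_FILE (the TLS listener will fail to start)" >&2
        return 1
    fi
    echo "OK: $KEY_FILE readable by $SERVICE_USER and not world-readable"
}

case "${1:-}" in
    --listener) tls_listener_ok ;;
    --key)      key_perms_ok ;;
esac
```

Run `--listener` from the API, RS or V2V host to test the path Abiquo will actually use, and `--key` as root on the broker. A verify return code of 21 or 19 usually means the cacertfile given to the client is not the CA that issued the server certificate.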
Properties
Add Abiquo properties on all Abiquo platform servers (API, RS, V2V) for your desired configuration and then restart the Tomcat servers.
The trustallcertificates property only applies when the value of the property abiquo.rabbitmq.tls is true.
Property name | Description | Default |
abiquo.rabbitmq.tls | Set to true to connect to RabbitMQ over TLS. | False |
abiquo.rabbitmq.tls.trustallcertificates | If true, Abiquo connects without validating the server certificate. Only applies when abiquo.rabbitmq.tls is true. | False |
Configurations
Plain TCP
This is the default configuration with no SSL enabled. The default values match this configuration, but you should ensure that the abiquo.rabbitmq.tls value is false.
Property name | Value |
abiquo.rabbitmq.tls | false |
Trust all certificates
In this configuration Abiquo will connect without validating the server certificate and without presenting any client certificates.
Property name | Value |
abiquo.rabbitmq.tls | true |
abiquo.rabbitmq.tls.trustallcertificates | true |
Use trust manager to validate server certificates
In this configuration Abiquo will connect and validate the server certificate but without presenting any client certificate.
To import your server certificate to your keystore, follow the example on the RabbitMQ website in the section "Presenting and validating certificates".
Property name | Value |
abiquo.rabbitmq.tls | true |
abiquo.rabbitmq.tls.trustallcertificates | false |
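The three configurations above are decided by just two properties, but the defaults and the "only applies when tls is true" rule make it easy to misread a properties file. As an added example (not Abiquo's own tooling), the script below reads both properties from an abiquo.properties file, applies those rules, and reports which configuration is in effect, warning when the trust-all mode is selected because that mode performs no server certificate validation. It assumes only that the properties file path is passed as the first argument; no particular file location is assumed.

```shell
#!/bin/sh
# Added example, not Abiquo's own tooling: read the two RabbitMQ TLS properties
# from an abiquo.properties file and report which of the three configurations in
# this guide is in effect, using the guide's rules: both properties default to
# false when absent, and trustallcertificates only matters when
# abiquo.rabbitmq.tls is true. Assumption (labelled): the properties file path is
# passed as the first argument; no particular location is assumed.

# Value of a key in a Java .properties file (last occurrence wins, as Java does),
# whitespace trimmed; prints "false" when the key is absent (the documented default).
prop_value() {
    file="$1"
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')     # escape dots so "." is literal
    v=$(sed -n "s/^[[:space:]]*$esc[[:space:]]*[=:][[:space:]]*//p" "$file" | tail -n 1 | tr -d '[:space:]')
    printf '%s' "${v:-false}"
}

# Prints plain-tcp, trust-all or trust-manager; returns 2 on a value that is
# neither true nor false (the guide documents only those two values).
rabbitmq_tls_mode() {
    tls=$(prop_value "$1" abiquo.rabbitmq.tls | tr 'A-Z' 'a-z')
    trust=$(prop_value "$1" abiquo.rabbitmq.tls.trustallcertificates | tr 'A-Z' 'a-z')
    case "$tls" in
        false) echo plain-tcp ;;                    # trustallcertificates is ignored
        true)
            case "$trust" in
                true)  echo trust-all ;;
                false) echo trust-manager ;;
                *) echo "invalid abiquo.rabbitmq.tls.trustallcertificates=$trust" >&2; return 2 ;;
            esac ;;
        *) echo "invalid abiquo.rabbitmq.tls=$tls" >&2; return 2 ;;
    esac
}

# Report the mode and warn on trust-all, which skips server certificate
# validation and so lets any host that can intercept the connection pose as the broker.
audit_properties() {
    mode=$(rabbitmq_tls_mode "$1") || return 2
    echo "$1: $mode"
    if [ "$mode" = "trust-all" ]; then
        echo "WARN: server certificate not validated; import the broker cert into the JVM keystore and set abiquo.rabbitmq.tls.trustallcertificates=false" >&2
    fi
}

if [ -n "${1:-}" ]; then
    audit_properties "$1"
fi
```

Run it once per platform server (API, RS, V2V) against that server's properties file: the guide requires the same configuration on all of them, so three runs that do not print the same mode point at the host that was not updated before the Tomcat restart.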
Copyright © 2006-2024, Abiquo Holdings SL. All rights reserved