The aim of this guide is to explain how to configure Abiquo to work with RabbitMQ with TLS.

Introduction

You can generate certificates on the server where RabbitMQ is running in your datacenter, which may be the API/UI server or the Datanode server.

For example, you could create the private key and certificates in the /etc/rabbitmq/cert/ folder, and the certificate at /etc/rabbitmq/cert/rabbitmq.cert.

You should then also import the certificate into the Java Keystores on the Remote RS and Remote V2V.

To quickly check the certificates use the following commands on the remote RS and remote V2V servers (here our API server is called abiquo).

[root@removev2v tomcat_keystore_v2v]# keytool -list -keystore /usr/java/default/jre/lib/security/cacerts -alias abiquo
Enter keystore password:  
abiquo, Sep 18, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA

[root@eremoter2 ~]# keytool -list -keystore /usr/java/default/jre/lib/security/cacerts -alias abiquo
Enter keystore password:  
abiquo, Sep 18, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA

Enable TLS on the server

Follow the guide in the RabbitMQ documentation to configure RabbitMQ TLS from the server side.

Typically, you would configure the LTS listeners at /etc/rabbitmq/rabbitmq.config.

Here is an example configuration.

[
  {rabbit, [
     {tcp_listeners, [{"127.0.0.1",5672}]},
     {ssl_listeners, [{"10.60.12.5",5671}]},
     {ssl_options, [{cacertfile,"/opt/testca/cacert.pem"},
                    {certfile,"/opt/server/cert.pem"},
                    {keyfile,"/opt/server/key.pem"},
                    {verify,verify_peer},
                    {password, "changeit"},
                    {fail_if_no_peer_cert,false}]}
   ]}
].

Note: Ensure that RabbitMQ has the right permissions to read the cert/key files.

The TLS password option will be needed if your private key has a password. If you don't have a password set up for your private key, just remove it.

Properties

Add Abiquo properties on all Abiquo platform servers (API, RS, V2V) for your desired configuration and then restart the Tomcat servers.

The “trustallcertificates” property applies when the value of the property abiquo.rabbitmq.tls is true.

Property name	Description	Default
abiquo.rabbitmq.tls	Set to `true` if TLS is enabled.	False
abiquo.rabbitmq.tls.trustallcertificates	If `true`, Abiquo will not enforce any server certificate authentication.	False

Configurations

Plain TCP

This is the default configuration with no SSL enabled. The default values match this configuration but you should ensure that abiquo.rabbitmq.tls value is false.

Property name	Value
abiquo.rabbitmq.tls	false

Trust all certificates

In this configuration Abiquo will connect without validating the server certificate and without presenting any client certificates.

Property name	Value
abiquo.rabbitmq.tls	true
abiquo.rabbitmq.tls.trustallcertificates	true

Use trust manager to validate server certificates

In this configuration Abiquo will connect and validate the server certificate but without presenting any client certificate.

To import your server certificate to your keystore, follow the example on the RabbitMQ website in the section "Presenting and validating certificates".

Property name	Value
abiquo.rabbitmq.tls	true
abiquo.rabbitmq.tls.trustallcertificates	false

Abiquo Documentation

RabbitMQ TLS guide