Enable TLS in RabbitMQ
OpenIAM services communicate with each other through RabbitMQ, and there are also remote connectors, such as the AD and Azure PowerShell connectors, that interact with the OpenIAM system. To enhance security, enabling TLS communication in RabbitMQ is recommended.
The sections below detail the necessary changes in both the RabbitMQ and OpenIAM configurations.
RabbitMQ Configuration
Follow the steps outlined at this URL to:
- Enable TLS communication in RabbitMQ
- Create a keystore file named rabbitmq.jks containing the necessary certificates.
If you generated the certificates with tls-gen as described at the link above, you will have the following files (where <hostname> is the host the certificates were generated for):
- ca_certificate.pem
- ca_key.pem
- client_<hostname>.p12
- client_<hostname>_certificate.pem
- client_<hostname>_key.pem
- server_<hostname>.p12
- server_<hostname>_certificate.pem
- server_<hostname>_key.pem
Then import the server certificate into the keystore with the following command:
keytool -import -alias rabbitmqserver -file server_<hostname>_certificate.pem -keystore rabbitmq.jks
Keytool will prompt you for a keystore password; use the same value you set for vault.secret.rabbitmq.jks.password below.
Then change the ownership of the keystore so the OpenIAM service account can read it:
chown openiam:openiam rabbitmq.jks
OpenIAM Configuration
To configure TLS communication with RabbitMQ on the OpenIAM side, follow the steps below.
- Create the Vault secret vault.secret.rabbitmq.jks.password, holding the keystore password. Hint: refer to utils/vault/bootstrap.sh for guidance.
- Update ${HOME_DIR}/conf/properties/rabbitmq.properties to include the new RabbitMQ SSL port and the host used in the certificate's Common Name (CN):
spring.rabbitmq.host=localhost
spring.rabbitmq.port=5671
- Create the ${HOME_DIR}/conf/rabbitmq/client folder.
- Copy rabbitmq.jks to ${HOME_DIR}/conf/rabbitmq/client/rabbitmq.jks.
- Import ca_certificate.pem into the JDK's cacerts truststore:
keytool -import -alias rabbitmqserver -keystore /usr/local/openiam/jdk/lib/security/cacerts -trustcacerts -file ca_certificate.pem
With these configurations, all OpenIAM services will use TLS to communicate with RabbitMQ.
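As an added preflight check (not part of the OpenIAM documentation or product), the shell functions below verify the client-side settings from the steps above: that rabbitmq.properties points at the TLS listener on 5671 rather than the plaintext port, that the configured host matches the CN of the tls-gen server certificate, and that the keystore actually contains the imported alias. The certificate path, HOME_DIR and the environment variable holding the keystore password are assumptions; openssl and keytool are only needed for the last two checks.

```shell
#!/bin/sh
# Preflight checks for the OpenIAM -> RabbitMQ TLS client settings.
# Added example, not OpenIAM's own tooling.

# Reads a key=value entry from a Java .properties file (last occurrence wins).
# $1 = properties file, $2 = key as a sed-escaped pattern.
prop_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Returns 0 only when the properties name a host (to be matched against the
# certificate CN) and target the TLS listener, 5671, not plaintext AMQP on 5672.
check_rabbitmq_props() {
  props="$1"
  host=$(prop_value "$props" 'spring\.rabbitmq\.host')
  port=$(prop_value "$props" 'spring\.rabbitmq\.port')
  [ -n "$host" ] || { echo "spring.rabbitmq.host is not set"; return 1; }
  [ "$port" = "5671" ] || { echo "spring.rabbitmq.port=$port; TLS listener is 5671"; return 1; }
  echo "properties OK: host=$host port=$port"
}

# Compares spring.rabbitmq.host with the CN of the server certificate tls-gen
# produced; a mismatch makes the Java client's hostname verification fail.
# Requires openssl. $1 = properties file, $2 = server_<hostname>_certificate.pem
check_cert_cn() {
  host=$(prop_value "$1" 'spring\.rabbitmq\.host')
  cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$2" \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$host" ] || { echo "CN '$cn' does not match spring.rabbitmq.host '$host'"; return 1; }
  echo "CN OK: $cn"
}

# Confirms the alias imported above is present in the keystore.
# Requires keytool. $1 = rabbitmq.jks, $2 = keystore password, $3 = alias (default rabbitmqserver)
check_keystore_alias() {
  alias_name="${3:-rabbitmqserver}"
  keytool -list -keystore "$1" -storepass "$2" -alias "$alias_name" >/dev/null 2>&1 \
    || { echo "alias '$alias_name' not found in $1"; return 1; }
  echo "keystore OK: alias $alias_name present in $1"
}

# Typical invocation against a real install (HOME_DIR and RABBITMQ_JKS_PASSWORD
# are assumed to be exported; the cert path assumes tls-gen's naming):
#   check_rabbitmq_props "$HOME_DIR/conf/properties/rabbitmq.properties"
#   check_cert_cn "$HOME_DIR/conf/properties/rabbitmq.properties" "server_$(hostname)_certificate.pem"
#   check_keystore_alias "$HOME_DIR/conf/rabbitmq/client/rabbitmq.jks" "$RABBITMQ_JKS_PASSWORD"
```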