Enable TLS in RabbitMQ

OpenIAM services communicate with each other through RabbitMQ, and remote connectors, such as the AD and Azure PowerShell connectors, also reach the OpenIAM system through it. Enabling TLS on RabbitMQ is recommended so that this traffic is protected in transit.

The sections below detail the necessary changes in both the RabbitMQ and OpenIAM configurations.

RabbitMQ Configuration

Follow the steps outlined here to:

  • Enable TLS communication in RabbitMQ.
  • Create a keystore file named rabbitmq.jks containing the necessary certificates.

If you generated the certificates with tls-gen, as linked above, you will have the following files (<hostname> is the name tls-gen used when issuing the certificates):

  • ca_certificate.pem
  • ca_key.pem
  • client_<hostname>.p12
  • client_<hostname>_certificate.pem
  • client_<hostname>_key.pem
  • server_<hostname>.p12
  • server_<hostname>_certificate.pem
  • server_<hostname>_key.pem

Then import the server certificate into a new keystore with the following command.

keytool -import -alias rabbitmqserver -file server_<hostname>_certificate.pem -keystore rabbitmq.jks

keytool prompts for a keystore password; use the same value that you will store in the vault.secret.rabbitmq.jks.password secret described below. It also asks whether to trust the certificate; answer yes.

Finally, make the keystore owned by the OpenIAM service account:

chown openiam:openiam rabbitmq.jks

Enabling the TLS connection to RabbitMQ from a remote connector

If you would like a remote connector (for example the AD or Azure PowerShell connector) to connect to RabbitMQ over TLS, perform the following steps.

  1. Configure TLS on the RabbitMQ side, as described under RabbitMQ Configuration above.
  2. Set the connector's 'IsTLSEnabled' parameter to 'true' (the default is 'false').
  3. Make sure that 'RabbitMQPort' is the port that accepts TLS connections. By default, RabbitMQ listens for TLS connections on port 5671, but a custom RabbitMQ configuration may use a different port.
  4. Restart the connector. To do this, open Windows Services, find the service whose name starts with OpenIAM followed by the connector name you gave it during installation, and restart that service.

OpenIAM Configuration

To configure TLS communication with RabbitMQ on the OpenIAM side, follow the steps below.

  1. Create the Vault secret that holds the keystore password (the password you entered in keytool when creating rabbitmq.jks). Hint: refer to utils/vault/bootstrap.sh for guidance.

vault.secret.rabbitmq.jks.password

  2. Update ${HOME_DIR}/conf/properties/rabbitmq.properties with the RabbitMQ TLS port and the host name used in the server certificate's Common Name (CN). The values below are an example; the host must match the CN of the certificate you imported.

spring.rabbitmq.host=localhost
spring.rabbitmq.port=5671

  3. Create the ${HOME_DIR}/conf/rabbitmq/client folder.

  4. Copy rabbitmq.jks to ${HOME_DIR}/conf/rabbitmq/client/rabbitmq.jks.

  5. Import ca_certificate.pem into the JDK truststore (the cacerts file under the OpenIAM JDK's lib/security directory), so that the Java services trust the CA that issued the RabbitMQ server certificate.

keytool -import -alias rabbitmqserver -keystore /usr/local/openiam/jdk/lib/security/cacerts -trustcacerts -file ca_certificate.pem

With these configurations, all OpenIAM services will use TLS to communicate with RabbitMQ.