Enable TLS in RabbitMQ
OpenIAM services communicate with each other through RabbitMQ, and there are also remote connectors, such as the AD and Azure PowerShell connectors, that interact with the OpenIAM system. To enhance security, enabling TLS communication in RabbitMQ is recommended.
The sections below detail the necessary changes in both the RabbitMQ and OpenIAM configurations.
RabbitMQ Configuration
Follow the steps outlined here to:
- Enable TLS communication in RabbitMQ.
- Create a keystore file named rabbitmq.jks containing the necessary certificates.
If you obtained the certificates through tls-gen using the link above, you will receive the following files:
ca_certificate.pem
ca_key.pem
client_<hostname>.p12
client_<hostname>_certificate.pem
client_<hostname>_key.pem
server_<hostname>.p12
server_<hostname>_certificate.pem
server_<hostname>_key.pem
Then use the following command to import the server certificate into a new keystore:
keytool -import -alias rabbitmqserver -file server_<hostname>_certificate.pem -keystore rabbitmq.jks
Keytool will prompt you for a keystore password; use the same value you set in vault.secret.rabbitmq.jks.password below.
Then make the keystore owned by the OpenIAM user:
chown openiam:openiam rabbitmq.jks
Enabling TLS connection to RabbitMQ
If you would like to enable TLS connection to RabbitMQ, perform the following steps.
- Configure TLS on the RabbitMQ side. The steps to do it are provided in the link above.
- Set the 'IsTLSEnabled' parameter to 'true' instead of 'false'.
- Make sure that RabbitMQPort is the port that accepts TLS connections. By default, the RabbitMQ port for secured communication is 5671, but it may differ in a custom configuration.
- Restart your connector. To do this, open Windows Services, find your connector (its name starts with OpenIAM followed by the connector name you gave it during installation), and restart that service.
OpenIAM Configuration
To configure TLS communication with RabbitMQ on the OpenIAM side, follow the steps below.
- Create the Vault secret vault.secret.rabbitmq.jks.password. Hint: refer to utils/vault/bootstrap.sh for guidance.
- Update ${HOME_DIR}/conf/properties/rabbitmq.properties to include the new RabbitMQ SSL port and the host used in the certificate's Common Name (CN):
spring.rabbitmq.host=localhost
spring.rabbitmq.port=5671
- Create the ${HOME_DIR}/conf/rabbitmq/client folder.
- Copy rabbitmq.jks to ${HOME_DIR}/conf/rabbitmq/client/rabbitmq.jks.
- Import ca_certificate.pem into the JDK's cacerts keystore:
keytool -import -alias rabbitmqserver -keystore /usr/local/openiam/jdk/lib/security/cacerts -trustcacerts -file ca_certificate.pem
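The OpenIAM-side steps above, collected into one script as an added example (not an OpenIAM script): it updates rabbitmq.properties idempotently, checks that the configured host matches the server certificate's CN, runs the two keytool imports non-interactively, and verifies the keystore entry with the Vault password. The HOME_DIR layout, the cacerts path and its default password "changeit", and the tls-gen file names are assumptions.

```shell
#!/bin/sh
# Added example, not an OpenIAM script: applies the OpenIAM-side steps above
# non-interactively. HOME_DIR layout, the cacerts path and its default password
# "changeit" are assumptions; JKS_PASSWORD must equal vault.secret.rabbitmq.jks.password.
set -eu

# set_prop FILE KEY VALUE: replace KEY=... in a Java properties file, or append it.
set_prop() {
  file=$1; key=$2; value=$3
  [ -f "$file" ] || : > "$file"
  if grep -q "^${key}=" "$file"; then
    tmp=$(mktemp)
    sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}
# get_prop FILE KEY: print the last value of KEY, or nothing if unset.
get_prop() { sed -n "s|^$2=||p" "$1" | tail -n 1; }

# configure_openiam_tls HOME_DIR HOST PORT JKS_PASSWORD CERT_DIR
configure_openiam_tls() {
  home_dir=$1; host=$2; port=$3; jks_pass=$4; certs=$5
  props="$home_dir/conf/properties/rabbitmq.properties"
  jks="$home_dir/conf/rabbitmq/client/rabbitmq.jks"
  cacerts="$home_dir/jdk/lib/security/cacerts"   # /usr/local/openiam/jdk/... above
  server_cert="$certs/server_${host}_certificate.pem"
  # spring.rabbitmq.host must match the certificate CN or hostname verification fails.
  if command -v openssl >/dev/null 2>&1; then
    openssl x509 -noout -subject -in "$server_cert" | grep -q "CN *= *${host}" \
      || { echo "CN of $server_cert does not match host $host" >&2; return 1; }
  fi
  set_prop "$props" spring.rabbitmq.host "$host"
  set_prop "$props" spring.rabbitmq.port "$port"
  mkdir -p "$(dirname "$jks")"
  # The doc's two keytool imports, made non-interactive with -noprompt/-storepass.
  keytool -importcert -noprompt -alias rabbitmqserver -file "$server_cert" \
    -keystore "$jks" -storepass "$jks_pass"
  chown openiam:openiam "$jks"
  keytool -importcert -noprompt -trustcacerts -alias rabbitmqserver \
    -file "$certs/ca_certificate.pem" -keystore "$cacerts" -storepass changeit
  # Verify the server entry is readable with the vault password before restarting.
  keytool -list -alias rabbitmqserver -keystore "$jks" -storepass "$jks_pass" >/dev/null
}

# Runs only when asked (RUN=1 RABBITMQ_HOST=... RABBITMQ_JKS_PASSWORD=... sh tls.sh).
if [ "${RUN:-0}" = 1 ]; then
  configure_openiam_tls "${HOME_DIR:-/usr/local/openiam}" "$RABBITMQ_HOST" \
    "${RABBITMQ_PORT:-5671}" "$RABBITMQ_JKS_PASSWORD" "${CERT_DIR:-.}"
fi
```

Run it as the user that owns ${HOME_DIR} (the chown and the cacerts import need write access), then restart the OpenIAM services.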
With these configurations, all OpenIAM services will use TLS to communicate with RabbitMQ.