Enable TLS in RabbitMQ

OpenIAM services communicate with each other through RabbitMQ, and there are also remote connectors, such as the AD and Azure PowerShell connectors, that interact with the OpenIAM system. To enhance security, enabling TLS communication in RabbitMQ is recommended.

The sections below detail the necessary changes in both the RabbitMQ and OpenIAM configurations.

RabbitMQ Configuration

Follow the steps outlined at this URL to:

  • Enable TLS communication in RabbitMQ
  • Create a keystore file named rabbitmq.jks containing the necessary certificates.

If you obtained the certificates through tls-gen using the link above, you will receive the following files:

  • ca_certificate.pem
  • ca_key.pem
  • client_<hostname>.p12
  • client_<hostname>_certificate.pem
  • client_<hostname>_key.pem
  • server_<hostname>.p12
  • server_<hostname>_certificate.pem
  • server_<hostname>_key.pem

Then use the following command.

keytool -import -alias rabbitmqserver -file server_<hostname>_certificate.pem -keystore rabbitmq.jks

Keytool will prompt you to enter a password, so use the same value you set in vault.secret.rabbitmq.jks.password below.

chown openiam:openiam rabbitmq.jks

OpenIAM Configuration

To configure TLS communication with RabbitMQ on the OpenIAM side, follow the steps below.

  1. Create the Vault secret. Hint: Refer to utils/vault/bootstrap.sh for guidance.
  1. Update ${HOME_DIR}/conf/properties/rabbitmq.properties to include the new RabbitMQ SSL port and the host used in the certificate's Common Name (CN).
  1. Create the ${HOME_DIR}/conf/rabbitmq/client folder.

  2. Copy rabbitmq.jks to ${HOME_DIR}/conf/rabbitmq/client/rabbitmq.jks.

  3. Import ca_certificate.pem to the cacerts folder.

keytool -import -alias rabbitmqserver -keystore /usr/local/openiam/jdk/lib/security/cacerts -trustcacerts -file ca_certificate.pem

With these configurations, all OpenIAM services will use TLS to communicate with RabbitMQ.