Enable TLS in Rabbit MQ

RabbitMQ is the queuing mechanism for the Business Rule Designer. Enabling TLS support on RabbitMQ ensures that connections to it are secure.

The Transport Layer Security (TLS) protocol is an industry standard designed to help protect the privacy of information communicated over the Internet. TLS 1.2 is a standard that provides security improvements over previous versions. TLS provides enhanced security by encrypting data sent over the internet.

Note: The path recorded in the UI is for reference.

Prerequisites:

To enable TLS support for Rabbit MQ, the following steps are required:

  1. A CA Certificate file and a Key file must be available. (Check with the Administrator.)
  2. Convert the CA Certificate file to .p7b format.

Conversion of CA Certificate File to .p7b Format

The primary step in enabling TLS is converting the CA Certificate file to .p7b format, as detailed below.

  1. Navigate to Start > Run.
  2. Type msc.
  3. The Certificate Manager Window is displayed.

Figure: Certificate Manager

4. Navigate to Certificates > Intermediate Certification > Certificates.

Figure: Certificate Manager

5. Select the CA Certificate, right-click, and choose All Tasks > Export.

Figure: Certificate Manager

6. The Certificate Export Wizard is displayed.

Figure: Certificate Export Wizard

7. Select Cryptographic Message Syntax Standard and select the check box for Include all certificates in the certification path if possible.

Figure: Certificate Export Wizard

8. Choose any file path where the certificate can be saved, and enter a name for it in the required field.

Figure: Certificate Export Wizard

9. Click Finish and the message displayed shows that the export was successful.

Figure: Certificate Export Wizard

10. The saved file is in the required .p7b format.

Installing OpenSSL V1.1.1

The next step in the configuration is to install OpenSSL V1.1.1 (https://www.openssl.org/).

11. When OpenSSL has been installed, open a command prompt in admin mode and generate the .pem files using the commands below.

(Note: The output is three files: the CA certificate (sslcacertificate), the public key and the private key.)


openssl pkcs7 -print_certs -inform der -in "CA certificate file path in .p7b format" -out sslcacertificate.pem
openssl pkcs12 -in "Key file path" -nokeys -out public-sslcertificate.pem -nodes
openssl pkcs12 -in "Key file path" -nocerts -out private-sslcertificate.pem -nodes

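Create a folder and paste the generated .pem files into it. Because the -nodes option writes the private key to private-sslcertificate.pem unencrypted, restrict access to this folder to administrators and the account that runs the RabbitMQ service.

12. Create a System Variable with the Variable name RABBITMQ_BASE. The Variable value can be any path where the configuration file can be placed (e.g., C:\RabbitConfig).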

Figure: Environment Variable

13. Navigate to the path specified in the Variable value of the environment variable and create a file named rabbitmq.conf.

14. Click the file rabbitmq.conf > Edit with Notepad, enter the following settings, and save the file.

(Note: Enter the paths of the three .pem files created in step 11 for both ports.)

listeners.ssl.default     = 5671 
ssl_options.cacertfile    = "CA certificate file path in .pem format" 
ssl_options.certfile      = "Public key file path in .pem format" 
ssl_options.keyfile       = "Private key file path in .pem format" 
management.ssl.port       = 15671 
management.ssl.cacertfile = "CA certificate file path in .pem format" 
management.ssl.certfile   = "Public key file path in .pem format" 
management.ssl.keyfile    = "Private key file path in .pem format" 


15. Navigate to RabbitMQ > sbin and run the following commands:

rabbitmq-service stop
rabbitmq-service remove
rabbitmq-service install
rabbitmq-service start


TLS is now enabled.

To verify that TLS has been enabled, perform the following steps.

  1. Navigate to the RabbitMQ base path and locate the log file (Reference path - C:\RabbitConfig > log > log file).
  2. Click the file and search for "5671", which will return "started TLS (SSL) listener on [::]:5671".
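
One way to script this verification, as an added example that is not part of the product's own documentation: it checks rabbitmq.conf for the eight settings from step 14, confirms that the log shows a TLS listener on the configured port, and flags the plaintext AMQP listener, which RabbitMQ keeps open unless listeners.tcp = none is set. The function names are hypothetical, and the sample configuration, folder name and log lines are constructed for illustration.

```python
import re
# The eight settings this page puts in rabbitmq.conf (step 14).
REQUIRED_KEYS = ("listeners.ssl.default ssl_options.cacertfile ssl_options.certfile "
                 "ssl_options.keyfile management.ssl.port management.ssl.cacertfile "
                 "management.ssl.certfile management.ssl.keyfile").split()
LISTENER_RE = re.compile(r"started (TLS \(SSL\)|TCP) listener on (\S+):(\d+)")

# Constructed sample input: folder name, timestamps and process ids are made up.
SAMPLE_CONF = """\
listeners.ssl.default     = 5671
ssl_options.cacertfile    = "C:/RabbitConfig/certs/sslcacertificate.pem"
ssl_options.certfile      = "C:/RabbitConfig/certs/public-sslcertificate.pem"
ssl_options.keyfile       = "C:/RabbitConfig/certs/private-sslcertificate.pem"
management.ssl.port       = 15671
management.ssl.cacertfile = "C:/RabbitConfig/certs/sslcacertificate.pem"
management.ssl.certfile   = "C:/RabbitConfig/certs/public-sslcertificate.pem"
management.ssl.keyfile    = "C:/RabbitConfig/certs/private-sslcertificate.pem"
"""
SAMPLE_LOG = """\
2024-01-01 10:00:01.100 [info] <0.500.0> started TCP listener on [::]:5672
2024-01-01 10:00:01.200 [info] <0.520.0> started TLS (SSL) listener on [::]:5671
"""

def parse_conf(text):
    """Parse 'key = value' lines, skipping blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().strip('"')
    return conf

def listeners_in_log(log_text):
    """Map each port with a logged listener to 'TLS' or 'TCP'."""
    return {int(port): ("TLS" if kind.startswith("TLS") else "TCP")
            for kind, _addr, port in LISTENER_RE.findall(log_text)}

def audit(conf_text, log_text):
    """Return findings; an empty list means config and log agree on TLS."""
    conf, logged = parse_conf(conf_text), listeners_in_log(log_text)
    findings = [f"missing setting: {k}" for k in REQUIRED_KEYS if not conf.get(k)]
    port = conf.get("listeners.ssl.default", "")
    if port.isdigit() and logged.get(int(port)) != "TLS":
        findings.append(f"log shows no TLS listener on port {port}")
    plain = sorted(p for p, kind in logged.items() if kind == "TCP")
    if plain and conf.get("listeners.tcp") != "none":
        findings.append(f"plaintext listener still open on port(s) {plain}")
    return findings
```

Calling audit(SAMPLE_CONF, SAMPLE_LOG) reports only the open plaintext listener on 5672; to run it against a real installation, pass the contents of rabbitmq.conf and the broker log instead of the samples.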

Update Program Config Files

Update the following keys in all app/web config files.

<add key="BUSINESS_RULE_RABBITMQ_ENABLESSL" value="true" /> 

<add key="BUSINESS_RULE_RABBITMQ_PORT" value="5671" /> 

Enabling TLS on RabbitMQ makes its use secure and is recommended when the communication between the Server and Clients needs to be encrypted.