Overview
This article will demonstrate how to configure a TLS connection between RabbitMQ and Xray.
Prerequisites
Certificates
Artifactory and Xray are up and running.
Generate a server certificate and private key. In this guide we’ll use tls-gen to generate a self-signed certificate and private key for the RabbitMQ server.
Copying generated certificates
Once the certificates are generated, the path to each one must be readable by the xray user (the default user for Xray services). For ease of access, we’ll copy the server (RabbitMQ) certificates to ${XRAY_HOME}/var/data/rabbitmq/certs/ and the client (Xray) certificates to ${XRAY_HOME}/var/data/server/certs/ (both certs folders must be created), then set the ownership of the certificates to the xray user and restrict their permissions as shown in the listings below.
${XRAY_HOME} variable is the root folder of Xray installation (by default /opt/jfrog/xray)
${XRAY_HOME}/var/data/rabbitmq/certs/
-rw------- 1 xray xray 1.3K Mar 26 12:02 ca_certificate.pem
-rw------- 1 xray xray 1.4K Mar 26 12:02 server_xray_certificate.pem
-rw------- 1 xray xray 1.7K Mar 26 12:02 server_xray_key.pem
${XRAY_HOME}/var/data/server/certs/
-rw------- 1 xray xray 1.3K Mar 26 12:00 ca_certificate.pem
-rw------- 1 xray xray 1.3K Mar 26 11:59 client_xray_certificate.pem
-rw------- 1 xray xray 1.7K Mar 26 11:59 client_xray_key.pem
Configure RabbitMQ to use the certificate and key
You can do this by adding the following lines to the RabbitMQ configuration file located at ${XRAY_HOME}/app/bin/rabbitmq/rabbitmq.conf:
listeners.ssl.default = 5671
listeners.tcp = none
management.listener.ssl = true
ssl_options.cacertfile = ${XRAY_HOME}/var/data/rabbitmq/certs/ca_certificate.pem
ssl_options.certfile = ${XRAY_HOME}/var/data/rabbitmq/certs/server_xray_certificate.pem
ssl_options.keyfile = ${XRAY_HOME}/var/data/rabbitmq/certs/server_xray_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
The listeners.ssl.default line tells RabbitMQ to listen for SSL/TLS connections on port 5671, listeners.tcp = none disables the non-TLS listener, and management.listener.ssl puts the RabbitMQ management UI behind TLS as well. The ssl_options.certfile and ssl_options.keyfile lines specify the paths to the server certificate and private key, respectively. ssl_options.verify = verify_peer tells RabbitMQ to verify the peer's (client's) certificate, and ssl_options.fail_if_no_peer_cert = true makes it reject any peer that does not present one, so Xray must present the client certificate configured in the next step. Finally, ssl_options.cacertfile specifies the path to the certificate authority (CA) certificate that is used to verify the peer's certificate.
Configure Xray to use the certificate and key
Next, we’ll need to configure Xray to connect to RabbitMQ using a certificate and key for SSL/TLS encryption. Modify the rabbitMq section in Xray’s system.yaml file located at ${XRAY_HOME}/var/etc/system.yaml:
rabbitMq:
    url: amqps://localhost:5671
    autoStop: true
    certFilePath: ${XRAY_HOME}/var/data/server/certs/client_xray_certificate.pem
    certKeyFilePath: ${XRAY_HOME}/var/data/server/certs/client_xray_key.pem
    certCaFilePath: ${XRAY_HOME}/var/data/server/certs/ca_certificate.pem
These lines enable SSL/TLS for RabbitMQ inside JFrog Xray and set the paths to the client certificate (certFilePath), private key (certKeyFilePath), and CA certificate (certCaFilePath). Port 5671 in url matches listeners.ssl.default in rabbitmq.conf from the previous step, so Xray connects over SSL/TLS. By default RabbitMQ is always running; autoStop makes sure that RabbitMQ stops and starts together with the Xray service.
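Because the broker now enforces mutual TLS (verify_peer plus fail_if_no_peer_cert), a mismatch between rabbitmq.conf and system.yaml (wrong scheme or port, a forgotten client certificate path, a plaintext listener left open) or a key file readable by other users is the usual reason the connection fails after the restart. The preflight check below is an added example, not part of the original article and not JFrog tooling. It embeds the two configuration fragments above as constructed sample strings, parses them with small purpose-built readers (no YAML library needed for the flat rabbitMq mapping), compares the two sides, and goes somewhat beyond the article by also checking that the referenced certificate files exist, are mode 0600 and are owned by the expected user. It assumes ${XRAY_HOME} defaults to /opt/jfrog/xray unless the environment variable is set.

```python
"""Preflight check: do rabbitmq.conf and Xray's system.yaml agree on TLS? (added example)"""
import os
import pwd
import stat
from urllib.parse import urlparse

# Constructed samples mirroring the article's fragments; a real run reads the actual files.
RABBITMQ_CONF = """\
listeners.ssl.default = 5671
listeners.tcp = none
management.listener.ssl = true
ssl_options.cacertfile = ${XRAY_HOME}/var/data/rabbitmq/certs/ca_certificate.pem
ssl_options.certfile = ${XRAY_HOME}/var/data/rabbitmq/certs/server_xray_certificate.pem
ssl_options.keyfile = ${XRAY_HOME}/var/data/rabbitmq/certs/server_xray_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
"""
SYSTEM_YAML = """\
rabbitMq:
    url: amqps://localhost:5671
    autoStop: true
    certFilePath: ${XRAY_HOME}/var/data/server/certs/client_xray_certificate.pem
    certKeyFilePath: ${XRAY_HOME}/var/data/server/certs/client_xray_key.pem
    certCaFilePath: ${XRAY_HOME}/var/data/server/certs/ca_certificate.pem
"""


def parse_rabbitmq_conf(text):
    """RabbitMQ's sysctl-style 'key = value' format; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def parse_rabbitmq_section(text):
    """Minimal reader for the flat 'rabbitMq:' mapping; indented lines belong to it."""
    section, inside = {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith((" ", "\t")):          # a top-level key starts a new section
            inside = line.strip() == "rabbitMq:"
            continue
        if inside and ":" in line:
            key, value = line.strip().split(":", 1)
            section[key.strip()] = value.strip().strip("'\"")
    return section


def expand(path):
    """Expand the article's ${XRAY_HOME} placeholder (default install root assumed)."""
    return path.replace("${XRAY_HOME}", os.environ.get("XRAY_HOME", "/opt/jfrog/xray"))


def check_config(rabbitmq_conf_text, system_yaml_text):
    """Return a list of findings; an empty list means both sides agree."""
    conf = parse_rabbitmq_conf(rabbitmq_conf_text)
    xray = parse_rabbitmq_section(system_yaml_text)
    findings = []
    if conf.get("listeners.tcp") != "none":
        findings.append("listeners.tcp is not 'none': a plaintext AMQP listener stays open")
    tls_port = conf.get("listeners.ssl.default")
    if not tls_port:
        findings.append("listeners.ssl.default missing: RabbitMQ has no TLS listener")
    mutual_tls = (conf.get("ssl_options.verify") == "verify_peer"
                  and conf.get("ssl_options.fail_if_no_peer_cert") == "true")
    if not mutual_tls:
        findings.append("verify_peer + fail_if_no_peer_cert not both set: client certificate not required")
    url = urlparse(xray.get("url", ""))
    if url.scheme != "amqps":
        findings.append(f"Xray url scheme is '{url.scheme}', expected 'amqps'")
    if tls_port and url.port is not None and str(url.port) != tls_port:
        findings.append(f"Xray connects to port {url.port} but RabbitMQ's TLS listener is on {tls_port}")
    if mutual_tls and not (xray.get("certFilePath") and xray.get("certKeyFilePath")):
        findings.append("broker requires a client certificate but certFilePath/certKeyFilePath are not set")
    for key in ("ssl_options.cacertfile", "ssl_options.certfile", "ssl_options.keyfile"):
        if key not in conf:
            findings.append(f"{key} missing from rabbitmq.conf")
    if not xray.get("certCaFilePath"):
        findings.append("certCaFilePath missing: Xray cannot verify the broker's certificate")
    return findings


def cert_paths(rabbitmq_conf_text, system_yaml_text):
    """All certificate/key paths referenced by either side, with ${XRAY_HOME} expanded."""
    conf = parse_rabbitmq_conf(rabbitmq_conf_text)
    xray = parse_rabbitmq_section(system_yaml_text)
    return ([expand(conf[k]) for k in ("ssl_options.cacertfile", "ssl_options.certfile", "ssl_options.keyfile") if k in conf]
            + [expand(xray[k]) for k in ("certCaFilePath", "certFilePath", "certKeyFilePath") if k in xray])


def check_cert_files(paths, expected_owner=None):
    """Flag missing files, files readable by group/others, and (optionally) the wrong owner."""
    findings = []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"{path}: not found")
            continue
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is accessible to group/others; expected 0600")
        if expected_owner is not None:
            try:
                owner = pwd.getpwuid(st.st_uid).pw_name
            except KeyError:
                owner = None
            if owner != expected_owner:
                findings.append(f"{path}: owned by uid {st.st_uid} ({owner}), expected user '{expected_owner}'")
    return findings


if __name__ == "__main__":
    problems = check_config(RABBITMQ_CONF, SYSTEM_YAML)
    problems += check_cert_files(cert_paths(RABBITMQ_CONF, SYSTEM_YAML), expected_owner="xray")
    print("\n".join(problems) if problems else "OK: RabbitMQ and Xray TLS settings are consistent")
```

Run it on the host as root or as the xray user after the files are in place; replace the embedded samples with the contents of the real rabbitmq.conf and system.yaml. An empty findings list does not prove the certificates chain correctly (that is what the restart in the final step will show), but it catches the configuration and permission mistakes that most often produce a handshake failure.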
Final steps
Finally, execute the following API query to enable the TLS configuration and restart the Xray service.