(9.5.4+) Securing your HA RabbitMQ connection

Configuration steps for secure RabbitMQ.

You can secure your RabbitMQ connection for a High Availability deployment by adding the certificate details to the RabbitMQ site.config file and updating the URI for each RabbitMQ federation upstream. This guide details the process for securing RabbitMQ with On-Premise Callback 9.5.4 and higher.

Note: Mindful secure RabbitMQ configuration does not support password-protected certificates.

Before you begin

Consider the following prerequisites before configuring the solution.

Note:
  • The CA public key and any intermediates must be in PEM format.

  • Private and public server keys must be in PEM format.

  • The server PKCS12 keystore must contain both the private and public server keys. Use the following command to export a .p12 file:

    openssl pkcs12 -export -out "/path/to/server.p12" -in "/path/to/server.pem" -inkey "/path/to/server.key"

Configuration

Note:
  • The following steps must be performed on all On-Premise Callback servers in the solution.

  • These instructions apply to HA On-Premise Callback solutions only.

  • These instructions do not apply to Agent Priority integrations.

Initial steps

  • Stage your certificates to the recommended directory \Virtual Hold Technology\certs.

  • Stop RabbitMQ service and all Mindful services and processes.

Create the RabbitMQ environment variable

  • Open sysdm.cpl > Advanced > Environment Variables.

  • Create a new System Variable:

    • Name - RABBITMQ_USE_LONGNAME

    • Value - true

Reinstall the RabbitMQ Windows service

  • Open a new command prompt window.

  • Change the directory to \Virtual Hold Technology\RabbitMQ Server\rabbitmq_server-{version}\sbin.

  • Run the following commands to reinstall the RabbitMQ service:

    rabbitmq-service.bat remove
    rabbitmq-service.bat install

Enable the RabbitMQ auth plugin

  • Open a new command prompt window.

  • Change the directory to \Virtual Hold Technology\RabbitMQ Server\rabbitmq_server-{version}\sbin.

  • Run the following command:

    rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl

Create the RabbitMQ user and set permissions

  • Open a new command prompt window.

  • Change the directory to \Virtual Hold Technology\RabbitMQ Server\rabbitmq_server-{version}\sbin

  • Start RabbitMQ with the following command and wait a few seconds for the service to initialize:

    rabbitmq-service.bat start

  • Run the following commands while replacing {COMMON_NAME} with the common name of your server certificate (the password set by add_user is cleared immediately, so the user can only log in with its certificate):

    rabbitmqctl.bat add_user {COMMON_NAME} password
    rabbitmqctl.bat clear_password {COMMON_NAME}
    rabbitmqctl.bat set_user_tags {COMMON_NAME} administrator
    rabbitmqctl.bat set_permissions -p / {COMMON_NAME} ".*" ".*" ".*"
    rabbitmq-service.bat stop

Update RabbitMQ Server configuration

  • Delete the existing Virtual Hold Technology\RabbitMQ Server\rabbitmq.config file.

  • Create a Virtual Hold Technology\RabbitMQ Server\rabbitmq.conf file (not the existing rabbitmq.config).

  • Edit the new rabbitmq.conf and add the following options (replace {CERT_DIR} with the full path to your certs, and use '/' in your path to avoid escaping backslashes).

    log.file.level = info
    cluster_partition_handling = autoheal
    auth_mechanisms.1 = EXTERNAL
    ssl_options.versions.1 = tlsv1.3
    ssl_cert_login_from = common_name
    listeners.tcp = none
    listeners.ssl.default = 5671
    ssl_options.cacertfile = {CERT_DIR}/ca.pem
    ssl_options.certfile = {CERT_DIR}/server.pem
    ssl_options.keyfile = {CERT_DIR}/server.key
    ssl_options.verify = verify_peer
    ssl_options.fail_if_no_peer_cert = true
    management.ssl.port = 15671
    management.ssl.cacertfile = {CERT_DIR}/ca.pem
    management.ssl.certfile = {CERT_DIR}/server.pem
    management.ssl.keyfile = {CERT_DIR}/server.key

Edit the cookie

  • Change the cookie name in \Virtual Hold Technology\RabbitMQ Server\rabbitmq.vm.args from "vht_cookie.rabbitmq" to "vht_cookie".

Update Mindful Configuration

  • Edit the \Virtual Hold Technology\rabbitmq_config.json file and modify the following options:

    • Replace {FQDN} with the local server FQDN.

    • Replace {CERT_DIR} with the full path to your certs.

    • Use '/' in your path to avoid escaping backslashes.

    • Replace {COMMON_NAME} with the common name of your server certificate.

    "sslEnabled": true,
    "sslServerName": "{FQDN}",
    "sslVersion": "Tls13",
    "certPathP12": "",
    "keyFileP12": "{CERT_DIR}/server.p12",
    "caCertFile": "{CERT_DIR}/ca.pem",
    "certFile": "{CERT_DIR}/server.pem",
    "keyFile": "{CERT_DIR}/server.key",
    "hostname": "{FQDN}",
    "depth": 2,
    "port": 5671,
    "identity": "{COMMON_NAME}",
    "vHost": "/"
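An added Python check (not part of the Mindful documentation) that parses a rabbitmq.conf and the rabbitmq_config.json fragment above and reports any setting that departs from this procedure, such as a plaintext listener or a missing client-certificate check. The certificate directory C:/Virtual Hold Technology/certs and the host name core1.example.local are assumed sample values.

```python
import json

# Settings the procedure requires in rabbitmq.conf, and why each one matters.
REQUIRED_CONF = {
    "listeners.tcp": "none",                     # no plaintext AMQP listener
    "listeners.ssl.default": "5671",
    "auth_mechanisms.1": "EXTERNAL",             # certificate login only
    "ssl_cert_login_from": "common_name",
    "ssl_options.versions.1": "tlsv1.3",
    "ssl_options.verify": "verify_peer",         # verify client certificates
    "ssl_options.fail_if_no_peer_cert": "true",  # and reject clients without one
}

def parse_rabbitmq_conf(text):
    """Parse rabbitmq.conf 'key = value' lines; '#' starts a comment."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def check_tls_config(conf_text, client_json_text):
    """Return findings; an empty list means both files follow the procedure."""
    conf = parse_rabbitmq_conf(conf_text)
    client = json.loads(client_json_text)
    findings = [f"{k}: expected '{v}', found '{conf.get(k)}'"
                for k, v in REQUIRED_CONF.items() if conf.get(k) != v]
    # Cross-checks between the broker config and the Mindful client fragment.
    if not client.get("sslEnabled"):
        findings.append("client: sslEnabled must be true")
    if str(client.get("port")) != conf.get("listeners.ssl.default"):
        findings.append("client: port does not match listeners.ssl.default")
    if client.get("caCertFile") != conf.get("ssl_options.cacertfile"):
        findings.append("client: caCertFile differs from ssl_options.cacertfile")
    if not client.get("identity"):
        findings.append("client: identity (certificate common name) is empty")
    return findings

# Constructed samples; the certificate directory and host name are assumptions.
CERT_DIR = "C:/Virtual Hold Technology/certs"
GOOD_CONF = "\n".join(f"{k} = {v}" for k, v in REQUIRED_CONF.items())
GOOD_CONF += f"\nssl_options.cacertfile = {CERT_DIR}/ca.pem\n"
# The same file weakened: a plaintext listener and no client-certificate check.
WEAK_CONF = GOOD_CONF.replace("listeners.tcp = none", "listeners.tcp = 5672") \
                     .replace("verify_peer", "verify_none")
GOOD_JSON = json.dumps({"sslEnabled": True, "sslVersion": "Tls13", "port": 5671,
                        "caCertFile": f"{CERT_DIR}/ca.pem", "vHost": "/",
                        "identity": "core1.example.local"})
```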

Update RabbitMQ Federation Policies and Upstreams

For each Core server:

  • Open a new command prompt window.

  • Change the directory to \Virtual Hold Technology\RabbitMQ Server\rabbitmq_server-{version}\sbin.

  • Start RabbitMQ with the following command and wait a few seconds for the service to initialize:

    rabbitmq-service.bat start

  • Run the following commands to create RabbitMQ federation policies (a trailing ^ continues a command on the next line):

    rabbitmqctl.bat set_policy call-stream-federation-core "VHT.call_event_stream" ^
    "{""federation-upstream-set"":""all"",""max-length"":"300000"}" ^
    --priority 1 --apply-to queues

    rabbitmqctl.bat set_policy federate-transaction "vht.license.transaction" ^
    "{""federation-upstream-set"":""all""}" ^
    --priority 0 --apply-to exchanges

    rabbitmqctl.bat set_policy federate-notification "vht.license.notification" ^
    "{""federation-upstream-set"":""all""}" ^
    --priority 0 --apply-to exchanges

  • Run the following command to create an upstream to each Management server.

    • Run once for each Management instance and replace {FQDN}, {COMMON_NAME} and {CERT_DIR} before running. Use '/' in your path to avoid escaping backslashes. Keep the quoted JSON argument on a single line.

    rabbitmqctl.bat set_parameter federation-upstream {FQDN} ^
    "{""uri"":""amqps://{COMMON_NAME}@{FQDN}?cacertfile={CERT_DIR}/ca.pem&certfile={CERT_DIR}/server.pem&keyfile={CERT_DIR}/server.key&verify=verify_peer&auth_mechanism=external&heartbeat=10&connection_timeout=500"",""expires"":300000, ""max-hops"":1, ""ack-mode"":""on-confirm"", ""trust-user-id"":false}"

Stop RabbitMQ

rabbitmq-service.bat stop

Additional Management server configuration

Perform the following steps on all Management servers in the solution.

  • Open a new command prompt window.

  • Change the directory to \Virtual Hold Technology\RabbitMQ Server\rabbitmq_server-{version}\sbin.

  • Start RabbitMQ with the following command and wait a few seconds for the service to initialize:

    rabbitmq-service.bat start

  • Run the following commands to create RabbitMQ federation policies (a trailing ^ continues a command on the next line):

    rabbitmqctl.bat set_policy component-federation "control_exchange" ^
    "{""federation-upstream-set"":""all""}" ^
    --priority 0 --apply-to exchanges

    rabbitmqctl.bat set_policy call-stream-federation-management "VHT.call_event_stream" ^
    "{""federation-upstream-set"":""all""}" ^
    --priority 0 --apply-to queues

    rabbitmqctl.bat set_policy federate-feed "vht.license.feed" ^
    "{""federation-upstream-set"":""all""}" ^
    --priority 0 --apply-to exchanges

    rabbitmqctl.bat set_policy federate-transaction "vht.license.transaction" ^
    "{""federation-upstream-set"":""all""}" ^
    --priority 0 --apply-to exchanges

    rabbitmqctl.bat set_policy federate-notification "vht.license.notification" ^
    "{""federation-upstream-set"":""all""}" ^
    --priority 0 --apply-to exchanges

  • Run the following command to create an upstream to each Core and Management server. Run once for each Core and Management instance (not including the current server) and replace {FQDN}, {COMMON_NAME} and {CERT_DIR} before running. Use '/' in your path to avoid escaping backslashes. Keep the quoted JSON argument on a single line.

    rabbitmqctl.bat set_parameter federation-upstream {FQDN} ^
    "{""uri"":""amqps://{COMMON_NAME}@{FQDN}?cacertfile={CERT_DIR}/ca.pem&certfile={CERT_DIR}/server.pem&keyfile={CERT_DIR}/server.key&verify=verify_peer&auth_mechanism=external&heartbeat=10&connection_timeout=500"",""expires"":300000, ""max-hops"":1, ""ack-mode"":""on-confirm"", ""trust-user-id"":false}"
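As an added example (not Mindful's own tooling), this Python snippet builds a federation-upstream URI in the form the set_parameter command above uses and checks it for the properties this procedure depends on: the amqps scheme, no password in the URI, verify_peer, EXTERNAL authentication, and forward-slash certificate paths. The host names and certificate directory are assumed sample values.

```python
from urllib.parse import parse_qs, urlsplit

# Query parameters the upstream URI must carry for a certificate-authenticated,
# peer-verified federation link, per the procedure above.
REQUIRED_QUERY = {"verify": "verify_peer", "auth_mechanism": "external"}
CERT_PARAMS = ("cacertfile", "certfile", "keyfile")

def build_upstream_uri(common_name, fqdn, cert_dir):
    """Assemble the upstream URI in the form the set_parameter command uses."""
    return (f"amqps://{common_name}@{fqdn}?cacertfile={cert_dir}/ca.pem"
            f"&certfile={cert_dir}/server.pem&keyfile={cert_dir}/server.key"
            "&verify=verify_peer&auth_mechanism=external"
            "&heartbeat=10&connection_timeout=500")

def check_upstream_uri(uri):
    """Return findings for one federation-upstream URI (empty list = OK)."""
    parts = urlsplit(uri)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if parts.scheme != "amqps":
        findings.append(f"scheme is '{parts.scheme}', expected amqps")
    if parts.password is not None:
        findings.append("URI embeds a password; EXTERNAL auth uses the certificate")
    if not parts.username:
        findings.append("URI has no user; it must be the certificate common name")
    if parts.port not in (None, 5671):
        findings.append(f"port {parts.port} is not the TLS listener 5671")
    for key, expected in REQUIRED_QUERY.items():
        if query.get(key) != expected:
            findings.append(f"{key}={query.get(key)}, expected {expected}")
    for key in CERT_PARAMS:
        if key not in query:
            findings.append(f"missing {key}")
        elif "\\" in query[key]:
            findings.append(f"{key} uses backslashes; use '/' as the procedure says")
    return findings

# Constructed sample values; host names and the path are assumptions, not real hosts.
GOOD_URI = build_upstream_uri("core1.example.local", "mgmt1.example.local",
                              "C:/Virtual Hold Technology/certs")
# A weakened URI: password in the URI, plaintext port, no peer verification.
WEAK_URI = "amqp://core1:Secret@mgmt1.example.local:5672?verify=verify_none"
```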

Stop RabbitMQ

rabbitmq-service.bat stop

Lastly, start the RabbitMQ service and all Mindful services and processes.

Testing procedure

Two checks help verify that the configuration is working as expected:

  • Locate the log statement "started TLS (SSL) listener" during startup in your RabbitMQ logs.

  • Log in to the Launchpad and verify that the System Management status is "operational".