(9.5.4+) Securing your HA RabbitMQ connection
Configuration steps for secure RabbitMQ.
You can secure your RabbitMQ connection for a High Availability deployment by adding the certificate details to the RabbitMQ site.config file and updating the URI for each RabbitMQ federation upstream. This guide details the process for securing RabbitMQ with On-Premise Callback 9.5.4 and higher.
Before you begin
Consider the following prerequisites before configuring the solution.
- The CA public key and any intermediates must be in PEM format.
- Private and public server keys must be in PEM format.
- The server PKCS12 keystore must contain both the private and public server keys. Use the following command to export a .p12 file:
  openssl pkcs12 -export -out "/path/to/server.p12" -in "/path/to/server.pem" -inkey "/path/to/server.key"
Configuration
- The following steps must be performed on all On-Premise Callback servers in the solution.
- These instructions apply to HA On-Premise Callback solutions only.
- These instructions do not apply to Agent Priority integrations.
Initial steps
- Stage your certificates to the recommended directory \Virtual Hold Technology\certs.
- Stop the RabbitMQ service and all Mindful services and processes.
Create the RabbitMQ environment variable
- Open sysdm.cpl > Advanced > Environment Variables.
- Create a new System Variable:
  - Name - RABBITMQ_USE_LONGNAME
  - Value - true
Reinstall the RabbitMQ Windows service
- Open a new command prompt window.
- Change the directory to \Virtual Hold Technology\RabbitMQ Server\rabbitmq_server-{version}\sbin.
- Run the following commands to reinstall the RabbitMQ service (the Windows service only picks up the new environment variable when it is reinstalled):
  rabbitmq-service.bat remove
  rabbitmq-service.bat install
Enable the RabbitMQ auth plugin
- Open a new command prompt window.
- Change the directory to \Virtual Hold Technology\RabbitMQ Server\rabbitmq_server-{version}\sbin.
- Run the following command:
  rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl
Create the RabbitMQ user and set permissions
- Open a new command prompt window.
- Change the directory to \Virtual Hold Technology\RabbitMQ Server\rabbitmq_server-{version}\sbin.
- Start RabbitMQ with the following command and wait a few seconds for the service to initialize:
  rabbitmq-service.bat start
- Run the following commands, replacing {COMMON_NAME} with the common name of your server certificate (the temporary password is cleared immediately so the account can only authenticate with its certificate):
  rabbitmqctl.bat add_user {COMMON_NAME} password
  rabbitmqctl.bat clear_password {COMMON_NAME}
  rabbitmqctl.bat set_user_tags {COMMON_NAME} administrator
  rabbitmqctl.bat set_permissions -p / {COMMON_NAME} ".*" ".*" ".*"
  rabbitmq-service.bat stop
Update RabbitMQ Server configuration
- Delete the existing \Virtual Hold Technology\RabbitMQ Server\rabbitmq.config file.
- Create a new \Virtual Hold Technology\RabbitMQ Server\rabbitmq.conf file (note the .conf extension; this is a new file, not the rabbitmq.config you just deleted).
- Edit the new rabbitmq.conf and add the following options (replace {CERT_DIR} with the full path to your certs, and use '/' in your path to avoid escaping backslashes):
  log.file.level = info
  cluster_partition_handling = autoheal
  auth_mechanisms.1 = EXTERNAL
  ssl_options.versions.1 = tlsv1.3
  ssl_cert_login_from = common_name
  listeners.tcp = none
  listeners.ssl.default = 5671
  ssl_options.cacertfile = {CERT_DIR}/ca.pem
  ssl_options.certfile = {CERT_DIR}/server.pem
  ssl_options.keyfile = {CERT_DIR}/server.key
  ssl_options.verify = verify_peer
  ssl_options.fail_if_no_peer_cert = true
  management.ssl.port = 15671
  management.ssl.cacertfile = {CERT_DIR}/ca.pem
  management.ssl.certfile = {CERT_DIR}/server.pem
  management.ssl.keyfile = {CERT_DIR}/server.key
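As an added check (example code written for this guide, not part of the product), the following Python script parses a rabbitmq.conf in the format above and reports any of the guide's mutual-TLS settings that are missing, weakened, or still carry the {CERT_DIR} placeholder; the sample file and its C:/ paths are constructed.

```python
# Added example (not the product's code): audit a rabbitmq.conf against the mutual-TLS settings this guide prescribes.

REQUIRED = {                                     # key -> value the guide requires
    "listeners.tcp": "none",                     # no plaintext AMQP listener
    "auth_mechanisms.1": "EXTERNAL",             # log in by client certificate
    "ssl_cert_login_from": "common_name",
    "ssl_options.versions.1": "tlsv1.3",
    "ssl_options.verify": "verify_peer",
    "ssl_options.fail_if_no_peer_cert": "true",  # reject clients without a certificate
}
CERT_FILES = ("ssl_options.cacertfile", "ssl_options.certfile", "ssl_options.keyfile")

def parse_conf(text):
    """Parse rabbitmq.conf 'key = value' lines; a line starting with '#' is a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            settings[key] = value  # a later duplicate wins
    return settings

def audit_conf(text):
    """Return findings as strings; an empty list means the file matches the guide."""
    settings, findings = parse_conf(text), []
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key} missing (expected {want})")
        elif got.lower() != want.lower():
            findings.append(f"{key} = {got} (expected {want})")
    for key in CERT_FILES:  # each file must be a real path, not the placeholder
        if not settings.get(key) or "{CERT_DIR}" in settings[key]:
            findings.append(f"{key} unset or still holds {{CERT_DIR}}")
    return findings

# Constructed sample: the guide's settings with three weakened or unfinished lines.
WEAK_CONF = """\
# plaintext AMQP listener left open
listeners.tcp = 5672
listeners.ssl.default = 5671
auth_mechanisms.1 = EXTERNAL
ssl_options.versions.1 = tlsv1.3
ssl_cert_login_from = common_name
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
ssl_options.cacertfile = C:/Virtual Hold Technology/certs/ca.pem
ssl_options.certfile = C:/Virtual Hold Technology/certs/server.pem
ssl_options.keyfile = {CERT_DIR}/server.key
"""
```

Running audit_conf(WEAK_CONF) reports the open plaintext listener, the disabled client-certificate requirement and the unfilled keyfile placeholder.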
Edit the cookie
- Change the cookie name in \Virtual Hold Technology\RabbitMQ Server\rabbitmq.vm.args from "vht_cookie.rabbitmq" to "vht_cookie".
Update Mindful Configuration
- Edit the \Virtual Hold Technology\rabbitmq_config.json file and modify the following options:
  - Replace {FQDN} with the local server FQDN.
  - Replace {CERT_DIR} with the full path to your certs.
  - Use '/' in your path to avoid escaping backslashes.
  - Replace {COMMON_NAME} with the common name of your server certificate.
  "sslEnabled": true,
  "sslServerName": "{FQDN}",
  "sslVersion": "Tls13",
  "certPathP12": "",
  "keyFileP12": "{CERT_DIR}/server.p12",
  "caCertFile": "{CERT_DIR}/ca.pem",
  "certFile": "{CERT_DIR}/server.pem",
  "keyFile": "{CERT_DIR}/server.key",
  "hostname": "{FQDN}",
  "depth": 2,
  "port": 5671,
  "identity": "{COMMON_NAME}",
  "vHost": "/"
Update RabbitMQ Federation Policies and Upstreams
For each Core server:
- Open a new command prompt window.
- Change the directory to \Virtual Hold Technology\RabbitMQ Server\rabbitmq_server-{version}\sbin.
- Start RabbitMQ with the following command and wait a few seconds for the service to initialize:
  rabbitmq-service.bat start
- Run the following commands to create RabbitMQ federation policies:
  rabbitmqctl.bat set_policy call-stream-federation-core "VHT.call_event_stream" "{""federation-upstream-set"":""all"",""max-length"":300000}" --priority 1 --apply-to queues
  rabbitmqctl.bat set_policy federate-transaction "vht.license.transaction" "{""federation-upstream-set"":""all""}" --priority 0 --apply-to exchanges
  rabbitmqctl.bat set_policy federate-notification "vht.license.notification" "{""federation-upstream-set"":""all""}" --priority 0 --apply-to exchanges
- Run the following command to create an upstream to each Management server. Run it once for each Management instance, replacing {FQDN}, {COMMON_NAME} and {CERT_DIR} before running. Use '/' in your path to avoid escaping backslashes. (The ^ at the end of the first line is the cmd.exe line-continuation character.)
  rabbitmqctl.bat set_parameter federation-upstream {FQDN} ^
  "{""uri"":""amqps://{COMMON_NAME}@{FQDN}?cacertfile={CERT_DIR}/ca.pem&certfile={CERT_DIR}/server.pem&keyfile={CERT_DIR}/server.key&verify=verify_peer&auth_mechanism=external&heartbeat=10&connection_timeout=500"",""expires"":300000,""max-hops"":1,""ack-mode"":""on-confirm"",""trust-user-id"":false}"
- Stop RabbitMQ:
  rabbitmq-service.bat stop
Additional Management server configuration
Perform the following steps on all Management servers in the solution.
- Open a new command prompt window.
- Change the directory to \Virtual Hold Technology\RabbitMQ Server\rabbitmq_server-{version}\sbin.
- Start RabbitMQ with the following command and wait a few seconds for the service to initialize:
  rabbitmq-service.bat start
- Run the following commands to create RabbitMQ federation policies:
  rabbitmqctl.bat set_policy component-federation "control_exchange" "{""federation-upstream-set"":""all""}" --priority 0 --apply-to exchanges
  rabbitmqctl.bat set_policy call-stream-federation-management "VHT.call_event_stream" "{""federation-upstream-set"":""all""}" --priority 0 --apply-to queues
  rabbitmqctl.bat set_policy federate-feed "vht.license.feed" "{""federation-upstream-set"":""all""}" --priority 0 --apply-to exchanges
  rabbitmqctl.bat set_policy federate-transaction "vht.license.transaction" "{""federation-upstream-set"":""all""}" --priority 0 --apply-to exchanges
  rabbitmqctl.bat set_policy federate-notification "vht.license.notification" "{""federation-upstream-set"":""all""}" --priority 0 --apply-to exchanges
- Run the following command to create an upstream to each Core and Management server. Run it once for each Core and Management instance (not including the current server), replacing {FQDN}, {COMMON_NAME} and {CERT_DIR} before running. Use '/' in your path to avoid escaping backslashes.
  rabbitmqctl.bat set_parameter federation-upstream {FQDN} ^
  "{""uri"":""amqps://{COMMON_NAME}@{FQDN}?cacertfile={CERT_DIR}/ca.pem&certfile={CERT_DIR}/server.pem&keyfile={CERT_DIR}/server.key&verify=verify_peer&auth_mechanism=external&heartbeat=10&connection_timeout=500"",""expires"":300000,""max-hops"":1,""ack-mode"":""on-confirm"",""trust-user-id"":false}"
- Stop RabbitMQ:
  rabbitmq-service.bat stop
Lastly, start the RabbitMQ service and all Mindful services and processes.
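As an added example (not part of the product or of rabbitmqctl), this Python script takes a federation-upstream value exactly as the guide passes it to rabbitmqctl.bat, undoes cmd.exe's doubled quotes, and checks that the upstream URI keeps TLS, peer verification, certificate login and a cleared trust-user-id; the host names, certificate CN and C:/ paths in the sample are constructed.

```python
# Added example (not the product's code): check a federation-upstream value as this
# guide passes it to rabbitmqctl.bat, where cmd.exe doubles every inner quote.
import json
from urllib.parse import parse_qs, urlsplit

def unescape_cmd_arg(arg):
    """Undo cmd.exe quoting: drop the outer quotes and collapse each doubled quote."""
    if arg.startswith('"') and arg.endswith('"'):
        arg = arg[1:-1]
    return arg.replace('""', '"')

def audit_upstream(arg, expected_cn):
    """Return findings for an upstream value; an empty list means it matches the guide."""
    upstream = json.loads(unescape_cmd_arg(arg))
    uri = urlsplit(upstream["uri"])
    q = {k: v[-1] for k, v in parse_qs(uri.query).items()}  # last value wins
    findings = []
    if uri.scheme != "amqps":
        findings.append(f"scheme is {uri.scheme}, expected amqps (TLS)")
    if uri.username != expected_cn:
        findings.append(f"user {uri.username!r} is not the certificate CN {expected_cn!r}")
    if q.get("auth_mechanism") != "external":
        findings.append("auth_mechanism must be external (certificate login)")
    if q.get("verify") != "verify_peer":
        findings.append(f"verify is {q.get('verify')}, expected verify_peer")
    for f in ("cacertfile", "certfile", "keyfile"):
        if not q.get(f) or "{CERT_DIR}" in q[f]:
            findings.append(f"{f} unset or still holds {{CERT_DIR}}")
    if upstream.get("trust-user-id") is not False:
        findings.append("trust-user-id should be false")
    return findings

# Constructed sample in the guide's cmd.exe quoting, with the placeholders filled in.
GOOD_ARG = ('"{""uri"":""amqps://core1.example.test@mgmt1.example.test'
            '?cacertfile=C:/certs/ca.pem&certfile=C:/certs/server.pem'
            '&keyfile=C:/certs/server.key&verify=verify_peer&auth_mechanism=external'
            '&heartbeat=10&connection_timeout=500"",""expires"":300000,'
            '""max-hops"":1,""ack-mode"":""on-confirm"",""trust-user-id"":false}"')
# The same upstream with TLS and peer verification removed.
WEAK_ARG = GOOD_ARG.replace("amqps://", "amqp://").replace("verify_peer", "verify_none")
```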
Testing procedure
Two steps can help to verify that the configuration is working as expected:
- Locate the log statement "started TLS (SSL) listener" during startup in your RabbitMQ logs.
- Log in to the Launchpad and verify that the System Management status is "operational".