TLS Support for RabbitMQ
TLS protection for communication with RabbitMQ is available starting with Platform Analytics release 9.1. TLS support is available for the RabbitMQ connections from both the ThingWorx server and the Flink service. In each case, some individual setup is required to ensure that the necessary TLS certificates and keys are in place before you deploy Platform Analytics. Follow the links below to complete the necessary tasks:
Create Configuration Files – Use any text editor to create the configuration files necessary to generate TLS certificates and keys for Property Transform.
Generate Certificates and Keys – Use OpenSSL commands to generate the required TLS certificates and keys.
Additional ThingWorx Setup for TLS Connection to RabbitMQ – If you want to support TLS protection between the ThingWorx server and RabbitMQ, complete the additional setup tasks.
During Platform Analytics Installation – Gather the parameters you will need during the Platform Analytics installation if you intend to enable TLS for RabbitMQ.
Create Configuration Files
1. Open any text editor and create a rabbitmq.conf file similar to the example below.
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.2 = <IP address of the server where RabbitMQ will be installed>
2. Create a client.conf file similar to the example below.
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.2 = <IP address of the server where Property Transform will be installed>
IP.3 = <IP address of the server where Thingworx will be installed, if different>
3. Store both of the configuration files somewhere that will be accessible when you run the OpenSSL commands to generate certificates and keys.
Generate Certificates and Keys
To use TLS for RabbitMQ, generate the following certificate and key files with the OpenSSL tool, using the commands listed later in this section:
ca_certificate.pem – The RabbitMQ CA bundle file containing the authority that signed the RabbitMQ certificate and, optionally, the ThingWorx certificate.
rabbitmq_key.pem – The RabbitMQ key file necessary to create the signed RabbitMQ certificate.
rabbitmq_certificate.pem – The RabbitMQ certificate file signed by the authority in the RabbitMQ CA bundle.
client.pkcs12 – The Property Transform PKCS12 file, which is used to identify the Property Transform and Flink services to RabbitMQ. It must contain a certificate and the corresponding key, and the certificate must be signed by an authority in the RabbitMQ CA bundle.
Additional files necessary if you are protecting the RabbitMQ connection to the ThingWorx server:
client.pkcs12 – A PKCS12 file which is used to identify the ThingWorx server to RabbitMQ. You can reuse the Property Transform PKCS12 file or generate a separate file. This file will be listed in the ThingWorx platform-settings.json file.
BrokerSslServerTrustStore.jks – A Truststore file that contains the authority that signed the RabbitMQ certificate. This file will be listed in the ThingWorx platform-settings.json file.
To generate the required TLS files and convert them to the necessary formats, run the commands below in order. Each command is followed by a description of its action; commands 1 through 9 use OpenSSL and command 10 uses the Java keytool.
1. openssl genrsa -out ca_key.pem 2048
Creates the Certificate Authority key used to create the RabbitMQ CA bundle in the next command.
* If you already have a certificate and corresponding key from a trusted Certificate Authority, you can skip this command. Make sure that your existing certificate and key are accessible while generating the RabbitMQ CA bundle.
2. openssl req -x509 -sha256 -new -nodes -key ca_key.pem -days 3650 -out ca_certificate.pem
Uses the CA key from the previous command to create the RabbitMQ CA bundle file.
* If you already have a certificate and corresponding key from a trusted Certificate Authority, you can skip this command. Make sure that your existing certificate and key are accessible while generating the RabbitMQ CA bundle.
3. openssl genrsa -out rabbitmq_key.pem 2048
Creates the RabbitMQ key file necessary to create a signed RabbitMQ certificate.
4. openssl req -new -key rabbitmq_key.pem -out rabbitmq.csr
Creates a certificate signing request (CSR) file used to request a new certificate from the Certificate Authority.
* When prompted for the Common Name for the RabbitMQ certificate, enter the host name of the server where you are installing Platform Analytics.
5. openssl x509 -req -in rabbitmq.csr -CA ca_certificate.pem -CAkey ca_key.pem -CAcreateserial -out rabbitmq_certificate.pem -days 3650 -sha256 -extfile rabbitmq.conf
Uses the RabbitMQ CSR file from the previous command and the rabbitmq.conf configuration file created in the previous section to generate the RabbitMQ certificate file. The certificate is signed by the authority in the RabbitMQ CA bundle.
6. openssl genrsa -out client_key.pem 2048
Creates the client key file necessary for peer verification.
7. openssl req -new -key client_key.pem -out client.csr
Creates a certificate signing request (CSR) file used to request a new certificate from the Certificate Authority.
* When prompted for the Common Name for the client certificate, enter the host name of either the server where you are installing Platform Analytics or the server where ThingWorx is installed.
8. openssl x509 -req -in client.csr -CA ca_certificate.pem -CAkey ca_key.pem -CAcreateserial -out client_certificate.pem -days 3650 -sha256 -extfile client.conf
Uses the client CSR file from the previous command and the client.conf configuration file created in the previous section to generate the client certificate file. The certificate is signed by the authority in the RabbitMQ CA bundle.
9. openssl pkcs12 -export -in client_certificate.pem -inkey client_key.pem -out client.pkcs12 -password pass:<BrokerSslClientStorePassword>
Converts the client certificate from the previous command, together with its key, to PKCS12 format.
For the password, use the BrokerSslClientStorePassword that will be listed in the PlatformSettingsConfig section of the platform-settings.json file for the ThingWorx server. For more information, see Additional ThingWorx Setup for TLS Connection with RabbitMQ.
10. keytool -importcert -keystore BrokerSslServerTrustStore.jks -storepass <BrokerSslServerTrustStorePassword> -file ca_certificate.pem -alias <rabbitmq alias>
Creates the ThingWorx Truststore file, BrokerSslServerTrustStore.jks, imports the RabbitMQ CA bundle file into the Truststore, and assigns an alias name to the bundle in the Truststore.
For the password, use the BrokerSslServerTrustStorePassword that will be listed in the PlatformSettingsConfig section of the platform-settings.json file for the ThingWorx server. For more information, see Additional ThingWorx Setup for TLS Connection with RabbitMQ.
* This command is necessary only if you are using TLS to protect the RabbitMQ connection to the ThingWorx server. If you only want to protect the connection between RabbitMQ and Flink, you can skip it.
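The following shell script is added here as an example; it is not part of the PTC documentation. It writes the two SAN configuration files from the previous section, drives steps 1 through 10 above non-interactively, and then runs the checks worth doing before the files are handed to the installer: that both certificates chain to the CA bundle, that the RabbitMQ certificate carries the SAN address from rabbitmq.conf, and that client.pkcs12 opens with the password that will go into platform-settings.json. It also produces the PKCS12 file and truststore referenced under Additional ThingWorx Setup for TLS Connection with RabbitMQ. The IP addresses, host name, passwords, alias and CA subject are constructed placeholders; the req.cnf file, the -subj and -config options, and the keytool -noprompt flag are this example's own additions so that the run does not depend on the system openssl.cnf or on Distinguished Name prompts.

```shell
#!/bin/sh
# Added example (not from the PTC documentation): runs the page's certificate steps
# non-interactively and then verifies the output. IPs, host name, passwords and the
# CA subject are constructed placeholders. req.cnf, -subj/-config and keytool -noprompt
# are this example's additions; the page's commands use the default config and prompt.
set -u

# "Create Configuration Files": write rabbitmq.conf and client.conf with the SAN entries.
# $1 = work dir, $2 = RabbitMQ host IP, $3 = Property Transform IP, $4 = ThingWorx IP
write_san_configs() {
    printf 'subjectAltName = @alt_names\n[alt_names]\nDNS.1 = localhost\nIP.2 = %s\n' \
        "$2" > "$1/rabbitmq.conf"
    printf 'subjectAltName = @alt_names\n[alt_names]\nDNS.1 = localhost\nIP.2 = %s\nIP.3 = %s\n' \
        "$3" "$4" > "$1/client.conf"
}

# Minimal "openssl req" config (this example's assumption): marks the self-signed
# certificate as a CA and defines an empty DN section so -subj supplies the subject.
write_req_config() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Steps 1 through 9 of "Generate Certificates and Keys", run in a subshell inside the work dir.
# $1 = work dir, $2 = host name used as the Common Name, $3 = BrokerSslClientStorePassword
generate_rabbitmq_tls() (
    cd "$1" || exit 1
    # 1-2: CA key and CA bundle (skip both when a trusted CA already signs for you)
    openssl genrsa -out ca_key.pem 2048 2>/dev/null &&
    openssl req -x509 -sha256 -new -nodes -key ca_key.pem -days 3650 \
        -out ca_certificate.pem -config req.cnf -subj "/CN=Platform Analytics Test CA" &&
    # 3-5: RabbitMQ key, CSR, and certificate signed by the CA with the rabbitmq.conf SANs
    openssl genrsa -out rabbitmq_key.pem 2048 2>/dev/null &&
    openssl req -new -key rabbitmq_key.pem -out rabbitmq.csr -config req.cnf -subj "/CN=$2" &&
    openssl x509 -req -in rabbitmq.csr -CA ca_certificate.pem -CAkey ca_key.pem -CAcreateserial \
        -out rabbitmq_certificate.pem -days 3650 -sha256 -extfile rabbitmq.conf 2>/dev/null &&
    # 6-9: client key, CSR, certificate with the client.conf SANs, then the PKCS12 bundle
    openssl genrsa -out client_key.pem 2048 2>/dev/null &&
    openssl req -new -key client_key.pem -out client.csr -config req.cnf -subj "/CN=$2" &&
    openssl x509 -req -in client.csr -CA ca_certificate.pem -CAkey ca_key.pem -CAcreateserial \
        -out client_certificate.pem -days 3650 -sha256 -extfile client.conf 2>/dev/null &&
    openssl pkcs12 -export -in client_certificate.pem -inkey client_key.pem \
        -out client.pkcs12 -password "pass:$3"
)

# Step 10: ThingWorx truststore via keytool (needed only for the ThingWorx-to-RabbitMQ leg).
# Returns 2 when no keytool is on PATH so callers can treat the step as skipped.
# $1 = work dir, $2 = BrokerSslServerTrustStorePassword, $3 = alias for the CA bundle
create_thingworx_truststore() {
    command -v keytool >/dev/null 2>&1 || return 2
    keytool -importcert -noprompt -keystore "$1/BrokerSslServerTrustStore.jks" -storepass "$2" \
        -file "$1/ca_certificate.pem" -alias "$3" >/dev/null 2>&1
}

# Pre-deployment checks: both certificates chain to the CA bundle, and the RabbitMQ
# certificate carries the SAN IP ($2) that Property Transform and ThingWorx will connect to.
verify_rabbitmq_tls() {
    openssl verify -CAfile "$1/ca_certificate.pem" "$1/rabbitmq_certificate.pem" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$1/ca_certificate.pem" "$1/client_certificate.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/rabbitmq_certificate.pem" -noout -text | grep -q "IP Address:$2"
}

# Succeeds only when client.pkcs12 opens with the given password, i.e. when the file and
# the BrokerSslClientStorePassword that goes into platform-settings.json actually match.
pkcs12_password_ok() {
    openssl pkcs12 -in "$1/client.pkcs12" -noout -passin "pass:$2" >/dev/null 2>&1
}

# Stand-alone run on constructed values in a scratch directory.
main() {
    dir=$(mktemp -d) || exit 1
    write_san_configs "$dir" 10.0.0.5 10.0.0.6 10.0.0.7
    write_req_config "$dir"
    generate_rabbitmq_tls "$dir" analytics.example.internal 'Pa55-Client-Store' || exit 1
    verify_rabbitmq_tls "$dir" 10.0.0.5 || { echo "certificate checks failed"; exit 1; }
    pkcs12_password_ok "$dir" 'Pa55-Client-Store' || { echo "PKCS12 password mismatch"; exit 1; }
    rc=0; create_thingworx_truststore "$dir" changeit rabbitmq-ca || rc=$?
    [ "$rc" -eq 1 ] && { echo "keytool import failed"; exit 1; }
    [ "$rc" -eq 2 ] && echo "keytool not on PATH; truststore step skipped"
    echo "TLS files generated and verified in $dir"
}
main
```

Run it with sh; every check is an ordinary exit code, so the same functions can be wired into deployment automation. The SAN check is kept separate from the chain check on purpose: if the address in rabbitmq.conf does not match the address clients actually use, the certificate still verifies against the CA bundle, but peer hostname verification at connection time fails, and that is the mismatch most often found only after installation.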
Additional ThingWorx Setup for TLS Connection with RabbitMQ
If you choose to use TLS support for RabbitMQ and its connections to a ThingWorx server, some additional configuration is required. The following tasks must be completed as part of your ThingWorx installation and setup:
Obtain a signed ThingWorx TLS certificate and key. You can use a certificate signed by a trusted Certificate Authority or a self-signed certificate. For more information, see TLS Support for ThingWorx.
Ensure that the authority that signed the ThingWorx TLS certificate is included in the RabbitMQ CA Bundle file.
Create a PKCS12 file that can be used to identify the ThingWorx server to RabbitMQ. It must contain a certificate and the corresponding key. To create the PKCS12 file, use the OpenSSL tool. For example:
openssl pkcs12 -export -in <certificate.pem> -inkey <key.pem> -out client.pkcs12
* You can use the Property Transform PKCS12 file created during Platform Analytics installation or create a new file.
Place the PKCS12 file on the ThingWorx host server.
Ensure that a Truststore on the ThingWorx host server (such as the Java cacerts file) contains the authority that signed the RabbitMQ certificate.
When you update the platform-settings.json file for the ThingWorx server to include the required PlatformSettingsConfig section, add the following TLS-specific parameters:
{
  "PlatformSettingsConfig": {
    ...
    "PropertyTransformSettings": {
      ...
      "BrokerSslEnabled": "true",
      "BrokerSslClientStore": "<path to PKCS12 file>",
      "BrokerSslClientStorePassword": "<PKCS12 password>",
      "BrokerSslServerTrustStore": "<path to ThingWorx Truststore file>",
      "BrokerSslServerTrustStorePassword": "<ThingWorx Truststore password>"
    }
  }
}
For more information about updating the platform-settings.json file, see one of the following procedures:
During Platform Analytics Installation
During the Platform Analytics installation, you will be asked if you want to enable TLS protection for your RabbitMQ connections. If you choose to enable TLS authentication for RabbitMQ, your signed certificate will be stored in a TLS Keystore. During the installation, you will be prompted to provide certain information from your authentication certificate. Be prepared to provide the following:
Locations of the following PEM files:
ca_certificate.pem – RabbitMQ CA bundle
rabbitmq_key.pem – RabbitMQ key
rabbitmq_certificate.pem – RabbitMQ certificate
Location of the Property Transform PKCS12 file (client.pkcs12)
Password assigned to the PKCS12 file
Truststore information as follows:
For 9.2 and later – Password that will be assigned to the RabbitMQ truststore when it is generated automatically during Platform Analytics installation.
For 9.0 and 9.1 – Password assigned to the Java truststore and RabbitMQ alias as it appears in the truststore.
For more information about configuring RabbitMQ during Platform Analytics installation, see one of the following procedures: