Building an external RabbitMQ service for vCloud Director

I had a requirement to deploy a RabbitMQ message broker and found the KB articles from VMware only mildly helpful, since they did not detail how to configure a trusted SSL certificate for SSL/TLS communications over the message bus.

For this deployment I used CentOS 7 to host the RabbitMQ service, but you should be able to use this guide for almost any flavour of Linux thanks to the scripts found on Package Cloud. You’ll need to adjust the installation of the rabbitmq-server package to suit your package manager (apt-get instead of yum, etc.).

The certificates were signed using a Microsoft Windows CA, so the certificate installation section may differ slightly if you’re using a different CA. Essentially you want the CA chain, the server certificate and its private key as PEM encoded files, since that is the format RabbitMQ’s TLS listener reads.

Typically you’d deploy RabbitMQ in a cluster, but my requirements did not necessitate that so this guide does not go into any detail on adding a second node.

I haven’t yet figured out how to configure the RabbitMQ management plug-in to use HTTPS, but I’ll update this post if I can get that working.

Add repositories for Erlang and RabbitMQ

Before you install the rabbitmq-server package, you’ll need to install the repositories for these packages. Package Cloud conveniently has scripts to do this for you, including the repository for the zero-dependency Erlang RPM for RabbitMQ.

Using the latest scripts from Package Cloud for your relevant OS, install the repositories for erlang and rabbitmq-server:

https://packagecloud.io/rabbitmq/rabbitmq-server

https://packagecloud.io/rabbitmq/erlang

For more details on the zero-dependency Erlang RPM for RabbitMQ, take a look at the GitHub page: https://github.com/rabbitmq/erlang-rpm

Install RabbitMQ

Now that you have the relevant repositories installed, you can install the rabbitmq-server package using the following yum command:

yum install rabbitmq-server

yum will resolve and install the erlang dependencies for you.

Configure RabbitMQ

Now we need to create some directories for your SSL certificates and create the configuration file for RabbitMQ.

Create the following directories for your SSL certificates:

cd /etc/rabbitmq
mkdir ca server client

Create the rabbitmq.config file with the following content in /etc/rabbitmq. Note that this configuration allows TLS 1.0 and 1.1 and the CBC, 3DES and DES cipher suites, which only matters if you have old AMQP clients to support; vCloud Director negotiates TLS 1.2 with the AES-GCM suites, so if it is your only client you can trim the versions list to 'tlsv1.2' and the ciphers to the ECDHE AES-GCM entries. It also leaves RabbitMQ’s default plaintext AMQP listener on port 5672 enabled; set tcp_listeners to an empty list in the rabbit section if nothing should talk AMQP in the clear:

[{ssl, [{versions, [tlsv1, 'tlsv1.2', 'tlsv1.1']},
         {ciphers,  ["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
 "ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384",
 "ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384",
 "ECDH-ECDSA-AES256-SHA384","ECDH-RSA-AES256-SHA384",
 "DHE-RSA-AES256-GCM-SHA384","DHE-DSS-AES256-GCM-SHA384",
 "DHE-RSA-AES256-SHA256","DHE-DSS-AES256-SHA256","AES256-GCM-SHA384",
 "AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
 "ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256",
 "ECDHE-RSA-AES128-SHA256","ECDH-ECDSA-AES128-GCM-SHA256",
 "ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
 "ECDH-RSA-AES128-SHA256","DHE-RSA-AES128-GCM-SHA256",
 "DHE-DSS-AES128-GCM-SHA256","DHE-RSA-AES128-SHA256","DHE-DSS-AES128-SHA256",
 "AES128-GCM-SHA256","AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
 "ECDHE-RSA-AES256-SHA","DHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
 "ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA","AES256-SHA",
 "ECDHE-ECDSA-DES-CBC3-SHA","ECDHE-RSA-DES-CBC3-SHA","EDH-RSA-DES-CBC3-SHA",
 "EDH-DSS-DES-CBC3-SHA","ECDH-ECDSA-DES-CBC3-SHA","ECDH-RSA-DES-CBC3-SHA",
 "DES-CBC3-SHA","ECDHE-ECDSA-AES128-SHA","ECDHE-RSA-AES128-SHA",
 "DHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA",
 "ECDH-RSA-AES128-SHA","AES128-SHA","EDH-RSA-DES-CBC-SHA","DES-CBC-SHA"]}]},
  {rabbit, [
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"/etc/rabbitmq/ca/cacert.pem"},
                    {certfile,"/etc/rabbitmq/server/cert.pem"},
                    {keyfile,"/etc/rabbitmq/server/key.pem"},
                    {versions, [tlsv1, 'tlsv1.2', 'tlsv1.1']},
                    {verify, verify_peer},
                    {padding_check, true},
                    {ciphers,  ["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
 "ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384",
 "ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384",
 "ECDH-ECDSA-AES256-SHA384","ECDH-RSA-AES256-SHA384",
 "DHE-RSA-AES256-GCM-SHA384","DHE-DSS-AES256-GCM-SHA384",
 "DHE-RSA-AES256-SHA256","DHE-DSS-AES256-SHA256","AES256-GCM-SHA384",
 "AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
 "ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256",
 "ECDHE-RSA-AES128-SHA256","ECDH-ECDSA-AES128-GCM-SHA256",
 "ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
 "ECDH-RSA-AES128-SHA256","DHE-RSA-AES128-GCM-SHA256",
 "DHE-DSS-AES128-GCM-SHA256","DHE-RSA-AES128-SHA256","DHE-DSS-AES128-SHA256",
 "AES128-GCM-SHA256","AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
 "ECDHE-RSA-AES256-SHA","DHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
 "ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA","AES256-SHA",
 "ECDHE-ECDSA-DES-CBC3-SHA","ECDHE-RSA-DES-CBC3-SHA","EDH-RSA-DES-CBC3-SHA",
 "EDH-DSS-DES-CBC3-SHA","ECDH-ECDSA-DES-CBC3-SHA","ECDH-RSA-DES-CBC3-SHA",
 "DES-CBC3-SHA","ECDHE-ECDSA-AES128-SHA","ECDHE-RSA-AES128-SHA",
 "DHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA",
 "ECDH-RSA-AES128-SHA","AES128-SHA","EDH-RSA-DES-CBC-SHA","DES-CBC-SHA"]},
                    {fail_if_no_peer_cert,false}]}
   ]}
].
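As an added example (not the configuration from the post above), here is a shell function that writes a tightened version of the same rabbitmq.config: TLS 1.2 only, forward-secret AES-GCM suites only, the plaintext 5672 listener turned off, and the management UI moved onto HTTPS on port 15671 using the management plugin’s standard listener settings. It assumes the certificate paths created earlier in the post, an RSA server key (so only the ECDHE-RSA suites are listed) and that every AMQP client can negotiate TLS 1.2, which vCloud Director’s Java client does.

```shell
#!/bin/bash
# Added example, not the original post's configuration.
# Emits a hardened /etc/rabbitmq/rabbitmq.config (classic Erlang-term
# format). Assumptions: the cert paths created earlier in the post, an
# RSA server key, and clients capable of TLS 1.2 (vCloud Director is).

# Print the hardened configuration to stdout.
rabbitmq_tls_config() {
  cat <<'EOF'
[
 %% Pin the Erlang ssl application to TLS 1.2 (the original also
 %% allowed TLS 1.0 and 1.1).
 {ssl, [{versions, ['tlsv1.2']}]},
 {rabbit, [
   %% No plaintext AMQP listener; the default would leave 5672 open.
   {tcp_listeners, []},
   {ssl_listeners, [5671]},
   {ssl_options, [{cacertfile, "/etc/rabbitmq/ca/cacert.pem"},
                  {certfile,   "/etc/rabbitmq/server/cert.pem"},
                  {keyfile,    "/etc/rabbitmq/server/key.pem"},
                  {versions, ['tlsv1.2']},
                  %% Forward-secret AEAD suites only: no CBC, no 3DES/DES,
                  %% no static key exchange. DHE suites are left out rather
                  %% than relying on the library's default DH group; add
                  %% them with your own 2048-bit group via dhfile if needed.
                  %% AES-128-GCM stays so Java 8 clients without the
                  %% unlimited-strength policy can still connect.
                  {ciphers, ["ECDHE-RSA-AES256-GCM-SHA384",
                             "ECDHE-RSA-AES128-GCM-SHA256"]},
                  {honor_cipher_order, true},
                  {secure_renegotiate, true},
                  {client_renegotiation, false},
                  %% Request a client cert but keep it optional: vCloud
                  %% Director authenticates with a username and password.
                  {verify, verify_peer},
                  {fail_if_no_peer_cert, false}]}
 ]},
 %% Management UI over HTTPS, reusing the AMQP server certificate.
 {rabbitmq_management, [
   {listener, [{port, 15671},
               {ssl, true},
               {ssl_opts, [{cacertfile, "/etc/rabbitmq/ca/cacert.pem"},
                           {certfile,   "/etc/rabbitmq/server/cert.pem"},
                           {keyfile,    "/etc/rabbitmq/server/key.pem"},
                           {versions, ['tlsv1.2']}]}]}
 ]}
].
EOF
}

# Check a config string: fails if any DES/3DES suite, TLS 1.0 or TLS 1.1
# is enabled, if TLS 1.2 is missing, or if the plaintext listener is still
# on. Returns 0 when clean, 1 otherwise.
config_is_hardened() {
  local cfg="$1"
  if printf '%s' "$cfg" | grep -Eq "DES-CBC|'tlsv1\.1'|[^']tlsv1[^.]"; then
    return 1
  fi
  printf '%s' "$cfg" | grep -q "'tlsv1\.2'" || return 1
  printf '%s' "$cfg" | grep -q 'tcp_listeners, \[\]' || return 1
  return 0
}

# Write the config where the server reads it; run as root, then
# restart rabbitmq-server.
install_rabbitmq_config() {
  local target="${1:-/etc/rabbitmq/rabbitmq.config}"
  rabbitmq_tls_config > "$target"
  chown rabbitmq: "$target"
  chmod 0640 "$target"
}
```

After install_rabbitmq_config and a restart, an openssl s_client connection to port 5671 forced to -tls1 or -tls1_1 should be refused, and a plain AMQP client on 5672 should get connection refused; the management UI answers on https://rabbitmq-fqdn:15671 instead of the plain HTTP port.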

Enable the RabbitMQ management plugin (web based admin GUI) by executing the following command:

rabbitmq-plugins enable rabbitmq_management

Create an administrative user for the RabbitMQ management plugin, replacing ‘yourpasswordhere’ on the first line with a secure password (it will land in your shell history, so clear that afterwards). rabbitmqctl talks to a running node, so these commands only work once the service has been started (see ‘Start RabbitMQ Server!’ below); because the configuration above points at the certificate files, put those in place first or the TLS listener will fail to come up. RabbitMQ also creates a default guest account on first start, restricted to connections from localhost; delete it once your own admin user works.

rabbitmqctl add_user admin yourpasswordhere
rabbitmqctl set_permissions -p / admin ".*" ".*" ".*"
rabbitmqctl set_user_tags admin administrator

Generate CSR using OpenSSL

Use the following command to generate a private key and a certificate signing request. OpenSSL will prompt interactively for the subject fields; make sure the Common Name is the FQDN that vCloud Director will connect to, and ask your CA to include it as a Subject Alternative Name as well, since many clients now ignore the CN:

openssl req -new -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr

The prompts end with an optional challenge password. It is an attribute of the CSR that your CA may or may not use, not a passphrase on the key, and RabbitMQ never sees it, so you can leave it blank. The -nodes flag means the key in mydomain.key is written unencrypted, which is what the rabbitmq service needs in order to start unattended, so keep that file private.
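As an added example, not the post’s own command, here is the same openssl req call driven by a small request config so that the CSR carries the FQDN as a Subject Alternative Name and the serverAuth extended key usage, which is what a hostname-checking client such as vCloud Director’s Java AMQP client expects. The hostnames and the organisation name are placeholders.

```shell
#!/bin/bash
# Added example, not the original post's command. Generates the RabbitMQ
# server key and CSR with a Subject Alternative Name and serverAuth EKU
# so hostname-checking clients (vCloud Director's Java AMQP client) accept
# the certificate. The FQDN and organisation name are placeholders.

# Emit an OpenSSL request config for the FQDN plus any extra DNS names
# (for example a cluster alias) to stdout.
openssl_req_config() {
  local fqdn="$1"; shift
  local alt="DNS:${fqdn}"
  local extra
  for extra in "$@"; do
    alt="${alt},DNS:${extra}"
  done
  cat <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
CN = ${fqdn}
O  = Example Org

[ v3_req ]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = ${alt}
EOF
}

# Generate an unencrypted 2048-bit RSA key plus the CSR.
# Usage: make_csr rabbitmq.example.com [amqp.example.com ...]
make_csr() {
  local fqdn="$1" cfg
  cfg="$(mktemp)"
  openssl_req_config "$@" > "$cfg"
  # -nodes: no passphrase, so the rabbitmq service can load the key
  # unattended. No challenge password is set; RabbitMQ never uses one.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -config "$cfg" -reqexts v3_req \
      -keyout "${fqdn}.key" -out "${fqdn}.csr"
  rm -f "$cfg"
  chmod 0600 "${fqdn}.key"
  # Confirm the SAN made it into the request before sending it to the CA.
  openssl req -in "${fqdn}.csr" -noout -text | grep -A1 'Subject Alternative Name'
}
```

Hand the resulting .csr to your CA as before; a Windows CA will only copy the SAN into the issued certificate if the template allows subject extensions from the request, so check the issued certificate with openssl x509 -noout -text once it comes back.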

Install trusted SSL certs

I’ve skipped over the part where you sign the CSR, as this was handled by a colleague of mine; hopefully you have someone who can take care of this for you too!

If the certificates were issued by a Microsoft Windows CA and exported as Base-64 encoded X.509, they are already PEM, so renaming .cer to .pem is all that’s needed for both the server certificate and the CA certificates. If they were exported in the binary DER encoding instead, convert them to PEM with openssl x509 first.

RabbitMQ needs two certificate files. cert.pem is the server certificate on its own. cacert.pem is the chain that issued it: if you have a root and an intermediate certificate, combine these into one file (literally just copy and paste the contents into a single .pem file using your favourite text editor or command line tool), with the intermediate certificate(s) first and the root CA certificate last. RabbitMQ sends that chain to clients alongside cert.pem and also uses it to check any client certificate it is offered, so the server certificate itself belongs in cert.pem, not in the bundle.

The private key never comes from the CA. The openssl req command above wrote it to mydomain.key, already PEM encoded and, because of -nodes, unencrypted, so normally nothing needs converting and the CSR challenge password plays no part. If you generated an encrypted key instead (without -nodes), strip the passphrase so the service can load the key unattended. OpenSSL will prompt for the passphrase, which is preferable to passing it on the command line with -passin, where it would be recorded in your shell history and visible to other users via ps:

openssl rsa -in mydomain.key -out key.pem

You’ll end up with the CA chain (cacert.pem), the server certificate (cert.pem) and the private key (key.pem).

Copy the SSL certificates into the directories we created earlier. Only the ca and server copies are used by the configuration above; the client copies would only matter if you configured RabbitMQ’s own client tools for mutual TLS, and vCloud Director authenticates with a username and password rather than a certificate, so you can skip the last two (a private key should not be duplicated without a reason):

cp cacert.pem /etc/rabbitmq/ca/cacert.pem
cp cert.pem /etc/rabbitmq/server/cert.pem
cp key.pem /etc/rabbitmq/server/key.pem
cp cert.pem /etc/rabbitmq/client/cert.pem
cp key.pem /etc/rabbitmq/client/key.pem 

Change ownership on the certificate directories, and check the mode on key.pem with ls -l: cp keeps whatever mode openssl gave the file, which is often world-readable, so tighten it to 0640 so that only the rabbitmq user can read it:

chown -R rabbitmq: /etc/rabbitmq/ca
chown -R rabbitmq: /etc/rabbitmq/server
chown -R rabbitmq: /etc/rabbitmq/client

Start RabbitMQ Server!

systemctl enable rabbitmq-server
systemctl start rabbitmq-server
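The following is an added example covering the certificate installation steps above and the first start-up; it is not from the original post. It assembles cacert.pem in the order RabbitMQ expects (converting binary DER exports from a Windows CA on the way), confirms the signed certificate actually matches the private key and validates against the bundle, installs the files with the ownership and modes the rabbitmq user needs, and after the restart probes port 5671 with openssl s_client to confirm TLS 1.2 and a clean verify. The input file names (server.cer, intermediate.cer, root.cer, rabbitmq.example.com.key) and the FQDN are assumptions.

```shell
#!/bin/bash
# Added example covering certificate installation and first start-up; not
# the original post's commands. Input names (server.cer, intermediate.cer,
# root.cer, rabbitmq.example.com.key) and the FQDN are assumptions.

# Convert a certificate to PEM whether the CA exported it as Base-64 or
# as binary DER.
to_pem() {
  local in="$1" out="$2"
  if grep -q 'BEGIN CERTIFICATE' "$in"; then
    cp "$in" "$out"
  else
    openssl x509 -inform der -in "$in" -out "$out"
  fi
}

# Number of PEM certificate blocks in a file.
pem_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Build cacert.pem from the issuing chain, intermediate(s) first, root last.
# The server certificate itself does not go in here.
# Usage: build_ca_bundle cacert.pem intermediate.pem [more.pem ...] root.pem
build_ca_bundle() {
  local out="$1"; shift
  local f
  : > "$out"
  for f in "$@"; do
    grep -q 'BEGIN CERTIFICATE' "$f" || { echo "not a PEM certificate: $f" >&2; return 1; }
    cat "$f" >> "$out"
    # Keep blocks on separate lines even if a file lacks a trailing newline.
    [ -z "$(tail -c1 "$f")" ] || echo >> "$out"
  done
  [ "$(pem_cert_count "$out")" -eq "$#" ]
}

# The certificate's public key must be the one from the key file. Comparing
# SHA-256 digests of the RSA modulus catches a mix-up before RabbitMQ refuses
# to bring up the listener.
key_matches_cert() {
  local cert="$1" key="$2" c k
  c="$(openssl x509 -noout -modulus -in "$cert" | openssl sha256)"
  k="$(openssl rsa  -noout -modulus -in "$key"  | openssl sha256)"
  [ "$c" = "$k" ]
}

# Install under /etc/rabbitmq: certificates readable by all, the key only
# by the service account. Nothing in this deployment needs client/ copies,
# so the private key is not duplicated there.
install_certs() {
  local bundle="$1" cert="$2" key="$3" base="${4:-/etc/rabbitmq}"
  install -o rabbitmq -g rabbitmq -m 0644 "$bundle" "$base/ca/cacert.pem"
  install -o rabbitmq -g rabbitmq -m 0644 "$cert"   "$base/server/cert.pem"
  install -o rabbitmq -g rabbitmq -m 0640 "$key"    "$base/server/key.pem"
}

# End-to-end run (as root, on the broker host): assemble, verify, install,
# restart, then probe the TLS listener the way a client would.
main() {
  to_pem server.cer cert.pem
  to_pem intermediate.cer intermediate.pem
  to_pem root.cer root.pem
  build_ca_bundle cacert.pem intermediate.pem root.pem
  openssl verify -CAfile cacert.pem cert.pem          # expects "cert.pem: OK"
  key_matches_cert cert.pem rabbitmq.example.com.key
  install_certs cacert.pem cert.pem rabbitmq.example.com.key
  systemctl restart rabbitmq-server
  # Expect "Protocol  : TLSv1.2" and "Verify return code: 0 (ok)".
  openssl s_client -connect rabbitmq.example.com:5671 -CAfile cacert.pem \
      -servername rabbitmq.example.com </dev/null 2>/dev/null \
    | grep -E 'Protocol|Verify return'
}
```

Source the file and call main on the broker once the signed certificate is back from the CA; if key_matches_cert fails, the CSR you sent was generated from a different key than the one on disk, and if openssl verify fails, the bundle is missing an issuer or contains the server certificate instead of the chain.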

Configure RabbitMQ for vCloud Director

Log in to the RabbitMQ management web GUI using http://rabbitmq-fqdn:15672 and the administrative credentials you configured earlier. This listener is plain HTTP, so the admin password crosses the network in clear text; until it is moved to HTTPS, reach it only from a trusted network or restrict port 15672 with the host firewall.

Click the ‘Admin’ tab at the top and then click ‘Add a user’. Fill out the username and password fields, then select the ‘Add user’ button. Leave the Tags field empty: this account only needs to publish and consume messages, not administer the broker.

From the list of users under ‘All Users’, click the newly created users name in the ‘Name’ column to open the user configuration.

To set the default permissions and topic permissions, select the ‘Set permission’ and ‘Set topic permission’ buttons. The defaults are ‘.*’ for configure, write and read on the ‘/’ vhost, which is what vCloud Director needs in order to declare its exchange and queues, and also why this account should be kept separate from your admin user. You should then see permissions listed under ‘Current permissions’ and ‘Current topic permissions’ similar to the screenshot below.

RabbitMQ is now fully configured ready for use by vCloud Director!

Configure vCloud Director

Log in to your vCloud Director portal and select the ‘Administration’ tab, then select ‘Extensibility’ on the left under ‘System Settings’.

Configure the following settings:

AMQP Host: FQDN of your RabbitMQ host/cluster
AMQP Port: We’ve configured port 5671 for SSL here, so enter 5671 for the port
Exchange: Leave this at the default setting
vHost: Leave this at the default setting
Prefix: Leave this at the default setting
SSL: Check the ‘Use SSL’ box, but do not tick the ‘Accept all certificates’ box (that option disables certificate validation and would let anyone able to intercept the connection impersonate the broker)
SSL Certificate: Browse and upload the SSL certificate you configured earlier for RabbitMQ in the .pem format. This pins that specific certificate, so remember to upload the renewed one before the current one expires
SSL Key Store (JCEKS): Ignore this
SSL Key Store Password: Ignore this
User Name: The user account created in the previous step (the example used newuser)
Password: The password for the user created in the previous step

You can select ‘Test AMQP Connection’ to validate the settings are correct.

An example configuration is below:

You can now switch back to your RabbitMQ management GUI; under the ‘Connections’ tab you should be able to verify that all your vCloud Director cells are connected. The dot in the SSL/TLS column indicates that the connection negotiated TLS, so messages are encrypted in transit.
