Using SSL connection from GPSS to RabbitMQ
Article ID: 389063

Updated On: 02-25-2025

Products

VMware Tanzu Greenplum, VMware Tanzu Data Suite

Issue/Introduction

This article describes what is needed to use SSL (TLS) connections between the Greenplum Streaming Server (GPSS) and a RabbitMQ broker.

When GPSS connects to RabbitMQ without SSL (a plaintext connection), a username and password are specified in the SERVER entry of the job's YAML file, for example:

DATABASE: mydatabase
USER: user01
PASSWORD: t0pS3cr3t
HOST: cdw
PORT: 5432
VERSION: 2
RABBITMQ:
  INPUT:
    SOURCE:
      SERVER: r_user:user_password@rabbitmq_server:5672 # format: <user>:<password>@<server name or IP>:<port>
      QUEUE: test_queue
...

 

When GPSS connects to RabbitMQ with SSL, a username and password cannot be specified in the SERVER entry of the job's YAML file. Instead, a client certificate identifies the RabbitMQ user: the broker authenticates the connection with its EXTERNAL mechanism and takes the user name from the certificate. For example:

DATABASE: mydatabase
USER: user01
PASSWORD: t0pS3cr3t
HOST: cdw
PORT: 5432
VERSION: 2
RABBITMQ:
  INPUT:
    SOURCE:
      SERVER: rabbitmq_server:5671    # format: <server name or IP>:<port>, no user:password
      QUEUE: test_queue
    ...
  ...
  PROPERTIES:
    use.ssl: true
    ssl_options.servername: rabbit-server.domain.com
    ssl_options.cacertfile: /etc/certificates/root_cert.pem
    ssl_options.certfile: /etc/certificates/user_cert.pem
    ssl_options.keyfile: /etc/certificates/user_key.pem
...

Resolution

Required configuration on the RabbitMQ broker:

  • The RabbitMQ broker needs to be configured to offer the "EXTERNAL" authentication mechanism via "auth_mechanisms", for example (rabbitmq.conf):
auth_mechanisms.1 = PLAIN
auth_mechanisms.2 = AMQPLAIN
auth_mechanisms.3 = EXTERNAL

ssl_cert_login_from = common_name

ssl_options.cacertfile  = /etc/certificates/root_cert.pem
ssl_options.certfile    = /etc/certificates/rabbit_server_cert.pem
ssl_options.keyfile     = /etc/certificates/rabbit_server_key.pem
ssl_options.verify      = verify_peer
ssl_options.fail_if_no_peer_cert        = true

The above example offers "EXTERNAL" alongside the default authentication mechanisms, "PLAIN" and "AMQPLAIN". Every mechanism listed here is offered to every client, so if certificate authentication is meant to be the only way in, list only EXTERNAL; the plaintext listener on port 5672 is controlled separately (listeners.tcp = none disables it).

The setting "ssl_cert_login_from" specifies where in the client certificate the broker looks for the name of the user trying to log in; "common_name" uses the CN. It can be changed to "subject_alternative_name", but then "ssl_cert_login_san_type" and "ssl_cert_login_san_index" also need to be set. The user name taken from the certificate must still exist as a RabbitMQ user with permissions on the virtual host: the certificate replaces the password, not the account. See "x509 (TLS/SSL) certificate Authentication Mechanism" in the RabbitMQ documentation for more details.

The "ssl_options.cacertfile" is the CA certificate the broker uses to verify client certificates ("verify_peer"), so it must be the root certificate (or chain) that signed the GPSS client certificate. Together with "fail_if_no_peer_cert = true" this makes a valid client certificate mandatory on the TLS listener.

The "ssl_options.certfile" and "ssl_options.keyfile" contain the RabbitMQ server's own certificate and private key.

NOTE: The certificate and key files need to be in "PEM" format.

 

  • The plugin "rabbitmq_auth_mechanism_ssl", which provides the EXTERNAL mechanism that reads the user name from the certificate, needs to be enabled:
rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl

 

Required configuration in the GPSS job's YAML file (the PROPERTIES block under RABBITMQ):

  ...
  PROPERTIES:
    use.ssl: true
    ssl_options.servername: rabbit-server.domain.com
    ssl_options.cacertfile: /etc/certificates/root_cert.pem
    ssl_options.certfile: /etc/certificates/user_cert.pem
    ssl_options.keyfile: /etc/certificates/user_key.pem
  ...

"ssl_options.servername" needs to match the host name in the RabbitMQ server's certificate: traditionally its CommonName (CN), but modern TLS clients match the name against the Subject Alternative Name, so the name should appear in the SAN as well. This is the name GPSS verifies the broker against, so it must be the name the certificate was issued for, which is not necessarily the address given in SERVER.

"ssl_options.cacertfile" is the CA certificate GPSS uses to verify the RabbitMQ server's certificate. In this example a single root CA signed both the server and the user certificates, so it is the same root_cert.pem the broker trusts; the user's certificate must in turn chain to a root trusted by the RabbitMQ server.

"ssl_options.certfile" contains the user's certificate in PEM format. With "ssl_cert_login_from = common_name" on the broker, its CN is the RabbitMQ user name the connection is logged in as.

"ssl_options.keyfile" contains the user's private key in PEM format. It should be readable only by the OS user that runs gpss, since anyone who can read it can authenticate to RabbitMQ as that user.
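The following script is added here as a worked example; it is not part of the KB article and not GPSS or RabbitMQ code. It generates a throwaway root CA, a server certificate for rabbit-server.domain.com and a client certificate with CN r_user (the names used in the examples above), then runs the checks the configuration above relies on: that the client certificate's CN is the RabbitMQ user name, that both certificates chain to root_cert.pem, that the server certificate carries the ssl_options.servername host name, and that each private key matches its certificate. The ./certs directory, the file names and the helper function names are assumptions for the demo; it requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the KB article, GPSS or RabbitMQ): build demo certificates
# for mutual TLS between GPSS and RabbitMQ and pre-check them against the settings
# used in rabbitmq.conf and the GPSS job file. Needs the openssl CLI.
# Assumptions: ./certs as output directory, the host/user names below, file names
# matching the article's examples.
set -eu

CERT_DIR="${CERT_DIR:-./certs}"
RABBIT_HOST="rabbit-server.domain.com"   # value GPSS puts in ssl_options.servername
RABBIT_USER="r_user"                     # RabbitMQ user; becomes the client certificate CN

make_certs() {
    d=$CERT_DIR
    mkdir -p "$d"
    # Root CA: the same root_cert.pem is ssl_options.cacertfile on the broker and in the GPSS job.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$d/root_key.pem" -out "$d/root.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root_key.pem" -days 365 \
        -extfile "$d/ca.ext" -out "$d/root_cert.pem" 2>/dev/null
    # Server certificate: host name in the CN and in a DNS SAN, because modern TLS
    # clients match ssl_options.servername against the SAN rather than the CN.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$RABBIT_HOST" \
        -keyout "$d/rabbit_server_key.pem" -out "$d/rabbit_server.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$RABBIT_HOST" > "$d/server.ext"
    openssl x509 -req -in "$d/rabbit_server.csr" -CA "$d/root_cert.pem" -CAkey "$d/root_key.pem" \
        -CAcreateserial -days 365 -extfile "$d/server.ext" -out "$d/rabbit_server_cert.pem" 2>/dev/null
    # Client certificate: with ssl_cert_login_from = common_name the broker logs in
    # whatever user name is in the CN, so the CN must be the RabbitMQ user.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$RABBIT_USER" \
        -keyout "$d/user_key.pem" -out "$d/user.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"
    openssl x509 -req -in "$d/user.csr" -CA "$d/root_cert.pem" -CAkey "$d/root_key.pem" \
        -CAcreateserial -days 365 -extfile "$d/client.ext" -out "$d/user_cert.pem" 2>/dev/null
    # Private keys: owner-readable only (the gpss / rabbitmq OS user in a real deployment).
    chmod 600 "$d/root_key.pem" "$d/rabbit_server_key.pem" "$d/user_key.pem"
}

# User name RabbitMQ derives from a client certificate when ssl_cert_login_from = common_name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Does certificate $2 chain to the CA in $1? The broker makes this check on the client
# certificate (verify_peer) and GPSS makes it on the server certificate.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Does server certificate $1 carry host name $2 (the ssl_options.servername value)?
server_name_ok() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Does private key $2 belong to certificate $1? Compares the two public keys.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Run every check on the files named in the broker and GPSS configuration.
preflight() {
    d=$CERT_DIR
    cn=$(cert_cn "$d/user_cert.pem")
    [ "$cn" = "$RABBIT_USER" ] || { echo "client CN '$cn' is not RabbitMQ user '$RABBIT_USER'"; return 1; }
    chain_ok "$d/root_cert.pem" "$d/user_cert.pem" || { echo "user_cert.pem not signed by root_cert.pem"; return 1; }
    chain_ok "$d/root_cert.pem" "$d/rabbit_server_cert.pem" || { echo "server cert not signed by root_cert.pem"; return 1; }
    server_name_ok "$d/rabbit_server_cert.pem" "$RABBIT_HOST" || { echo "server cert does not carry $RABBIT_HOST"; return 1; }
    key_matches_cert "$d/user_cert.pem" "$d/user_key.pem" || { echo "user_key.pem does not match user_cert.pem"; return 1; }
    key_matches_cert "$d/rabbit_server_cert.pem" "$d/rabbit_server_key.pem" || { echo "server key does not match server cert"; return 1; }
    echo "preflight OK: RabbitMQ will log this certificate in as '$cn'; servername '$RABBIT_HOST' matches"
}

make_certs
preflight
```

Run it once before wiring the paths into rabbitmq.conf and the GPSS job. The same four checks applied to the production files catch the usual failures (CN that is not a RabbitMQ user, servername not present in the server certificate, wrong CA in cacertfile, key that belongs to a different certificate) before the first connection attempt, where they would otherwise surface only as a TLS handshake or "ACCESS_REFUSED" error.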