Replication TLS Configuration for RabbitMQ Replication Plugins

Article ID: 441068

Products

VMware Tanzu Data Services RabbitMQ Support Only for OpenSource RabbitMQ VMware Tanzu RabbitMQ VMware Tanzu Data Suite VMware Tanzu Data Intelligence

Issue/Introduction

Configuring secure replication links with TLS introduces challenges when encrypting private key passwords and utilizing client certificate authentication instead of standard username and password credentials.

Specifically, users need to:

  • Secure replication data in transit via TLS.

  • Encrypt private key passwords within the configuration files.

Environment

  • RabbitMQ deployments that use replication-related plugins or features with TLS settings.
  • Configurations that include replication-specific keys such as schema_definition_sync.ssl_options.* or standby.replication.downstream.ssl_options.*.

Cause

In rabbitmq.conf, encrypted values are supported only for a limited set of keys that were explicitly implemented for tagged encrypted values.

Replication-specific TLS password keys are not generally documented as part of that supported rabbitmq.conf encrypted-value set, so they may need to be configured in advanced.config instead.

Resolution

  • Put the replication plugin TLS block in advanced.config when the replication password field must be stored as an encrypted Erlang term such as {encrypted, "..."}.
  • Use rabbitmqctl encode to generate the encrypted value, then place that value in the relevant replication ssl_options.password entry in advanced.config.
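
A pre-deployment check for the layout described above, as an added example rather than code from the article or from RabbitMQ: it flags replication `ssl_options.password` keys left in rabbitmq.conf and counts `{password, ...}` entries in advanced.config by whether they use the `{encrypted, ...}` form. The application name `replication_plugin_app`, the file paths and the ciphertext in the sample inputs are constructed placeholders, and the text matching is a simplification, not a full Erlang term parser.

```python
import re

# Key families named in the article; ".password" is the private key password field.
REPLICATION_PREFIXES = (
    "schema_definition_sync.ssl_options.",
    "standby.replication.downstream.ssl_options.",
)
# Matches {password, ...}; group 1 is set only when the value is {encrypted, ...}.
PASSWORD_ENTRY = re.compile(r"\{\s*password\s*,\s*(\{\s*encrypted\b)?")

def audit_rabbitmq_conf(text):
    """Return replication TLS password keys set directly in rabbitmq.conf."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        key = line.split("=", 1)[0].strip()
        if "=" in line and key.endswith(".password") and key.startswith(REPLICATION_PREFIXES):
            findings.append(key)
    return findings

def audit_advanced_config(text):
    """Count {password, ...} entries in advanced.config by storage form."""
    # Simplification: treats % as a comment start, assuming no % inside strings.
    body = "\n".join(l.split("%", 1)[0] for l in text.splitlines())
    counts = {"encrypted": 0, "plaintext": 0}
    for m in PASSWORD_ENTRY.finditer(body):
        counts["encrypted" if m.group(1) else "plaintext"] += 1
    return counts

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_RABBITMQ_CONF = """\
schema_definition_sync.ssl_options.certfile = /path/to/client_cert.pem
schema_definition_sync.ssl_options.password = changeme
"""
SAMPLE_ADVANCED_CONFIG = """\
[
 {replication_plugin_app, [   % placeholder application name
   {ssl_options, [
     {keyfile, "/path/to/client_key.pem"},
     {password, {encrypted, "CONSTRUCTED-CIPHERTEXT"}}
   ]}
 ]}
].
"""

if __name__ == "__main__":
    print("plaintext keys in rabbitmq.conf:", audit_rabbitmq_conf(SAMPLE_RABBITMQ_CONF))
    print("advanced.config password entries:", audit_advanced_config(SAMPLE_ADVANCED_CONFIG))
```

A non-empty list from `audit_rabbitmq_conf` or a non-zero `plaintext` count means a private key password is still stored in clear text and should be moved or re-encoded as described in the Resolution.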

Additional Information

The following links can be useful: