First, install and configure RabbitMQ on both machines (the one this guide calls the server and the one it calls the client) so that a federation link can be established between the two brokers.
To create a RabbitMQ federation link over TLS, follow these steps.
Upstream and downstream brokers. A federation link always has two ends: an upstream broker, which is the source of the messages, and a downstream broker, which is where the federation-upstream parameter and the federation policy are defined. In this guide one machine is called the server and the other the client; the link is defined on the server and its URI points at the client, so in RabbitMQ terms the server is the downstream end and the client is the upstream end.
In RabbitMQ, the downstream broker opens an outbound AMQP connection to the upstream broker over the federation link, consumes messages from the federated exchange or queue on the upstream and republishes them locally, where they are routed to the downstream's own queues and consumers. Federation is typically used to build distributed architectures across data centres or administrative domains and to improve scalability and fault tolerance.
Each upstream definition carries its own settings, such as how many messages to prefetch, how long to wait before reconnecting, how many hops a message may travel through a chain of federated brokers (max-hops), and which exchanges or queues a policy applies it to. The connection to the upstream can also be made over TLS, with the downstream presenting a client certificate and verifying the upstream's certificate against a trusted CA, which is what the rest of this guide sets up.
Step 1. Generate the TLS certificates on the server with the commands below. tls-gen creates a private CA plus one server certificate and one client certificate signed by it.
# clone tls-gen on the server
git clone https://github.com/rabbitmq/tls-gen tls-gen
cd tls-gen/basic
make CN="client.example.com"
ls -l ./result
# the generated files are in the result directory
dj@Djs-MacBook-Air basic % ls -la result
total 64
drwxr-xr-x 10 dj staff 320 Feb 14 17:32 .
drwxr-xr-x 10 dj staff 320 Feb 14 17:32 ..
-rw-r--r-- 1 dj staff 1269 Feb 14 17:32 ca_certificate.pem
-rw-r--r-- 1 dj staff 1708 Feb 14 17:32 ca_key.pem
-rw-r--r-- 1 dj staff 3485 Feb 14 17:32 client-example.p12
-rw-r--r-- 1 dj staff 1330 Feb 14 17:32 client-example_certificate.pem
-rw-r--r-- 1 dj staff 1704 Feb 14 17:32 client-example_key.pem
-rw-r--r-- 1 dj staff 3549 Feb 14 17:32 server-example.p12
-rw-r--r-- 1 dj staff 1415 Feb 14 17:32 server-example_certificate.pem
-rw-r--r-- 1 dj staff 1704 Feb 14 17:32 server-example_key.pem
From the result directory, note which file is which: ca_certificate.pem is the CA that both brokers must trust; server-example_certificate.pem and server-example_key.pem are for a broker's TLS listener; client-example_certificate.pem and client-example_key.pem are what the server presents when it dials the client over the federation link, so they stay on the server. Copy ca_certificate.pem together with a listener certificate and key into a separate directory and transfer it to the client machine over a secure channel (scp or similar); for a lab both listeners can use the same server pair, in production each host gets its own certificate with its own hostname. ca_key.pem is the CA's private key: neither broker needs it, so do not copy it to them and keep it offline, because anyone holding it can mint certificates that both brokers will accept.
Step 2. Configure the broker to accept TLS connections on TCP port 5671 using the server certificate.
Create rabbitmq.conf under the /etc/rabbitmq directory with the following contents (comments go on their own line):
listeners.ssl.default = 5671
ssl_options.cacertfile = /path/to/ca_certificate.pem
# use the actual paths of your certificate and key files
ssl_options.certfile = /path/to/server_certificate.pem
ssl_options.keyfile = /path/to/server_key.pem
# require the connecting peer to present a certificate signed by the CA above
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
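A hardened variant of the listener configuration above, added here as an example and not taken from the original guide. It keeps the mutual-TLS settings, switches off the plaintext AMQP listener so nothing can fall back to an unencrypted connection on 5672, restricts the protocol to TLS 1.2 and 1.3, and limits how long a certificate chain the broker accepts. The directory /etc/rabbitmq/certs is an assumption; TLS 1.3 needs an Erlang/OTP build that supports it, and listeners.tcp = none will break any local application still connecting with amqp:// on 5672.

```ini
# Hardened TLS listener for /etc/rabbitmq/rabbitmq.conf (added example; paths are assumptions)

# No plaintext AMQP listener: federation peers and local clients must use amqps:// on 5671
listeners.tcp = none
listeners.ssl.default = 5671

# Key material: the key file should be owned by the rabbitmq user with mode 0600
ssl_options.cacertfile = /etc/rabbitmq/certs/ca_certificate.pem
ssl_options.certfile = /etc/rabbitmq/certs/server-example_certificate.pem
ssl_options.keyfile = /etc/rabbitmq/certs/server-example_key.pem

# Mutual TLS: the peer must present a certificate that chains to the CA above
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
# tls-gen issues leaf certificates directly from the CA; allow at most one intermediate
ssl_options.depth = 1

# Only modern protocol versions; TLS 1.0 and 1.1 are refused
ssl_options.versions.1 = tlsv1.3
ssl_options.versions.2 = tlsv1.2
```

After changing the file, restart the broker and confirm with the netstat check from Step 3 that only 5671 is listening for AMQP.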
Step 3. Restart the RabbitMQ service and confirm that the TLS listener is up:
systemctl restart rabbitmq-server
netstat -tulpn | grep 5671 # the listener on 5671 should appear here
Step 4. On the server, create the user, virtual host, exchange, queue and binding that the federation link will use, so that once the link is up messages arriving through the federated exchange are routed into the queue.
Use the commands below to create everything you need (rabbitmqadmin talks to the management HTTP API, so the rabbitmq_management plugin must be enabled):
# Create a user. test/test with the administrator tag is a lab credential; in production use a dedicated account with a strong password and only the permissions the link needs.
rabbitmqctl add_user test test
rabbitmqctl set_user_tags test administrator
rabbitmqctl set_permissions -p / test ".*" ".*" ".*"
# Add the virtual host and grant the same user access to it (the built-in guest user is loopback-only by default and is not the account the link uses)
rabbitmqctl add_vhost Some_Virtual_Host
rabbitmqctl set_permissions -p Some_Virtual_Host test ".*" ".*" ".*"
# Make an exchange
./rabbitmqadmin --vhost=Some_Virtual_Host declare exchange name=some_exchange type=direct
# Make a queue
./rabbitmqadmin --vhost=Some_Virtual_Host declare queue name=some_outgoing_queue durable=true
# Bind the queue to the exchange (the destination must be the queue declared above)
./rabbitmqadmin --vhost=Some_Virtual_Host declare binding source=some_exchange destination_type=queue destination=some_outgoing_queue routing_key=some_routing_key
Client-side steps:
Step 1. Copy ca_certificate.pem and a certificate and key for this broker's TLS listener (the server-example_certificate.pem and server-example_key.pem pair from tls-gen, or a pair generated for this host) to the client machine. The client-example_* files are not needed here: they stay on the server, which presents them when it dials the client. Make the key file readable only by the rabbitmq user, then put the following in /etc/rabbitmq/rabbitmq.conf:
listeners.ssl.default = 5671
ssl_options.cacertfile = /path/to/ca_certificate.pem
# use the actual paths of the certificate and key files on this machine
ssl_options.certfile = /path/to/server_certificate.pem
ssl_options.keyfile = /path/to/server_key.pem
# the server must present its client certificate when it connects
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
Restart the RabbitMQ service and confirm that the TLS listener is up on the client machine:
systemctl restart rabbitmq-server
netstat -tulpn | grep 5671 # the listener on 5671 should appear here
Step 2. Create the user that the federation link authenticates as when it connects to the client. The link only needs configure, write and read permissions on the vhost it uses (here /); the administrator tag is not required for federation and is kept only so the same account can be used in the management UI of this lab. Outside a lab, give this account a strong, dedicated password.
rabbitmqctl add_user test test
rabbitmqctl set_user_tags test administrator
rabbitmqctl set_permissions -p / test ".*" ".*" ".*"
The client configuration is complete. Now switch back to the server, where the federation link is defined; in RabbitMQ terms this makes the server the downstream end of the link and the client the upstream.
Defining the link has three parts:
- Create a federation-upstream parameter whose uri is an amqps:// URL, which tells the federation plugin to connect over TLS. The query string names the CA file used to verify the client's listener certificate and the client certificate and key the server presents to satisfy fail_if_no_peer_cert on the client. All three paths refer to files on the server, because the server is the side that dials out.
- Set a policy on the server that matches the exchange (or queue) to federate and carries federation-upstream-set (for example "all") or federation-upstream naming a single upstream; the parameter alone does nothing until a policy refers to it.
- Test the link: publish to the exchange on the client and confirm that the message lands in the queue bound on the server.
Complete federation link command (run on the server; -p names the server vhost created in Step 4, while %2f in the URI is the URL-encoded name of the / vhost on the client where the test user was granted permissions; the user and password are the ones created on the client):
rabbitmqctl set_parameter -p Some_Virtual_Host federation-upstream myfirstlink '{"uri":"amqps://test:test@clientserveripaddress:5671/%2f?cacertfile=/cert/path/to/ca_certificate.pem&certfile=/path/to/client/cert.pem&keyfile=/path/to/keyfile.pem"}'
Specify the client certificate paths as they exist on the server, not the paths on the client machine. Once the parameter and a matching policy are in place, the link appears under Federation Status in the management UI.
Tail the broker log in /var/log/rabbitmq/ (the file is named after the node, e.g. rabbit@<hostname>.log) for TLS handshake or authentication errors.
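The three pieces of the link (plugin, upstream parameter, policy, status check) in one script, added here as an example and not part of the original guide. It runs on the server, percent-encodes the credentials and vhost for the URI (so a password containing @, / or : does not corrupt the URL), and adds verify=verify_peer so the server validates the client's listener certificate against the CA instead of only presenting its own client certificate. The host name upstream.example.com, the password used in main, the certificate directory /etc/rabbitmq/certs, the policy name federate-me and the DRY_RUN switch are this example's assumptions; with DRY_RUN=1 (the default) it only prints the rabbitmqctl commands.

```shell
#!/bin/sh
# Added example, not from the original guide: define the downstream end of a
# TLS federation link on the server in one go. Host name, paths, policy name
# and the DRY_RUN switch are assumptions of this example.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1: print the rabbitmqctl commands; 0: execute them

# Percent-encode a string for use in an AMQP URI: RFC 3986 unreserved
# characters pass through, everything else becomes %XX. Needed for the vhost
# "/" (-> %2F) and for passwords containing @ : / ? or &.
urlencode() {
  ue_in=$1
  ue_out=""
  while [ -n "$ue_in" ]; do
    ue_rest=${ue_in#?}            # everything after the first character
    ue_c=${ue_in%"$ue_rest"}      # the first character
    case $ue_c in
      [A-Za-z0-9._~-]) ue_out="$ue_out$ue_c" ;;
      *) ue_out="$ue_out$(printf '%%%02X' "'$ue_c")" ;;
    esac
    ue_in=$ue_rest
  done
  printf '%s' "$ue_out"
}

# Build the amqps:// URI the federation plugin dials. The query parameters are
# the ones documented for federation URIs: cacertfile/certfile/keyfile select
# the CA and the client certificate the server presents; verify=verify_peer
# makes the server validate the client's listener certificate against that CA;
# server_name_indication sets the TLS SNI to the host we expect to reach.
federation_uri() {
  fu_user=$(urlencode "$1"); fu_pass=$(urlencode "$2"); fu_host=$3
  fu_vhost=$(urlencode "$4"); fu_ca=$5; fu_cert=$6; fu_key=$7
  printf 'amqps://%s:%s@%s:5671/%s?cacertfile=%s&certfile=%s&keyfile=%s&verify=verify_peer&server_name_indication=%s' \
    "$fu_user" "$fu_pass" "$fu_host" "$fu_vhost" "$fu_ca" "$fu_cert" "$fu_key" "$fu_host"
}

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Step 0: the federation plugin must be enabled on the broker that defines the link.
enable_plugin() {
  run rabbitmq-plugins enable rabbitmq_federation
}

# Step 1: the upstream definition; its name is what a policy can refer to.
define_upstream() {
  run rabbitmqctl set_parameter -p "$1" federation-upstream "$2" \
    "$(printf '{"uri":"%s"}' "$3")"
}

# Step 2: the policy that makes an exchange federated. Without a matching policy
# the parameter is inert. This matches the some_exchange declared in Step 4 and
# federates it from every upstream defined in the vhost.
define_policy() {
  run rabbitmqctl set_policy -p "$1" federate-me '^some_exchange$' \
    '{"federation-upstream-set":"all"}' --apply-to exchanges
}

# Step 3: the link should be reported as running once the TLS handshake and the
# AMQP login on the client succeed; an error here is the first place to look.
check_link() {
  run rabbitmqctl federation_status
}

main() {
  m_uri=$(federation_uri test 'p@ss/word' upstream.example.com / \
    /etc/rabbitmq/certs/ca_certificate.pem \
    /etc/rabbitmq/certs/client-example_certificate.pem \
    /etc/rabbitmq/certs/client-example_key.pem)
  enable_plugin
  define_upstream Some_Virtual_Host myfirstlink "$m_uri"
  define_policy Some_Virtual_Host
  check_link
}

main
```

Run it as DRY_RUN=0 ./federate.sh on the server once you have replaced the host name, password and paths. The dry-run output is printed without shell quoting, so copy the URI from the script itself rather than from the printout if you paste the command by hand.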
Make sure the federation plugin is enabled. It is needed on the broker that defines the link and opens the connection (the server in this guide); the client only has to accept the AMQP connection.
rabbitmq-plugins list # lists all plugins and whether they are enabled
rabbitmq-plugins enable rabbitmq_federation_management # enable on the server; this also enables rabbitmq_federation, which is the plugin the link actually requires, and adds the Federation Status page to the management UI
If you still run into problems, the RabbitMQ documentation has the full details on TLS setup and certificate generation:
https://www.rabbitmq.com/ssl.html#automated-certificate-generation