
Message System SSL

The Message Bus system (MooMs) can be configured to operate using SSL connections to provide secure and authorized connectivity.

The message system for Moogsoft Enterprise is implemented with RabbitMQ. By default, Moogsoft Enterprise provides a rabbitmq.config that does not start RabbitMQ in SSL mode.

To enable RabbitMQ to run in SSL mode, see the RabbitMQ documentation.

Configure Moogsoft Enterprise to use SSL with the Message Bus

Once RabbitMQ has been configured to use SSL, Moogsoft Enterprise must be configured to use the RabbitMQ broker's SSL port and, if the SSL configuration set on RabbitMQ requires them, with the SSL certificates and keys that enable a secure and authorized connection to those brokers.

Below is an example of a full SSL Message Bus configuration in system.conf:

system.conf

########################################################################
# SSL configuration can be used to provide a means of secure           #
# communication between a Moog process and MooMS. MooMS can be setup   #
# with options to accept SSL connections with or without providing     #
# the relevant certificates and keys.                                  #
# Three modes of SSL are available:                                    #
# 1. No SSL      - SSL configuration is not specified                  #
# 2. Express SSL - This is where SSL configuration is specified, but   #
#                  empty or only the SSL protocol is set and specific  #
#                  certificates do not need to be specified.           #
# 3. Custom SSL  - This is where all the SSL configuration and         #
#                  certificates needed are specified to enable secure  #
#                  and authorised communication to MooMS.              #
#                  Note that Client key and certificate are optional.  #
#                  If neither of those are specified, then client      #
#                  certificate verification will not be performed.     #
########################################################################

"ssl" :
{
    # Specify the SSL Protocol to use.
    # If the configuration is not specified, "TLSv1.2" will be used
    # by default.
    # JRE 8 supports "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3"
    #
    "ssl_protocol" : "TLSv1.2",
    #
    # The location of the SSL certificate, key files.
    #
    # Relative pathing can be used, e.g. '.' to mean the current directory,
    # '../server.pem' or '../../server.pem' etc. If neither a relative
    # nor an absolute (starting with '/') path is used, then $MOOGSOFT_HOME
    # is prepended to it,
    # e.g. "config/server.pem" becomes "$MOOGSOFT_HOME/config/server.pem"
    #
    # Specify the server certificate.
    #
    "server_cert_file" : "server.pem",
    #
    # Enable client authentication by specifying the client certificate
    # and key files below. 
    # The key file has to be in PKCS#8 format.
    #
    "client_cert_file" : "client.pem",
    "client_key_file"  : "client.key"
}

Express SSL

Moogsoft Enterprise can be configured to connect to the RabbitMQ server without validating any certificates or attempting to authorize the client.

If the RabbitMQ server has been configured to reject clients that do not present valid certificates, this SSL mode will not work; Moogsoft Enterprise will then need to be configured with the correct certificates and keys to establish connectivity. To enable express SSL mode, simply uncomment the "ssl" configuration block and optionally specify the "ssl_protocol" setting:

Express SSL

"ssl" :
{
    # Specify the SSL Protocol to use.
    # If the configuration is not specified, "TLSv1.2" will be used
    # by default.
    # JDK 8 supports "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3"
    #
    "ssl_protocol" : "TLSv1.2"
}

Custom SSL

Moogsoft Enterprise can be configured to connect to the RabbitMQ server using a specific server certificate, and, if RabbitMQ has been enabled with Client Authentication, Moogsoft Enterprise can be configured with the client key and client certificate to authenticate with RabbitMQ.

Client Authentication is optional functionality; to run Moogsoft Enterprise with just a specific server certificate, simply comment out the client_cert_file and client_key_file entries.

Note

If Client Authentication is used, the "client_key_file" must be in PKCS#8 format. The following command can be run to convert a private key into PKCS#8 format:

openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in key.pem -out client.key

The following is an example of Moogsoft Enterprise specifying a full SSL configuration, connecting to a RabbitMQ broker that requires Client Authentication. The example also shows how you can organise the server and client SSL files in sub-folders:

Custom SSL

"ssl" :
{
    # Specify the SSL Protocol to use.
    # If the configuration is not specified, "TLSv1.2" will be used
    # by default.
    # JRE 8 supports "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3"
    #
    "ssl_protocol" : "TLSv1.2",
    #
    # The location of the SSL certificate, key files.
    #
    # Relative pathing can be used, e.g. '.' to mean the current directory,
    # '../server.pem' or '../../server.pem' etc. If neither a relative
    # nor an absolute (starting with '/') path is used, then $MOOGSOFT_HOME
    # is prepended to it,
    # e.g. "config/server.pem" becomes "$MOOGSOFT_HOME/config/server.pem"
    #
    # Specify the server certificate.
    #
    "server_cert_file" : "server/server.pem",
    #
    # Enable client authentication by specifying the client certificate
    # and key files below. 
    # The key file has to be in PKCS#8 format.
    #
    "client_cert_file" : "client/client.pem",
    "client_key_file"  : "client/client.key"
}
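The three SSL modes, the path rule in the comments above and the PKCS#8 requirement for "client_key_file" are easy to get wrong when editing system.conf by hand. The script below is an added example (not Moogsoft's own code) that lints the "ssl" block of a system.conf fragment before a Moog process is restarted: it classifies the block as No SSL, Express SSL or Custom SSL, resolves certificate paths the way the comments describe, checks that the client certificate and key are set together, flags "SSLv3", "TLSv1" and "TLSv1.1" (which JRE 8 accepts but which are deprecated), and checks whether a PEM private key carries a PKCS#8 banner. The sample fragments are constructed, $MOOGSOFT_HOME is assumed to be /opt/moog, and treating '.'-prefixed paths as relative to the working directory is my reading of the comment.

```python
"""Added example (not Moogsoft's own code): sanity-check the "ssl" block of a
Moogsoft Enterprise system.conf against the rules described in its comments."""
import json
import os

# Protocols JRE 8 can still negotiate but that are deprecated and should not be chosen.
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# PEM banners of a PKCS#8 private key; "BEGIN RSA PRIVATE KEY" / "BEGIN EC PRIVATE KEY"
# are the traditional formats that "openssl pkcs8 -topk8" converts from.
PKCS8_BANNERS = ("-----BEGIN PRIVATE KEY-----", "-----BEGIN ENCRYPTED PRIVATE KEY-----")


def strip_hash_comments(text):
    """Drop '#' comments outside double-quoted strings so json.loads can read
    the commented system.conf syntax."""
    out, in_str, i = [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == '"' and (i == 0 or text[i - 1] != "\\"):
            in_str = not in_str
        if ch == "#" and not in_str:
            nl = text.find("\n", i)          # skip to end of line
            i = len(text) if nl == -1 else nl
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def load_ssl_block(conf_text):
    """Return the "ssl" dict from a system.conf fragment, or None when the
    whole section is absent or commented out."""
    text = strip_hash_comments(conf_text).strip()
    if not text.startswith("{"):             # bare '"ssl" : {...}' fragment
        text = "{" + text + "}"
    return json.loads(text).get("ssl")


def resolve_path(path, moogsoft_home):
    """Path rule from the config comments: absolute ('/') and relative ('.', '..')
    paths are used as given; anything else has $MOOGSOFT_HOME prepended.
    Treating '.'-prefixed paths as working-directory relative is an assumption."""
    if path.startswith("/") or path.startswith("."):
        return path
    return os.path.join(moogsoft_home, path)


def classify_ssl(ssl):
    """Return (mode, problems) for a parsed ssl block (None means no "ssl" section)."""
    problems = []
    if ssl is None:
        return "No SSL", problems
    protocol = ssl.get("ssl_protocol", "TLSv1.2")   # documented default
    if protocol in WEAK_PROTOCOLS:
        problems.append("ssl_protocol %s is deprecated; use TLSv1.2" % protocol)
    has_cert = "client_cert_file" in ssl
    has_key = "client_key_file" in ssl
    if has_cert != has_key:
        problems.append("client_cert_file and client_key_file must be set together")
    if "server_cert_file" not in ssl and not has_cert and not has_key:
        return "Express SSL", problems        # empty block or protocol only
    return "Custom SSL", problems


def is_pkcs8_pem(pem_text):
    """True when the first PEM line is a PKCS#8 banner (what client_key_file needs)."""
    lines = pem_text.strip().splitlines()
    return bool(lines) and lines[0].strip() in PKCS8_BANNERS


def check_conf(conf_text, moogsoft_home):
    """Lint one system.conf fragment: mode, problems and resolved file paths."""
    ssl = load_ssl_block(conf_text)
    mode, problems = classify_ssl(ssl)
    paths = {}
    for key in ("server_cert_file", "client_cert_file", "client_key_file"):
        if ssl and key in ssl:
            paths[key] = resolve_path(ssl[key], moogsoft_home)
    return {"mode": mode, "problems": problems, "paths": paths}


# Constructed sample fragments (not taken from a real deployment).
NO_SSL_CONF = '# "ssl" :\n# {\n#     "ssl_protocol" : "TLSv1.2"\n# }\n'
EXPRESS_CONF = '"ssl" :\n{\n    # protocol only: Express SSL\n    "ssl_protocol" : "TLSv1.2"\n}\n'
CUSTOM_CONF = '''"ssl" :
{
    "ssl_protocol" : "TLSv1.2",
    "server_cert_file" : "server/server.pem",
    "client_cert_file" : "client/client.pem",
    "client_key_file"  : "client/client.key"
}'''
BROKEN_CONF = '''"ssl" :
{
    "ssl_protocol" : "SSLv3",
    "server_cert_file" : "/etc/moog/certs/server.pem",
    "client_cert_file" : "client/client.pem"
}'''

if __name__ == "__main__":
    for name, conf in (("no-ssl", NO_SSL_CONF), ("express", EXPRESS_CONF),
                       ("custom", CUSTOM_CONF), ("broken", BROKEN_CONF)):
        print(name, check_conf(conf, "/opt/moog"))
```

Run it against a copy of the "ssl" section before restarting the Moog processes; the "broken" sample shows the two mistakes the comments warn about (a deprecated protocol and a client certificate without its key), and is_pkcs8_pem is the quick way to confirm that the key produced by the openssl pkcs8 command above is in the format "client_key_file" expects.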

Note

To disable SSL connectivity with the Message Bus, change the port number for the brokers back to the non-SSL port (typically 5672) and comment out the "ssl" section in system.conf.