Message System SSL
The Message Bus system (MooMs) can be configured to operate using SSL connections to provide secure and authorized connectivity.
The message system for Moogsoft Onprem is implemented with RabbitMQ. By default, Moogsoft Onprem provides rabbitmq.config which does not start RabbitMQ in SSL mode.
To enable RabbitMQ to run in SSL mode, see the RabbitMQ documentation.
Configure Moogsoft Onprem to use SSL with the Message Bus
Once RabbitMQ has been configured to use SSL, Moogsoft Onprem needs to be configured to use the RabbitMQ broker's SSL port. If the SSL configuration set on RabbitMQ requires it, Moogsoft Onprem also needs the SSL certificates and keys that enable a secure and authorized connection to these brokers.
Below is an example of full SSL Message Bus configuration in system.conf:
system.conf
########################################################################
# SSL configuration can be used to provide a means of secure           #
# communication between a Moog process and MooMS. MooMS can be setup   #
# with options to accept SSL connections with or without providing     #
# the relevant certificates and keys.                                  #
# Three modes of SSL are available:                                    #
# 1. No SSL - SSL configuration is not specified                       #
# 2. Express SSL - This is where SSL configuration is specified, but   #
#                  empty or only the SSL protocol is set and specific  #
#                  certificates do not need to specified.              #
# 3. Custom SSL - This is where all the SSL configuration and          #
#                 certificates needed are specified to enable secure   #
#                 and authorised communication to MooMS.               #
# Note that Client key and certificate are optional.                   #
# If neither of those are specified, then client                       #
# certification verification will not be performed.                    #
########################################################################
"ssl" :
{
    # Specify the SSL Protocol to use.
    # If the configuration is not specified, "TLSv1.2" will be used
    # by default.
    # JRE 8 supports "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3"
    #
    "ssl_protocol" : "TLSv1.2",
    #
    # The location of the SSL certificate, key files.
    #
    # Relative pathing can be used, i.e. '.' to mean current directory,
    # '../server.pem' or '../../server.pem' etc. If neither relative
    # nor absolute (using '/') path is used then $MOOGSOFT_HOME is
    # prepended to it.
    # i.e. "config/server.pem" becomes "$MOOGSOFT_HOME/config/server.pem"
    #
    # Specify the server certificate.
    #
    "server_cert_file" : "server.pem",
    #
    # Enable client authentication by specifying the client certificate
    # and key files below.
    # The key file has to be in PKCS#8 format.
    #
    "client_cert_file" : "client.pem",
    "client_key_file" : "client.key"
}
Express SSL
Moogsoft Onprem can be configured to connect to the RabbitMQ server without validating any certificates or attempting to authorize the client.
If the RabbitMQ server has been configured to reject clients that do not present valid certificates, this SSL mode will not work; Moogsoft Onprem will then need to be configured with the correct certificates and keys to establish connectivity. To enable express SSL mode, simply uncomment the "ssl" configuration block and, optionally, specify the "ssl_protocol" setting:
Express SSL
"ssl" :
{
    # Specify the SSL Protocol to use.
    # If the configuration is not specified, "TLSv1.2" will be used
    # by default.
    # JDK 8 supports "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3"
    #
    "ssl_protocol" : "TLSv1.2"
}
Custom SSL
Moogsoft Onprem can be configured to connect to the RabbitMQ server using a specific server certificate. If RabbitMQ has been enabled with Client Authentication, Moogsoft Onprem can additionally be configured with the client key and client certificate to authenticate with RabbitMQ.
Client Authentication is optional functionality; to run Moogsoft Onprem with just a specific server certificate, simply comment out the client_cert_file and client_key_file entries.
Note
If Client Authentication is used, the "client_key_file" must be in PKCS#8 format. The following command converts a private key into PKCS#8 format:
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in key.pem -out client.key
Below is an example of Moogsoft Onprem with the full SSL configuration, connecting to a RabbitMQ that requires Client Authentication. The example also shows how the server and client SSL files can be organised in sub-folders:
Custom SSL
"ssl" :
{
    # Specify the SSL Protocol to use.
    # If the configuration is not specified, "TLSv1.2" will be used
    # by default.
    # JRE 8 supports "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3"
    #
    "ssl_protocol" : "TLSv1.2",
    #
    # The location of the SSL certificate, key files.
    #
    # Relative pathing can be used, i.e. '.' to mean current directory,
    # '../server.pem' or '../../server.pem' etc. If neither relative
    # nor absolute (using '/') path is used then $MOOGSOFT_HOME is
    # prepended to it.
    # i.e. "config/server.pem" becomes "$MOOGSOFT_HOME/config/server.pem"
    #
    # Specify the server certificate.
    #
    "server_cert_file" : "server/server.pem",
    #
    # Enable client authentication by specifying the client certificate
    # and key files below.
    # The key file has to be in PKCS#8 format.
    #
    "client_cert_file" : "client/client.pem",
    "client_key_file" : "client/client.key"
}
Note
To disable SSL connectivity with the Message Bus, change the port number for the brokers back to the non-SSL port (typically 5672) and comment out the "ssl" section in system.conf.
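The three modes and the path rule described in the system.conf comment block can be checked mechanically before restarting any Moog process. The script below is an added example and is not part of the Moogsoft documentation or product: it takes the "ssl" block as a Python dict (it does not parse system.conf itself), applies the $MOOGSOFT_HOME prepend rule, classifies the block as No SSL / Express / Custom, and for custom mode confirms that each referenced file exists and carries the expected PEM label. The PKCS#8 check relies on the fact that an unencrypted PKCS#8 key is labelled "BEGIN PRIVATE KEY", whereas the legacy OpenSSL formats that `openssl pkcs8 -topk8 -nocrypt` converts from are labelled "BEGIN RSA PRIVATE KEY" or "BEGIN EC PRIVATE KEY". The `demo()` function writes constructed placeholder PEM files into a temporary directory; the file names and directory layout there are illustrative only.

```python
import os
import tempfile

# JRE 8 protocol names listed in the system.conf comment; TLSv1.2 is the default.
SUPPORTED_PROTOCOLS = ("TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3")


def resolve_ssl_path(value, moogsoft_home):
    """Apply the system.conf path rule: relative ('.' / '..') and absolute ('/')
    paths are used as given, anything else gets $MOOGSOFT_HOME prepended."""
    if value.startswith("/") or value.startswith("."):
        return value
    return os.path.join(moogsoft_home, value)


def ssl_mode(ssl_block):
    """Classify the block into the three modes from the system.conf comment."""
    if ssl_block is None:
        return "none"                      # 1. No SSL: block commented out
    if all(key == "ssl_protocol" for key in ssl_block):
        return "express"                   # 2. Express SSL: empty or protocol only
    return "custom"                        # 3. Custom SSL: certificates given


def pem_label(path):
    """Return the label of the first PEM block in a file, e.g. 'PRIVATE KEY'."""
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line.startswith("-----BEGIN ") and line.endswith("-----"):
                return line[len("-----BEGIN "):-len("-----")]
    return None


def check_ssl_block(ssl_block, moogsoft_home):
    """Return a list of problems found in the block (an empty list means OK)."""
    problems = []
    mode = ssl_mode(ssl_block)
    if mode != "none":
        proto = ssl_block.get("ssl_protocol", "TLSv1.2")
        if proto not in SUPPORTED_PROTOCOLS:
            problems.append(f"unknown ssl_protocol {proto!r}")
        elif proto != "TLSv1.2":
            problems.append(f"ssl_protocol {proto!r} is weaker than the TLSv1.2 default")
    if mode != "custom":
        return problems
    for key, expected in (("server_cert_file", "CERTIFICATE"),
                          ("client_cert_file", "CERTIFICATE"),
                          ("client_key_file", "PRIVATE KEY")):
        value = ssl_block.get(key)
        if value is None:
            continue
        path = resolve_ssl_path(value, moogsoft_home)
        if not os.path.isfile(path):
            problems.append(f"{key}: {path} does not exist")
            continue
        label = pem_label(path)
        legacy = ("RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY")
        if key == "client_key_file" and label in legacy:
            problems.append(f"{key}: {path} is not unencrypted PKCS#8 "
                            "(convert with 'openssl pkcs8 -topk8 -nocrypt')")
        elif label != expected:
            problems.append(f"{key}: {path} has PEM label {label!r}, expected {expected!r}")
    if "server_cert_file" not in ssl_block:
        problems.append("custom mode needs server_cert_file")
    # The comment block treats client key and certificate as a pair.
    if ("client_cert_file" in ssl_block) != ("client_key_file" in ssl_block):
        problems.append("client_cert_file and client_key_file must be set together")
    return problems


def demo():
    """Build a constructed $MOOGSOFT_HOME with placeholder PEM files and run the checks."""
    home = tempfile.mkdtemp(prefix="moogsoft_home_")
    os.makedirs(os.path.join(home, "server"))
    os.makedirs(os.path.join(home, "client"))
    # Constructed stand-ins: only the PEM labels matter to the checker.
    samples = {
        "server/server.pem": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
        "client/client.pem": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
        "client/client.key": "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n",
        "client/legacy.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(home, rel), "w") as fh:
            fh.write(body)
    good = {"ssl_protocol": "TLSv1.2",
            "server_cert_file": "server/server.pem",
            "client_cert_file": "client/client.pem",
            "client_key_file": "client/client.key"}
    legacy = dict(good, client_key_file="client/legacy.key")
    return {
        "modes": (ssl_mode(None), ssl_mode({"ssl_protocol": "TLSv1.2"}), ssl_mode(good)),
        "good": check_ssl_block(good, home),
        "legacy": check_ssl_block(legacy, home),
        "express_sslv3": check_ssl_block({"ssl_protocol": "SSLv3"}, home),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run it against a real installation by loading the "ssl" dict out of system.conf and passing the real `$MOOGSOFT_HOME`; the "legacy" case in `demo()` shows the exact finding you get when the conversion step in the Note above was skipped.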
Generate Certificates
tls-gen will generate a CA, server, and client certificate (requires Python3):
$ git clone https://github.com/michaelklishin/tls-gen tls-gen
$ cd tls-gen/basic/
$ make -e PASSWORD=Defame-Spotty5-Gloater-Exemplify-Unimpeded
This generates the certificates and places them in ./result/:
$ cd result
$ ls
ca_certificate.pem  ca_key.pem  client_certificate.pem  client_key.p12  client_key.pem  server_certificate.pem  server_key.p12  server_key.pem
Convert the client private key to PKCS#8 format:
$ openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in client_$(hostname)_key.pem -out client_$(hostname)_key.pkcs8
Place these files somewhere accessible by user 'moogsoft':
$ mkdir -p /usr/share/moogsoft/ssl
$ cp -f ./* /usr/share/moogsoft/ssl/
$ chown -R moogsoft:moogsoft /usr/share/moogsoft/ssl
$ chmod 644 /usr/share/moogsoft/ssl/*
Configure RabbitMQ Server
Modify the RabbitMQ configuration (/etc/rabbitmq/rabbitmq.config) to enable SSL on port 5671. This is done by adding the "ssl_listeners" and "ssl_options" directives:
$ cat /etc/rabbitmq/rabbitmq.config
%% -*- mode: erlang -*-
%% ----------------------------------------------------------------------------
%% Default MooMS RabbitMQ configuration file.
%%
%% See http://www.rabbitmq.com/configure.html for details.
%% ----------------------------------------------------------------------------
[
  {rabbit, [
    {loopback_users, []},
    {default_user, },
    {default_pass, },
    {default_permissions, [<<".*">>, <<".*">>, <<".*">>]},
    {cluster_partition_handling, autoheal},
    {ssl_listeners, [5671]},
    {ssl_options, [
      {cacertfile, "/usr/share/moogsoft/ssl/ca_certificate.pem"},
      {certfile, "/usr/share/moogsoft/ssl/server_certificate.pem"},
      {keyfile, "/usr/share/moogsoft/ssl/server_key.pem"},
      {password, "Defame-Spotty5-Gloater-Exemplify-Unimpeded"},
      {verify, verify_peer},
      {fail_if_no_peer_cert, true},
      {versions, ['tlsv1.3', 'tlsv1.2']}
    ]}
  ]}
].
The values for the server and client certificate must be updated to include the system hostname, in this format: server_$(hostname)_certificate.pem and server_$(hostname)_key.pem.
A user may also disable plaintext listeners by adding the following line above "ssl_listeners":
{tcp_listeners, []},
Restart rabbitmq-server to apply the changes:
$ systemctl restart rabbitmq-server
Verify it is listening on the configured port, 5671:
# netstat -tulpn | grep 5671
tcp6       0      0 :::5671                 :::*                    LISTEN      25536/beam.smp
Check with rabbitmqctl:
$ rabbitmqctl status
......
Listeners

Interface: [::], port: 15672, protocol: http, purpose: HTTP API
Interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0
Interface: [::], port: 5671, protocol: amqp/ssl, purpose: AMQP 0-9-1 and AMQP 1.0 over TLS    <---- We can see the TLS listener here
......
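The netstat and rabbitmqctl checks above confirm that a TLS listener is open, but not that a client built the way Moogsoft Onprem is configured can actually complete a handshake against it. The script below is an added example, not part of the Moogsoft documentation or of RabbitMQ: `parse_listeners()` reads the "Listeners" lines of `rabbitmqctl status` output (a constructed copy of the output shown above is embedded as sample input) and flags a missing amqp/ssl listener or a plaintext amqp listener that is still open; `probe_broker()` then opens a real TLS connection to the SSL port, verifying the broker against a CA file and presenting the client certificate and key when given. It assumes the trust anchor is the CA certificate that signed the broker certificate (ca_certificate.pem from tls-gen), that the client key is an unencrypted PKCS#8 PEM as the Note above requires, and that the broker certificate's SAN matches the host name you connect to. Only the parsing and the context policy can run offline; the probe needs a live broker.

```python
import re
import socket
import ssl

# Constructed sample of the "Listeners" section of `rabbitmqctl status`,
# in the same layout as the output shown above.
SAMPLE_STATUS = """\
Listeners

Interface: [::], port: 15672, protocol: http, purpose: HTTP API
Interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0
Interface: [::], port: 5671, protocol: amqp/ssl, purpose: AMQP 0-9-1 and AMQP 1.0 over TLS
"""

LISTENER_RE = re.compile(
    r"Interface: (?P<iface>\S+), port: (?P<port>\d+), protocol: (?P<proto>[^,\s]+)")


def parse_listeners(status_text):
    """Return {protocol: port} for every listener line in rabbitmqctl status output."""
    return {m.group("proto"): int(m.group("port"))
            for m in LISTENER_RE.finditer(status_text)}


def listener_findings(listeners, expected_tls_port=5671):
    """Findings about the listener set: is the TLS listener on the expected port,
    and is a plaintext AMQP listener still open (tcp_listeners not emptied)?"""
    findings = []
    tls_port = listeners.get("amqp/ssl")
    if tls_port is None:
        findings.append("no amqp/ssl listener: ssl_listeners is not configured")
    elif tls_port != expected_tls_port:
        findings.append(f"amqp/ssl listener is on {tls_port}, expected {expected_tls_port}")
    if "amqp" in listeners:
        findings.append(f"plaintext amqp listener still open on {listeners['amqp']} "
                        "(set {tcp_listeners, []} to disable)")
    return findings


def build_client_context(cafile=None, certfile=None, keyfile=None):
    """An SSLContext matching the custom-SSL settings: verify the broker against
    the CA, require TLS 1.2 or newer, and present the client cert/key if given."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile and keyfile:
        ctx.load_cert_chain(certfile, keyfile)   # keyfile: unencrypted PKCS#8 PEM
    return ctx


def probe_broker(host, port, cafile, certfile=None, keyfile=None, timeout=5.0):
    """Open a TLS connection to the broker's SSL port and report what was negotiated.
    Raises ssl.SSLError if the chain, host name or client certificate is rejected."""
    ctx = build_client_context(cafile, certfile, keyfile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "san": cert.get("subjectAltName", ()),
            }


if __name__ == "__main__":
    import sys
    # Offline part: evaluate the constructed status output.
    print(listener_findings(parse_listeners(SAMPLE_STATUS)))
    # Live part, e.g.: probe.py localhost 5671 /usr/share/moogsoft/ssl/ca_certificate.pem \
    #     /usr/share/moogsoft/ssl/client_certificate.pem /usr/share/moogsoft/ssl/client_key.pkcs8
    if len(sys.argv) >= 4:
        host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
        certfile, keyfile = (sys.argv[4], sys.argv[5]) if len(sys.argv) >= 6 else (None, None)
        print(probe_broker(host, port, cafile, certfile, keyfile))
```

When the broker has `fail_if_no_peer_cert` set as in the configuration above, running the probe without the client certificate and key is expected to fail the handshake; that failure is the confirmation that client authentication is actually being enforced.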
Configure AIOps
Modify system.conf to point to the SSL-enabled RabbitMQ. Under the 'mooms' section:
"brokers" : [
    {
        "host" : "localhost",
        "port" : 5671
    }
],
"ssl" :
{
    "ssl_protocol" : "TLSv1.2",
    "server_cert_file" : "ssl/server_certificate.pem",
    "client_cert_file" : "ssl/client_certificate.pem",
    "client_key_file" : "ssl/client_key.pkcs8"
}
Restart all moog processes on this machine to apply the new system.conf changes:
$ systemctl restart moogfarmd
$ systemctl restart apache-tomcat
$ systemctl restart $lam1
$ systemctl restart $lam2
Wrapping Up
You can now port the system.conf changes to any host in your HA environment so that they will utilize SSL when communicating with MooMs (RabbitMQ).
Extra
# cd /home/user/tls-gen/basic
# make help
python3 profile.py --help
Usage: profile.py [options] (generate|clean|regenerate|verify|info)

Options:
  -h, --help            show this help message and exit
  -p PASSWORD, --password=PASSWORD
                        Private key password
  -n COMMON_NAME, --common-name=COMMON_NAME
                        Certificate CN (Common Name)
  --client-alt-name=CLIENT_ALT_NAME
                        SAN (subject Alternative Name) for the client
  --server-alt-name=SERVER_ALT_NAME
                        SAN (subject Alternative Name) for the server
  -b KEY_BITS, --key-bits=KEY_BITS
                        Number of private key bits
  -e, --use-ecc         Should Elliptic Curve Cryptography be used?
  -c ECC_CURVE, --ecc-curve=ECC_CURVE
                        ECC curve to use (see 'openssl ecparam -list_curves')
  -V VALIDITY_DAYS, --days-of-validity=VALIDITY_DAYS
                        For how many days should generated certificates be valid?
# make PASSWORD=rfugDkKj3mjeSvxy
python3 profile.py regenerate --password "rfugDkKj3mjeSvxy" \
    --common-name user-pc \
    --client-alt-name user-pc \
    --server-alt-name user-pc \
    --days-of-validity 3650 \
    --key-bits 2048
Removing /home/user/tls-gen/basic/testca
Removing /home/user/tls-gen/basic/result
Removing /home/user/tls-gen/basic/server
Removing /home/user/tls-gen/basic/client
Will generate a root CA and two certificate/key pairs (server and client)
=> [openssl_req]
Generating a RSA private key
................+++++
....................................+++++
writing new private key to '/home/user/tls-gen/basic/testca/private/cakey.pem'
-----
=> [openssl_x509]
Will generate leaf certificate and key pair for server
Using user-pc for Common Name (CN)
Using parent certificate path at /home/user/tls-gen/basic/testca/cacert.pem
Using parent key path at /home/user/tls-gen/basic/testca/private/cakey.pem
Will use RSA...
=> [openssl_genrsa]
Generating RSA private key, 2048 bit long modulus (2 primes)
...................................................+++++
..........................................+++++
e is 65537 (0x010001)
=> [openssl_req]
Ignoring -days; not generating a certificate
=> [openssl_ca]
Using configuration from /tmp/tmpww3an1us
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'user-pc'
organizationName      :ASN.1 12:'server'
localityName          :ASN.1 12:'$$$$'
Certificate is to be certified until Apr 21 19:15:40 2029 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Will generate leaf certificate and key pair for client
Using user-pc for Common Name (CN)
Using parent certificate path at /home/user/tls-gen/basic/testca/cacert.pem
Using parent key path at /home/user/tls-gen/basic/testca/private/cakey.pem
Will use RSA...
=> [openssl_genrsa]
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................................................................................................................................+++++
.......................................................+++++
e is 65537 (0x010001)
=> [openssl_req]
Ignoring -days; not generating a certificate
=> [openssl_ca]
Using configuration from /tmp/tmpww3an1us
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'user-pc'
organizationName      :ASN.1 12:'client'
localityName          :ASN.1 12:'$$$$'
Certificate is to be certified until Apr 21 19:15:41 2029 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Done! Find generated certificates and private keys under ./result!
python3 profile.py verify
Will verify generated certificates against the CA...
Will verify client certificate against root CA
/home/user/tls-gen/basic/result/client_certificate.pem: OK
Will verify server certificate against root CA
/home/user/tls-gen/basic/result/server_certificate.pem: OK
# make info
python3 profile.py info
Will display client certificate info
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = TLSGenSelfSignedtRootCA, L = $$$$
        Validity
            Not Before: Apr 24 19:15:41 2019 GMT
            Not After : Apr 21 19:15:41 2029 GMT
        Subject: CN = user-pc, O = client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:d3:ae:4d:08:39:f1:d8:5f:d5:e9:fc:b2:b0:bb:
                    28:ea:d6:bf:f5:cf:35:27:1c:ef:51:0c:33:d8:9b:
                    28:48:18:88:28:d1:d2:68:1c:21:ec:d8:8d:27:f8:
                    83:42:00:50:6e:36:50:a4:73:77:df:25:27:0f:de:
                    9f:a8:2f:c6:b8:b2:74:01:30:6d:cd:c0:b4:1f:b1:
                    10:ab:4a:0d:d3:90:7e:36:45:5c:2c:be:24:eb:d9:
                    4a:2d:07:fd:90:8f:b5:f9:d6:f8:92:04:33:0f:4d:
                    36:0c:c2:ce:63:26:0d:c0:ec:63:43:05:bb:e0:24:
                    3c:f2:50:e5:5b:38:f6:3f:c6:da:01:bb:36:3a:a5:
                    5e:24:04:18:b8:c1:10:fe:cb:88:66:65:4e:0c:12:
                    07:3a:00:b1:44:b2:2f:b3:2f:43:fd:66:9a:3a:b1:
                    91:fb:9b:b2:14:cd:cf:96:fd:3f:37:2d:13:97:f8:
                    b9:1d:83:14:a0:78:f3:c6:c6:16:72:d9:e2:3b:cb:
                    ed:2e:d4:4b:1c:b5:19:5d:15:cc:9e:a8:86:71:e4:
                    f8:f8:35:cb:ad:c3:ff:bf:f6:2c:e7:4a:4e:8c:e7:
                    8d:98:f7:82:cb:ab:82:20:45:a7:97:33:cc:30:09:
                    e1:eb:26:a3:04:0b:95:cc:dc:cd:b1:cf:39:af:0d:
                    e8:11
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:user-pc, DNS:user-pc, DNS:localhost
    Signature Algorithm: sha256WithRSAEncryption
         28:0f:f1:75:b3:60:ce:ed:47:3e:8b:38:bc:9b:30:b0:5c:b4:
         30:96:ca:a2:d3:78:4b:39:b8:79:09:b2:5c:c5:62:68:dc:85:
         44:1d:07:62:04:f1:85:0b:03:ce:75:63:c8:be:af:43:39:87:
         b6:52:be:9e:e3:1c:ef:22:5f:88:6d:24:76:b9:dc:a1:59:51:
         50:90:15:e8:e1:ff:a1:8e:25:b7:0e:41:ea:92:6e:45:c1:30:
         2e:10:dc:cb:b7:c7:53:d4:ad:d0:e2:e4:88:cb:45:5f:13:78:
         d7:fe:9f:59:ca:92:da:a3:bd:33:60:af:e9:2b:8c:67:0c:69:
         b1:56:aa:94:ba:74:a4:00:c2:ec:5f:7b:7f:72:4a:f9:61:bc:
         48:30:6b:25:73:c3:af:91:bd:43:25:09:61:d9:94:36:28:23:
         f3:a3:ad:0a:08:e0:d6:69:2c:d3:d7:bf:21:b6:80:3a:12:ec:
         4a:7e:a4:6a:5e:5a:79:24:6e:81:12:b2:bf:ef:d5:a2:12:bc:
         55:5f:05:29:77:43:c1:d8:aa:df:80:c8:00:cc:89:d9:45:a8:
         90:cf:74:9e:bb:ba:f5:77:1e:f7:8d:38:5f:ad:7b:02:83:62:
         80:ea:9a:65:f6:4b:3e:60:6b:ad:23:0c:7f:b5:61:6f:1f:6a:
         cc:90:e9:f1
Will display server certificate info
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = TLSGenSelfSignedtRootCA, L = $$$$
        Validity
            Not Before: Apr 24 19:15:40 2019 GMT
            Not After : Apr 21 19:15:40 2029 GMT
        Subject: CN = user-pc, O = server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ed:78:f3:94:32:85:28:70:b0:e2:41:d4:4a:5b:
                    00:10:41:15:a1:2b:32:63:06:05:53:12:05:45:d0:
                    16:b0:48:39:3d:e9:ed:dd:3a:20:c6:a5:b8:9e:1c:
                    bd:17:d3:e7:6a:0e:62:b3:ba:83:ab:33:40:0f:33:
                    b4:9f:53:3b:fa:e7:2f:e6:7d:8a:20:a7:6e:af:81:
                    89:a5:d6:9a:74:c1:4b:e6:ae:54:64:0d:88:0e:a2:
                    af:ad:76:87:90:8e:00:e1:dc:f3:31:a4:f1:a8:a5:
                    bd:0d:a6:06:9e:e6:5c:f6:a7:46:31:3f:c6:1f:81:
                    8e:75:dd:a2:5a:e8:a8:dc:0d:1e:3f:0f:25:b4:49:
                    1d:13:37:a6:3e:20:e1:fe:ce:a9:52:d3:9b:ab:ae:
                    73:e6:13:fc:49:ab:51:26:14:93:f7:da:0b:a2:05:
                    fd:5d:00:d7:00:f6:c7:21:99:fb:b2:7c:80:1e:6d:
                    d8:b0:24:fb:d0:2b:af:0e:c8:72:b6:79:3d:b2:c4:
                    b2:c0:03:79:42:a4:88:2f:65:e9:f4:c6:4d:34:99:
                    43:54:6b:9a:8a:c3:15:c9:83:b4:89:f0:33:6d:c8:
                    06:e3:a4:f8:7c:fd:8e:c5:b8:40:bb:e3:bf:43:c3:
                    7f:bb:6d:9c:0c:f3:47:0e:a1:65:95:b5:de:88:75:
                    d5:b1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:user-pc, DNS:user-pc, DNS:localhost
            X509v3 Subject Key Identifier:
                7D:DF:38:73:E3:76:E8:F7:96:29:BB:24:A1:CE:49:9B:65:14:01:5C
            X509v3 Authority Key Identifier:
                keyid:6A:0F:27:3B:5B:CA:77:C3:72:CD:4B:61:53:2E:60:C6:44:5F:11:21
    Signature Algorithm: sha256WithRSAEncryption
         5c:3a:76:35:44:db:77:93:16:c6:0d:2c:b3:ed:46:d2:e0:56:
         39:4b:fd:b9:a8:95:0b:08:2e:67:f1:11:a6:66:a9:29:04:64:
         ed:82:1f:af:96:e4:be:c1:f6:04:39:61:52:41:2d:c2:9d:0b:
         31:ae:bf:0a:3f:62:8e:d8:2c:4e:d8:57:b4:5b:85:10:20:d2:
         a6:da:6c:33:ae:57:ad:c6:a7:80:85:5a:3b:cd:09:27:5a:cd:
         64:e0:ff:b7:8a:10:d2:67:e7:df:e7:1d:62:fc:5b:cb:66:75:
         92:db:08:cf:97:7e:fe:98:d5:2a:35:ad:65:c8:12:a4:ee:8e:
         e7:5a:eb:65:12:dd:2a:1a:ec:00:c1:0c:ae:75:4a:d4:70:b4:
         eb:bc:a9:c7:6d:33:56:f7:ab:c4:8a:61:4b:98:ef:0b:74:d1:
         c9:1b:f5:8c:49:68:b2:82:cb:fc:79:dd:71:a5:a6:d7:3a:89:
         57:24:dc:4e:44:de:f3:cc:bb:47:4b:50:61:76:7b:5d:78:71:
         bb:51:ce:f5:1c:7d:e7:0b:66:34:d3:5f:0b:b9:1b:35:98:ff:
         e0:27:22:ac:19:43:c4:61:a2:d8:26:29:cb:a7:76:ef:35:31:
         57:6a:38:42:89:96:9c:f0:a2:0c:c8:49:73:df:e0:9c:7b:b4:
         3b:7f:47:3e
Additional Documentation
See the following RabbitMQ docs for more information: