Modifying Apps for TLS
Warning: RabbitMQ for Pivotal Platform v1.15 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.
Note: If your app is written in Java or Spring, see Activate TLS for Java and Spring Apps. For other types of apps, use the procedures in this topic.
This topic provides instructions to developers to modify apps that are not written in Java or Spring to use TLS to secure their connection with RabbitMQ on-demand service instances.
The following are prerequisites to procedures in this topic:
- The operator must complete these procedures, in this order:
- The developer must complete the procedures in Configure TLS for Your Service Instance.
To start using TLS for apps that are not written in Java or Spring, you must modify your app to use the correct protocol.
To modify your app, do the following:
Use one of the code snippets below.
In these examples, VCAP_SERVICES is an environment variable available from the app.
Option 1: If the operator enabled TLS using a certificate from a trusted authority, use the code below.
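    require 'json'
    require 'bunny'

    # VCAP_SERVICES maps each service label to an array of bound instances.
    vcap_services = JSON.parse(ENV['VCAP_SERVICES'])
    # Use the first bound p.rabbitmq instance and pick one of its TLS (amqp+ssl) URIs.
    uri = vcap_services['p.rabbitmq'].first['credentials']['protocols']['amqp+ssl']['uris'].sample
    conn = Bunny.new(uri)
    conn.start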
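Option 2: If the operator used a self-signed certificate, configure the RabbitMQ client to use the same CA certificate and a valid certificate and key. Use the example code below, replacing the variables for

    require 'json'
    require 'bunny'

    # VCAP_SERVICES maps each service label to an array of bound instances.
    vcap_services = JSON.parse(ENV['VCAP_SERVICES'])
    # Use the first bound p.rabbitmq instance and pick one of its TLS (amqp+ssl) URIs.
    uri = vcap_services['p.rabbitmq'].first['credentials']['protocols']['amqp+ssl']['uris'].sample
    # PATH_TO_CERTIFICATE, PATH_TO_KEY and PATH_TO_CA_CERTIFICATE are placeholders for file paths.
    conn = Bunny.new(uri,
                     tls_cert: PATH_TO_CERTIFICATE,
                     tls_key: PATH_TO_KEY,
                     tls_ca_certificates: [PATH_TO_CA_CERTIFICATE])
    conn.start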
After modifying your app, repush it with
WARNING: Any apps using an existing service instance must be rebound after enabling TLS for the instance.
Follow these steps to rebind an app using an existing service instance:
- Stop the app. For example:
$ cf stop my-app
- Unbind the app from the service instance. For example:
$ cf unbind-service my-app my-service-instance
- Re-bind the app to the service instance. For example:
$ cf bind-service my-app my-service-instance
- Restage the app. For example:
$ cf restage my-app
Your app should now communicate securely with the RabbitMQ service instance.
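A startup check for the rebind requirement above, as an added example that is not part of the original documentation: it reads VCAP_SERVICES and refuses to hand back a connection URI unless every bound p.rabbitmq instance exposes amqp+ssl URIs with the amqps scheme. The helper name, error class, and sample bindings (hosts, credentials) are constructed for illustration.

```ruby
require 'json'
require 'uri'

# Hypothetical error class for this example.
class InsecureBindingError < StandardError; end

# Hypothetical helper: returns the amqps:// URIs of all bound instances, or
# raises if any instance lacks TLS credentials (for example, a stale binding).
def tls_amqp_uris(vcap_json, label: 'p.rabbitmq')
  instances = JSON.parse(vcap_json || '{}').fetch(label, [])
  raise InsecureBindingError, "no #{label} instance bound" if instances.empty?

  instances.flat_map do |instance|
    name = instance['name'] || '(unnamed)'
    uris = instance.dig('credentials', 'protocols', 'amqp+ssl', 'uris')
    if uris.nil? || uris.empty?
      raise InsecureBindingError, "#{name}: no amqp+ssl URIs; rebind the app"
    end
    uris.each do |u|
      scheme = URI.parse(u).scheme
      next if scheme == 'amqps'
      raise InsecureBindingError, "#{name}: non-TLS scheme #{scheme.inspect}"
    end
    uris
  end
end

# Constructed sample bindings; hosts and credentials are made up.
def sample_binding(protocol, uri)
  JSON.generate({ 'p.rabbitmq' => [{
    'name' => 'my-service-instance',
    'credentials' => { 'protocols' => { protocol => { 'uris' => [uri] } } }
  }] })
end

REBOUND = sample_binding('amqp+ssl', 'amqps://user:secret@rmq.example.internal:5671/vhost1')
STALE   = sample_binding('amqp', 'amqp://user:secret@rmq.example.internal:5672/vhost1')

# In the app: conn = Bunny.new(tls_amqp_uris(ENV['VCAP_SERVICES']).sample, ...)
if __FILE__ == $PROGRAM_NAME
  puts tls_amqp_uris(REBOUND).inspect
  begin
    tls_amqp_uris(STALE)
  rescue InsecureBindingError => e
    puts "refused: #{e.message}"
  end
end
```

Failing at startup when the binding has no amqp+ssl entry makes a missed rebind visible immediately instead of leaving the app on its old credentials.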