Preparing for TLS

Warning: RabbitMQ for Pivotal Cloud Foundry v1.16 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.

Overview
Workflow
Find the CredHub Credentials in Ops Manager
Add the CA Certificate
Enable TLS in RabbitMQ for PCF

Page last updated:

This topic provides an overview of how to prepare for using Transport Layer Security (TLS) with RabbitMQ for Pivotal Cloud Foundry to secure communication between apps and service instances.

This topic explains how to provide an existing CA certificate to BOSH CredHub and generate a new CA certificate with BOSH CredHub.

Warning: This procedure involves restarting all of the VMs in your deployment to apply a CA certificate. The operation can take a long time to complete.

Note: This certificate is shared by multiple tiles. If you have already done this procedure, you do not need to repeat it.

However, an operator must rotate the this certificate if it expires or if it becomes compromised. For instructions about how to rotate your CA certificate follow the steps in Rotating CA Certificates.

Overview

When you use TLS, you are provisioned a RabbitMQ for PCF server with a certificate. With this certificate, apps and clients can establish an encrypted connection with the service.

CredHub generates a server certificate using a Certificate Authority (CA) certificate. You can either provide the CA or generate it using CredHub. For an overview of the purpose and functionality of the CredHub component, see CredHub.

Apps and clients use this CA certificate to check that the server certificate is trustworthy. A trustworthy server certificate allows apps and clients to securely communicate with the RabbitMQ for PCF server.

Pivotal Application Service (PAS) shares the CA certificate public component in the following ways:

PAS provisions a copy of the CA certificate in the trusted store of each container’s operating system. Apps written in Java and Spring automatically discover the CA certificate in the trusted store.
PAS supplies the public CA certificate in an environment variable called VCAP_SERVICES that exists in every container. Apps not written in Java and Spring can retrieve the public component of the CA certificate from VCAP_SERVICES and use it to establish an encrypted connection with the data service.

Prerequisite

Before you do the procedures in this topic, you must install the Credhub CLI. For instructions, see credhub-cli on GitHub.

Workflow

The following workflow describes enabling TLS for RabbitMQ for Pivotal Cloud Foundry:

An operator provides a CA certificate to CredHub by performing the procedures in Find the CredHub Credentials in Ops Manager and in Add the CA Certificate below.
An operator enables TLS in the tile configuration while installing RabbitMQ for PCF. See Enable TLS in RabbitMQ for PCF below.
A developer enables TLS for an existing service instance. See Enable TLS for Your Service Instance
A developer modifies their app to communicate securely with the RabbitMQ for PCF server:
- For Java or Spring apps: See Activate TLS for Java and Spring Apps.
- For all other apps: See Modifying Apps for TLS

Find the CredHub Credentials in Ops Manager

To find the BOSH CredHub client name and client secret:

In the Ops Manager Installation Dashboard, click the BOSH Director tile.
Click the Credentials tab.
In the BOSH Director section, click the link to the BOSH Commandline Credentials.
Record the values for BOSH_CLIENT and BOSH_CLIENT_SECRET.

Here is an example of the credentials page:
```
{"credential":"BOSH_CLIENT=ops_manager
BOSH_CLIENT_SECRET=abCdE1FgHIjkL2m3n-3PqrsT4EUVwXy5
BOSH_CA_CERT=/var/tempest/workspaces/default/root_ca_certificate
BOSH_ENVIRONMENT=10.0.0.5 bosh "}
```
The BOSH_CLIENT is the BOSH CredHub client name and the BOSH_CLIENT_SECRET is the BOSH CredHub client secret.

Add the CA Certificate

To generate and add the CA Certificate to Ops Manager:

Record the information needed to log in to the BOSH Director VM by following the procedure in Gather Credential and IP Address Information.
Log in to the Ops Manager VM by following the procedure in Log in to the Ops Manager VM with SSH.

Set the API target of the CredHub CLI as your CredHub server by running:

credhub api  \
    https://BOSH-DIRECTOR-IP:8844 \
    --ca-cert=/var/tempest/workspaces/default/root_ca_certificate

Where BOSH-DIRECTOR-IP is the IP address of the BOSH Director VM. For example:

$ credhub api \
    https://10.0.0.5:8844 \
    --ca-cert=/var/tempest/workspaces/default/root_ca_certificate

Log in to CredHub by running:
```
credhub login \
    --client-name=CREDHUB-CLIENT-NAME \
    --client-secret=CREDHUB-CLIENT-SECRET
```
Where
- CREDHUB-CLIENT-NAME is the value you recorded for BOSH_CLIENT in Find the CredHub Credentials in Ops Manager above.
- CREDHUB-CLIENT-SECRET is the value you recorded for BOSH_CLIENT_SECRET in Find the CredHub Credentials in Ops Manager above.
  For example:
```
$ credhub login \
    --client-name=credhub \
    --client-secret=abcdefghijklm123456789
```
If you are using Ops Manager v2.6 or later, skip this step and the next step. Otherwise, find out if a services CA certificate already is present by running the following command:
```
credhub get --name="/services/tls_ca"
```
If you already have a certificate at the services/tls_ca path, skip the next step.
Use the CredHub CLI to generate a CA certificate or provide an existing one.
Note: Your deployment can have multiple CA certificates. VMware recommends a dedicated CA certificate for services.
- If you do not have a CA certificate: Use the CredHub CLI to generate one by running:
```
$ credhub generate \
    --name="/services/tls_ca" \
    --type="certificate" \
    --is-ca \
    --common-name="rootCA"
```
  Note: When you run the above command, the generated certificate is valid for one year by default. You can use the --duration flag to set the validity period to a specific time. For example, if you add --duration=1825 to the above command, the generated certificate is valid for five years.
- If you have an existing CA certificate that you want to use: Create a new file called root.pem with the contents of the certificate. Then run the following command, specifying the path to root.pem and the private key for the certificate:
```
$ credhub set \
    --name="/services/tls_ca" \
    --type="certificate" \
    --certificate=./root.pem \
    --private=ERKSOSMFF...
```
Record the certificate portion from the CA certificate by running:
```
credhub get \
   --name=/services/tls_ca \
   -k ca
```
Navigate to the Ops Manager Installation Dashboard > BOSH Director > Security.
Append the contents of the CA certificate you recorded in the previous step into Trusted Certificates.
Click Save.

Enable TLS in RabbitMQ for PCF

To enable TLS in the RabbitMQ for PCF tile:

Enable TLS by doing one of the following:
- If you are configuring TLS for an existing installation: Follow the procedure in Configure Security.
- If you are configuring TLS for a new installation: Follow the procedures in Installing and Configuring RabbitMQ for PCF, including enabling TLS in the Configure Security section.
Navigate to Ops Manager Installation Dashboard > Review Pending Changes.
Ensure that the CA certificate is deployed to all VMs by selecting:
- Pivotal Application Service
- RabbitMQ for Pivotal Cloud Foundry
- The Upgrade All On-Demand Service Instances errand
Click Apply Changes. This restarts all the VMs in your deployment and applies your CA certificate.

Create a pull request or raise an issue on the source for this page in GitHub