Modifying Apps for TLS

Note: Pivotal Platform is now part of VMware Tanzu. In v1.20 and later, VMware Tanzu RabbitMQ [VMs] is named VMware Tanzu RabbitMQ for VMs.

Note: If your app is written in Java or Spring, see Activate TLS for Java and Spring Apps. For other types of apps, use the procedures in this topic.

This topic explains how to modify apps not written in Java or Spring to use TLS to secure their connection with VMware Tanzu RabbitMQ for VMs on-demand service instances.

Prerequisites

The prerequisites for the procedures in this topic are:

Modify Your App for TLS

To start using TLS for apps that are not written in Java or Spring, you must modify your app to use the correct protocol. The exact steps vary between client libraries. Consult the documentation for your library for the necessary configuration.

The following examples use the ruby-amqp/bunny library in GitHub. In these examples, VCAP_SERVICES is an environment variable available from the app.

To modify your app:

  • If the operator enabled TLS using a certificate from a trusted authority: Use the code below.

    require 'json'
    require 'bunny'

    # VCAP_SERVICES lists every bound service; pick the amqp+ssl entry so the
    # client gets an amqps:// URI rather than the plaintext amqp:// one.
    vcap_services = JSON.parse(ENV['VCAP_SERVICES'])
    uri = vcap_services['p.rabbitmq'][0]['credentials']['protocols']['amqp+ssl']['uri']
    # The server certificate chains to a CA the client already trusts, so no
    # extra TLS options are needed.
    conn = Bunny.new(uri)
    conn.start

  • If the operator used a self-signed CA certificate: Use the code below to configure the RabbitMQ client to use the same CA certificate, as well as a valid TLS certificate and key.

    require 'json'
    require 'bunny'

    vcap_services = JSON.parse(ENV['VCAP_SERVICES'])
    uri = vcap_services['p.rabbitmq'][0]['credentials']['protocols']['amqp+ssl']['uri']
    # Present the app's own certificate and key, and trust the operator's CA so
    # the self-signed chain verifies.
    conn = Bunny.new(uri,
                     tls_cert: PATH-TO-CERTIFICATE,
                     tls_key: PATH-TO-KEY,
                     tls_ca_certificates: [PATH-TO-CA-CERTIFICATE])
    conn.start


    Where:

    • PATH-TO-CERTIFICATE is the path to your TLS certificate
    • PATH-TO-KEY is the path to your TLS key
    • PATH-TO-CA-CERTIFICATE is the path to the self-signed CA certificate the operator used

  • If connecting to a service-gateway instance: Use the code below to configure the RabbitMQ client to verify the identity of the service instance.

    require 'json'
    require 'bunny'

    # A service-gateway instance is reached through a service key rather than a
    # binding, so the URI comes from the service key JSON file.
    service_key = JSON.load(File.open(PATH-TO-SERVICE-KEY-JSON))
    uri = service_key['protocols']['amqp+ssl']['uri']
    # verify_peer: true makes the client check the server certificate against
    # the CA that signed it.
    conn = Bunny.new(uri,
                     tls: true,
                     verify_peer: true,
                     tls_ca_certificates: [PATH-TO-CA-CERTIFICATE])
    conn.start


    Where:

    • PATH-TO-SERVICE-KEY-JSON is the path to the service key in JSON
    • PATH-TO-CA-CERTIFICATE is the path to the CA certificate which signed the RabbitMQ server certificate
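The three cases above differ only in the options passed to Bunny.new. The following is an added example, not code from this page or from the bunny project: it looks up the amqp+ssl URI in VCAP_SERVICES by binding name rather than assuming element [0], refuses a URI that is not amqps://, and builds the option hash for each case. The helper names tls_uri_for and bunny_tls_options and the VCAP_SERVICES sample are constructed for this example.

```ruby
require 'json'
require 'uri'

# Constructed sample of a VCAP_SERVICES value with one p.rabbitmq binding; the
# layout follows this page, the host, credentials and vhost are made up.
SAMPLE_VCAP_SERVICES = <<~JSON
  {
    "p.rabbitmq": [{
      "name": "my-rabbit",
      "credentials": { "protocols": {
        "amqp":     { "uri": "amqp://user:pass@rmq.example.internal:5672/vhost" },
        "amqp+ssl": { "uri": "amqps://user:pass@rmq.example.internal:5671/vhost" }
      } }
    }]
  }
JSON

# Hypothetical helper: return the amqp+ssl URI for the binding with the given
# instance name. Fails closed if the binding has no TLS entry or the URI is
# not amqps://, so the app never silently falls back to plaintext.
def tls_uri_for(vcap_json, instance_name)
  svc = JSON.parse(vcap_json).fetch('p.rabbitmq', []).find { |b| b['name'] == instance_name }
  raise ArgumentError, "no p.rabbitmq binding named #{instance_name}" if svc.nil?
  uri = svc.dig('credentials', 'protocols', 'amqp+ssl', 'uri')
  raise ArgumentError, 'binding has no amqp+ssl entry; is TLS enabled on the instance?' if uri.nil?
  raise ArgumentError, "refusing non-TLS URI #{uri}" unless URI(uri).scheme == 'amqps'
  uri
end

# Hypothetical helper: keyword options for Bunny.new in each of the three cases
# on this page. verify_peer is set in every case so the server certificate is checked.
def bunny_tls_options(mode, ca_path: nil, cert_path: nil, key_path: nil)
  base = { tls: true, verify_peer: true }
  case mode
  when :trusted_ca      then base # CA already trusted, nothing extra to pass
  when :self_signed_ca  then base.merge(tls_cert: cert_path, tls_key: key_path,
                                        tls_ca_certificates: [ca_path])
  when :service_gateway then base.merge(tls_ca_certificates: [ca_path])
  else raise ArgumentError, "unknown TLS mode #{mode.inspect}"
  end
end

# Usage with the real client (bunny gem), e.g. for the self-signed CA case:
#   conn = Bunny.new(tls_uri_for(ENV['VCAP_SERVICES'], 'my-rabbit'),
#                    **bunny_tls_options(:self_signed_ca, ca_path: 'ca.pem',
#                                        cert_path: 'client.pem', key_path: 'client.key'))
#   conn.start
```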

Re-push or Rebind Your App

After modifying your app, re-push it with cf push.

Warning: Any apps using an existing service instance must be rebound after enabling TLS for the instance.

To rebind an app using an existing service instance:

  1. Stop the app by running:

    cf stop APP-NAME
    
  2. Unbind the app from the service instance by running:

    cf unbind-service APP-NAME SERVICE-INSTANCE-NAME
    
  3. Re-bind the app to the service instance by running:

    cf bind-service APP-NAME SERVICE-INSTANCE-NAME
    
  4. Restage the app by running:

    cf restage APP-NAME
    

Your app now communicates securely with the Tanzu RabbitMQ service instance.
