Preparing for TLS

Note: Pivotal Platform is now part of VMware Tanzu. In v1.20 and later, VMware Tanzu RabbitMQ [VMs] is named VMware Tanzu RabbitMQ for VMs.

This topic provides an overview of how to prepare for using Transport Layer Security (TLS) with VMware Tanzu RabbitMQ for VMs to secure communication between apps and service instances.

Warning: This procedure involves restarting all of the VMs in your deployment to apply a CA certificate. The operation can take a long time to complete.

Note: This certificate is shared by multiple tiles. If you have already done this procedure, you do not need to repeat it.

However, an operator must rotate this certificate if it expires or if it becomes compromised. For instructions about how to rotate your CA certificate, follow the steps in Rotating CA Certificates.

Overview

When you use TLS, the Tanzu RabbitMQ server you are provisioned carries a server certificate. With this certificate, apps and clients can establish an encrypted connection with the service.

Through BOSH CredHub, Ops Manager generates a server certificate using a Certificate Authority (CA) certificate.

If you do not want to use the generated CA certificate, you can provide your own CA certificate and add it through the CredHub CLI. For an overview of the purpose and functionality of the CredHub component, see CredHub.

Apps and clients use this CA certificate to check that the server certificate is trustworthy, that is, that it was issued by the CA they trust. This check is what assures apps and clients that they are talking to the real Tanzu RabbitMQ server rather than an impostor; without it the connection is encrypted but the peer is not authenticated.

VMware Tanzu Application Service for VMs (TAS for VMs) shares the CA certificate public component in the following ways:

  • TAS for VMs provisions a copy of the CA certificate in the trusted store of each container’s operating system. Apps written in Java and Spring automatically discover the CA certificate in the trusted store.

  • TAS for VMs supplies the public CA certificate in an environment variable called VCAP_SERVICES that exists in every container. Apps written in other languages can retrieve the public component of the CA certificate from VCAP_SERVICES and use it to establish an encrypted connection with the data service.

Generated or Provided CA Certificate

Ops Manager can generate a CA certificate for TLS to use.

Alternatively, you can choose to provide your own CA certificate for TLS to use.

Workflow

The workflow you follow to prepare for TLS depends on whether you use the CA certificate generated by Ops Manager or if you bring your own CA certificate.

If Using the Generated CA Certificate

To use the CA certificate that Ops Manager generates through CredHub, follow this workflow to enable TLS for VMware Tanzu RabbitMQ for VMs:

  1. An operator adds the CredHub-generated certificate to Ops Manager by performing the procedures:

    1. Find the CredHub Credentials in Ops Manager below
    2. Add the CA Certificate below

    These procedures are unnecessary if you are on TAS for VMs v2.7.21 or later, v2.8.4 or later, v2.9.4 or later, or v2.10.

  2. An operator enables TLS in the tile configuration while installing Tanzu RabbitMQ. See Enable TLS in Tanzu RabbitMQ below.

  3. A developer enables TLS for an existing service instance. See Enable TLS for Your Service Instance below.

  4. A developer modifies their app to communicate securely with the Tanzu RabbitMQ server.

If Providing Your Own CA Certificate

To provide your own CA certificate instead of using the one that Ops Manager generates, follow this workflow to enable TLS for VMware Tanzu RabbitMQ for VMs:

  1. An operator provides a CA certificate to CredHub by performing the procedures:
    1. Find the CredHub Credentials in Ops Manager below
    2. Set a Custom CA Certificate below
    3. Add the CA Certificate below. This procedure is unnecessary if you are on TAS for VMs v2.7.21 or later, v2.8.4 or later, v2.9.4 or later, or v2.10.
  2. An operator enables TLS in the tile configuration while installing Tanzu RabbitMQ. See Enable TLS in Tanzu RabbitMQ below.
  3. A developer enables TLS for an existing service instance. See Enable TLS for Your Service Instance below.
  4. A developer modifies their app to communicate securely with the Tanzu RabbitMQ server.

Find the CredHub Credentials in Ops Manager

Do this procedure if you are providing your own CA certificate or if you are using any of the following versions of TAS for VMs:

  • v2.7.20 or earlier
  • v2.8.3 or earlier
  • v2.9.3 or earlier

To find the BOSH CredHub client name and client secret:

  1. In the Ops Manager Installation Dashboard, click the BOSH Director tile.
  2. Click the Credentials tab.
  3. In the BOSH Director section, click the link to the BOSH Commandline Credentials.

    [Screenshot: the BOSH Director section of the Credentials tab, with the 'BOSH Commandline Credentials' row highlighted below 'Uaa Bbr Client Credentials'; each row has a 'Link to credentials' link.]
  4. Record the values for BOSH_CLIENT and BOSH_CLIENT_SECRET.

    Here is an example of the credentials page:

    {"credential":"BOSH_CLIENT=ops_manager
    BOSH_CLIENT_SECRET=abCdE1FgHIjkL2m3n-3PqrsT4EUVwXy5
    BOSH_CA_CERT=/var/tempest/workspaces/default/root_ca_certificate
    BOSH_ENVIRONMENT=10.0.0.5 bosh "}
    

    The BOSH_CLIENT is the BOSH CredHub client name and the BOSH_CLIENT_SECRET is the BOSH CredHub client secret.
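The credentials page quoted above is a single JSON string containing NAME=value tokens separated by spaces and newlines, which is awkward to copy by hand. The following shell snippet is an added example, not part of the original page or of Ops Manager's tooling: it parses that blob (a constructed sample with dummy values, in the shape shown above) and exports the results under the CREDHUB_* environment variables that the CredHub CLI reads, so the client secret does not have to be typed on the command line later. The function names and the sample values are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): extract the BOSH CredHub
# client name and secret from the "BOSH Commandline Credentials" blob that
# Ops Manager displays, and hand them to the CredHub CLI via environment
# variables instead of command-line flags.

# Constructed sample in the shape shown on the credentials page (dummy values).
SAMPLE_BLOB='{"credential":"BOSH_CLIENT=ops_manager
BOSH_CLIENT_SECRET=abCdE1FgHIjkL2m3n-3PqrsT4EUVwXy5
BOSH_CA_CERT=/var/tempest/workspaces/default/root_ca_certificate
BOSH_ENVIRONMENT=10.0.0.5 bosh "}'

# credhub_field BLOB NAME -> the value of the NAME=value token in the blob.
# The JSON wrapper on the first token and the trailing "bosh" token are
# ignored because only NAME=value tokens are matched.
credhub_field() {
  printf '%s\n' "$1" \
    | sed 's/^{"credential":"//' \
    | tr ' ' '\n' \
    | sed -n "s/^$2=//p" \
    | head -n 1
}

# credhub_env_from_blob BLOB: export CREDHUB_CLIENT, CREDHUB_SECRET,
# CREDHUB_SERVER and CREDHUB_CA_CERT, which the CredHub CLI honours in
# place of --client-name, --client-secret, the server URL and --ca-cert.
# Returns 1 if the blob does not carry the expected fields.
credhub_env_from_blob() {
  CREDHUB_CLIENT=$(credhub_field "$1" BOSH_CLIENT)
  CREDHUB_SECRET=$(credhub_field "$1" BOSH_CLIENT_SECRET)
  CREDHUB_CA_CERT=$(credhub_field "$1" BOSH_CA_CERT)
  director_ip=$(credhub_field "$1" BOSH_ENVIRONMENT)
  [ -n "$CREDHUB_CLIENT" ] && [ -n "$CREDHUB_SECRET" ] && [ -n "$director_ip" ] \
    || return 1
  # BOSH CredHub listens on port 8844 of the BOSH Director VM (see below).
  CREDHUB_SERVER="https://$director_ip:8844"
  export CREDHUB_CLIENT CREDHUB_SECRET CREDHUB_CA_CERT CREDHUB_SERVER
}
```

Save the credential string to a file and run `credhub_env_from_blob "$(cat creds.json)"` on the Ops Manager VM; the `credhub api` and `credhub login` steps in Set a Custom CA Certificate can then be run with the server, client name and secret taken from the environment rather than from flags that end up in shell history.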

Set a Custom CA Certificate

Prerequisite: To complete this procedure, you need to have the CredHub CLI. For installation instructions, see credhub-cli on GitHub.

Do this procedure if you are providing your own custom CA certificate instead of using the one generated by Ops Manager or CredHub.

To add a custom CA Certificate to CredHub:

  1. Record the information needed to log in to the BOSH Director VM by following the procedure in Gather Credential and IP Address Information.

  2. Log in to the Ops Manager VM by following the procedure in Log in to the Ops Manager VM with SSH.

  3. Set the API target of the CredHub CLI as your CredHub server by running:

    credhub api \
        https://BOSH-DIRECTOR-IP:8844 \
        --ca-cert=/var/tempest/workspaces/default/root_ca_certificate
    

    Where BOSH-DIRECTOR-IP is the IP address of the BOSH Director VM.

    For example:

    $ credhub api \
        https://10.0.0.5:8844 \
        --ca-cert=/var/tempest/workspaces/default/root_ca_certificate

  4. Log in to CredHub by running:

    credhub login \
        --client-name=CREDHUB-CLIENT-NAME \
        --client-secret=CREDHUB-CLIENT-SECRET
    

    Where CREDHUB-CLIENT-NAME is the BOSH_CLIENT value and CREDHUB-CLIENT-SECRET is the BOSH_CLIENT_SECRET value that you recorded in Find the CredHub Credentials in Ops Manager above.

    For example:

    $ credhub login \
            --client-name=credhub \
            --client-secret=abcdefghijklm123456789

  5. Use the CredHub CLI to provide a CA certificate.

    Note: Your deployment can have multiple CA certificates. VMware recommends a dedicated CA certificate for services.

    Create a new file called root.pem with the contents of the certificate, and keep the matching private key in a file of its own. Then run the following command, specifying the path to root.pem and the private key for the certificate. The CredHub CLI accepts either a literal value or a file path for --private; passing a file path keeps the private key out of your shell history and process listings. For example:
    $ credhub set \
            --name="/services/tls_ca" \
            --type="certificate" \
            --certificate=./root.pem \
            --private=ERKSOSMFF...
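Before a custom CA goes into CredHub it is worth confirming that it really is a CA certificate, that it is not about to expire (rotating it later restarts every VM, as the warning at the top of this page says), and that the private key you are about to store belongs to it. The following shell script is an added example, not part of the original page or of the CredHub or Tanzu tooling: it performs those checks with the openssl CLI, wraps the page's `credhub set` invocation so both values are passed as file paths, and also shows the trust check described in the Overview, where a client validates the server certificate against this CA. The function names, the 30-day threshold, the fixture names and the broker hostname rabbitmq.example.internal are this example's own choices; the fixtures are generated on the fly and stand in for your real root.pem.

```shell
#!/bin/sh
# Added example (not from the original page): preflight checks for a custom
# CA before it is stored under /services/tls_ca, plus the trust check an app
# performs on the broker's server certificate with that CA. Needs openssl.

# ca_check CERT.pem KEY.pem -> prints "ok" or the reason for rejection.
ca_check() {
  cert=$1
  key=$2
  # Must parse as an X.509 certificate at all.
  openssl x509 -in "$cert" -noout 2>/dev/null \
    || { echo "not a PEM certificate"; return 1; }
  # Must carry basicConstraints CA:TRUE; with a leaf certificate here, every
  # server certificate issued under it would fail validation in the clients.
  openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
    || { echo "certificate is not a CA"; return 1; }
  # Must not expire within 30 days (2592000 s).
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 \
    || { echo "certificate expires within 30 days"; return 1; }
  # The private key handed to credhub set must belong to this certificate:
  # derive the public key from each side and compare.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match certificate"; return 1; }
  echo ok
}

# set_services_ca CERT.pem KEY.pem: run the checks, then store the CA under
# the name used on this page. Both values are file paths, so the private key
# never appears on the command line or in shell history.
set_services_ca() {
  ca_check "$1" "$2" >/dev/null || return 1
  credhub set --name=/services/tls_ca --type=certificate \
    --certificate="$1" --private="$2"
}

# server_cert_trusted CA.pem SERVER.pem: the check an app or client makes
# with the CA it obtains from the container trust store or VCAP_SERVICES.
server_cert_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed fixtures (not a real deployment's material): a CA, a server
# certificate it issued for a made-up broker hostname, and an unrelated CA.
# Self-signed certificates from `req -x509` carry CA:TRUE by default.
make_fixtures() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=services-ca' \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=other-ca' \
    -keyout "$dir/other.key" -out "$dir/other.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj '/CN=rabbitmq.example.internal' \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:rabbitmq.example.internal\n' \
    > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 90 -extfile "$dir/server.ext" \
    -out "$dir/server.pem" >/dev/null 2>&1
  echo "$dir"
}
```

With your own material, run `ca_check ./root.pem ./root.key` and only call `set_services_ca` once it prints `ok`; a leaf certificate mistaken for the CA, or a key that does not match, is caught here rather than after every VM has been restarted to pick up the new trust anchor.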

Add the CA Certificate

Prerequisite: To complete this procedure, you need to have the CredHub CLI. For installation instructions, see credhub-cli on GitHub.

Do this procedure if you are using any of the following versions of TAS for VMs:

  • v2.7.20 or earlier
  • v2.8.3 or earlier
  • v2.9.3 or earlier

To add the CA Certificate to Ops Manager:

  1. Record the CA certificate by running:

    credhub get \
       --name=/services/tls_ca \
       -k ca
    
  2. Navigate to the Ops Manager Installation Dashboard > BOSH Director > Security.

  3. Append the contents of the CA certificate you recorded in the previous step into Trusted Certificates.

  4. Click Save.

Enable TLS in Tanzu RabbitMQ

To enable TLS in the Tanzu RabbitMQ tile:

  1. Enable TLS by doing one of the following:
  2. Navigate to Ops Manager Installation Dashboard > Review Pending Changes.
  3. Ensure that the CA certificate is deployed to all VMs by selecting:
    • VMware Tanzu Application Service for VMs
    • VMware Tanzu RabbitMQ for VMs
    • The Upgrade All On-Demand Service Instances errand
  4. Click Apply Changes. This restarts all the VMs in your deployment and applies your CA certificate.