Enable TLS communication in RabbitMQ
To enable TLS you must manually configure the port used by the TLS listener, the server certificate, and its private key.
Note: To generate certificates and keys, follow the recommendations provided in the TLS Support page of the official RabbitMQ documentation. Keep the private key file readable only by the account that runs the RabbitMQ service.
To enable TLS communication, do the following:
- Open the %ALLUSERSPROFILE%\RabbitMQ\advanced.config configuration file.
  Note: If they do not exist, create the RabbitMQ folder and the advanced.config file.
- Add the following lines (advanced.config uses Erlang term syntax, so the trailing period is required):

    [
      {rabbit, [
        {tcp_listeners, []},
        {ssl_listeners, [5671]},
        {ssl_options, [
          {certfile, "C:\\path\\to\\server\\cert.pem"},
          {keyfile,  "C:\\path\\to\\server\\key.pem"}
        ]}
      ]}
    ].

  Replace the two paths with the location of your server certificate and its private key. Backslashes in the paths must be doubled because the values are Erlang strings.
This configuration does the following:
- Disables all non-TLS listeners (tcp_listeners is set to an empty list).
  Note: You must also ensure that the RABBITMQ_NODE_PORT environment variable is not set, otherwise RabbitMQ still starts a plain (non-TLS) listener on that port and this setting has no effect.
- Creates a TLS listener on port 5671 (ssl_listeners).
- Configures the certificate and private key to be used by the TLS listener (ssl_options). As written, the listener presents the server certificate to clients but does not request or verify client certificates.
To apply these settings, do the following:
- In the Configuration Tool, open the Cache tab.
- Set the Port parameter to the same port as in the configuration file (in the example above, the Port value would be 5671).
- Click "Create/Upgrade Service".
Alternatively, check Install and configure RabbitMQ using the command-line for more information on how to apply the settings from the command line.
Configuring the certificate canonical name
If the canonical name in the certificate (the host name the certificate was issued to) does not match the host name of the machine running the RabbitMQ service, TLS host name verification fails and you must manually configure a parameter in the server.hsconf file.
Do the following:
- Open the server.hsconf file and check if there is a section named CacheInvalidationConfiguration in the file.
  If the section does not exist, you can add it automatically by doing the following:
  - Open the Configuration Tool.
  - Open the Cache tab and fill in the configuration values for the RabbitMQ service.
  - Close the Configuration Tool and, in the "Configuration changed" dialog box, confirm that you wish to save your changes by clicking "Yes".
  The CacheInvalidationConfiguration section should now exist in server.hsconf.
- In server.hsconf, set the value of the TlsServerCanonicalName parameter in the CacheInvalidationConfiguration section to the certificate canonical name.
- Open the Configuration Tool and click "Apply and Exit" to apply the new setting.
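The following PowerShell script is an added verification example, not part of this documentation or of the RabbitMQ or OutSystems projects. It checks the outcome of the two procedures above on the machine running the service: that RABBITMQ_NODE_PORT is not set, that advanced.config declares ssl_listeners, that the plain AMQP port refuses connections, and that the TLS listener completes a handshake. It then prints the names in the certificate the listener presents, which is exactly what you need to decide whether TlsServerCanonicalName must be set in server.hsconf. The port numbers 5671 (from the example above) and 5672 (RabbitMQ's default plain AMQP port) are assumptions you can override with the parameters; the chain check uses the local machine's trust store. The DnsNameList property is PowerShell's type extension on X509Certificate2 and is available in Windows PowerShell 3.0 and later.

```powershell
# Added example (not from the original page): verify the RabbitMQ TLS listener
# and inspect the certificate it presents. Run on the machine hosting RabbitMQ.
param(
    [string]$RabbitHost = [System.Net.Dns]::GetHostName(),   # assumed: service runs locally
    [int]$TlsPort = 5671,                                     # value from the advanced.config example
    [int]$PlainPort = 5672                                    # assumed: RabbitMQ default plain AMQP port
)

$ErrorActionPreference = 'Stop'

# 1. RABBITMQ_NODE_PORT re-enables the plain listener regardless of tcp_listeners,
#    so it must be absent at machine scope (the scope the Windows service reads).
$nodePort = [Environment]::GetEnvironmentVariable('RABBITMQ_NODE_PORT', 'Machine')
if ($nodePort) {
    Write-Warning "RABBITMQ_NODE_PORT is set to '$nodePort'; the plain listener will stay open."
} else {
    Write-Host "OK: RABBITMQ_NODE_PORT is not set."
}

# 2. The advanced.config file from the procedure must exist and declare ssl_listeners.
$configPath = Join-Path $env:ALLUSERSPROFILE 'RabbitMQ\advanced.config'
if (-not (Test-Path $configPath)) {
    Write-Warning "$configPath not found."
} elseif ((Get-Content $configPath -Raw) -notmatch 'ssl_listeners') {
    Write-Warning "$configPath does not define ssl_listeners."
} else {
    Write-Host "OK: $configPath defines ssl_listeners."
}

function Test-TcpPort([string]$TargetHost, [int]$Port) {
    # Returns $true when a TCP connection to the port succeeds.
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($TargetHost, $Port); $true } catch { $false } finally { $client.Close() }
}

# 3. With tcp_listeners set to [] the plain port must refuse connections.
if (Test-TcpPort $RabbitHost $PlainPort) {
    Write-Warning "Plain AMQP port $PlainPort still accepts connections; check tcp_listeners and RABBITMQ_NODE_PORT."
} else {
    Write-Host "OK: plain AMQP port $PlainPort is closed."
}

# 4. Handshake with the TLS listener. The callback accepts any certificate so that the
#    certificate can be read and reported; trust and name checks are done explicitly below.
$client = New-Object System.Net.Sockets.TcpClient($RabbitHost, $TlsPort)
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($RabbitHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "OK: $($ssl.SslProtocol) handshake with ${RabbitHost}:$TlsPort"
    Write-Host "Certificate subject  : $($cert.Subject)"

    # Names the certificate is valid for (subject alternative names as parsed by PowerShell).
    $dnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    Write-Host "Certificate DNS names: $($dnsNames -join ', ')"

    # Chain validation against this machine's trust store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if ($chain.Build($cert)) {
        Write-Host "OK: certificate chains to a trusted root."
    } else {
        Write-Warning ("Chain errors: " + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '))
    }

    # Host name match. A mismatch is the case the second procedure above addresses:
    # TlsServerCanonicalName in server.hsconf must then be set to one of the names above.
    if ($dnsNames -contains $RabbitHost) {
        Write-Host "OK: certificate name matches host name '$RabbitHost'."
    } else {
        Write-Warning "'$RabbitHost' is not among the certificate names; set TlsServerCanonicalName to one of them."
    }
} finally {
    $ssl.Dispose()
    $client.Close()
}
```

Run it after "Create/Upgrade Service" has restarted the RabbitMQ service. Warnings for steps 1 and 3 mean the plain listener is still reachable, so the node is not TLS-only yet; a warning in the last check names the value to put in TlsServerCanonicalName.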