RabbitMQ Ciphers

The cipher algorithms used by RabbitMQ can be configured to meet customer requirements using the following steps:

  1. Navigate to the server that is hosting the RabbitMQ service and stop the service.
  2. Navigate to the RabbitMQ configuration file, generally located at C:\Program Files\SailPoint\RabbitMQ\data\rabbitmq.config.
  3. Update the existing config file so that the cipher section in both sections (rabbitmq_management and rabbit) lists the desired ciphers.

    OR

  4. Use the following example script to replace the current config file after updating the cipher section with the desired ciphers.

Example Script:

    %% Management UI listener (HTTPS on port 15671).
    [{rabbitmq_management,
      [{listener,
        [{ssl_opts,
          %% No comma after the last list entry; a trailing comma is a syntax error.
          [{ciphers,
            ["ECDHE-ECDSA-AES256-GCM-SHA384",
             "ECDHE-RSA-AES256-GCM-SHA384"]},
           {keyfile,
            "C:/Program Files/SailPoint/RabbitMQ/certificates/key.pem"},
           {certfile,
            "C:/Program Files/SailPoint/RabbitMQ/certificates/rabbitmq.cer"},
           {cacertfile,
            "C:/Program Files/SailPoint/RabbitMQ/certificates/ca.cer"}]},
         {ssl, true},
         {port, 15671}]}]},
     %% Erlang ssl application defaults (TLS 1.2, 1.1 and 1.0 enabled here).
     {ssl, [{versions, ['tlsv1.2', 'tlsv1.1', tlsv1]}]},
     %% AMQP broker: TLS listener on 5671 only, plain TCP listeners disabled.
     {rabbit,
      [{tcp_listeners, []},
       {log, [{file, [{level, error}]}]},
       {ssl_options,
        [{versions, ['tlsv1.2']},
         {ciphers,
          ["ECDHE-ECDSA-AES256-GCM-SHA384",
           "ECDHE-RSA-AES256-GCM-SHA384"]},
         {keyfile,
          "C:/Program Files/SailPoint/RabbitMQ/certificates/key.pem"},
         {certfile,
          "C:/Program Files/SailPoint/RabbitMQ/certificates/rabbitmq.cer"},
         {cacertfile,
          "C:/Program Files/SailPoint/RabbitMQ/certificates/ca.cer"},
         %% Client certificates are verified when presented but not required.
         {fail_if_no_peer_cert, false},
         {verify, verify_peer}]},
       {ssl_listeners, [5671]}]}].

Note

To find which ciphers are available, run the PowerShell command Get-TlsCipherSuite on the RabbitMQ machine. This returns a list of cipher suites by IANA name. Search for each name on the Ciphersuite Info site to find the corresponding OpenSSL name, which is the form the RabbitMQ configuration supports.

  1. Restart the RabbitMQ service.

    Note

    If the configuration file is not properly updated, the service will fail to start.

  2. Wait a few minutes and then log in to the Admin Client.

  3. Navigate to the Health Center > Infrastructure tab and verify RabbitMQ is green.
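
Because a malformed file stops the service from starting, the edited rabbitmq.config can be checked before the restart step. The following is an added example, not SailPoint or RabbitMQ code: it flags trailing commas, unbalanced brackets, a missing final period, and cipher lists that are absent or differ between the ssl_opts and ssl_options sections. The names lint and SAMPLE and the message texts are chosen here, and it assumes the file uses only the term syntax shown in the example script.

```python
import re
# Structural tokens of an Erlang term file; strings and quoted atoms match whole.
TOKEN = re.compile(r'''(?P<skip>%[^\n]*|\s+)|(?P<str>"(?:\\.|[^"\\])*")
    |(?P<atom>'(?:\\.|[^'\\])*'|\w+)|(?P<open>[\[{])|(?P<close>[\]}])
    |(?P<comma>,)|(?P<dot>\.)|(?P<other>.)''', re.X | re.S)
PAIR = {"]": "[", "}": "{"}
SECTIONS = ("ssl_opts", "ssl_options")  # management listener, AMQP listener

def lint(text):
    """Return (problems, ciphers_by_section) for the text of rabbitmq.config."""
    problems, stack, ciphers = [], [], {}
    prev = section = collecting = None
    for m in TOKEN.finditer(text):
        kind, tok = m.lastgroup, m.group()
        if kind == "skip":
            continue
        line = text.count("\n", 0, m.start()) + 1
        if kind == "open":
            stack.append(tok)
        elif kind == "close":
            if prev == "comma":
                problems.append(f"line {line}: trailing comma before '{tok}'")
            if not stack or stack.pop() != PAIR[tok]:
                problems.append(f"line {line}: unmatched '{tok}'")
            if tok == "]":
                collecting = None  # end of the current cipher list
        elif kind == "atom" and tok in SECTIONS:
            section = tok
        elif kind == "atom" and tok == "ciphers" and section:
            collecting = ciphers.setdefault(section, [])
        elif kind == "str" and collecting is not None:
            collecting.append(tok.strip('"'))
        prev = kind
    if stack:
        problems.append(f"{len(stack)} bracket(s) never closed")
    if prev != "dot":
        problems.append("file does not end with '.'")
    problems += [f"no ciphers listed under {s}" for s in SECTIONS if not ciphers.get(s)]
    if len({tuple(v) for v in ciphers.values()}) > 1:
        problems.append("cipher lists differ between the two sections")
    return problems, ciphers

# Constructed sample: cut-down config with a trailing comma in one cipher list.
SAMPLE = '''[{rabbitmq_management, [{listener, [{ssl_opts, [
  {ciphers, ["ECDHE-RSA-AES256-GCM-SHA384",
  ]}]}]}]},
 {rabbit, [{ssl_options, [{ciphers, ["ECDHE-RSA-AES256-GCM-SHA384"]}]}]}].
'''
if __name__ == "__main__": print(lint(SAMPLE)[0])
```

To check a real file, pass its contents to lint and restart the service only when the returned problem list is empty.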