RabbitMQ Ciphers
The cipher algorithms that are utilized by RabbitMQ can be configured to meet customer requirements using the following steps:
- Navigate to the server that hosts the RabbitMQ service and stop the service.
- Navigate to the RabbitMQ configuration file, generally located at:
  C:\Program Files\SailPoint\RabbitMQ\data\rabbitmq.config
- Add a cipher section with the desired ciphers to both sections of the existing configuration file (the rabbitmq_management listener and rabbit).
OR
Replace the current configuration file with the following example script after updating its cipher sections with the desired ciphers.
Here is an example script:
[{rabbitmq_management,
  % Management listener over TLS on port 15671
  [{listener,
    [{ssl_opts,
      % Cipher suites, given as OpenSSL names
      [{ciphers, [
         "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384"
       ]},
       {keyfile,
        "C:/Program Files/SailPoint/RabbitMQ/certificates/key.pem"},
       {certfile,
        "C:/Program Files/SailPoint/RabbitMQ/certificates/rabbitmq.cer"},
       {cacertfile,
        "C:/Program Files/SailPoint/RabbitMQ/certificates/ca.cer"}]},
     {ssl,true},
     {port,15671}]}]},
 % TLS versions for the Erlang ssl application; this example still lists TLS 1.1 and 1.0 here
 {ssl, [{versions, ['tlsv1.2', 'tlsv1.1', tlsv1]}]},
 {rabbit,
  [
   % No plain TCP listeners; the broker listens over TLS only, on port 5671
   {tcp_listeners, []},
   {log,[{file,[{level,error}]}]},
   {ssl_options,
    [
     {versions, ['tlsv1.2']},
     % Cipher suites, given as OpenSSL names
     {ciphers, [
        "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384"
      ]},
     {keyfile,
      "C:/Program Files/SailPoint/RabbitMQ/certificates/key.pem"},
     {certfile,
      "C:/Program Files/SailPoint/RabbitMQ/certificates/rabbitmq.cer"},
     {cacertfile,
      "C:/Program Files/SailPoint/RabbitMQ/certificates/ca.cer"},
     % Client certificates are verified when presented but are not required
     {fail_if_no_peer_cert,false},
     {verify,verify_peer}]},
   {ssl_listeners,[5671]}]}].
Note: To find which ciphers are available, run the PowerShell command Get-TlsCipherSuite on the RabbitMQ machine. It returns a list of cipher suites by IANA name. Search for each name on the Ciphersuite Info site to find the corresponding OpenSSL name, which is the form the RabbitMQ configuration supports.
- Restart the RabbitMQ service.
Note: If the configuration file is not properly updated, the service will fail to start.
- Wait a few minutes and then log in to the Admin Client.
- Navigate to the Health Center > Infrastructure tab and verify that RabbitMQ is green.
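A pre-flight check for the edited file, to run before restarting the service, since a malformed file stops the service from starting. This is an added example, not SailPoint's or RabbitMQ's code: the function name Test-RabbitCipherConfig and the sample input are constructed, and it assumes the two cipher lists are meant to match, as they do in the example script above.

```powershell
# Added example: pre-flight lint for rabbitmq.config. Test-RabbitCipherConfig is a hypothetical name.
function Test-RabbitCipherConfig {
    param([Parameter(Mandatory)][string]$Text)
    $problems = @()
    # Blank out Erlang comments (% to end of line); assumes no % inside quoted strings.
    $body = ($Text -split "`r?`n" | ForEach-Object { $_ -replace '%.*$', '' }) -join "`n"

    # A comma directly before a closing ] or } makes the term file unparseable.
    foreach ($m in [regex]::Matches($body, ',\s*[\]\}]')) {
        $line = ($body.Substring(0, $m.Index) -split "`n").Count
        $problems += "line ${line}: trailing comma before a closing bracket"
    }

    # One {ciphers, [...]} list is expected in each section (management listener, rabbit).
    $lists = @([regex]::Matches($body, '\{\s*ciphers\s*,\s*\[([^\]]*)\]') | ForEach-Object {
        $names = [regex]::Matches($_.Groups[1].Value, '"([^"]*)"') | ForEach-Object { $_.Groups[1].Value }
        $names -join ','
    })
    if ($lists.Count -ne 2) {
        $problems += "expected 2 cipher lists, found $($lists.Count)"
    } elseif ($lists[0] -cne $lists[1]) {
        $problems += 'cipher lists differ between the two sections'
    }

    # IANA TLS 1.2 names look like TLS_..._WITH_...; the config takes OpenSSL names.
    $all = @(($lists -join ',') -split ',' | Where-Object { $_ } | Select-Object -Unique)
    foreach ($name in $all) {
        if ($name -cmatch '^TLS_.*_WITH_') { $problems += "'$name' is an IANA name, not an OpenSSL name" }
    }
    $problems
}

# Constructed sample with deliberate mistakes (not the page's file).
$sample = @'
[{rabbitmq_management,
  [{listener, [{ssl_opts, [{ciphers, ["ECDHE-RSA-AES256-GCM-SHA384"]}]}]}]},
 {rabbit,
  [{ssl_options, [{ciphers, ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  ]}]}]}].
'@
$found = @(Test-RabbitCipherConfig -Text $sample)
if ($found.Count) { $found | ForEach-Object { Write-Warning $_ } } else { 'No problems found.' }
```

To check the real file, pass `(Get-Content -Raw -LiteralPath 'C:\Program Files\SailPoint\RabbitMQ\data\rabbitmq.config')` as `-Text`.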