Broker Security (RabbitMQ)

Cloudify uses RabbitMQ as its broker, and supports configurable security.

Authentication

When installing, the Cloudify Manager must be provided with credentials for RabbitMQ. These will use default values if not overridden in the inputs.

Username

It is suggested that you change the username to something other than the default. It is recommended that you use only upper and lower case letters and numbers for the username.

The username can be set using the rabbitmq_username input to the manager blueprint.

Password

It is recommended that you set the password to something strong that is known only to those who are authorized.

It is recommended that the password is comprised of only ASCII characters, excluding quotes, line feeds, and dollar signs, as these may cause the password to be set incorrectly during the installation.

The password should be set using the rabbitmq_password input to the manager blueprint.

With external broker

If you are using an external broker you must have correctly configured the user on the external RabbitMQ broker. This user must have full permissions on the root (/) vhost.

No changes of configuration of the external broker will be performed during the installation.

Network Encryption

Communications with the broker can be secured (with some exceptions, see below) using SSL/TLS.

A certificate from a certificate authority is not required, as the provided public certificates will be ‘pinned’ (they will be the only certificates valid for connections to the broker).

Currently you will likely need to create the manager with a specified IP in order to appropriately create the certificate- see instructions for generating the certificate, below.

Generating a certificate

If you wish to generate a self-signed certificate, you can do so using the following command (assuming a manager IP of 192.0.2.10, command tested on Ubuntu Linux 14.04):

MANAGER_ADDRESS=192.0.2.10
openssl req -x509 -newkey rsa:2048 -sha256 -keyout private.key -out public.crt -days 1825 -nodes -subj "/CN=${MANAGER_ADDRESS} /subjectAltName=IP:127.0.0.1,DNS:localhost,IP:${MANAGER_ADDRESS}"

Note also that:

Using a certificate to secure broker communications

Once you have public and private certificates you will need to provide the following inputs to the manager blueprint:

rabbitmq_ssl_enabled: true
rabbitmq_cert_public: |
  -----BEGIN CERTIFICATE-----
  ... contents of PEM formatted public certificate- public.crt if using the key generation command listed above ...
  -----END CERTIFICATE-----
rabbitmq_cert_private: |
  -----BEGIN PRIVATE KEY-----
  ... contents of PEM formatted private key- private.key if using the key generation command listed above ...
  -----END PRIVATE KEY-----

Note the pipe followed by the indented, full PEM certificate including the BEGIN and END lines.

Once you have provided the certificate and completed the installation you should ensure that the private key (including the copy in the inputs file) is appropriately secured.

Using an External Broker

If you are using an external broker, you must have correctly configured the SSL/TLS on port 5671 on the broker with the appropriate private key. It must also listen on the standard unsecured port (5672).

Using an external broker reduces communications security due to some exceptions to the encryption - see below, which results in RabbitMQ credentials being transmitted insecurely over the network.

Do not provide the rabbitmq_cert_private input if you are using an external broker, however you must still specify the rabbitmq_ssl_enabled input as shown above.

No changes to the configuration of the external broker are performed during the installation process.

RabbitMQ SSL and TLS Exceptions

Several components are not currently secured via SSL (though password authentication will still apply). These components are only used internally to the Manager.

The unsecured components are:

All external communications (meaning those with agents that are deployed on compute nodes) are encrypted.