This topic tells you how to modify apps not written in Java or Spring to use TLS to secure their connection with VMware Tanzu RabbitMQ for Tanzu Application Service on-demand service instances.
NoteIf your app is written in Java or Spring, refer to Activate TLS for Java and Spring Apps. For other types of apps, use the procedures in this topic.
The prerequisites for the procedures in this topic are:
To start using TLS for apps that are not written in Java or Spring, you must modify your app to use the correct protocol. The exact steps vary between client libraries. Consult the documentation for your library for the necessary configuration.
The following examples use the ruby-amqp/bunny library in GitHub. In these examples, VCAP_SERVICES
is an environment variable available from the app.
To modify your app:
If the operator enabled TLS using a certificate from a trusted authority:
Use the code below.
require 'json'
require 'bunny'
vcap_services = JSON.parse(ENV['VCAP_SERVICES'])
uri = vcap_services['p.rabbitmq'][0]['credentials']['protocols']['amqp+ssl']['uri']
conn = Bunny.new(uri)
conn.start
If the operator used a self-signed CA certificate: Use the code below to configure the RabbitMQ client to use the same CA certificate, as well as a valid TLS certificate and key.
require 'json'
require 'bunny'
vcap_services = JSON.parse(ENV['VCAP_SERVICES'])
uri = vcap_services['p.rabbitmq'][0]['credentials']['protocols']['amqp+ssl']['uri']
conn = Bunny.new(uri, tls_cert: PATH-TO-CERTIFICATE, tls_key: PATH-TO-KEY, tls_ca_certificates: [PATH-TO-CA-CERTIFICATE])
conn.start
Where:
PATH-TO-CERTIFICATE
is the path to your TLS certificatePATH-TO-KEY
is the path to your TLS keyPATH-TO-CA-CERTIFICATE
is the path to the self-signed CA certificate the operator usedIf connecting to a service-gateway instance: Use the code below to configure the RabbitMQ client to verify the identity of the service instance.
require 'json'
require 'bunny'
service_key = JSON.load(File.open(PATH-TO-SERVICE-KEY-JSON))
uri = service_key['protocols']['amqp+ssl']['uri']
conn = Bunny.new(uri, tls: true, verify_peer: true, tls_ca_certificates: [PATH-TO-CA-CERTIFICATE])
conn.start
Where:
PATH-TO-SERVICE-KEY-JSON
is the path to the service key in JSONPATH-TO-CA-CERTIFICATE
is the path to the CA certificate which signed the RabbitMQ server certificateAfter modifying your app, re-push it with cf push
.
CautionAny apps using an existing service instance must be rebound after enabling TLS for the instance.
To rebind an app using an existing service instance:
Stop the app by running:
cf stop APP-NAME
Unbind the app from the service instance by running:
cf unbind-service APP-NAME SERVICE-INSTANCE-NAME
Re-bind the app to the service instance by running:
cf bind-service APP-NAME SERVICE-INSTANCE-NAME
Restage the app by running:
cf restage APP-NAME
Your app now communicates securely with the Tanzu RabbitMQ for Tanzu Application Service service instance.