This topic tells you how to modify apps not written in Java or Spring to use TLS to secure their connection with VMware Tanzu RabbitMQ for Tanzu Application Service on-demand service instances.

Note If your app is written in Java or Spring, see Activate TLS for Java and Spring Apps. For other types of apps, use the procedures in this topic.

Prerequisites

The prerequisites for the procedures in this topic are:

• The operator must complete these procedures in this order:
  1. Provide or Generate a CA Certificate
  2. Configure Security
• The developer must complete the procedures in Enable TLS for Your Service Instance.

Modify Your App for TLS

To start using TLS for apps that are not written in Java or Spring, you must modify your app to use the correct protocol. The exact steps vary between client libraries. Consult the documentation for your library for the necessary configuration.

The following examples use the ruby-amqp/bunny library in GitHub. In these examples, VCAP_SERVICES is an environment variable available from the app.

To modify your app:

• If the operator enabled TLS using a certificate from a trusted authority:
  Use the code below.

  require 'json'
  require 'bunny'
  
  vcap_services = JSON.parse(ENV['VCAP_SERVICES'])
  uri = vcap_services['p.rabbitmq'][0]['credentials']['protocols']['amqp+ssl']['uri']
  conn = Bunny.new(uri)
  conn.start
  

• If the operator used a self-signed CA certificate: Use the code below to configure the RabbitMQ client to use the same CA certificate, as well as a valid TLS certificate and key.

  require 'json'
  require 'bunny'
  
  vcap_services = JSON.parse(ENV['VCAP_SERVICES'])
  uri = vcap_services['p.rabbitmq'][0]['credentials']['protocols']['amqp+ssl']['uri']
  conn = Bunny.new(uri, tls_cert: PATH-TO-CERTIFICATE, tls_key: PATH-TO-KEY, tls_ca_certificates: [PATH-TO-CA-CERTIFICATE])
  conn.start
  

  Where:

  • PATH-TO-CERTIFICATE is the path to your TLS certificate
  • PATH-TO-KEY is the path to your TLS key
  • PATH-TO-CA-CERTIFICATE is the path to the self-signed CA certificate the operator used

• If connecting to a service-gateway instance: Use the code below to configure the RabbitMQ client to verify the identity of the service instance.

  require 'json'
  require 'bunny'
  
  service_key = JSON.load(File.open(PATH-TO-SERVICE-KEY-JSON))
  uri = service_key['protocols']['amqp+ssl']['uri']
  conn = Bunny.new(uri, tls: true, verify_peer: true, tls_ca_certificates: [PATH-TO-CA-CERTIFICATE])
  conn.start
  

  Where:

  • PATH-TO-SERVICE-KEY-JSON is the path to the service key in JSON
  • PATH-TO-CA-CERTIFICATE is the path to the CA certificate which signed the RabbitMQ server certificate

Re-push or Rebind Your App

After modifying your app, re-push it with cf push.

Caution Any apps using an existing service instance must be rebound after enabling TLS for the instance.

To rebind an app using an existing service instance:

1. Stop the app by running:

   cf stop APP-NAME
   

2. Unbind the app from the service instance by running:

   cf unbind-service APP-NAME SERVICE-INSTANCE-NAME
   

3. Re-bind the app to the service instance by running:

   cf bind-service APP-NAME SERVICE-INSTANCE-NAME
   

4. Restage the app by running:

   cf restage APP-NAME
   

Your app now communicates securely with the Tanzu RabbitMQ for Tanzu Application Service service instance.