2.4. Prerequisite Message Broker

If you are deploying a full OpenStack cloud service, you will need to set up a working message broker for the following OpenStack components:
  • Block Storage
  • Compute
  • Networking
  • Orchestration
For Red Hat Enterprise Linux OpenStack Platform 5, the default message broker is RabbitMQ.

2.4.1. Configure the Firewall for Message Broker Traffic

Before installing and configuring the message broker, you must allow incoming connections on the port it will use. The default port for message broker (AMQP) traffic is 5672. If you intend to enable SSL on the broker (Section 2.4.2.2), the SSL listener uses port 5671 by default; open that port in the same way.
To allow this, the firewall must be altered to allow network traffic on the required port. All steps must be run while logged in to the server as the root user.

Procedure 2.11. Configuring the firewall for message broker traffic (for Red Hat Enterprise Linux 6-based systems)

  1. Open the /etc/sysconfig/iptables file in a text editor.
  2. Add an INPUT rule allowing incoming connections on port 5672 to the file. The new rule must appear before any INPUT rules that REJECT traffic.
    -A INPUT -p tcp -m tcp --dport 5672  -j ACCEPT
  3. Save the changes to the /etc/sysconfig/iptables file.
  4. Restart the iptables service for the firewall changes to take effect.
    # service iptables restart

Procedure 2.12. Configuring the firewall for message broker traffic (for Red Hat Enterprise Linux 7-based systems)

  1. Add a rule allowing incoming connections on port 5672:
    # firewall-cmd --permanent --add-port=5672/tcp
  2. For the change to take immediate effect, add the rule to the runtime mode:
    # firewall-cmd --add-port=5672/tcp
The firewall is now configured to allow incoming connections to the message broker service on port 5672. Note that the iptables rule in Procedure 2.11 applies to IPv4 only; on Red Hat Enterprise Linux 6, IPv6 traffic is filtered separately by the ip6tables service, so check that configuration as well. On Red Hat Enterprise Linux 7, firewalld applies the rule to both IPv4 and IPv6.
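The rule ordering in Procedure 2.11 is easy to get wrong: an ACCEPT placed after the default REJECT in the INPUT chain is never reached. The following script is an added example, not part of the Red Hat guide, that checks a rule listing offline for both the Red Hat Enterprise Linux 6 (iptables-save format) and Red Hat Enterprise Linux 7 (firewall-cmd --list-ports output) cases. The sample rule sets embedded in it are constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: offline checks for the
# firewall rules in Section 2.4.1. Both functions take the rule listing as
# a string argument, so they can be run against iptables-save output on a
# live system or against a saved copy of /etc/sysconfig/iptables.

# check_iptables_input RULES PORT  (Red Hat Enterprise Linux 6)
# Succeeds only if an "-A INPUT ... --dport PORT ... -j ACCEPT" rule appears
# before any INPUT rule that REJECTs or DROPs, which is what Procedure 2.11
# requires; an ACCEPT placed after the catch-all REJECT is never reached.
check_iptables_input() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^-A INPUT/ {
            if (!accept && $0 ~ ("--dport " port "([^0-9]|$)") && $0 ~ /-j ACCEPT/) accept = NR
            if (!accept && $0 ~ /-j (REJECT|DROP)/) blocked = 1
        }
        END { if (accept && !blocked) exit 0; exit 1 }'
}

# check_firewalld_ports PORTS PORT  (Red Hat Enterprise Linux 7)
# PORTS is the output of "firewall-cmd --list-ports", e.g. "5672/tcp 5671/tcp".
check_firewalld_ports() {
    for p in $1; do
        [ "$p" = "$2/tcp" ] && return 0
    done
    return 1
}

# Constructed sample rule sets in iptables-save format (not captured from a
# real host). The second one has the ACCEPT after the default REJECT.
GOOD_RULES='-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5672  -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
BAD_RULES='-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 5672  -j ACCEPT'

# On the broker host itself you would run instead:
#   check_iptables_input "$(iptables-save)" 5672                # RHEL 6
#   check_firewalld_ports "$(firewall-cmd --list-ports)" 5672   # RHEL 7
if [ "${1:-}" = "--demo" ]; then
    check_iptables_input "$GOOD_RULES" 5672 && echo "sample 1: ACCEPT for 5672 precedes REJECT"
    check_iptables_input "$BAD_RULES" 5672 || echo "sample 2: ACCEPT for 5672 is shadowed by REJECT"
fi
```

Run it with `--demo` to see both verdicts on the constructed samples; on a broker host, pass the live listings as shown in the comments. The iptables check deliberately treats any earlier REJECT or DROP in INPUT as shadowing, matching the guide's requirement that the new rule precede all REJECT rules.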

2.4.2. Install and Configure the RabbitMQ Message Broker

As of Red Hat Enterprise Linux OpenStack Platform 5, RabbitMQ replaces Qpid as the default (and recommended) message broker. The RabbitMQ messaging service is provided by the rabbitmq-server package.
To install RabbitMQ, run:
# yum install rabbitmq-server

Important

When installing the rabbitmq-server package, a guest user with a default guest password will automatically be created for the RabbitMQ service. Red Hat strongly advises that you change this default password. RabbitMQ listens on all addresses by default, and the iptables rules from Section 2.4.1 (Red Hat Enterprise Linux 6) cover IPv4 only, so on a host with IPv6 connectivity the broker may be reachable from outside the network unless IPv6 traffic is filtered too.
You can change the guest password once the rabbitmq-server service is running. See Section 2.4.2.1, “Launch the RabbitMQ Message Broker” for details.

2.4.2.1. Launch the RabbitMQ Message Broker

After installing the RabbitMQ message broker and configuring the firewall to accept message broker traffic, launch the rabbitmq-server service and configure it to launch on boot:
For Red Hat Enterprise Linux 6 systems, use the service and chkconfig commands to start and enable the rabbitmq-server service
# service rabbitmq-server start
# chkconfig rabbitmq-server on
For Red Hat Enterprise Linux 7 systems, use the systemctl command to start and enable the rabbitmq-server service
# systemctl start rabbitmq-server.service
# systemctl enable rabbitmq-server

Important

Now that the service is running, change the default password of the guest account described in Section 2.4.2:
# rabbitmqctl change_password guest NEW_RABBITMQ_PASS
Replace NEW_RABBITMQ_PASS with a more secure password. None of the OpenStack services use the guest account, so once the service accounts below exist you can also delete it rather than keep it with a password. Passwords given to rabbitmqctl are passed on the command line, so they are briefly visible in the process list and are saved in the root shell's history.
After launching RabbitMQ and changing the default password of the guest user, create a RabbitMQ user account for the Block Storage, Compute, Networking, and Orchestration services:
# rabbitmqctl add_user cinder CINDER_PASS
# rabbitmqctl add_user nova NOVA_PASS
# rabbitmqctl add_user neutron NEUTRON_PASS
# rabbitmqctl add_user heat HEAT_PASS
Replace CINDER_PASS, NOVA_PASS, NEUTRON_PASS, and HEAT_PASS with secure passwords for the Block Storage, Compute, Networking, and Orchestration services, respectively.
Next, grant each of these RabbitMQ users permissions. The three patterns are the configure, write, and read permissions on the default virtual host "/", and ".*" grants full access to every resource there, which is what the OpenStack services expect:
# rabbitmqctl set_permissions cinder ".*" ".*" ".*"
# rabbitmqctl set_permissions nova ".*" ".*" ".*"
# rabbitmqctl set_permissions neutron ".*" ".*" ".*"
# rabbitmqctl set_permissions heat ".*" ".*" ".*"
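The account setup above is four add_user calls, four set_permissions calls, and a guest password change that are easy to skip or mistype. The script below is an added example, not part of the Red Hat guide, that does the same work with generated passwords, removes the guest account instead of keeping it, and audits `rabbitmqctl list_users` output afterwards. It assumes rabbitmqctl is on PATH and the services use the default vhost "/"; the RABBITMQCTL variable, gen_pass and the audit functions are this example's own conventions, and the list_users samples in the usage notes are constructed.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: create the per-service
# RabbitMQ accounts from Section 2.4.2.1 with generated passwords, remove
# the packaged guest account, and audit "rabbitmqctl list_users" output.
# Assumes rabbitmqctl is on PATH and the services use the default vhost "/".
# Set RABBITMQCTL="echo rabbitmqctl" to print the commands instead of
# running them.
RABBITMQCTL=${RABBITMQCTL:-rabbitmqctl}

# gen_pass: 32 random characters from [A-Za-z0-9], read from /dev/urandom.
gen_pass() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# bootstrap_users SERVICE...: for each service, add a user with a fresh
# password and grant full configure/write/read permissions on "/", as the
# guide does with ".*" ".*" ".*"; then delete guest, which no OpenStack
# service uses. Prints one SERVICE=PASSWORD line per user on stdout so the
# passwords can be copied into each service's configuration; rabbitmqctl's
# own chatter goes to stderr. rabbitmqctl only accepts passwords as
# command-line arguments, so they are briefly visible in the process list.
bootstrap_users() {
    for svc in "$@"; do
        pw=$(gen_pass)
        $RABBITMQCTL add_user "$svc" "$pw" >&2
        $RABBITMQCTL set_permissions -p / "$svc" '.*' '.*' '.*' >&2
        printf '%s=%s\n' "$svc" "$pw"
    done
    $RABBITMQCTL delete_user guest >&2
}

# has_user LIST_USERS_OUTPUT NAME: true if NAME appears in the tab-separated
# "user<TAB>[tags]" lines that "rabbitmqctl list_users" prints.
has_user() {
    tab=$(printf '\t')
    printf '%s\n' "$1" | awk -F "$tab" -v u="$2" \
        '$1 == u { found = 1 } END { if (found) exit 0; exit 1 }'
}

# audit_users LIST_USERS_OUTPUT SERVICE...: fails if guest still exists or
# any expected service user is missing.
audit_users() {
    out=$1; shift; rc=0
    if has_user "$out" guest; then
        echo "audit: default guest account still exists" >&2; rc=1
    fi
    for svc in "$@"; do
        has_user "$out" "$svc" || { echo "audit: missing user $svc" >&2; rc=1; }
    done
    return $rc
}

# Typical use on the broker host (replaces, or follows, the guest password
# change; keep the password file readable by root only):
#   bootstrap_users cinder nova neutron heat > /root/rabbitmq-passwords.txt
#   chmod 600 /root/rabbitmq-passwords.txt
#   audit_users "$(rabbitmqctl list_users)" cinder nova neutron heat
```

Deleting guest is stricter than changing its password and is the safer default for a broker that only OpenStack services talk to; if something in your environment does rely on guest, drop the delete_user line and keep the change_password step from the procedure instead.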

2.4.2.2. Enable SSL on the RabbitMQ Message Broker

The RabbitMQ message broker features built-in support for SSL, which you can use to secure traffic. You can configure SSL on RabbitMQ through the /etc/rabbitmq/rabbitmq.config configuration file. Before doing so, you will first need to create the certificates required for SSL communication.
The following procedure demonstrates how to create the necessary certificates using certutil.

Procedure 2.13. Creating and adding the certificates required for SSL communication

  1. Create a directory in which to store the required certificates, and restrict it to root before anything is written into it:
    # mkdir /etc/pki/rabbitmq
    # chmod 700 /etc/pki/rabbitmq
  2. Choose a secure certificate password and store it in a file within /etc/pki/rabbitmq:
    # echo SSL_RABBITMQ_PW > /etc/pki/rabbitmq/certpw
    Replace SSL_RABBITMQ_PW with the certificate password you wish to use. This password protects the certificate database created in step 4 and is required by every later certutil and pk12util command that accesses it. Because the password is typed on the command line, it is saved in the root shell's history; consider clearing it from the history afterwards.
  3. Set the necessary file mode bits of the password file so that only root can read it:
    # chmod 600 /etc/pki/rabbitmq/certpw
  4. Create the certificate database files (*.db) in /etc/pki/rabbitmq, using the password in /etc/pki/rabbitmq/certpw:
    # certutil -N -d /etc/pki/rabbitmq -f /etc/pki/rabbitmq/certpw
  5. For a production environment, it is recommended that you use a reputable third-party Certificate Authority (CA) to sign your certificates. A third-party CA will require a Certificate Signing Request (CSR), which you can create by running:
    # certutil -R -d /etc/pki/rabbitmq -s "CN=RABBITMQ_HOST" \
     -a -f /etc/pki/rabbitmq/certpw > RABBITMQ_HOST.csr
    Replace RABBITMQ_HOST with the hostname (or IP address) that clients will use to connect to the RabbitMQ message broker; clients verify the certificate against that name. This command produces a CSR named RABBITMQ_HOST.csr and generates the corresponding private key into the certificate database in /etc/pki/rabbitmq. The key is not written to a separate file; Section 2.4.2.3 shows how to export it, together with the signed certificate, as the PEM files that the RabbitMQ SSL configuration needs.

    Note

    Some CAs may require additional values other than "CN=RABBITMQ_HOST".
  6. Provide RABBITMQ_HOST.csr to your third-party CA for signing. Your CA should provide you with a signed certificate (server.crt) and a CA file (ca.crt). Add these files to your certificate database:
    # certutil -A -d /etc/pki/rabbitmq -n RABBITMQ_HOST -f /etc/pki/rabbitmq/certpw \
     -t u,u,u -a -i /path/to/server.crt
    # certutil -A -d /etc/pki/rabbitmq -n "Your CA certificate" \
     -f /etc/pki/rabbitmq/certpw -t CT,C,C -a -i /path/to/ca.crt
Alternatively, you can also create a self-signed certificate and key if you do not have a Certificate Authority. To do so, run:
# certutil -S -d /etc/pki/rabbitmq -n RABBITMQ_HOST -s "CN=RABBITMQ_HOST" \
 -t "CT,," -x -g 2048 -v 12 -f /etc/pki/rabbitmq/certpw -z /usr/bin/certutil
The -x option self-signs the certificate, -t "CT,," marks it as a trusted CA for SSL, -g sets the RSA key size in bits, and -v sets the validity in months (certutil's default is only three months, after which the broker's certificate expires and clients stop connecting). The -z option names a file whose contents are mixed into the key-generation noise; a public file such as /usr/bin/certutil adds no secret entropy, so treat it as a convenience rather than a security measure. As with the CSR, the private key is stored in the certificate database and is exported as described in Section 2.4.2.3.
After creating the required certificates and key file, you can now configure the RabbitMQ message broker to use those certificates for secure communications. The three paths must point to PEM files: the CA certificate, the broker certificate, and the broker's private key without a passphrase (see Section 2.4.2.3 for exporting them from the certificate database). Add the following section to the /etc/rabbitmq/rabbitmq.config configuration file and restart the rabbitmq-server service. The plain-text listener on port 5672 stays enabled alongside the SSL listener on port 5671, which must also be opened in the firewall (Section 2.4.1); once every client has been switched to SSL, the plain-text listener can be disabled by setting tcp_listeners to an empty list.
[
  {rabbit, [
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"/path/to/ca.crt"},
                    {certfile,"/path/to/server.crt"},
                    {keyfile,"/path/to/keyfile.key"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false}]}
   ]}
].

Note

If you are using a self-signed certificate, there is no separate CA file; omit the following line:
{cacertfile,"/path/to/ca.crt"},
With verify set to verify_peer and fail_if_no_peer_cert set to false, the broker asks clients for a certificate but still accepts connections from clients that do not present one.

2.4.2.3. Export an SSL Certificate for Clients

When SSL is enabled on the broker, clients need the certificate of the CA that signed the broker certificate (or the self-signed broker certificate itself) to verify the connection. They do not need the broker's private key, which must stay on the broker host.
The certificate database in /etc/pki/rabbitmq also holds the broker's private key, and the PEM files referenced from rabbitmq.config are obtained by exporting from it. The following example commands export a certificate and its private key to a PKCS#12 file and then convert that file to PEM:
# pk12util -o <p12exportfile> -n <certname> -d <certdir> -k <certpwfile> -w <p12filepwfile>
# openssl pkcs12 -in <p12exportfile> -out <clcertname> -nodes -clcerts -passin file:<p12filepwfile>
Here <certdir> is /etc/pki/rabbitmq, <certpwfile> is the database password file (/etc/pki/rabbitmq/certpw), <certname> is the nickname given to the certificate when it was added or created (RABBITMQ_HOST above), and <p12filepwfile> holds the password for the exported PKCS#12 file. The -nodes option writes the private key unencrypted, which is what RabbitMQ requires for keyfile; protect the output with chmod 600. Reading the PKCS#12 password from a file rather than passing it as -passin pass:<p12pw> keeps it out of the process list and shell history. To hand only the certificate to clients, run openssl pkcs12 with -nokeys instead of -nodes, or copy just the certificate block out of the PEM output.
For more information on SSL commands and options, refer to the OpenSSL Documentation. On Red Hat Enterprise Linux type: man openssl.
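Two things go wrong most often after Sections 2.4.2.2 and 2.4.2.3: the exported key is still passphrase-protected or world-readable, and the plain-text listener is left running next to the SSL one. The script below is an added example, not part of the Red Hat guide, that writes an SSL-only variant of the rabbitmq.config fragment and checks the key and configuration before the service is restarted. The file paths, the helper names and the smoke-test function are this example's own; the key and certificate files created in the usage notes are constructed stand-ins, not real key material.

```shell
#!/bin/sh
# Added example, not part of the Red Hat guide: checks for the TLS setup in
# Sections 2.4.2.2 and 2.4.2.3. File paths are assumptions for illustration;
# use the PEM files you exported from /etc/pki/rabbitmq.

# check_pem_key FILE: RabbitMQ loads keyfile through Erlang's ssl library,
# which needs an unencrypted PEM private key; the file should be readable by
# root only. Fails if FILE is missing, wider than 0600, not PEM, or
# passphrase-protected.
check_pem_key() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    mode=$(ls -l "$f" | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) ;;
        *) echo "$f: mode $mode is too permissive, want 0600" >&2; return 1 ;;
    esac
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" \
        || { echo "$f: not a PEM private key" >&2; return 1; }
    if grep -q -e 'ENCRYPTED' "$f"; then
        echo "$f: key is passphrase-protected; re-export with 'openssl pkcs12 -nodes'" >&2
        return 1
    fi
    return 0
}

# write_tls_only_config OUT CACERT CERT KEY: writes the rabbit section from
# Section 2.4.2.2 with the plaintext listener disabled, so only 5671/TLS
# is served. Open 5671 in the firewall (Section 2.4.1) before restarting.
write_tls_only_config() {
    cat > "$1" <<EOF
[
  {rabbit, [
     {tcp_listeners, []},
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"$2"},
                    {certfile,"$3"},
                    {keyfile,"$4"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false}]}
   ]}
].
EOF
}

# check_tls_config CONFIG: verifies that CONFIG defines an SSL listener,
# disables the plaintext tcp_listeners, that every cacertfile/certfile path
# it names exists, and that every keyfile passes check_pem_key.
check_tls_config() {
    cfg=$1; rc=0
    grep -q 'ssl_listeners' "$cfg" || { echo "$cfg: no ssl_listeners" >&2; rc=1; }
    grep -q 'tcp_listeners, *\[\]' "$cfg" \
        || { echo "$cfg: plaintext listener still enabled" >&2; rc=1; }
    for p in $(sed -n 's/.*{[a-z]*certfile,"\([^"]*\)"}.*/\1/p' "$cfg"); do
        [ -f "$p" ] || { echo "$cfg: missing certificate file $p" >&2; rc=1; }
    done
    for p in $(sed -n 's/.*{keyfile,"\([^"]*\)"}.*/\1/p' "$cfg"); do
        check_pem_key "$p" || rc=1
    done
    return $rc
}

# tls_smoke_test HOST CACERT: from a client host, confirm the broker's TLS
# listener answers and its certificate chains to CACERT (needs network; not
# part of the offline checks).
tls_smoke_test() {
    openssl s_client -connect "$1:5671" -CAfile "$2" </dev/null 2>&1 \
        | grep -q 'Verify return code: 0 (ok)'
}

# Typical use on the broker host (paths are illustrative):
#   write_tls_only_config /etc/rabbitmq/rabbitmq.config \
#       /etc/pki/rabbitmq/ca.crt /etc/pki/rabbitmq/server.crt /etc/pki/rabbitmq/server.key
#   check_tls_config /etc/rabbitmq/rabbitmq.config && service rabbitmq-server restart
# and from a client: tls_smoke_test RABBITMQ_HOST ca.crt && echo "TLS OK"
```

If you are still migrating clients, keep the guide's original fragment (without the empty tcp_listeners entry) and run only check_pem_key and tls_smoke_test; check_tls_config will report the plain-text listener as enabled until you switch it off.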