Red Hat Training

A Red Hat training course is available for Red Hat OpenStack Platform

2.3. Install the Message Broker

If you are deploying a full Red Hat OpenStack Platform environment, you must set up a working message broker for the following OpenStack components:
  • Block Storage service
  • Compute service
  • OpenStack Networking
  • Orchestration service
  • Image service
  • Telemetry service

2.3.1. Install the RabbitMQ Message Broker Package

RabbitMQ is the default (and recommended) message broker. The RabbitMQ messaging service is provided by the rabbitmq-server package.
Install RabbitMQ:
# yum install rabbitmq-server

2.3.2. Configure the Firewall for Message Broker Traffic

Before installing and configuring the message broker, allow incoming connections on the port it will use. The default port for message broker (AMQP) traffic is 5672. All steps in this procedure must be performed on the server hosting the messaging service, while logged in as the root user.

Procedure 2.8. Configuring the Firewall for Message Broker Traffic

  1. Open the /etc/sysconfig/iptables file in a text editor.
  2. Add an INPUT rule allowing incoming connections on port 5672. The new rule must appear before any INPUT rules that REJECT traffic.
    -A INPUT -p tcp -m tcp --dport 5672  -j ACCEPT
  3. Save the changes to the /etc/sysconfig/iptables file.
  4. Restart the iptables service for the firewall changes to take effect:
    # systemctl restart iptables.service

2.3.3. Launch and Configure the RabbitMQ Message Broker

Procedure 2.9. Launching and Configuring the RabbitMQ Message Broker for Use with OpenStack

  1. Launch the rabbitmq-server service and configure it to start at boot time:
    # systemctl start rabbitmq-server.service
    # systemctl enable rabbitmq-server.service
  2. When the rabbitmq-server package is installed, a guest user with a default guest password is automatically created for the RabbitMQ service. Red Hat strongly advises that you change this default password, especially if you have IPv6 available. With IPv6, RabbitMQ may be accessible from outside the network. Change the default guest password:
    # rabbitmqctl change_password guest NEW_RABBITMQ_PASS
    Replace NEW_RABBITMQ_PASS with a more secure password.
  3. Create a RabbitMQ user account for the Block Storage service, the Compute service, OpenStack Networking, the Orchestration service, the Image service, and the Telemetry service:
    # rabbitmqctl add_user cinder CINDER_PASS
    # rabbitmqctl add_user nova NOVA_PASS
    # rabbitmqctl add_user neutron NEUTRON_PASS
    # rabbitmqctl add_user heat HEAT_PASS
    # rabbitmqctl add_user glance GLANCE_PASS
    # rabbitmqctl add_user ceilometer CEILOMETER_PASS
    Replace CINDER_PASS, NOVA_PASS, NEUTRON_PASS, HEAT_PASS, GLANCE_PASS, and CEILOMETER_PASS with secure passwords for each service.
  4. Grant each of these RabbitMQ users read and write permissions to all resources:
    # rabbitmqctl set_permissions cinder ".*" ".*" ".*"
    # rabbitmqctl set_permissions nova ".*" ".*" ".*"
    # rabbitmqctl set_permissions neutron ".*" ".*" ".*"
    # rabbitmqctl set_permissions heat ".*" ".*" ".*"
    # rabbitmqctl set_permissions glance ".*" ".*" ".*"
    # rabbitmqctl set_permissions ceilometer ".*" ".*" ".*"

2.3.4. Enable SSL on the RabbitMQ Message Broker

The RabbitMQ message broker features built-in support for SSL, which you can use to secure traffic. Create the certificates required for SSL communication, and configure SSL on RabbitMQ through the /etc/rabbitmq/rabbitmq.config configuration file.

Procedure 2.10. Enabling SSL on the RabbitMQ Message Broker

  1. Create a directory in which to store the required certificates:
    # mkdir /etc/pki/rabbitmq
  2. Choose a secure certificate password and store it in a file within the /etc/pki/rabbitmq directory:
    # echo SSL_RABBITMQ_PW > /etc/pki/rabbitmq/certpw
    Replace SSL_RABBITMQ_PW with a certificate password. This password will be used later for further securing the necessary certificates.
  3. Set the permissions for the certificate directory and password file:
    # chmod 700 /etc/pki/rabbitmq
    # chmod 600 /etc/pki/rabbitmq/certpw
  4. Create the certificate database files (*.db) in the /etc/pki/rabbitmq directory, using the password in the /etc/pki/rabbitmq/certpw file:
    # certutil -N -d /etc/pki/rabbitmq -f /etc/pki/rabbitmq/certpw
  5. For a production environment, it is recommended that you use a reputable third-party Certificate Authority (CA) to sign your certificates. Create a Certificate Signing Request (CSR) for a third-party CA:
    # certutil -R -d /etc/pki/rabbitmq -s "CN=RABBITMQ_HOST" \
     -a -f /etc/pki/rabbitmq/certpw > RABBITMQ_HOST.csr
    Replace RABBITMQ_HOST with the IP or host name of the server hosting the RabbitMQ message broker. This command produces a CSR named RABBITMQ_HOST.csr and a key file (keyfile.key). The key file will be used later when configuring the RabbitMQ message broker to use SSL.

    Note

    Some CAs may require additional values other than "CN=RABBITMQ_HOST".
  6. Provide RABBITMQ_HOST.csr to your third-party CA for signing. Your CA should provide you with a signed certificate (server.crt) and a CA file (ca.crt). Add these files to your certificate database:
    # certutil -A -d /etc/pki/rabbitmq -n RABBITMQ_HOST -f /etc/pki/rabbitmq/certpw \
     -t u,u,u -a -i /path/to/server.crt
    # certutil -A -d /etc/pki/rabbitmq -n "Your CA certificate" \
     -f /etc/pki/rabbitmq/certpw -t CT,C,C -a -i /path/to/ca.crt
  7. Configure the RabbitMQ message broker to use the certificate files for secure communications. Open the /etc/rabbitmq/rabbitmq.config configuration file in a text editor, and edit the rabbit section as follows:
    1. Find the line that reads:
         %% {ssl_listeners, [5671]},
      Uncomment the setting by removing the percent signs:
         {ssl_listeners, [5671]},
    2. Scroll down to the line that reads:
         %% {ssl_options, [{cacertfile,           "/path/to/testca/cacert.pem"},
      Replace this line and the next few lines which comprise the ssl_options section with the following content:
         {ssl_options, [{cacertfile,           "/path/to/ca.crt"},
                        {certfile,             "/path/to/server.crt"},
                        {keyfile,              "/path/to/keyfile.key"},
                        {verify,               verify_peer},
                        {versions,             ['tlsv1.2','tlsv1.1',tlsv1]},
                        {fail_if_no_peer_cert, false}]}
      • Replace /path/to/ca.crt with the absolute path to the CA certificate.
      • Replace /path/to/server.crt with the absolute path to the signed certificate.
      • Replace /path/to/keyfile.key with the absolute path to the key file.
  8. Disable SSLv3 by editing the rabbitmq.config to include support for only specific TLS encryption versions:
    {rabbit, [
    {ssl_options, [{versions, ['tlsv1.2','tlsv1.1',tlsv1]}]},
    ]}
  9. Restart the RabbitMQ service for the change to take effect:
    # systemctl restart rabbitmq-server.service

2.3.5. Export an SSL Certificate for Clients

When SSL is enabled on a server, the clients require a copy of the SSL certificate to establish a secure connection.
The following example commands can be used to export a client certificate and the private key from the message broker's certificate database:
# pk12util -o <p12exportfile> -n <certname> -d <certdir> -w <p12filepwfile>
# openssl pkcs12 -in <p12exportfile> -out <clcertname> -nodes -clcerts -passin pass:<p12pw>
For more information on SSL commands and options, see the OpenSSL Documentation. On Red Hat Enterprise Linux, see the openssl manual page.