
511. Integrating with RabbitMQ

This section provides steps for setting up a RabbitMQ (event-based message queue) broker and integrating it with Foretify Manager, in order to utilize advanced services such as the Python Rules Service.

Note

This section describes how to set up and run Dockerized RabbitMQ, assuming familiarity with Docker. For more information, refer to the official Docker documentation.

511.1 Run RabbitMQ

To install and run RabbitMQ, follow the official RabbitMQ documentation.

RabbitMQ can also be started using a docker image:

Shell command: start a RabbitMQ docker image in daemon (detached) mode
docker run -it -d --rm --name rabbitmq -p 5672:5672 -p 15672:15672 rabbitmq:3.13-management

Note

The default broker is configured with the following values:

- Ports: 5672 for the application API (message production and consumption), 15672 for web-based management.
- Credentials: username (guest) and password (guest)
- Virtual host: /

Further configuration can be done by following steps similar to those in Run Secured RabbitMQ.

511.2 Configure Foretify Manager with RabbitMQ

Configure the connection details in Foretify Manager's application.properties:

application.properties - connection details for non-SSL RabbitMQ broker
spring.rabbitmq.enabled=true
spring.rabbitmq.host=<broker-hostname>
spring.rabbitmq.port=<broker-port>
spring.rabbitmq.username=<broker-user>
spring.rabbitmq.password=<broker-password>
#spring.rabbitmq.virtual-host=/

Note

The virtual-host must be unique for each Foretify Manager server connected to a RabbitMQ broker instance. When multiple servers are used (e.g., staging and production environments), virtual-host must be configured separately for each of them.

511.3 Run Secured RabbitMQ

To set up the broker with SSL enabled (using a self-signed certificate):

  1. Create or provide the following files (and place them in /etc/rabbitmq/):

     - RabbitMQ broker certificate and private key (.pem files).
     - CA certificate (.pem file).

  2. Create a rabbitmq.conf file and set up the SSL ports:

rabbitmq.conf
listeners.ssl.default            = 5671
ssl_options.cacertfile           = /etc/rabbitmq/ca_certificate.pem
ssl_options.certfile             = /etc/rabbitmq/certificate.pem
ssl_options.keyfile              = /etc/rabbitmq/private_key.pem
ssl_options.verify               = verify_peer  # 'verify_none' disables peer certificate verification (no mTLS)
ssl_options.fail_if_no_peer_cert = true # 'false' also accepts secured connections without a peer certificate (non-mTLS)

management.ssl.port              = 15671
management.ssl.cacertfile        = /etc/rabbitmq/ca_certificate.pem
management.ssl.certfile          = /etc/rabbitmq/certificate.pem
management.ssl.keyfile           = /etc/rabbitmq/private_key.pem
management.ssl.verify            = verify_none
management.ssl.fail_if_no_peer_cert = false

Note

In this configuration file, mTLS is not enabled for the management plugin. For more information regarding the configuration files, refer to RabbitMQ's official documentation.

  3. To disable non-SSL ports, create an advanced.config file:

advanced.config
[
  {rabbit, [
    {tcp_listeners, []}
  ]}
].
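
One way to produce the files from step 1, as an added example that is not part of the original page: a private CA plus a broker certificate signed by it, written under the file names that the Dockerfile in 511.3.1 copies. It assumes openssl is installed; the CA name, key size, 365-day lifetime and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example: private CA + broker certificate for the secured RabbitMQ image.
# Assumes openssl is installed; CA name, key size and lifetime are placeholders.

make_rmq_certs() (
    out=$1 host=$2
    mkdir -p "$out" && cd "$out" || exit 1

    # Minimal openssl config so the result does not depend on the system default.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        'prompt = no' '[dn]' 'CN = Example RabbitMQ CA' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > ca.cnf
    # The SAN must carry the hostname that clients connect to.
    printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$host" > rmq.ext

    # 1. CA key and self-signed CA certificate.
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
        -keyout ca_private_key.pem -out ca_certificate.pem 2>/dev/null || exit 1
    # 2. Broker key and certificate signing request.
    openssl req -new -config ca.cnf -subj "/CN=$host" -newkey rsa:2048 -nodes \
        -keyout rmq_private_key.pem -out rmq.csr 2>/dev/null || exit 1
    # 3. Broker certificate signed by the CA.
    openssl x509 -req -in rmq.csr -days 365 -extfile rmq.ext \
        -CA ca_certificate.pem -CAkey ca_private_key.pem -CAcreateserial \
        -out rmq_certificate.pem 2>/dev/null || exit 1
    chmod 600 ca_private_key.pem rmq_private_key.pem

    # 4. Fail unless the broker certificate chains to the CA.
    openssl verify -CAfile ca_certificate.pem rmq_certificate.pem >/dev/null
)

# True when the certificate's subjectAltName lists the given hostname.
cert_covers_host() {
    openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

# Usage: sh make_certs.sh <output-dir> <broker-hostname>
if [ "$#" -eq 2 ]; then
    make_rmq_certs "$1" "$2" && cert_covers_host "$1/rmq_certificate.pem" "$2"
fi
```

Pass the hostname that Foretify Manager uses in spring.rabbitmq.host as the second argument, since it is written into the certificate's subjectAltName. The private keys are readable by their owner only, so the account the broker runs under needs read access to private_key.pem.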
    

511.3.1 Configure a secured RabbitMQ image

To run a secured RabbitMQ broker via a Docker image, create a custom image based on the default image as follows:

  1. Create a Dockerfile:
Dockerfile
FROM rabbitmq:3.13-management

# Copy config file
COPY rabbitmq.conf /etc/rabbitmq/rabbitmq.conf

# Copy advanced configuration file, if needed
COPY advanced.config /etc/rabbitmq/advanced.config

# Copy certificates
COPY rmq_private_key.pem /etc/rabbitmq/private_key.pem
COPY rmq_certificate.pem /etc/rabbitmq/certificate.pem
COPY ca_certificate.pem /etc/rabbitmq/ca_certificate.pem

EXPOSE 5671 15671

Note

Configuration files (and certificates, if needed) should be located in the same directory as the Dockerfile.

  2. In the directory where the Dockerfile is located, create the rmq-ssl image:
Shell command: build the secured RabbitMQ docker image (example)
docker build -t rmq-ssl .
  3. Run the image, using RabbitMQ's standard SSL ports 5671 and 15671:
Shell command: run the secured RabbitMQ docker image in daemon mode (example)
docker run -it -d --rm --name rabbitmq -p 5671:5671 -p 15671:15671 rmq-ssl

511.4 Configure Foretify Manager with secured RabbitMQ

To configure Foretify Manager with secured RabbitMQ, in addition to the default configuration, include the following settings in application.properties:

application.properties - secure RabbitMQ
fmanager.ssl.trustStore=<trust-store-path>
fmanager.ssl.trustStorePassword=<trust-store-password>
...
spring.rabbitmq.enabled=true
spring.rabbitmq.host=<broker-host-address>
# 5671 in the secured docker image configuration above
spring.rabbitmq.port=<broker-port>
spring.rabbitmq.username=<broker-user>
spring.rabbitmq.password=<broker-password>
#spring.rabbitmq.virtual-host=/
spring.rabbitmq.ssl.enabled=true

# uncomment lines below when RabbitMQ's certificate is self-signed:
#spring.rabbitmq.ssl.trust-store=file:${fmanager.ssl.trustStore}
#spring.rabbitmq.ssl.trust-store-password=${fmanager.ssl.trustStorePassword}

511.4.1 Secure Foretify Manager configuration

If Foretify Manager itself is secured, configure and provide the key-store for the connection to the broker in application.properties:

application.properties - secure RabbitMQ with secured Foretify Manager
fmanager.ssl.trustStore=<key-store-path>
fmanager.ssl.trustStorePassword=<key-store-password>
...
spring.rabbitmq.ssl.key-store=${server.ssl.key-store}
spring.rabbitmq.ssl.key-store-password=${server.ssl.key-store-password}

511.5 Integrating with Amazon MQ

To set up a connection with an Amazon MQ broker, set the following fields in application.properties:

application.properties - Amazon MQ connection details
spring.rabbitmq.enabled=true
spring.rabbitmq.host=<amazon-broker-id>.mq.<region>.amazonaws.com
spring.rabbitmq.port=5671
spring.rabbitmq.username=<broker-user>
spring.rabbitmq.password=<broker-password>
#spring.rabbitmq.virtual-host=/
spring.rabbitmq.ssl.enabled=true
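
A pre-flight check for the application.properties fragments in 511.2, 511.4 and 511.5, added here as an example and not part of Foretify Manager. It relies on the .properties rule that a value runs to the end of the line, so a trailing `#` comment or space becomes part of the value; the function name and the sample values are constructed.

```shell
#!/bin/sh
# Added example, not Foretify Manager code: lint the spring.rabbitmq.* keys of an
# application.properties file. Prints one finding per line, returns 1 if any.
check_rabbit_props() {
    awk '
    function report(msg) { print msg; bad++ }
    /^[ \t]*[#!]/ || /^[ \t]*$/ { next }   # whole-line comments and blank lines
    {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key); sub(/^[ \t]+/, "", val)
        if (key !~ /^spring\.rabbitmq\./) next
        # A .properties value runs to the end of the line.
        if (val ~ /[ \t]#/)
            report("line " NR ": " key ": inline comment is read as part of the value")
        else if (val ~ /[ \t]$/)
            report("line " NR ": " key ": trailing whitespace is read as part of the value")
        sub(/[ \t].*$/, "", val)           # keep the intended value for the checks below
        v[key] = val
    }
    END {
        port = v["spring.rabbitmq.port"]
        tls = (v["spring.rabbitmq.ssl.enabled"] == "true")
        if (port == "5671" && !tls)
            report("port 5671 is the TLS listener but spring.rabbitmq.ssl.enabled is not true")
        if (port == "5672" && tls)
            report("spring.rabbitmq.ssl.enabled=true but port 5672 is the plain listener")
        if (v["spring.rabbitmq.username"] == "guest" && v["spring.rabbitmq.password"] == "guest")
            report("broker default credentials guest/guest are configured")
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: a secured-broker fragment with an inline comment.
sample=$(mktemp)
printf '%s\n' 'spring.rabbitmq.port=5671 # TLS port' \
    'spring.rabbitmq.username=guest' 'spring.rabbitmq.password=guest' \
    'spring.rabbitmq.ssl.enabled=true' > "$sample"
check_rabbit_props "$sample" || echo "fix the findings above before starting Foretify Manager"
rm -f "$sample"
```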