RabbitMQ Installation
RabbitMQ Overview
RabbitMQ is an open source message broker. It is a lightweight, robust and easy-to-deploy platform that enables Atria service components to securely communicate asynchronously with each other.
Messages are sent over encrypted channels using AMQPS, an industry standard for secure messaging.
RabbitMQ runs as a background service. By default we install it onto the Provisioning Server. Find out more at https://rabbitmq.com
RabbitMQ Installation
Prior to Installation, set up the RABBITMQ_BASE Path
This will be a folder location where the files, logs and config for RabbitMQ will be stored. This is important as it ensures it is not stored in the User's profile.
- Create the directory that the RABBITMQ_BASE path will point to going forward (e.g. C:\AtriaRabbitMQ)
- Set the environment variable. Open PowerShell (admin) then run the commands:
$rabbitdir = 'C:\AtriaRabbitMQ'
[Environment]::SetEnvironmentVariable("RABBITMQ_BASE", $rabbitdir, "Machine")
This can also be done manually through the UI.
- Restart PowerShell and verify that the environment variable is set properly.
[Environment]::GetEnvironmentVariables()
Install Erlang
Before installing RabbitMQ, you will need to install Erlang. Erlang is the underlying programming language that RabbitMQ is built upon. Erlang is regularly updated and it's important that you install a version that is supported by RabbitMQ. Check here to see the current versions and compatibility before installing.
Navigate to the Erlang website (Downloads - Erlang/OTP) and select the Download Windows Installer button as shown below. Earlier versions can be found on the right-hand side of the page if required.
Once downloaded, open the installer and proceed with the install of Erlang. If you experience any issues with the install of Erlang or compatibility with RabbitMQ, please contact our support at support@getatria.com.
Install RabbitMQ
The Atria Installer domain account can also be used to install RabbitMQ.
RabbitMQ is a required core component. This should be installed on the Provisioning Server. Open the hyperlink to go to the RabbitMQ website (https://www.rabbitmq.com/install-windows.html#installer), then select the highlighted link (as shown in the screenshot below) to download the RabbitMQ application installer.
Now, after these two pieces of software are installed (Erlang and RabbitMQ), use PowerShell to navigate to the file path below:
C:\Program Files\RabbitMQ Server\rabbitmq_server-version\sbin\
For example, we have RabbitMQ Server 3.8.11 installed, so we navigate to the folder path of 'C:\Program Files\RabbitMQ Server\rabbitmq_server-3.8.11\sbin'
Enable Management Web UI
.\rabbitmq-plugins enable rabbitmq_management
Once the above command successfully runs, restart the RabbitMQ service.
You can then access the management environment on the server via https://atriamessaging:15671/ or using your FQDN (e.g. https://atriamessaging.domain.com:15671/).
If you are not using SSL, you will need to use 15672.
Here is the login page when management plugin is successfully working:
Log in with the default username and password:
- Username: guest
- Password: guest
Here is the look of the management dashboard once you successfully log in:
Create Admin User
Next, we need to configure a RabbitMQ Web Account.
This is purely an account for administering RabbitMQ.
Please configure a new account for this and set the password in commands below. This will need to be used later in the configuration, so please save these credentials in a secure location.
You will need to run these commands from:
C:\Program Files\RabbitMQ Server\rabbitmq_server-version\sbin\
.\rabbitmqctl add_user 'rabbitmq admin account username' 'rabbitmq admin account password'
.\rabbitmqctl set_permissions -p / 'rabbitmq admin account username' ".*" ".*" ".*"
.\rabbitmqctl set_user_tags 'rabbitmq admin account username' administrator
Delete default guest user
Remove the built-in "guest" account with the command below.
.\rabbitmqctl delete_user guest
RabbitMQ Configuration for Atria
Setup RabbitMQ CNAME Record:
Add a host record to your DNS server to ensure the RabbitMQ instance is accessible by Atria:
| CNAME | Target server | Notes |
|---|---|---|
| AtriaMessaging | The name of the server where your RabbitMQ instance is installed (Provisioning Server) | Where RabbitMQ server will be installed. |
After setting up the DNS record, you should test the RabbitMQ Web Management UI in your browser (e.g. http://atriamessaging.domain.local:15672)
Ensure Network Connectivity for RabbitMQ
Use the following PowerShell command on the Web Server to test the network connectivity between the Web Server and Provisioning Server for RabbitMQ:
tnc -ComputerName atriamessaging -Port 5672
You will need to have configured the CNAME record and Firewall as mentioned in the previous step and in Prerequisites.
SSL Configuration
Ensure Network Connectivity on 5671
Use the following PowerShell command on the Web Server to test the network connectivity between the Web Server and Provisioning Server for RabbitMQ using AMQPS:
tnc -ComputerName atriamessaging -Port 5671
Certificates
Windows-based certificates usually come in the .pfx format, but RabbitMQ requires them in .pem format. In this step we will convert the certificate to the correct format.
For this guide, we are using OpenSSL. This can be installed from this link: https://slproweb.com/products/Win32OpenSSL.html
After this is installed, open Command Prompt and navigate to the path that OpenSSL was installed to (by default, this is 'C:\Program Files\OpenSSL-Win64\bin'). For example, I navigated to this path, and now I have the option to run commands against openssl.exe.
Copy the .pfx certificate to an easy-to-access path (I'd recommend C:\Program Files\OpenSSL-Win64\bin\Certs).
We can use OpenSSL to convert from .pfx to .pem and create a keyfile using the commands below:
.\openssl pkcs12 -in Certs\(Certificate Name).pfx -out Certs\cacertfile.pem
.\openssl rsa -in Certs\cacertfile.pem -out Certs\keyfile.pem
With these two files (cacertfile.pem and keyfile.pem), you can now continue to the next configuration step.
RabbitMQ AMQPS Config
Create a file named RabbitMQ.conf in the RABBITMQ_BASE path that was set. (C:\AtriaRabbitMQ)
Add this content to the file to configure SSL:
listeners.ssl.default = 5671
ssl_options.cacertfile = /path/to/cacertfile.pem
ssl_options.certfile = /path/to/cacertfile.pem
ssl_options.keyfile = /path/to/keyfile.pem
ssl_options.verify = verify_none
ssl_options.fail_if_no_peer_cert = false
management.ssl.port = 15671
management.ssl.cacertfile = /path/to/cacertfile.pem
management.ssl.certfile = /path/to/cacertfile.pem
management.ssl.keyfile = /path/to/keyfile.pem
We recommend using the RABBITMQ_BASE path for storing the SSL certificates. A "Certs" folder can be created in the same location (C:\AtriaRabbitMQ\Certs).
Otherwise, it can be any folder location where your certs are stored.
So, the full configuration file will look like the below with the relevant paths.
App Settings Messaging URL:
At this point in the process, the messaging URL within the config service files needs to be updated to use SSL. Please contact someone from Atria to assist with this.
After the config has been updated:
- Stop the RabbitMQ service (Via Windows Services)
- Remove the RabbitMQ service using the tool in the start menu called "RabbitMQ Service - remove" (see screenshot below)
- Re-install RabbitMQ service using the tool in the start menu called "RabbitMQ Service - (re)Install" (see screenshot below)
- In Windows Services, restart the following services in order:
  - RabbitMQ
  - Atria Config Service
  - Atria PlatformAPI Service
  - Atria Agent
  - Atria Provisioning Service
The start menu shortcuts will only be available to the user who installed RabbitMQ. If you are using a different user account or don't see the start menu shortcuts, follow the below steps.
Re-installing RabbitMQ
- In PowerShell, navigate to the path of the server installation:
C:\Program Files\RabbitMQ Server\rabbitmq_server-version\sbin\
- Run the following commands in order:
.\rabbitmq-service.bat stop
.\rabbitmq-service.bat remove
.\rabbitmq-service.bat install
.\rabbitmq-service.bat start
- In Windows Services, restart the following services in order:
  - RabbitMQ
  - Atria Config Service
  - Atria PlatformAPI Service
  - Atria Agent
  - Atria Provisioning Service
FAQ - Messaging
Does RabbitMQ only need to be installed on the main provisioning server or also on remote AD provisioning servers?
RabbitMQ will only be installed and configured on the Main Provisioning Server.
Do all provisioning servers need to be able to reach all provisioning servers via ports 15671 and 15672?
The ports (15671 - HTTPS, 15672 - HTTP, 5671 - AMQPS, 5672 - AMQP) will only be for the main provisioning server. We can keep the SSL and non-SSL ports in the meantime, just in case issues arise when setting it up.
Do remote AD web services need to be connected with open ports according to the specifications to the main provisioning server or to the remote AD provisioning server?
By default, web services pass through 8095, together with the ports used to contact the web and main provisioning servers. Going forward, all requests will pass through AtriaHTTPTunnel (8101) and AtriaExternalApi (front-end web server via 80/443).
For which domain names do the certificates for RabbitMQ need to apply?
The RabbitMQ certificate will be under the main domain. It will then be configured for the remote environment to point to the FQDN of the RabbitMQ and be accessible.
Does the SSL certificate for RabbitMQ then need to be trusted not only in the primary location but also in all remote ADs as well?
Yes, the SSL certificate for RabbitMQ should be trusted on all remote ADs. You need to add the aliases to the certificate SAN. Example:
Internal FQDN: atriamessaging.internal.local
Public FQDN: atriamessaging.company.com
Server FQDN: prov01.internal.local
A copy of the internal root CA will be applied on the remote ADs (if self-signed). Otherwise, if this is a known certificate signer (VeriSign, etc.), the FQDN should be resolvable on the DNS of the remote AD.
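
The tnc tests earlier in this guide only prove that the port is open. As an added example (not part of the Atria documentation), the PowerShell function below completes a TLS handshake with the AMQPS listener and reports the certificate's SAN entries, its expiry and whether the machine it runs on trusts the chain and matches the host name. The function name, the 30-day warning threshold and the explicit TLS 1.2 request are assumptions.

```powershell
# Added example, not part of the Atria documentation.
# Defaults are the CNAME and AMQPS port used in this guide; WarnDays is an assumption.
function Test-AmqpsCertificate {
    param(
        [string]$HostName = 'atriamessaging',
        [int]$Port = 5671,
        [int]$WarnDays = 30
    )
    $state = @{ Errors = $null }
    # Accept any certificate so the handshake completes; the validation result
    # is recorded and reported instead of surfacing as a bare exception.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $certificate, $chain, $policyErrors)
        $state.Errors = $policyErrors
        $true
    }
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # AMQPS is TLS from the first byte, so a plain TLS client handshake works.
        # TLS 1.2 is requested explicitly (assumption: the broker allows it).
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # OID 2.5.29.17 is the Subject Alternative Name extension.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        [pscustomobject]@{
            Host         = "${HostName}:$Port"
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            AltNames     = if ($san) { $san.Format($false) } else { '(none)' }
            NotAfter     = $cert.NotAfter
            ExpiresSoon  = $cert.NotAfter -lt (Get-Date).AddDays($WarnDays)
            # None = chain trusted by this machine and name matches $HostName
            PolicyErrors = $state.Errors
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Run on the Web Server and on each remote AD server:
Test-AmqpsCertificate -HostName 'atriamessaging' -Port 5671
```

A PolicyErrors value of RemoteCertificateChainErrors means the issuing CA is not trusted on that machine, and RemoteCertificateNameMismatch means the name used to connect is missing from the certificate SAN.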