RabbitMQ on Atria v15

RabbitMQ on Atria v15

RabbitMQ Overview

  1. RabbitMQ is an Open Source Message Broker, it is a lightweight and easy to deploy platform that enables Atria service components to securely communicate asynchronously with each other.
  2. RabbitMQ is a core part of Atria’s modernisation and replaces the Microsoft MessageQueue technology which has been in Atria for the past 15 years.
  3. Rabbit provides a communication backbone to Atria and enables us to reduce the complexity involved in the different aspects of provisioning.  Consumers (services) make an outbound connection to the broker and subscribe to queues in order to receive and process messages.
  4. Messages are sent over encrypted channels using AMQPS, this is an industry standard for secure messaging.
  5. RabbitMQ should run along as a background service and by default we will install this onto the Provisioning Server. Find out more at https://rabbitmq.com 

RabbitMQ Installation

Erlang Installation

Before installing RabbitMQ, Please install the latest version of Erlang - Erlang is a programming language that RabbitMQ uses for Messaging.
Please navigate to the Erlang website (Downloads - Erlang/OTP) and select the "Download Windows Installer" button as shown below. The latest  version should always be selected


RabbitMQ Installation

The Atria Installer domain account can also be used to install RabbitMQ
For Atria 15+ RabbitMQ is a required core component.   This should be installed on the Provisioning Server.  Open the Hyperlink to go to the RabbitMQ website (https://www.rabbitmq.com/install-windows.html#installer), Please select the highlighted link (As shown in the screenshot below) and install the RabbitMQ Application 

Now, after these two pieces of software are installed (Erlang and RabbitMQ), using PowerShell, navigate to the below file path
'C:\Program Files\RabbitMQ Server\rabbitmq_server-\sbin\'

For example, we have RabbitMQ Server 3.8.11 installed, so we navigate to the folder path of 'C:\Program FIles\RabbitMQ Server\rabbitmq_server-3.8.11\sbin'

Enable Management Web UI

  1. .\rabbitmq-plugins enable rabbitmq_management


Once the above command successfully runs, you can access the management environment via http://localhost:15672/#
Here is the login page when management plugin is successfully working:

image.png

Default Username and Password id: guest

Here is the look of the management dashboard once you successfully login:

image.png


Add admin user

Next, we need to configure a RabbitMQ Web Account
This is purely an account for administering RabbitMQ
Please configure a new account for this and set the password in commands below. This will need to be used later in the configuration, so please save these credentials in a secure location.
  1. .\rabbitmqctl add_user 'rabbitmq admin account username' 'rabbitmq admin account password'
  2. .\rabbitmqctl set_permissions -p / 'rabbitmq admin account username' ".*" ".*" ".*"
  3. .\rabbitmqctl set_user_tags 'rabbitmq admin account username' administrator

Delete default guest user

Next, we need to remove the inbuilt "Guest" account - Please do this with the command below.
  1. .\rabbitmqctl delete_user guest


Setup the Windows Firewall for RabbitMQ

Next, we need to set Inbound Rules on the Provisioning Server where RabbitMQ is installed. Please do this with the command below
  1. New-NetFirewallRule -DisplayName "RabbitMQ" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 5672,5671,15672,15671

RabbitMQ Configuration for Atria

Setup RabbitMQ CNAME Record:

Add a host record to your DNS server to ensure rabbitmq instance can be accessible by atria:
CNAMETarget serverNotes
RabbitMQ FQDN

i.e. AtriaMessaging.domain.local
This indicates to the server name where you have installed your Rabbitmq instance (Provisioning Server)Where RabbitMQ server will be installed.



After setting up the DNS record, you may test to load the RabbitMQ Web Management UI on your browser (i.e. http://atriamessaging.domain.local)

SSL Configuration

Certificates
Extracting .PEM format certificates from .PFX - Most of the time windows based certificates come in the .pfx format, as RabbitMQ needs these in a PEM format, we need to convert them to this format.
For this guide, we are using OpenSSL. This can be installed from this link (https://slproweb.com/products/Win32OpenSSL.html)

After this is installed, navigate to the path via Command Prompt that the openSSL was installed to (By default, this is 'C:\Program Files\OpenSSL-Win64\bin'). 
For example, I navigated to this path, and now I have the option to run commands against openssl.exe


Copy the .pfx certificate to a easy to access path (I'd recommend C:\Program FIles\OpenSSL-Win64\bin\Certs)


We can use openssl to convert from pfx to pem using the command below:
  1. .\openssl pkcs12 -in 'Certs\a101labs.pfx' -out Certs\cacertfile.pem
  2. .\openssl rsa -in 'Certs\cacertfile.pem' -out Certs\keyfile.pem
With these two files, (cacertfile.pem and keyfile.pem) you can now continue onto the next Configuration step


RabbitMQ AMQPS Config

Create a RabbitMQ.conf file in the C:\Users\{InstallUser}\AppData\Roaming\RabbitMQ
Replace InstallUser with the user that installed RabbitMQ, you may need to check the roaming folder of other users, but the RabbitMQ folder will already exist.  

Add this content to the file to configure SSL  
  1. listeners.ssl.default = 5671
  2. ssl_options.cacertfile        = /path/to/server_certificate.pem
  3. ssl_options.certfile          = /path/to/server_certificate.pem
  4. ssl_options.keyfile            = /path/to/server_key.pem
  5. ssl_options.verify            =  verify_none
  6. ssl_options.fail_if_no_peer_cert = false
  7. management.ssl.port        = 15671
  8. management.ssl.cacertfile = /path/to/server_certificate.pem
  9. management.ssl.certfile    = /path/to/server_certificate.pem
  10. management.ssl.keyfile    = /path/to/server_key.pem
SSL Certificate File Path depends on where you placed the certs.
A quick way of doing this is with run and going to the below path



So, the full configuration file will look like the below with the relevant paths


After adding this file you need to:  
  1. Stop RabbitMQ service  (Via Windows Services)
  2. Remove the RabbitMQ service using the tool in the start menu called "RabbitMQ Service - remove"(see screenshot below)
  3. Re-install RabbitMQ service using the tool in the start menu called "RabbitMQ Service - (re)Install" (see screenshot below)
  

FAQ

Inquiry/Question
Answer
Does RabbitMQ only need to be installed on the main provisioning server or also on remote ad provisioning servers?
RabbitMQ will only be installed and configured on the Main Provisioning Server
Do all provisioning servers need to be able to reach all provisioning servers via ports 15671 and 15672?
The ports, (15671 – HTTPS, 15672 – HTTP, 5671 – AMQPS, 5672 - AMQP) will only be for the main provisioning server.We can keep SSL and Non-SSL Ports in the meantime just in case issues arise when setting it up
Do remote AD webservices need to be connected with open ports according to the specifications to the main provisioning server or to the remote ad provisioning server?
By default web services are passing through 8095 together with the ports to contact the web and main provisioning, as we move forward all request will pass through AtriaHTTPTunnel (8101) and AtriaExternalApi (front-end web server via 80/443)
For which domain names do the certificates for RabbitMQ need to apply?
The RabbitMQ certificate will be under the main domain. It will then be configured for the remote environment to point to the FQDN of the RabbitMQ and be accessible
Does the SSL certificate for RabbitMQ then needs to be trusted not only in the primary location but also in all remote Ads as well?
Yes, the SSL certificate for RabbitMQ should be trusted on all remote ADs. You need to add the aliases to the certificate SAN

Example: 
     Internal FQDN: atriamessaging.internal.local
     Public FQDN: atriameeaging.company.com
     Server FQDN: prov01.internal.local

The copy of the internal RootCA will be applied on the remote ADs (if self-signed), otherwise if this is a known certificate signer (verisign, etc)

The FQDN should be resolvable on the DNS of the remote AD.


    • Related Articles

    • Atria Billing Setup User Guide

      Objective This article describes how to configure Atria to utilize the latest billing features. This document outlines the billing setup attributes that should be configured.    Applies to Introduced in Atria version 12.0.0 Billing Setup Overview To ...
    • Atria v15 Clean Installation

      Overview This article outlines the clean install process for the Atria Platform. System Requirements In order to install Atria v15 you MUST complete the prerequisite components noted in the following article: ...
    • Atria v15+ System Requirements

      Overview The following article provides the prerequisites necessary for the deployment of Atria v15+ into your environment. System Requirements Environment Core servers for the platform should be domain joined. Before you can deploy Atria the Active ...
    • Display Patterns for Billing Line Descriptions

      Purpose: When generating billing data, two descriptions are generated for each billable item - Line description (detailed) and summary descriptions.   The Summary Description serves two purpose: Used as a template for your invoice lines and reporting ...
    • Billing Rules Engine User Guide

      Objective This article describes how to use the Atria billing rules engine to identify specific Atria entities as non-billable.   Applies to Introduced in Atria version 12.0.0 Billing Rule Feature Overview Many entities - customers, services, users, ...