Overview

You can set up TLS certificates to encrypt the connections from Xray to PostgreSQL and to RabbitMQ. With the client certificates configured below, both ends of each connection are also authenticated, not just the server.


Securing PostgreSQL with TLS Support on Xray

  1. Copy these TLS parameters to /var/opt/jfrog/postgres/data/postgresql.conf.

    ssl = on
    ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
    ssl_prefer_server_ciphers = on
    ssl_cert_file = '/full/path/to/postgres/certificates/server.crt'
    ssl_key_file = '/full/path/to/postgres/certificates/server.key'
    ssl_ca_file = '/full/path/to/postgres/certificates/server_ca.crt'
  2. Verify that the certificates have the correct permissions.

    chown postgres /full/path/to/postgres/certificates/* && \
    chgrp postgres /full/path/to/postgres/certificates/* && \
    chmod 600 /full/path/to/postgres/certificates/*
  3. Change the connection string in the /var/opt/jfrog/xray/var/etc/system.yaml file.

    postgres://xray:xray@postgres:5432/xraydb?sslrootcert=/full/path/to/xray/certificates/ca_certificate.crt&sslkey=/full/path/to/xray/certificates/client.key&sslcert=/full/path/to/xray/certificates/client.crt&sslmode=verify-ca

    sslmode=verify-ca checks that the server certificate chains to sslrootcert but does not check the host name, so any certificate issued by that CA is accepted; sslmode=verify-full additionally requires the certificate to match the host in the URL (postgres here). Because ssl_ca_file is set in step 1, PostgreSQL verifies the client certificate that sslcert/sslkey make Xray present; it only insists on one if pg_hba.conf demands it (clientcert=verify-ca or verify-full, or the cert authentication method, on the hostssl line).
  4. Make sure you have an Xray user and group.

    groupadd -g 1035 xray && \
    adduser xray --uid 1035 --gid 1035
  5. Assign permissions to the certificates.

    chown xray /full/path/to/xray/certificates/* && \
    chgrp xray /full/path/to/xray/certificates/* && \
    chmod 600 /full/path/to/xray/certificates/*
  6. Restart all the Xray services.

    bash /opt/jfrog/xray/scripts/xray.sh restart all
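The sslmode value decides what the TLS layer actually checks, and the difference between verify-ca and verify-full is easy to miss. The following Go program is an added example, not code from this page or from Xray itself: it parses the connection string from step 3 and builds, for each sslmode, the tls.Config a Go Postgres driver derives from it. The mapping follows lib/pq's ssl.go; whether Xray uses that driver is an assumption, not something the page states, and the empty certificate pool stands in for the bundle that would be parsed from sslrootcert.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/url"
)

// SSLParams holds the host and the libpq-style ssl* query parameters of a
// postgres:// connection string such as the one Xray reads from system.yaml.
type SSLParams struct {
	Host, Mode, RootCert, Cert, Key string
}

// ParseConn extracts SSLParams from a postgres:// URL.
func ParseConn(conn string) (SSLParams, error) {
	u, err := url.Parse(conn)
	if err != nil {
		return SSLParams{}, err
	}
	q := u.Query()
	return SSLParams{Host: u.Hostname(), Mode: q.Get("sslmode"), RootCert: q.Get("sslrootcert"),
		Cert: q.Get("sslcert"), Key: q.Get("sslkey")}, nil
}

// TLSConfigFor builds the tls.Config a Go Postgres driver derives from sslmode, following
// the semantics of lib/pq's ssl.go. roots is the parsed sslrootcert bundle (nil when the
// parameter is absent). libpq also upgrades "require" to "verify-ca" when sslrootcert is
// given; that special case is deliberately left out here to keep the levels distinct.
func TLSConfigFor(p SSLParams, roots *x509.CertPool) (*tls.Config, error) {
	switch p.Mode {
	case "disable":
		return nil, nil // plaintext connection
	case "allow", "prefer", "require":
		// Encrypted but unauthenticated: any server certificate, including one
		// presented by a man-in-the-middle, is accepted.
		return &tls.Config{InsecureSkipVerify: true}, nil
	case "verify-ca":
		if roots == nil {
			return nil, errors.New("sslmode=verify-ca requires sslrootcert")
		}
		// Go's built-in verification would also enforce the host name, so the driver
		// switches it off and verifies the chain itself with no DNSName: every
		// certificate issued by the CA is accepted, whatever host it was issued to.
		cfg := &tls.Config{InsecureSkipVerify: true, RootCAs: roots}
		cfg.VerifyPeerCertificate = func(raw [][]byte, _ [][]*x509.Certificate) error {
			if len(raw) == 0 {
				return errors.New("server presented no certificate")
			}
			leaf, err := x509.ParseCertificate(raw[0])
			if err != nil {
				return err
			}
			opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool()}
			for _, der := range raw[1:] {
				c, err := x509.ParseCertificate(der)
				if err != nil {
					return err
				}
				opts.Intermediates.AddCert(c)
			}
			_, err = leaf.Verify(opts)
			return err
		}
		return cfg, nil
	case "verify-full":
		if roots == nil {
			return nil, errors.New("sslmode=verify-full requires sslrootcert")
		}
		// Chain verification plus a host-name match against the URL host ("postgres" on this page).
		return &tls.Config{RootCAs: roots, ServerName: p.Host}, nil
	}
	return nil, fmt.Errorf("unsupported sslmode %q", p.Mode)
}

func main() {
	// The connection string from step 3 of the page.
	conn := "postgres://xray:xray@postgres:5432/xraydb?sslrootcert=/full/path/to/xray/certificates/ca_certificate.crt&sslkey=/full/path/to/xray/certificates/client.key&sslcert=/full/path/to/xray/certificates/client.crt&sslmode=verify-ca"
	p, err := ParseConn(conn)
	if err != nil {
		panic(err)
	}
	fmt.Printf("host=%s sslmode=%s sslrootcert=%s\n", p.Host, p.Mode, p.RootCert)
	roots := x509.NewCertPool() // stands in for the pool parsed from sslrootcert
	for _, mode := range []string{"require", "verify-ca", "verify-full"} {
		p.Mode = mode
		cfg, err := TLSConfigFor(p, roots)
		fmt.Printf("%-11s builtinVerifyOff=%v serverName=%q chainOnlyVerify=%v err=%v\n",
			mode, cfg.InsecureSkipVerify, cfg.ServerName, cfg.VerifyPeerCertificate != nil, err)
	}
}
```

The verify-ca branch is the one to read closely: the driver has to set InsecureSkipVerify and re-implement chain checking by hand, because Go's default verification cannot be told to check the chain but skip the name. That is also why verify-full is the safer default whenever the certificate's SAN can be made to match the host you dial.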

Securing RabbitMQ with TLS Support on Xray

  1. Generate certificates for RabbitMQ and Xray.

    The name "CN=rabbitmq" used for the server certificate (and repeated for the client certificate below) must be a resolvable DNS name, and it must be the host you put in shared.rabbitMq.url in system.yaml (see step 7 below). Put the same name into the server certificate's subjectAltName as well: Go clients such as Xray match the host name against the SAN only and ignore the CN, so a server certificate that carries the name in its CN alone fails host name verification.

    #Create the CA key and a self-signed CA certificate
     openssl req -new -nodes -text -out ca.csr -keyout ca-key.pem -subj "/CN=certificate-authority"
     openssl x509 -req -in ca.csr -text -extfile /etc/ssl/openssl.cnf -extensions v3_ca -signkey ca-key.pem -out ca-cert.pem
    #Create the server key and CSR, then sign it with the CA, adding the SAN that clients check
     printf 'subjectAltName=DNS:rabbitmq\n' > server-ext.cnf
     openssl req -new -nodes -text -out server.csr -keyout server-key.pem -subj "/CN=rabbitmq"
     openssl x509 -req -in server.csr -text -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -extfile server-ext.cnf -out server-cert.pem
    #Create the client key and CSR, then sign it with the CA (client-cert.pem is installed in step 4)
     openssl req -new -nodes -text -out client.csr -keyout client-key.pem -subj "/CN=rabbitmq"
     openssl x509 -req -in client.csr -text -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem
  2. Copy the ca and server certificates to the following directory.

    Docker Compose
    ls -ltr <mounted directory>/xray/var/data/rabbitmq/certs/
    total 3
    -rw-r--r-- 1 999 docker 1704 Oct 11 15:57 server-key.pem
    -rw-r--r-- 1 999 docker  993 Oct 11 15:57 server-cert.pem
    -rw-r--r-- 1 999 docker 1127 Oct 11 15:57 ca-cert.pem
    DEB / RPM
    ls -ltr /opt/jfrog/xray/var/data/rabbitmq/certs/
    total 3
    -rw-r--r-- 1 999 docker 1704 Oct 11 15:57 server-key.pem
    -rw-r--r-- 1 999 docker  993 Oct 11 15:57 server-cert.pem
    -rw-r--r-- 1 999 docker 1127 Oct 11 15:57 ca-cert.pem
    Linux Archive
    ls -ltr JFROG_HOME/xray/var/data/rabbitmq/certs/
    total 3
    -rw-r--r-- 1 999 docker 1704 Oct 11 15:57 server-key.pem
    -rw-r--r-- 1 999 docker  993 Oct 11 15:57 server-cert.pem
    -rw-r--r-- 1 999 docker 1127 Oct 11 15:57 ca-cert.pem
  3. Modify the certificate permissions for the RabbitMQ user.

    Docker Compose
    chown -R 999:999 <mounted directory>/xray/var/data/rabbitmq/certs
    DEB / RPM
    chown -R xray:xray /opt/jfrog/xray/var/data/rabbitmq/certs
    Linux Archive
    ## default user and group is xray:xray
    chown -R <xray user>:<xray group> JFROG_HOME/xray/var/data/rabbitmq/certs
  4. Copy the CA and client certificates to the following directory.

    Docker Compose
    ls -ltr <mounted directory>/xray/var/data/server/certs/
    total 3
    -rw-r--r-- 1 xray xray 1127 Oct 11 15:55 ca-cert.pem
    -rw-r--r-- 1 xray xray  993 Oct 11 15:55 client-cert.pem
    -rw-r--r-- 1 xray xray 1704 Oct 11 15:55 client-key.pem
    RPM / DEB
    ls -ltr /opt/jfrog/xray/var/data/server/certs/
    total 3
    -rw-r--r-- 1 xray xray 1127 Oct 11 15:55 ca-cert.pem
    -rw-r--r-- 1 xray xray  993 Oct 11 15:55 client-cert.pem
    -rw-r--r-- 1 xray xray 1704 Oct 11 15:55 client-key.pem
    Linux Archive
    ls -ltr JFROG_HOME/xray/var/data/server/certs/
    total 3
    -rw-r--r-- 1 xray xray 1127 Oct 11 15:55 ca-cert.pem
    -rw-r--r-- 1 xray xray  993 Oct 11 15:55 client-cert.pem
    -rw-r--r-- 1 xray xray 1704 Oct 11 15:55 client-key.pem
  5. For self-signed certificates only

    If the RabbitMQ certificate was issued by your own CA (as in step 1), the Xray host must trust that CA. Add the root CA certificate to the trust store as follows, according to the OS you are using.

    For Docker

    You will need to mount a root CA bundle into each Xray container:

    volumes:
          - /etc/localtime:/etc/localtime:ro
          - "${ROOT_DATA_DIR}/var:/var/opt/jfrog/xray"
          - /opt/jfrog/xray/app/third-party/rabbitmq/rabbitmq-root-ca.crt:/etc/ssl/certs/ca-certificates.crt

    This mount replaces the container's system CA bundle with the file you provide. If the same container must also reach endpoints with publicly issued certificates (for example through the SSL proxy described under Trusting Self-Signed Certificates below), mount a bundle that contains your root CA appended to the public roots rather than the single certificate.

    For Linux Archive/Native OS: Debian 8/9/10, Ubuntu 16/18/20

    Copy your root certificate into /usr/local/share/ca-certificates/ and then run the update-ca-certificates command.

    # cp rabbitmq-root-ca.crt /usr/local/share/ca-certificates/
    # update-ca-certificates
    Updating certificates in /etc/ssl/certs...
    1 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d...Adding debian:rabbitmq-root-ca.pem
    done.
    done.

    For Linux Archive/Native OS: CentOS 6/7/8, RHEL 6/7/8

    Copy your root certificate into /etc/pki/ca-trust/source/anchors/ and then run the update-ca-trust command.

    # cp rabbitmq-root-ca.crt /etc/pki/ca-trust/source/anchors/
    # update-ca-trust

    Note that on CentOS 6/RHEL 6 you will have to run an additional command - update-ca-trust force-enable.

    After you add your root certificate to the system bundle, verify the client and server certificates with the following commands. Without -CAfile, openssl verify uses the system bundle, so "OK" here confirms that the bundle now contains your CA:

    # openssl verify -verbose /opt/jfrog/xray/var/data/server/certs/client-cert.pem
    /opt/jfrog/xray/var/data/server/certs/client-cert.pem: OK
    
    # openssl verify -verbose /opt/jfrog/xray/var/data/rabbitmq/certs/server-cert.pem
    /opt/jfrog/xray/var/data/rabbitmq/certs/server-cert.pem: OK

    If the CA is not in the bundle, the same commands fail with error 20 (unable to get local issuer certificate):
    
    # openssl verify -verbose /opt/jfrog/xray/var/data/server/certs/client-cert.pem
    /opt/jfrog/xray/var/data/server/certs/client-cert.pem: CN = rabbitmq
    error 20 at 0 depth lookup:unable to get local issuer certificate
    
    # openssl verify -verbose /opt/jfrog/xray/var/data/rabbitmq/certs/server-cert.pem
    /opt/jfrog/xray/var/data/rabbitmq/certs/server-cert.pem: CN = rabbitmq
    error 20 at 0 depth lookup:unable to get local issuer certificate
  6. Modify the certificate permissions for the Xray user.

    Docker Compose
    chown -R 1035:1035 <mounted directory>/xray/var/data/server/certs
    RPM / DEB
    chown -R xray:xray /opt/jfrog/xray/var/data/server/certs/
    Linux Archive
    ## default user and group is xray:xray
    chown -R <xray user>:<xray group> JFROG_HOME/xray/var/data/server/certs/



  7. Modify /opt/jfrog/xray/var/etc/system.yaml in the following way (all keys sit under the shared section). The host in url must be the name in the server certificate (rabbitmq) and the port must be the TLS listener configured by listeners.ssl.default (5671); the client* paths point at the files installed in step 4 and the rabbitmqConf paths at the files installed in step 2.

    shared:
      rabbitMq:
        url: amqps://9fac35$aes256$xt92Y4pRTJ5WVXOZNVv0_39M83TDfH08AfkopDCyveU9HeZFo7lT@rabbitmq:5671/
        clientCaCertFilePath: /opt/jfrog/xray/var/data/server/certs/ca-cert.pem
        clientCertFilePath: /opt/jfrog/xray/var/data/server/certs/client-cert.pem
        clientCertKeyFilePath: /opt/jfrog/xray/var/data/server/certs/client-key.pem
        ## By default RabbitMQ will always be running; "autoStop" will make sure that RabbitMQ stops along with the Xray service
        ## This is applicable only to non-Docker Compose installers
        autoStop: true
        node:
          rabbitmqConf:
            - name: ssl_options.cacertfile
              value: /opt/jfrog/xray/var/data/rabbitmq/certs/ca-cert.pem
            - name: ssl_options.certfile
              value: /opt/jfrog/xray/var/data/rabbitmq/certs/server-cert.pem
            - name: ssl_options.keyfile
              value: /opt/jfrog/xray/var/data/rabbitmq/certs/server-key.pem
            - name: ssl_options.verify
              value: verify_peer
            - name: ssl_options.fail_if_no_peer_cert
              value: false
            - name: management.listener.ssl
              value: true
            - name: listeners.ssl.default
              value: 5671

    ssl_options.verify: verify_peer makes RabbitMQ verify a client certificate when one is presented, but with ssl_options.fail_if_no_peer_cert: false a client that presents no certificate at all is still accepted. Once Xray is configured with clientCertFilePath, set fail_if_no_peer_cert to true so that only holders of a certificate issued by your CA can open the AMQPS listener.
  8. Enable the TLS connection to RabbitMQ in Xray using the REST API.
  9. This step is applicable only for Docker Compose.

    cd  <path to extracted compose directory>/jfrog-xray-<version>-compose/
    ## Expose the TLS port in docker-compose-rabbitmq.yaml (docker-compose.yaml for older 3.x versions) by adding it under services -> rabbitmq -> ports.
    - 5671:5671
    # Restart the RabbitMQ services
    docker-compose -p xray-rabbitmq -f docker-compose-rabbitmq.yaml down
    docker-compose -p xray-rabbitmq -f docker-compose-rabbitmq.yaml up -d

    Publishing 5671 this way makes the TLS listener reachable on every host interface; bind it to a specific address (for example 127.0.0.1:5671:5671) if only local services need to reach RabbitMQ.
  10. Restart Xray services.

    Docker Compose
    docker-compose -p xray -f docker-compose.yaml down
    docker-compose -p xray -f docker-compose.yaml up -d
    RPM / DEB
    systemctl stop xray.service
    systemctl start xray.service
    
    ## For CentOS 6 and RHEL 6
    # service xray stop
    # service xray start 
    Linux Archive
    /opt/jfrog/xray/bin/xray.sh stop
    /opt/jfrog/xray/bin/xray.sh start 

    Management Console Address with TLS

    When TLS is enabled, the Management Console is located in https://<HOST>:15672.


Trusting Self-Signed Certificates

When an Xray instance/node is configured to go through an SSL proxy that uses a self-signed certificate, you may encounter the following error when performing tasks such as an online database sync:

2021-07-20T14:47:47.500Z [jfxr ] [ERROR] [c080f44e606d159 ] [samplers:91                   ] [main                ] Failed to read response from jxrayUrl. Error: Get "https://jxray.jfrog.io/api/v1/system/ping": x509: certificate signed by unknown authority
  1. To overcome this issue, import the proxy's CA certificate into each Xray instance/pod by placing it, in PEM format, under /etc/ssl/certs/ on the Xray machine, container or pod.
  2. Next, restart Xray.
    /etc/ssl/certs/ is one of the locations from which Go's crypto/x509 package loads system root certificates on Linux, which is why a Go application such as Xray picks the certificate up without further configuration; the SSL_CERT_FILE and SSL_CERT_DIR environment variables override these defaults.
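The three failure modes this page runs into share one root: what a Go TLS client (Xray) or a TLS server (RabbitMQ) actually checks on a certificate. The program below is an added example, not code from this page, from Xray or from RabbitMQ. It reproduces the certificate generation of step 1 of the RabbitMQ procedure in Go (ECDSA P-256 keys and the name rabbitmq are assumptions), shows the openssl verify outcomes of step 5 and the "certificate signed by unknown authority" error above as Go error types, and runs real handshakes over a loopback TCP port to show what the verify_peer / fail_if_no_peer_cert settings of step 7 accept, using Go's tls.ClientAuthType as the stand-in for RabbitMQ's ssl_options.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

var serial int64 // serial-number counter for the certificates issued here

// Issue creates a certificate for cn: a self-signed CA when parent is nil, otherwise a leaf
// signed by parent. dnsNames fill the SAN; Go clients such as Xray match the host name against the SAN only.
func Issue(cn string, dnsNames []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: dnsNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // CA: self-signed and permitted to sign other certificates
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Verify is the Go counterpart of "openssl verify": a chain check against roots plus the host-name
// match a TLS client performs. An empty pool yields x509.UnknownAuthorityError (the page's "signed by
// unknown authority" log line); a SAN that does not cover host yields x509.HostnameError even if the CN matches.
func Verify(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Handshake runs one TLS handshake over loopback TCP and returns the server's verdict. clientAuth models
// RabbitMQ's ssl_options: verify_peer + fail_if_no_peer_cert=false is tls.VerifyClientCertIfGiven,
// verify_peer + fail_if_no_peer_cert=true is tls.RequireAndVerifyClientCert. client is nil when none is offered.
func Handshake(server tls.Certificate, roots *x509.CertPool, clientAuth tls.ClientAuthType, client *tls.Certificate) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: roots, ClientAuth: clientAuth}
	cliCfg := &tls.Config{RootCAs: roots, ServerName: "rabbitmq"}
	if client != nil {
		cliCfg.Certificates = []tls.Certificate{*client}
	}
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			verdict <- err
			return
		}
		defer c.Close()
		c.SetDeadline(time.Now().Add(5 * time.Second))
		verdict <- tls.Server(c, srvCfg).Handshake()
	}()
	c, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer c.Close()
	tls.Client(c, cliCfg).Handshake() // RabbitMQ's decision is the server-side one; the client's view is ignored
	return <-verdict
}

func main() {
	ca, caKey, _ := Issue("certificate-authority", nil, nil, nil)
	srv, srvKey, _ := Issue("rabbitmq", []string{"rabbitmq"}, ca, caKey)
	cli, cliKey, _ := Issue("rabbitmq", []string{"rabbitmq"}, ca, caKey)
	cnOnly, _, _ := Issue("rabbitmq", nil, ca, caKey) // what "-subj /CN=rabbitmq" with no SAN produces
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	fmt.Println("CA trusted:", Verify(srv, pool, "rabbitmq"), "| CA not trusted:", Verify(srv, x509.NewCertPool(), "rabbitmq"))
	fmt.Println("CN-only cert, CA trusted:", Verify(cnOnly, pool, "rabbitmq"))
	srvTLS, cliTLS := tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}, tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}
	fmt.Println("no client cert, fail_if_no_peer_cert=false:", Handshake(srvTLS, pool, tls.VerifyClientCertIfGiven, nil))
	fmt.Println("no client cert, fail_if_no_peer_cert=true: ", Handshake(srvTLS, pool, tls.RequireAndVerifyClientCert, nil))
	fmt.Println("client cert, fail_if_no_peer_cert=true:    ", Handshake(srvTLS, pool, tls.RequireAndVerifyClientCert, &cliTLS))
}
```

The first two lines of output map directly onto openssl verify: OK when the CA is in the pool, unknown authority when it is not. The CN-only line is the one the openssl commands on this page would produce without the SAN addition, and it fails host-name verification even though the CA is trusted. The handshake lines show that with fail_if_no_peer_cert=false a connection with no client certificate is accepted, which is the reason for raising it to true once Xray presents its certificate.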
Copyright © 2021 JFrog Ltd.