You can set up TLS certificates to enable encrypted connections from Xray to PostgreSQL, RabbitMQ or MongoDB.  

Securing PostgreSQL with TLS Support on Xray

  1. Copy these TLS parameters to /var/opt/jfrog/postgres/data/postgresql.conf.

    ssl = on
    ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
    ssl_prefer_server_ciphers = on
    ssl_cert_file = '/full/path/to/postgres/certificates/server.crt'
    ssl_key_file = '/full/path/to/postgres/certificates/server.key'
    ssl_ca_file = '/full/path/to/postgres/certificates/server_ca.crt'
  2. Verify that the certificates have the correct permissions.

    chown postgres /full/path/to/postgres/certificates/* && \
    chgrp postgres /full/path/to/postgres/certificates/* && \
    chmod 600 /full/path/to/postgres/certificates/*
  3. Change the connection string in the /var/opt/jfrog/xray/config/xray_config.yaml file.

    postgres://xray:xray@postgres:5432/xraydb?sslrootcert=/full/path/to/xray/certificates/ca_certificate.crt&sslkey=/full/path/to/xray/certificates/client.key&sslcert=/full/path/to/xray/certificates/client.crt&sslmode=verify-ca
  4. Make sure you have an Xray user and group.

    groupadd -g 1035 xray && \
    adduser xray --uid 1035 --gid 1035
  5. Assign permissions to the certificates.

    chown xray /full/path/to/xray/certificates/* && \
    chgrp xray /full/path/to/xray/certificates/* && \
    chmod 600 /full/path/to/xray/certificates/*
  6. Restart all the Xray services.

    bash /opt/jfrog/xray/scripts/xray.sh restart all


Securing RabbitMQ with TLS Support on Xray

  1. Add these TLS settings to the /etc/rabbitmq/rabbitmq.conf file.

    loopback_users.guest = false
    listeners.tcp.default = 5672
    hipe_compile = false
    management.listener.port = 15672
    management.listener.ssl = true
    listeners.ssl.default = 5671
    ssl_options.cacertfile = /full/path/to/rabbitmq/certificates/ca_certificate.pem
    ssl_options.certfile   = /full/path/to/rabbitmq/certificates/server_certificate.pem
    ssl_options.keyfile    = /full/path/to/rabbitmq/certificates/server_key.pem
    ssl_options.verify     = verify_peer
    ssl_options.fail_if_no_peer_cert = false
  2. Modify the connection string in the /var/opt/jfrog/xray/config/xray_config.yaml and add the TLS parameters.

    ver: 1.0
    XrayServerPort:             8000
    mqBaseUrl:                  amqps://guest:guest@<CERTIFIED_HOST>:5671/
    mongoUrl: [...]
    postgresqlUrl: [...]
    clientCaCertFilePath:      /full/path/to/xray/certificates/ca_certificate.pem
    clientCertFilePath:        /full/path/to/xray/certificates/server_certificate.pem
    clientCertKeyFilePath:     /full/path/to/xray/certificates/server_key.pem
  3. Verify that the certificates have the correct permissions.

    chown rabbitmq /full/path/to/rabbitmq/certificates/* && \
    chgrp rabbitmq /full/path/to/rabbitmq/certificates/* && \
    chmod 600 /full/path/to/rabbitmq/certificates/*
  4. Enable the TLS connection to RabbitMQ in Xray using the REST API.  

  5. Make sure you have an Xray user and group.

    groupadd -g 1035 xray && \
    adduser xray --uid 1035 --gid 1035
  6. Assign permissions to the certificates.

    chown xray /full/path/to/xray/certificates/* && \
    chgrp xray /full/path/to/xray/certificates/* && \
    chmod 600 /full/path/to/xray/certificates/*
  7. Restart all the Xray services.

    bash /opt/jfrog/xray/scripts/xray.sh restart all

    Management Console Address with TLS

    When TLS is enabled, the Management Console is located at https://<HOST>:15672.

Securing MongoDB with TLS Support on Xray

Configuring SSL on the MongoDB client-side

  1. Enable SSL on the MongoDB client-side by adding the following flag to the {Xray_Home}/config/xray_config.yaml file.

    mongoSsl: true

  2. You can add keys and certificates to the xray_config.yaml using one of the following methods.

    - Add as full paths.

    # Add keys and certificates
    mongoCaCertFilePath:
    mongoCertFilePath:
    mongoKeyFilePath:

    - Add as environment variables.

    # Add environment variables
    "MONGO_CERT_FILE_PATH"
    "MONGO_CERT_KEY_FILE_PATH"
    "MONGO_CA_CERT_FILE_PATH"

  3. Assign permissions to the certificates.

    chown xray /full/path/to/xray/certificates/* && \
    chgrp xray /full/path/to/xray/certificates/* && \
    chmod 600 /full/path/to/xray/certificates/*

  4. Set up MongoDB with client certificate validation.

    Configure MongoDB to work with SSL by adding the following to the full/path/mongod.conf file. For more information, see the MongoDB documentation on Setting up Mongod and Mongos with Client Certificate Validation.

    net:
      ssl:
        mode: requireSSL
        PEMKeyFile: full/path/mongodb.pem
        CAFile: full/path/ca_certificate.pem

  5. Assign permissions to the certificates.

    cd full/path && \
    chown mongodb *.pem && \
    chgrp mongodb *.pem && \
    chmod 600 *.pem

  6. Restart all the Xray services.

    bash /opt/jfrog/xray/scripts/xray.sh restart all
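Before restarting the services in any of the three procedures above, it is worth confirming that the files referenced in postgresql.conf, rabbitmq.conf, mongod.conf and xray_config.yaml are what the configuration expects. The following POSIX shell script is an added example, not part of this page or of JFrog's tooling: it checks that a certificate or key file is mode 600 and owned by the expected service account (the chown/chgrp/chmod steps above), that a private key actually belongs to the certificate it is paired with (this also works for a combined PEM such as the MongoDB PEMKeyFile), that a server or client certificate verifies against the CA file, and that the PostgreSQL connection string uses an sslmode that verifies the server certificate. The make_fixture function generates a throwaway self-signed CA and server certificate purely for demonstration; the directory, owner and connection string used in the demo are constructed assumptions, and all function names are the example's own.

```shell
#!/bin/sh
# Pre-restart sanity checks for the TLS material used by Xray's PostgreSQL,
# RabbitMQ and MongoDB connections. Added example; function names, paths and
# the demo fixture are assumptions, not JFrog configuration.

# check_file_perms FILE OWNER -> 0 when FILE is mode 600 and owned by OWNER
# (OWNER may be a user name such as postgres/rabbitmq/mongodb/xray, or a uid).
check_file_perms() {
  file=$1; owner=$2
  [ -f "$file" ] || { echo "missing: $file"; return 1; }
  # POSIX find prints the path only if both predicates match; -prune keeps it
  # from descending should a directory ever be passed by mistake.
  [ -n "$(find "$file" -prune -perm 600 -user "$owner" -print 2>/dev/null)" ] \
    || { echo "bad mode/owner: $file (want 600, owner $owner)"; return 1; }
}

# check_key_matches_cert CERT KEY -> 0 when the private key belongs to CERT.
# Compares the SubjectPublicKeyInfo extracted from each side in PEM form.
check_key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] || { echo "key/cert mismatch: $1 vs $2"; return 1; }
}

# check_chain CA CERT -> 0 when CERT verifies against the CA bundle CA.
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
    || { echo "chain failure: $2 is not trusted by $1"; return 1; }
}

# check_pg_url URL -> 0 when the libpq sslmode verifies the server certificate.
# verify-ca checks the chain; verify-full additionally checks the host name.
check_pg_url() {
  mode=$(printf '%s\n' "$1" | sed -n 's/.*[?&]sslmode=\([^&]*\).*/\1/p')
  case $mode in
    verify-ca|verify-full) return 0 ;;
    *) echo "sslmode is '${mode:-unset}'; want verify-ca or verify-full"; return 1 ;;
  esac
}

# make_fixture DIR: constructed self-signed CA plus a CA-signed server cert/key
# in DIR. Demonstration material only; never use these files in a deployment.
make_fixture() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=constructed-ca \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=postgres \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/server.crt" 2>/dev/null
  chmod 600 "$dir"/*
}

# Demo entry point: `sh tls_check.sh --demo` builds the constructed fixture in a
# temporary directory and runs every check against it.
if [ "${1:-}" = "--demo" ]; then
  work=$(mktemp -d)
  make_fixture "$work"
  check_file_perms "$work/server.key" "$(id -u)" &&
  check_key_matches_cert "$work/server.crt" "$work/server.key" &&
  check_chain "$work/ca.crt" "$work/server.crt" &&
  check_pg_url 'postgres://xray:xray@postgres:5432/xraydb?sslmode=verify-ca' &&
  echo "all checks passed"
  rm -rf "$work"
fi
```

Run it as `sh tls_check.sh --demo` to exercise the constructed fixture, or source it and call the functions with the real paths from the steps above, for example `check_file_perms /full/path/to/postgres/certificates/server.key postgres` or `check_chain /full/path/to/xray/certificates/ca_certificate.crt /full/path/to/xray/certificates/client.crt`. The `sslmode=verify-ca` used in step 3 of the PostgreSQL section validates the chain but not the host name; `verify-full` also requires the server certificate to match the host in the URL.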