You can set up TLS certificates to enable encrypted connections from Xray to PostgreSQL, RabbitMQ or MongoDB.
Copy these TLS parameters to /var/opt/jfrog/postgres/data/postgresql.conf.
```conf
ssl = on
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
ssl_prefer_server_ciphers = on
ssl_cert_file = '/full/path/to/postgres/certificates/server.crt'
ssl_key_file = '/full/path/to/postgres/certificates/server.key'
ssl_ca_file = '/full/path/to/postgres/certificates/server_ca.crt'
```
Verify that the certificates have the correct permissions.
```sh
chown postgres /full/path/to/postgres/certificates/* && \
chgrp postgres /full/path/to/postgres/certificates/* && \
chmod 600 /full/path/to/postgres/certificates/*
```
Change the connection string in the /var/opt/jfrog/xray/config/xray_config.yaml file.
```
postgres://xray:xray@postgres:5432/xraydb?sslrootcert=/full/path/to/xray/certificates/ca_certificate.crt&sslkey=/full/path/to/xray/certificates/client.key&sslcert=/full/path/to/xray/certificates/client.crt&sslmode=verify-ca
```
Make sure you have an Xray user and group.
```sh
groupadd -g 1035 xray && \
adduser xray --uid 1035 --gid 1035
```
Assign permissions to the certificates.
```sh
chown xray /full/path/to/xray/certificates/* && \
chgrp xray /full/path/to/xray/certificates/* && \
chmod 600 /full/path/to/xray/certificates/*
```
Restart all the Xray services.
```sh
bash /opt/jfrog/xray/scripts/xray.sh restart all
```
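Two checks worth running after the PostgreSQL steps above, as an added example that is not part of the JFrog documentation or the Xray scripts: one confirms the certificate files ended up with the ownership and mode the chown/chgrp/chmod step sets, the other confirms the connection string still asks libpq to validate the server certificate. It assumes GNU coreutils `stat` (Linux) and compares numeric UIDs, so pass `$(id -u xray)` for the Xray certificates and `$(id -u postgres)` for the server's; the sample directory and connection string at the bottom are constructed for the demonstration.

```sh
# Added example, not JFrog's code. Assumes GNU coreutils `stat` (Linux).

# cert_perms_ok DIR UID
# Succeeds when every regular file in DIR is mode 600 and owned by the numeric
# UID, which is what the chown/chgrp/chmod step establishes; lists offenders
# on stderr otherwise.
cert_perms_ok() {
  dir=$1; want_uid=$2; bad=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    mode=$(stat -c '%a' "$f")
    uid=$(stat -c '%u' "$f")
    if [ "$mode" != "600" ] || [ "$uid" != "$want_uid" ]; then
      printf 'bad permissions: %s (mode %s, uid %s)\n' "$f" "$mode" "$uid" >&2
      bad=1
    fi
  done
  return "$bad"
}

# pg_url_verifies_server URL
# Succeeds when a postgres:// URL carries sslmode=verify-ca or verify-full and
# names an sslrootcert, so libpq actually validates the server certificate.
# sslmode=require only encrypts and accepts any certificate; verify-ca checks
# the chain against sslrootcert; verify-full additionally checks the hostname.
pg_url_verifies_server() {
  url=$1
  query=${url#*\?}
  [ "$query" != "$url" ] || return 1   # no query string at all
  mode=""; rootcert=""
  rest=$query
  while [ -n "$rest" ]; do
    kv=${rest%%&*}                      # first key=value pair
    case $kv in
      sslmode=*)     mode=${kv#sslmode=} ;;
      sslrootcert=*) rootcert=${kv#sslrootcert=} ;;
    esac
    [ "$rest" != "$kv" ] || break       # that was the last pair
    rest=${rest#*&}
  done
  case $mode in
    verify-ca|verify-full) [ -n "$rootcert" ] ;;
    *) return 1 ;;
  esac
}

# Demonstration on constructed input: a temporary certificate directory and
# the connection string from the configuration above (placeholder paths).
demo_dir=$(mktemp -d)
printf 'constructed placeholder, not a real key\n' > "$demo_dir/client.key"
printf 'constructed placeholder, not a real cert\n' > "$demo_dir/client.crt"
chmod 600 "$demo_dir"/*
cert_perms_ok "$demo_dir" "$(id -u)" && echo "certificate permissions: ok"
pg_url_verifies_server 'postgres://xray:xray@postgres:5432/xraydb?sslrootcert=/full/path/to/xray/certificates/ca_certificate.crt&sslkey=/full/path/to/xray/certificates/client.key&sslcert=/full/path/to/xray/certificates/client.crt&sslmode=verify-ca' \
  && echo "connection string validates the server certificate: ok"
rm -rf "$demo_dir"
```

The page's string uses `sslmode=verify-ca`, which is what the check accepts; switching to `verify-full` is the only change needed if the certificate's subject or SAN matches the `postgres` hostname and you also want hostname verification.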
Add these TLS settings to the /etc/rabbitmq/rabbitmq.conf file.
```conf
loopback_users.guest = false
listeners.tcp.default = 5672
hipe_compile = false
management.listener.port = 15672
management.listener.ssl = true
listeners.ssl.default = 5671
ssl_options.cacertfile = /full/path/to/rabbitmq/certificates/ca_certificate.pem
ssl_options.certfile = /full/path/to/rabbitmq/certificates/server_certificate.pem
ssl_options.keyfile = /full/path/to/rabbitmq/certificates/server_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
```
Modify the connection string in the /var/opt/jfrog/xray/config/xray_config.yaml file and add the TLS parameters.
```yaml
ver: 1.0
XrayServerPort: 8000
mqBaseUrl: amqps://guest:guest@<CERTIFIED_HOST>:5671/
mongoUrl: [...]
postgresqlUrl: [...]
clientCaCertFilePath: /full/path/to/xray/certificates/ca_certificate.pem
clientCertFilePath: /full/path/to/xray/certificates/server_certificate.pem
clientCertKeyFilePath: /full/path/to/xray/certificates/server_key.pem
```
Verify that the certificates have the correct permissions.
```sh
chown rabbitmq /full/path/to/rabbitmq/certificates/* && \
chgrp rabbitmq /full/path/to/rabbitmq/certificates/* && \
chmod 600 /full/path/to/rabbitmq/certificates/*
```
Enable the TLS connection to RabbitMQ in Xray using the REST API.
Make sure you have an Xray user and group.
```sh
groupadd -g 1035 xray && \
adduser xray --uid 1035 --gid 1035
```
Assign permissions to the certificates.
```sh
chown xray /full/path/to/xray/certificates/* && \
chgrp xray /full/path/to/xray/certificates/* && \
chmod 600 /full/path/to/xray/certificates/*
```
Restart all the Xray services.
```sh
bash /opt/jfrog/xray/scripts/xray.sh restart all
```
When TLS is enabled, the Management Console is located at https://<HOST>:15672.
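A small consistency check for the RabbitMQ side, added here as an example rather than taken from the JFrog documentation: it reads the `key = value` lines of a rabbitmq.conf, confirms the TLS listener and the three `ssl_options` file paths are set with `ssl_options.verify = verify_peer`, and confirms that the `mqBaseUrl` Xray is given uses `amqps://` on that listener's port rather than the plaintext 5672. The awk parser and the `mq_url_is_tls` helper are assumptions of this example, and the configuration it checks at the bottom is constructed from the settings above.

```sh
# Added example, not JFrog's code. POSIX sh plus awk.

# conf_get FILE KEY
# Prints the value of "KEY = value" in a rabbitmq.conf (last occurrence wins),
# or nothing if the key is absent. Comment lines are skipped. Values are
# assumed not to contain '=' themselves, which holds for the settings above.
conf_get() {
  awk -v key="$2" -F'=' '
    /^[[:space:]]*#/ || NF < 2 { next }
    { k = $1; sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k) }
    k == key { v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v); val = v }
    END { print val }' "$1"
}

# rabbitmq_tls_ok FILE
# Succeeds when an SSL listener is configured, the CA/cert/key paths are set,
# and peers are verified against the CA. With verify_peer a client that does
# present a certificate is checked against the CA, but while
# fail_if_no_peer_cert is false a client that presents none is still accepted,
# so the function prints a note in that case rather than failing.
rabbitmq_tls_ok() {
  f=$1
  [ -n "$(conf_get "$f" listeners.ssl.default)" ] \
    || { echo "listeners.ssl.default is not set" >&2; return 1; }
  for k in ssl_options.cacertfile ssl_options.certfile ssl_options.keyfile; do
    [ -n "$(conf_get "$f" "$k")" ] || { echo "$k is not set" >&2; return 1; }
  done
  [ "$(conf_get "$f" ssl_options.verify)" = "verify_peer" ] \
    || { echo "ssl_options.verify is not verify_peer" >&2; return 1; }
  if [ "$(conf_get "$f" ssl_options.fail_if_no_peer_cert)" != "true" ]; then
    echo "note: fail_if_no_peer_cert is not true; clients without a certificate are accepted" >&2
  fi
  return 0
}

# mq_url_is_tls URL PORT
# Succeeds when the broker URL uses the amqps:// scheme and explicitly names
# PORT (the SSL listener port). Bracketed IPv6 hosts are not handled.
mq_url_is_tls() {
  case $1 in
    amqps://*) ;;
    *) return 1 ;;
  esac
  hostport=${1#amqps://}; hostport=${hostport%%/*}; hostport=${hostport##*@}
  port=${hostport##*:}
  [ "$hostport" != "$port" ] && [ "$port" = "$2" ]
}

# Demonstration on a constructed rabbitmq.conf built from the settings above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/rabbitmq.conf" <<'EOF'
loopback_users.guest = false
listeners.tcp.default = 5672
listeners.ssl.default = 5671
ssl_options.cacertfile = /full/path/to/rabbitmq/certificates/ca_certificate.pem
ssl_options.certfile = /full/path/to/rabbitmq/certificates/server_certificate.pem
ssl_options.keyfile = /full/path/to/rabbitmq/certificates/server_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
EOF
ssl_port=$(conf_get "$demo_dir/rabbitmq.conf" listeners.ssl.default)
rabbitmq_tls_ok "$demo_dir/rabbitmq.conf" && echo "rabbitmq.conf TLS settings: ok"
mq_url_is_tls 'amqps://guest:guest@<CERTIFIED_HOST>:5671/' "$ssl_port" \
  && echo "mqBaseUrl uses amqps on port $ssl_port: ok"
rm -rf "$demo_dir"
```

If you want the broker to require a client certificate from Xray (the `clientCertFilePath` and `clientCertKeyFilePath` values above give it one), set `ssl_options.fail_if_no_peer_cert = true` and the check stops printing the note.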
Enable SSL on the MongoDB client-side by adding the following flag to the {Xray_Home}/config/xray_config.yaml file.
You can add keys and certificates to the xray_config.yaml using one of the following methods.
- Add as full paths.
- Add as environment variables.
Assign permissions to the certificates.
Setting up MongoDB with Client Certificate Validation.
Configure MongoDB to work with SSL by adding the following to the /full/path/to/mongod.conf file. For more information, see Setting up Mongod and Mongos with Client Certificate Validation.
Assign permissions to the certificates.
Restart all the Xray services.
```sh
bash /opt/jfrog/xray/scripts/xray.sh restart all
```