You can set up TLS certificates to enable encrypted connections from Xray to PostgreSQL, RabbitMQ or MongoDB. Each procedure below assumes you already have a CA certificate, a server certificate and key for the service, and a client certificate and key for Xray, all in PEM format; the "/full/path/to/..." placeholders stand for wherever you keep them.

Securing PostgreSQL with TLS Support on Xray

  1. Add these TLS parameters to /var/opt/jfrog/postgres/data/postgresql.conf.

    ssl = on
    ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
    ssl_prefer_server_ciphers = on
    ssl_cert_file = '/full/path/to/postgres/certificates/server.crt'
    ssl_key_file = '/full/path/to/postgres/certificates/server.key'
    ssl_ca_file = '/full/path/to/postgres/certificates/server_ca.crt'

    The ssl_ciphers value shown is PostgreSQL's default and still admits MEDIUM-strength and 3DES suites; a stricter list such as 'HIGH:!aNULL:!MD5' is preferable when Xray is the only client. Setting ssl_ca_file makes the server verify any client certificate that is presented, but it does not require one: to enforce mutual TLS, add the clientcert option to the hostssl line for the Xray database in pg_hba.conf.
  2. Verify that the certificates have the correct permissions.

    chown postgres /full/path/to/postgres/certificates/* && \
    chgrp postgres /full/path/to/postgres/certificates/* && \
    chmod 600 /full/path/to/postgres/certificates/*
  3. Change the connection string in the /var/opt/jfrog/xray/config/xray_config.yaml file.

    postgres://xray:xray@postgres:5432/xraydb?sslrootcert=/full/path/to/xray/certificates/ca_certificate.crt&sslkey=/full/path/to/xray/certificates/client.key&sslcert=/full/path/to/xray/certificates/client.crt&sslmode=verify-ca

    sslmode=verify-ca checks that the server certificate chains to ca_certificate.crt but not that it was issued for the host in the URL; sslmode=verify-full additionally checks the host name against the certificate and is the stronger choice whenever the server certificate carries the correct name. Any value weaker than verify-ca (require, prefer) does not authenticate the server at all.
  4. Make sure an xray user and group exist (create them if they do not).

    groupadd -g 1035 xray && \
    adduser xray --uid 1035 --gid 1035
  5. Assign permissions to the certificates.

    chown xray /full/path/to/xray/certificates/* && \
    chgrp xray /full/path/to/xray/certificates/* && \
    chmod 600 /full/path/to/xray/certificates/*
  6. Reload or restart PostgreSQL so that the new ssl_* settings take effect, then restart all the Xray services.

    bash /opt/jfrog/xray/scripts/xray.sh restart all


Securing RabbitMQ with TLS Support on Xray

  1. Add these TLS settings to the /etc/rabbitmq/rabbitmq.conf file.

    loopback_users.guest = false
    listeners.tcp.default = 5672
    hipe_compile = false
    management.listener.port = 15672
    management.listener.ssl = true
    listeners.ssl.default = 5671
    ssl_options.cacertfile = /full/path/to/rabbitmq/certificates/ca_certificate.pem
    ssl_options.certfile   = /full/path/to/rabbitmq/certificates/server_certificate.pem
    ssl_options.keyfile    = /full/path/to/rabbitmq/certificates/server_key.pem
    ssl_options.verify     = verify_peer
    ssl_options.fail_if_no_peer_cert = false

    With ssl_options.verify = verify_peer and fail_if_no_peer_cert = false, the broker verifies a client certificate if one is offered but still accepts clients that present none; once Xray's client certificate is in place, set fail_if_no_peer_cert = true to require it. Note also that listeners.tcp.default keeps the plaintext listener on 5672 open, and that loopback_users.guest = false allows the built-in guest account to log in from non-loopback addresses; close the plaintext listener and replace guest with a dedicated account once the TLS connection works.
  2. Modify the connection string in the /var/opt/jfrog/xray/config/xray_config.yaml file and add the TLS parameters.

    ver: 1.0
    XrayServerPort:             8000
    mqBaseUrl:                  amqps://guest:guest@<CERTIFIED_HOST>:5671/
    mongoUrl: [...]
    postgresqlUrl: [...]
    clientCaCertFilePath:      /full/path/to/xray/certificates/ca_certificate.pem
    clientCertFilePath:        /full/path/to/xray/certificates/server_certificate.pem
    clientCertKeyFilePath:     /full/path/to/xray/certificates/server_key.pem

    <CERTIFIED_HOST> must be the name the broker's certificate was issued for, not an IP address or alias that is absent from it. The three client* entries are the CA that Xray trusts and the certificate and key that Xray presents to the broker; whatever the files are called, they are Xray's client credentials, not copies of the broker's server certificate.
  3. Verify that the certificates have the correct permissions.

    chown rabbitmq /full/path/to/rabbitmq/certificates/* && \
    chgrp rabbitmq /full/path/to/rabbitmq/certificates/* && \
    chmod 600 /full/path/to/rabbitmq/certificates/*
  4. Enable the TLS connection to RabbitMQ in Xray using the REST API.  

  5. Make sure an xray user and group exist (create them if they do not).

    groupadd -g 1035 xray && \
    adduser xray --uid 1035 --gid 1035
  6. Assign permissions to the certificates.

    chown xray /full/path/to/xray/certificates/* && \
    chgrp xray /full/path/to/xray/certificates/* && \
    chmod 600 /full/path/to/xray/certificates/*
  7. Restart RabbitMQ so that it picks up the new listener, then restart all the Xray services.

    bash /opt/jfrog/xray/scripts/xray.sh restart all

    When TLS is enabled, the Management Console is located at https://<HOST>:15672.

Securing MongoDB with TLS Support on Xray

Configuring SSL on the MongoDB client side

  1. Enable SSL on the MongoDB client side by adding the following flag to the {Xray_Home}/config/xray_config.yaml file.

    mongoSsl: true

  2. Add the keys and certificates to xray_config.yaml using one of the following methods.

    - As full paths in xray_config.yaml.

    # Add keys and certificates
    mongoCaCertFilePath:
    mongoCertFilePath:
    mongoKeyFilePath:

    - As environment variables, each holding the full path of the corresponding file.

    # Add environment variables
    MONGO_CERT_FILE_PATH
    MONGO_CERT_KEY_FILE_PATH
    MONGO_CA_CERT_FILE_PATH

  3. Assign permissions to the certificates.

    chown xray /full/path/to/xray/certificates/* && \
    chgrp xray /full/path/to/xray/certificates/* && \
    chmod 600 /full/path/to/xray/certificates/*

  4. Set up MongoDB with client certificate validation.

    Configure MongoDB to work with SSL by adding the following to the /full/path/mongod.conf file. For more information, see Setting up Mongod and Mongos with Client Certificate Validation.

    net:
      ssl:
        mode: requireSSL
        PEMKeyFile: /full/path/mongodb.pem
        CAFile: /full/path/ca_certificate.pem

    PEMKeyFile is a single PEM file containing the server certificate followed by its private key. With CAFile set and mode requireSSL, mongod refuses plaintext connections and validates the client certificate that Xray presents against the CA. MongoDB 4.2 and later deprecate the net.ssl options in favour of the equivalent net.tls options (mode: requireTLS, certificateKeyFile, CAFile); the settings above still work but log a deprecation warning.

  5. Assign permissions to the certificates.

    cd /full/path && \
    chown mongodb *.pem && \
    chgrp mongodb *.pem && \
    chmod 600 *.pem

  6. Restart mongod so that it picks up the new net.ssl settings, then restart all the Xray services.

    bash /opt/jfrog/xray/scripts/xray.sh restart all
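The three procedures above share the same failure modes: a key that does not belong to its certificate, a certificate that does not chain to the CA file the other side is told to trust, a certificate issued for a name other than the one in the connection URL (which breaks sslmode=verify-full and any other hostname check), and files that end up readable by the wrong account. The preflight script below, added here as an example and not part of the Xray or JFrog tooling, checks all four for any PEM certificate, key and CA trio before you restart the services. It assumes only a POSIX shell and the openssl command; the file names and the host name are arguments, and the sample invocation in the comment uses the PostgreSQL paths from this page.

```shell
#!/bin/sh
# tls_preflight.sh: sanity-check a PEM cert/key/CA set before pointing Xray,
# PostgreSQL, RabbitMQ or mongod at it. Example code for this page, not JFrog's
# tooling; it knows nothing about Xray paths, every file name is an argument.
#   sh tls_preflight.sh /full/path/to/postgres/certificates/server_ca.crt \
#       /full/path/to/postgres/certificates/server.crt \
#       /full/path/to/postgres/certificates/server.key postgres postgres
set -u

# Does the private key belong to the certificate? Compares the public key
# embedded in the certificate with the one derived from the private key.
cert_key_match() {
    cert=$1; key=$2
    c=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Does the certificate chain to the CA file the peer will be told to trust
# (sslrootcert / ssl_ca_file, ssl_options.cacertfile, net.ssl.CAFile)?
cert_chains_to_ca() {
    ca=$1; cert=$2
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Does the certificate carry a DNS subjectAltName for the host in the
# connection URL? Hostname checking (libpq verify-full, the AMQP and Mongo
# clients) fails without it. $host is used as a regex, so dots match dots.
cert_has_dns_san() {
    cert=$1; host=$2
    openssl x509 -noout -text -in "$cert" 2>/dev/null \
        | grep -E -q "DNS:$host([,[:space:]]|\$)"
}

# Is the file mode exactly 0600 and owned by the service account that
# must read it (postgres, rabbitmq, mongodb or xray)?
file_locked_down() {
    file=$1; owner=$2
    [ -n "$(find "$file" -prune -perm 600 -user "$owner" -print 2>/dev/null)" ]
}

# Run every check against one set. Prints one line per check and returns
# non-zero if any failed, so a deployment script can refuse to restart.
preflight() {
    ca=$1; cert=$2; key=$3; host=$4; owner=$5; rc=0
    run() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; rc=1; fi; }
    run cert_key_match "$cert" "$key"
    run cert_chains_to_ca "$ca" "$cert"
    run cert_has_dns_san "$cert" "$host"
    for f in "$ca" "$cert" "$key"; do
        run file_locked_down "$f" "$owner"
    done
    return $rc
}

# Invoked directly with five arguments: ca cert key host owner.
if [ $# -eq 5 ]; then preflight "$@"; fi
```

Run it once per service with that service's files and account (the server side), and once more with Xray's client files and the xray account, because the two sides fail independently: a server whose certificate is fine will still reject Xray if the client key does not match the client certificate, and a client trust store that does not contain the issuing CA fails with sslmode=verify-ca just as it does with verify-full.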