You can set up TLS certificates to enable encrypted connections from Xray to PostgreSQL, RabbitMQ or MongoDB.  

Securing PostgreSQL with TLS Support on Xray

  1. Copy these TLS parameters to /var/opt/jfrog/postgres/data/postgresql.conf.

    ssl = on
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
ssl_prefer_server_ciphers = on
ssl_cert_file = '/full/path/to/postgres/certificates/server.crt'
ssl_key_file = '/full/path/to/postgres/certificates/server.key'
ssl_ca_file = '/full/path/to/postgres/certificates/server_ca.crt'

  2. Verify that the certificates have the correct permissions.

    chown postgres /full/path/to/postgres/certificates/* && \
chgrp postgres /full/path/to/postgres/certificates/* && \
chmod 600 /full/path/to/postgres/certificates/*

  3. Change the connection string in the /var/opt/jfrog/xray/config/xray_config.yaml file.

    postgres://xray:xray@postgres:5432/xraydb?sslrootcert=/full/path/to/xray/certificates/ca_certificate.crt&sslkey=/full/path/to/xray/certificates/client.key&sslcert=/full/path/to/xray/certificates/client.crt&sslmode=verify-ca

  4. Make sure you have an Xray user and group.

    groupadd -g 1035 xray && \
adduser xray --uid 1035 --gid 1035

  5. Assign permissions to the certificates.

    chown xray /full/path/to/xray/certificates/* && \
chgrp xray /full/path/to/xray/certificates/* && \
chmod 600 /full/path/to/xray/certificates/*

  6. Restart all the Xray services.

    bash /opt/jfrog/xray/scripts/xray.sh restart all


Securing RabbitMQ with TLS Support on Xray

  1. Add these TLS settings to the /etc/rabbitmq/rabbitmq.conf file.

    loopback_users.guest = false
listeners.tcp.default = 5672
hipe_compile = false
management.listener.port = 15672
management.listener.ssl = true
listeners.ssl.default = 5671
ssl_options.cacertfile = /full/path/to/rabbitmq/certificates/ca_certificate.pem
ssl_options.certfile   = /full/path/to/rabbitmq/certificates/server_certificate.pem
ssl_options.keyfile    = /full/path/to/rabbitmq/certificates/server_key.pem
ssl_options.verify     = verify_peer
ssl_options.fail_if_no_peer_cert = false

  2. Modify the connection string in the /var/opt/jfrog/xray/config/xray_config.yaml and add the TLS parameters.

    ver: 1.0
XrayServerPort:             8000
mqBaseUrl:                  amqps://guest:guest@<CERTIFIED_HOST>:5671/
mongoUrl: [...]
postgresqlUrl: [...]
clientCaCertFilePath:      /full/path/to/xray/certificates/ca_certificate.pem
clientCertFilePath:        /full/path/to/xray/certificates/server_certificate.pem
clientCertKeyFilePath:     /full/path/to/xray/certificates/server_key.pem

  3. Verify that the certificates have the correct permissions.

    chown rabbitmq /full/path/to/rabbitmq/certificates/* && \
chgrp rabbitmq /full/path/to/rabbitmq/certificates/* && \
chmod 600 /full/path/to/rabbitmq/certificates/*

  4. Enable the TLS connection to RabbitMQ in Xray using the REST API.  

  5. Make sure you have an Xray user and group.

    groupadd -g 1035 xray && \
adduser xray --uid 1035 --gid 1035

  6. Assign permissions to the certificates.

    chown xray /full/path/to/xray/certificates/* && \
chgrp xray /full/path/to/xray/certificates/* && \
chmod 600 /full/path/to/xray/certificates/*

  7. Restart all the Xray services.

    bash /opt/jfrog/xray/scripts/xray.sh restart all

    When TLS is enabled, the Management Console is located at https://<HOST>:15672.

Securing MongoDB with TLS Support on Xray

Configuring SSL on the MongoDB client-side

  1. Enable SSL on the MongoDB client-side by adding the following flag to the {Xray_Home}/config/xray_config.yaml file.

    mongoSsl : true

  2. You can add keys and certificates to the xray_config.yaml using one of the following methods.

    - Add as full paths.

    //Add keys and certificates
    mongoCaCertFilePath:    
    mongoCertFilePath:  
    mongoKeyFilePath:

    -  Add as environment variables.

    //Add environment variables
    "MONGO_CERT_FILE_PATH"
    "MONGO_CERT_KEY_FILE_PATH"
    "MONGO_CA_CERT_FILE_PATH"

  3. Assign permissions to the certificates.

    chown xray /full/path/to/xray/certificates/* && \
    chgrp xray /full/path/to/xray/certificates/* && \
    chmod 600 /full/path/to/xray/certificates/*

  4. Setting up MongoDB with Client Certificate Validation.

    Configure MongoDB to work with SSL by adding the following to the full/path//mongod.conf file. For more information, see Setting up Mongod and Mongos with Client Certificate Validation.

    net:
       ssl:
          mode: requireSSL
          PEMKeyFile: full/path/mongodb.pem
          CAFile:    full/path//ca_certificate.pem

  5. Assign permissions to the certificates.

    In full/path/ folder:
    chown mongodb *.pem
    chgrp mongodb *.pem
    chmod 600 *.pem

  6. Restart all the Xray services.

    bash /opt/jfrog/xray/scripts/xray.sh restart all