Configuration and Features
This document describes configurations and features related to a9s Messaging.
Audit Logs
An extensive log of actions executed on an a9s Messaging instance can be valuable for your organization for various reasons, including:
- Ensuring that your applications are functioning correctly.
- Investigating incidents by reviewing a chronological record of events.
- Validating that only known apps/users are accessing the a9s Messaging platform.
For these reasons we provide an audit log feature for a9s Messaging that takes internal events from RabbitMQ (e.g. connection.created, queue.created, binding.created, ...) and delivers them as Syslog (RFC 5424) over TCP to an endpoint of your choice, for example an a9s LogMe2 instance.
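The endpoint that receives these events has to split each RFC 5424 frame into its header, structured data and message before it can answer the third question above (are only known users connecting?). The following is an added example, not code from the a9s documentation or from RabbitMQ: a small RFC 5424 parser plus an allow-list check over connection.created events. The page does not specify the exact body RabbitMQ's audit log emits, so the SD-ID rabbitmq@12345, its parameters (event, user, vhost, peer), the sample frames and the allow-list are constructed for illustration and will need to be adjusted to what your endpoint actually receives.

```python
"""Parse RFC 5424 syslog frames carrying a9s Messaging audit events and
flag connections from principals that are not on an allow-list.

Added example, not code from the a9s documentation or the product. The
SD-ID "rabbitmq@12345" and its parameters (event, user, vhost, peer) are
assumptions, as are the sample frames and the allow-list below.
"""
import re
from typing import Dict, List, Set

# RFC 5424 HEADER: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID,
# followed by STRUCTURED-DATA ("-" or one or more [SD-ID PARAM="VALUE" ...])
# and an optional free-text MSG.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$"
)
_SD_ELEMENT = re.compile(r'\[(?P<id>[^\s\]=]+)(?P<params>(?: [^\s=]+="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r'(?P<name>[^\s=]+)="(?P<value>(?:[^"\\]|\\.)*)"')


def _unescape(value: str) -> str:
    # RFC 5424 escapes '"', '\' and ']' inside PARAM-VALUE with a backslash.
    return re.sub(r'\\([\\"\]])', r"\1", value)


def parse_syslog(line: str) -> Dict:
    """Split one RFC 5424 frame into header fields, structured data and message."""
    m = _HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an RFC 5424 frame: {line!r}")
    rest = m.group("rest")
    sd: Dict[str, Dict[str, str]] = {}
    if rest.startswith("-"):
        msg = rest[1:].lstrip(" ")  # NILVALUE: frame carries no structured data
    else:
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            elem = _SD_ELEMENT.match(rest, pos)
            if elem is None:
                raise ValueError(f"malformed STRUCTURED-DATA in {line!r}")
            sd[elem.group("id")] = {
                p.group("name"): _unescape(p.group("value"))
                for p in _SD_PARAM.finditer(elem.group("params"))
            }
            pos = elem.end()
        msg = rest[pos:].lstrip(" ")
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,          # PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": m.group("timestamp"),
        "hostname": m.group("hostname"),
        "appname": m.group("appname"),
        "msgid": m.group("msgid"),
        "sd": sd,
        "msg": msg,
    }


AUDIT_SD_ID = "rabbitmq@12345"  # assumed SD-ID; adjust to what your endpoint receives


def audit_connections(frames: List[str], allowed_users: Set[str]) -> List[Dict[str, str]]:
    """One finding per connection.created event whose user is not on the allow-list."""
    findings = []
    for line in frames:
        frame = parse_syslog(line)
        event = frame["sd"].get(AUDIT_SD_ID, {})
        if event.get("event") != "connection.created":
            continue
        user = event.get("user", "<unknown>")
        if user not in allowed_users:
            findings.append({
                "timestamp": frame["timestamp"],
                "user": user,
                "vhost": event.get("vhost", ""),
                "peer": event.get("peer", ""),
            })
    return findings


# Constructed sample frames, shaped like what a syslog-over-TCP endpoint would receive.
SAMPLE_FRAMES = [
    '<14>1 2024-05-01T10:00:00.000Z rmq-0 rabbitmq 1234 audit '
    '[rabbitmq@12345 event="connection.created" user="app-orders" vhost="/" peer="10.0.1.12:41222"] connection.created',
    '<14>1 2024-05-01T10:00:01.000Z rmq-0 rabbitmq 1234 audit '
    '[rabbitmq@12345 event="queue.created" user="app-orders" vhost="/" name="orders"] queue.created',
    '<14>1 2024-05-01T10:00:02.000Z rmq-0 rabbitmq 1234 audit '
    '[rabbitmq@12345 event="connection.created" user="svc-unknown" vhost="/" peer="10.0.9.77:50310"] connection.created',
    '<14>1 2024-05-01T10:00:03.000Z rmq-0 rabbitmq 1234 audit - binding.created (no structured data)',
]
ALLOWED_USERS = {"app-orders", "app-billing"}  # constructed allow-list of known application users

if __name__ == "__main__":
    for finding in audit_connections(SAMPLE_FRAMES, ALLOWED_USERS):
        print("unexpected connection:", finding)
```

Run as-is it reports the single connection from svc-unknown. Frames without structured data (the last sample) parse cleanly but produce no finding, so an endpoint that only forwards free text will silently pass the check; confirm the structured-data layout against real frames before relying on it.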
Enable Globally
Audit logging can be enabled globally by setting the following a9s Messaging custom parameters in the a9s SPI configuration or in the service plan configuration for a9s Messaging.
Example when configuring the SPI:
(...)
rabbitmq-spi:
  service_instance:
    custom_param_config:
      audit-log-endpoint:
        default_value: syslog-tls://myd5963ba-fluentd.service.dc1.dsf2.a9ssvc:6514
        modifiable: false
      audit-log-ca-crt:
        modifiable: false
        default_value: |
          -----BEGIN CERTIFICATE-----
          (...) <ca-content-here>
          -----END CERTIFICATE-----
(...)
Take a look at the Custom Parameter Configuration documentation for details on these parameters.
Legacy Port
In previous releases of a9s Messaging, the SSL and TCP listeners were configured on the same port (5672). If you need to keep this behavior, we provide the Ops file ops/rabbitmq-legacy-port.yml.
Deploying with the Ops file:
bosh deploy -d rabbitmq-service rabbitmq-service/rabbitmq-service.yml \
-o ops/rabbitmq-legacy-port.yml -l config/iaas-config.yml -l config/rabbitmq.yml
Management UI
The RabbitMQ Management UI can be enabled by using the Ops file ops/rabbitmq-enable-management-ui-as-route.yml, which can be found in anynines-deployment. Since each a9s Messaging Service Instance provides its own RabbitMQ Management UI, we use the Route Registrar to dynamically register these routes. Therefore, to use this feature you need a router that can dynamically update its routes based on a NATS message bus, such as gorouter.
When the Ops file is applied, a link is added to the a9s Service Dashboard so that the Application Developer can access it.
Due to the internal workings of the a9s Data Services, the Ops file ops/rabbitmq-enable-management-ui-as-route.yml references another Ops file which is used by the a9s Template Uploader Errand. For more information see Template Uploader Errand: Template Ops Files.
TLS Configuration
As described in https://www.rabbitmq.com/ssl.html, the operator can specify TLS/SSL configuration that changes a RabbitMQ server's behavior with respect to SSL/TLS connections. In particular the options rabbitmq.ssl.verify and rabbitmq.ssl.fail_if_no_peer_cert can be set. The meaning of these settings is described in https://www.rabbitmq.com/ssl.html#peer-verification. E.g. set rabbitmq.ssl.verify to the value verify_peer and rabbitmq.ssl.fail_if_no_peer_cert to the value true in order for the RabbitMQ server to demand a TLS certificate from any connecting client. You can also enable this for existing instances with cf update-service [INSTANCE_NAME] -c '{"fail_if_no_peer_cert": true, "verify":"verify_peer"}'. In addition, the client certificate must have been signed by a certificate authority that the RabbitMQ server trusts.
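The interaction of the two options is easy to get wrong: verify_peer on its own only asks for a certificate, and a client that sends none is still admitted unless fail_if_no_peer_cert is also true. The following is an added example, not code from the a9s documentation or from RabbitMQ. It assumes the documented peer-verification semantics (which RabbitMQ passes through to Erlang's ssl options of the same names) and expresses them with Python's standard ssl module, where the same three postures exist as verify_mode values; the function names and the three client cases are ours.

```python
"""Model what RabbitMQ's peer-verification options do to a TLS listener.

Added example, not code from the a9s documentation or from RabbitMQ. It
assumes the documented semantics of verify / fail_if_no_peer_cert and maps
them onto Python's ssl module; the helper names are ours.
"""
import json
import ssl
from typing import Optional


def verify_mode_for(verify: str, fail_if_no_peer_cert: bool) -> ssl.VerifyMode:
    """Translate the two options into the equivalent server-side verify mode."""
    if verify == "verify_none":
        # The server never asks for a client certificate: anything that can reach
        # the port and knows valid credentials can connect.
        return ssl.CERT_NONE
    if verify == "verify_peer":
        # The server asks for a certificate. Without fail_if_no_peer_cert=true a
        # client that simply sends none still completes the handshake.
        return ssl.CERT_REQUIRED if fail_if_no_peer_cert else ssl.CERT_OPTIONAL
    raise ValueError(f"unknown verify setting: {verify!r}")


def handshake_outcome(verify: str, fail_if_no_peer_cert: bool, client_cert: Optional[str]) -> str:
    """client_cert is None (client sends no certificate), "trusted" (chains to a CA
    the server trusts) or "untrusted". Returns "accept" or "reject"."""
    mode = verify_mode_for(verify, fail_if_no_peer_cert)
    if mode == ssl.CERT_NONE:
        return "accept"  # nothing requested, nothing checked
    if client_cert is None:
        return "reject" if mode == ssl.CERT_REQUIRED else "accept"
    # A certificate that is presented is always validated against the trusted CAs.
    return "accept" if client_cert == "trusted" else "reject"


def build_server_context(verify: str, fail_if_no_peer_cert: bool,
                         ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Server-side SSLContext enforcing the same policy.

    ca_file is a PEM bundle of the CAs whose client certificates the server trusts
    (the last sentence of the section above); None leaves the trust store empty.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = verify_mode_for(verify, fail_if_no_peer_cert)
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def update_service_params(verify: str, fail_if_no_peer_cert: bool) -> str:
    """The -c payload for `cf update-service INSTANCE -c '<json>'` as shown above."""
    return json.dumps({"fail_if_no_peer_cert": fail_if_no_peer_cert, "verify": verify})


def posture_table():
    """Every option combination against the three client cases (no cert, trusted, untrusted)."""
    rows = []
    for verify, fail in (("verify_none", False), ("verify_peer", False), ("verify_peer", True)):
        outcomes = tuple(handshake_outcome(verify, fail, c) for c in (None, "trusted", "untrusted"))
        rows.append((verify, fail, outcomes))
    return rows


if __name__ == "__main__":
    print("verify        fail_if_no_peer_cert  no-cert   trusted   untrusted")
    for verify, fail, (none, trusted, untrusted) in posture_table():
        print(f"{verify:13} {str(fail).lower():21} {none:9} {trusted:9} {untrusted}")
    print("cf update-service [INSTANCE_NAME] -c", repr(update_service_params("verify_peer", True)))
```

Running it prints the posture table; only the verify_peer / true row rejects a client that presents no certificate, which is the combination the section tells you to set. build_server_context is there to show that the same policy is a single verify_mode on a server context: it is a model of the listener's behaviour, not something that talks to a RabbitMQ node.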