This plugin provides support for TLS (x509) certificate whitelisting. All plugins which use the global TLS options will be configured with the same whitelist.
The plugin whitelists the PEM-formatted TLS certificates found in a given directory, refreshing at a configurable interval or whenever rabbitmqctl eval 'rabbit_trust_store:refresh().' is invoked.
While RabbitMQ can be configured to accept self-signed certificates through various TLS socket options, namely the ca_certs and partial_chain properties, this configuration is somewhat static: there is no convenient means of changing it at runtime, that is, without reconfiguring the TLS listening sockets.
Running make dist will build the plugin and put the build artifacts under the ./plugins directory.
Configure the trust store with a directory of whitelisted certificates and a refresh interval:
{rabbitmq_trust_store,
[{directory, "$HOME/rabbit/whitelist"}, %% trusted certificate directory path
{refresh_interval, {seconds, 30}} %% refresh interval; seconds is the only supported unit
]}
Setting refresh_interval to 0 seconds disables automatic refresh.
Certificates are distinguished by their filename:
- Changing the contents of an existing certificate file will NOT change the whitelist to correspond with that change.
- Write a PEM-formatted certificate file to the configured directory to whitelist it. The file contains all the information necessary to authorize a client which presents the very same certificate to the server.
- Delete the certificate file from the configured directory to remove it from the whitelist.
When the trust store starts it configures the TLS listening sockets and whitelists the certificates in the given directory; accepting sockets can then query the trust store with the certificate their client presents. The whitelist is refreshed to correspond with changes in the directory's contents, installing and removing certificate details, after each refresh interval or on a manual refresh (by invoking rabbitmqctl eval 'rabbit_trust_store:refresh().' from the command line).
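The filename-keyed whitelist and the refresh cycle described above, modelled as an added Python example (not the plugin's own Erlang code). It assumes a certificate is identified by the SHA-256 of its DER body; the PEM bodies it writes are constructed placeholders rather than real X.509 certificates, and no RabbitMQ node is involved.

```python
import base64, hashlib, os, re, tempfile
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(text):
    """DER bytes of the first CERTIFICATE block in a PEM file, or None."""
    m = PEM_CERT.search(text)
    return base64.b64decode("".join(m.group(1).split())) if m else None

def write_pem(path, der):
    """Write bytes in PEM armour (constructed test input, not a real X.509 cert)."""
    with open(path, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
                 + "-----END CERTIFICATE-----\n")

class TrustStore:
    # Whitelist keyed by filename; a cert's identity is its DER SHA-256 (assumption).
    def __init__(self, directory):
        self.directory = directory
        self.by_file = {}  # filename -> DER fingerprint
        self.refresh()

    def refresh(self):
        # Add files that appeared, drop files that vanished; known filenames are NOT re-read.
        present = {f for f in os.listdir(self.directory)
                   if os.path.isfile(os.path.join(self.directory, f))}
        for name in present - set(self.by_file):
            with open(os.path.join(self.directory, name)) as fh:
                der = pem_to_der(fh.read())
            if der is not None:
                self.by_file[name] = hashlib.sha256(der).hexdigest()
        for name in set(self.by_file) - present:
            del self.by_file[name]

    def whitelisted(self, der):
        # The question an accepting socket asks: is this exact certificate trusted?
        return hashlib.sha256(der).hexdigest() in self.by_file.values()

def lifecycle():
    der_a, der_b = b"constructed-cert-A", b"constructed-cert-B"
    with tempfile.TemporaryDirectory() as d:
        store, path = TrustStore(d), os.path.join(d, "client.pem")
        write_pem(path, der_a)
        store.refresh()
        after_write = store.whitelisted(der_a)
        write_pem(path, der_b)  # same filename, different certificate
        store.refresh()
        after_overwrite = (store.whitelisted(der_a), store.whitelisted(der_b))
        os.remove(path)
        store.refresh()
    return after_write, after_overwrite, store.whitelisted(der_a)
```

The middle result is the point: after the file is overwritten in place, the old certificate is still authorized and the new one is not, so a rotated certificate must arrive under a new filename (or the old file must be deleted first) before a refresh picks it up.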
(c) Pivotal Software Inc, 2007-2016
Released under the MPL, the same license as RabbitMQ.