Insights: Encrypt RabbitMQ Service Communication

Insights: Encrypt RabbitMQ service communication

Issue Description: By default the RabbitMQ service communicates unencrypted. This could potentially be a security finding.

Resolution:
Approach #1: Turn on the firewall to ensure that all communication remains local. This is mentioned in the Insights Installation document.

Approach #2: Encrypt the RabbitMQ service.

Encrypting the RabbitMQ Service

  1. Update the configuration file for RabbiMQ with the attached rabbitmq.config file.
    1. Back up the original file.
    2. RabbitMQ file is located at C:\ProgramData\Sisense\RabbitMQ\rabbitmq.config
    3. The updated file specified ports 5671 and 15671 for the RabbitMQ services
  2. Place the certificates in the RabbitMQ folder.
    • See the Section: Getting the certificates
    • Name the certificates as follows
      • The CA cert - cacert.pem
      • The public key - public.pem
      • The private key - private.pem
  3. Remove the default port configuration from the RabbitMQ default configuration
    • Make a backup of the file: C:\Program Files\Sisense\infra\Rabbitmq\ebin\rabbit.app
    • Open the file and make the following change:
      • On line 10 of the file there should be the following entry: {tcp_listeners, [5672]},
      • Change it to: {tcp_listeners, []},
    • Save the file.
  4. Modify etc/hosts
    • Open: C:\Windows\System32\drivers\etc\hosts
      • This can be done from an admin command prompt. Soo: notepad C:\Windows\System32\drivers\etc\hosts
    • Add the following line:
      • 127.0.0.1 <insights hostname>
      • So if my Insights URL was https://insights.uipath.com, then the string to add would be: 127.0.0.1 insights.uipath.com
  5. Allow the Root CA to be trusted - Open the system environment variables for windows
    • Just search for 'Edit the System Environment Variables' in the Windows search bar.
    • In the dialog that opens up, select 'Environment Variables...'
    • Add the system variable 'NODE_EXTRA_CA_CERTS'
    • For the value set it to 'C:\ProgramData\Sisense\RabbitMQ\cacert.pem'
    • Restart the server.
  6. Restart the Sisense.Broker service in Services.msc
    • Open Services.msc from the windows search bar
    • Locate Sisense.Broker and restart it
  7. Verify the service started correctly
    • Go to C:\ProgramData\Sisense\RabbitMQ\log
    • The rabbit@Orchestrator.log file should be updating. Open it up.
    • Search for started SSL Listener on [::]:5671 - If this is found, it means the changes were applied correctly.
    • It might take a few minutes for the log to fully update.
    • If the changes were not applied correctly, there the following dump file: C:\ProgramData\Sisense\RabbitMQ\log\erl_crash.dump
    • If this occurs it means there is a typo in the modified configuration. Double check that step 1 was done correctly.
  8. Update the connection string
    • Go to localhost:3030 in the Insights server.
    • Scroll down to the message broker section.
    • Change the connection string to amqps://<InsightsHostName>:5671
      • So if my Insights URL was https://insights.uipath.com, the connection string would be: amqps://insights.uipath.com:5671
  9. Enable TLS and add the certificate file information.
    • For CA Certificate and Private Certificate add the open the cacert.pem file and copy in the contents.
    • For Private Certificate copy in the contents of private.pem
  10. Afterwards click the test button. Once the string is verified save.
  11. Post this, verify that everything is still working. If any issues are encountered, please take a screenshot and share that and a description of the issue with support.

Getting the Certificates

  1. Go to the Insights admin login URL
    • https://<insights url>/app/account/login
  2. Click on the secure icon and view the certificate. This may very by browser but in almost all cases its the lock icon in front of the URL. In Firefox its the most complicated, so we recommend using Chrome.
    • For Chrome
      • Click the Lock Icon
      • Select "Certificate"
  3. In the new dialog, go to 'Details' and in the lower right of the screen select "Copy To File.."
  4. Go through the dialog options. When selecting the Format, choose 'Base-64 encoded X.509 (.CER)'
  5. Save the file and name it cacert.pem
  6. After saving the file, click OK in the certificate dialog.
  7. Make a copy of this file and call it public.pem
  8. Copy these files to the Insights server
  9. On the Insights Server go to http://localhost:3030
  10. On the page that opens, go to the section 'SSL Key' and copy the private key.
  11. Open a notepad, copy in the private key and name the file private.pem