Integrating RabbitMQ with Microsoft Entra
Securing data transactions and maintaining compliance are critical in enterprise IT. As a leading RabbitMQ consulting company, we excel in deploying secure messaging solutions that meet these needs. RabbitMQ, an essential open-source message broker, enables reliable and flexible communication across distributed applications.
Microsoft Entra ID (formerly known as Azure Active Directory) is Microsoft's cloud identity and access management service, used to secure and manage user access across environments ranging from on-premises systems to cloud services. Together with the rest of the Microsoft Entra family, such as Conditional Access and Identity Governance, it helps organisations protect their applications and data from unauthorised access while meeting their compliance obligations.
Integrating RabbitMQ with Microsoft Entra ID using OAuth 2.0 enhances this setup by providing a robust authentication framework that aligns with stringent security and audit requirements. This setup not only strengthens security but also facilitates better management of user identities and access controls, crucial for enterprise governance.
In this blog post, we detail the process of configuring RabbitMQ with Microsoft Entra ID to secure your messaging infrastructure, ensuring it is both compliant and efficient. Our focus is to equip enterprises with the knowledge to elevate their RabbitMQ deployments to meet the highest standards of security.
Prerequisites
Before proceeding with the integration of RabbitMQ and Microsoft Entra ID using OAuth 2.0, ensure the following prerequisites are met:
- RabbitMQ is installed and running, and you have administrative access on the broker host to edit its configuration and restart it. Both the rabbitmq_management plugin and the rabbitmq_auth_backend_oauth2 plugin must be enabled (rabbitmq-plugins enable rabbitmq_management rabbitmq_auth_backend_oauth2); the OAuth 2.0 backend ships with RabbitMQ but is off by default.
- You have an active Microsoft Entra ID tenant and administrative rights within it to register and configure applications and to assign app roles to users and groups.
Setting Up Microsoft Entra ID
To integrate RabbitMQ with Microsoft Entra ID using OAuth 2.0, the first step is to register an application in Microsoft Entra ID. This registration represents RabbitMQ and its Management UI: Entra ID remains the identity provider, authenticating users and issuing access tokens for this application, and RabbitMQ verifies those tokens. The following steps guide you through creating the application registration in the Microsoft Entra admin portal.
Create an Application Registration
This subsection explains how to register a new application in Microsoft Entra ID, which is essential for authenticating and authorising client applications that will interact with RabbitMQ.
1. Log into the Microsoft Entra admin portal:
Access the Microsoft Entra admin portal. Enter your credentials to log in and reach the dashboard where you can manage your directory's settings and applications.
2. Navigate to the 'App registrations' section:
Once logged in, find and click on 'App registrations' to manage existing applications and set up new ones.

3. Create a New Application:
Click 'New registration'. This step generates the identifiers (Application ID and Directory ID) that the OAuth 2.0 integration relies on.

Fill in the application details:
- Name: Enter a name for your application, such as ‘rabbitmq-oauth2’.
- Supported Account Types: Select ‘Accounts in this organisational directory only (Default Directory only – Single tenant)’.
- Select a Platform: Choose ‘Single-page application (SPA)’ from the drop-down list.
- Configure the Redirect URI: Set this to https://localhost:15671/js/oidc-oauth/login-callback.html. This is the callback page served by the RabbitMQ management plugin; for a real deployment replace localhost:15671 with the host name and HTTPS port on which users actually reach the Management UI, since Entra ID will only redirect tokens to a URI registered here.

4. Record Essential Information
Make note of the following for future configuration:
- Application (Client) ID
- Directory (Tenant) ID
5. Access the Endpoints Tab:
Navigate to the ‘Endpoints’ tab where you can find URLs and other endpoints related to your application.

6. Retrieve the OpenID Connect Metadata:
Locate and copy the URL of the OpenID Connect metadata document (it ends in /.well-known/openid-configuration) and open this URL in a browser to view the metadata.

Find and make a note of the 'jwks_uri' value, which for Entra ID typically has the form https://login.microsoftonline.com/<Directory ID>/discovery/v2.0/keys. RabbitMQ downloads the tenant's token-signing public keys from this URL to validate token signatures, so it must be reachable from the broker host.
By following these steps, you’ll have set up an application in Microsoft Entra ID with all necessary configurations for integrating with RabbitMQ via OAuth 2.0. This setup ensures that your RabbitMQ service can authenticate users based on the trusted tokens issued by Microsoft Entra ID.
Create OAuth 2.0 Roles
App roles are permissions that you define on the app registration in Microsoft Entra ID and then assign to users, groups or other applications. For every role a signed-in user or service principal holds, Entra ID adds an entry to the roles claim of the access token it issues; RabbitMQ reads that claim to decide what the caller may do.
Create a Role to Allow Access to Management UI
First, we will create a role specifically designed to provide access to the RabbitMQ Management UI. This role will ensure that only authorised users and applications can perform administrative actions within the UI.
1. Navigate to App Roles:
While in the ‘App registrations’ section of your application, click on ‘App roles’.

2. Create App Role
Click on ‘Create app role’.

Enter the following details:
- Display Name: Input a descriptive name for the role, such as ‘Management UI Admin’.
- Allowed Member Types: Choose ‘Both’ to allow this role to be assigned to both Users/Groups and Applications.
- Value: This is the string RabbitMQ will see in the token. Use the Application (client) ID of this registration, followed by a dot and the RabbitMQ scope, e.g. '<Application ID>.tag:administrator'. The prefix must match the resource_server_id configured in RabbitMQ exactly; roles with any other prefix are silently ignored.
- Description: Briefly state the purpose of this role, e.g., “Admin access to the RabbitMQ Management UI”.
- Enable This App Role: Ensure this option is checked to activate the role.
Click on ‘Apply’.
Create a Role to Allow Configure Permission on All Resources
Next, we’ll create a role that permits configuration access across all resources within every RabbitMQ Vhost.
1. Begin Creating Another App Role:
Click on ‘Create app role’ again to start the setup of a new role aimed at broader resource management.

2. Fill in Role Details:
On the form that appears, provide the necessary information:
- Display Name: For example, ‘Configure All Vhosts’.
- Allowed Member Types: Select ‘Both’.
- Value: Format this as '<Application ID>.configure:*/*'. RabbitMQ scopes have the form <permission>:<vhost pattern>/<name pattern>, where permission is configure, read or write and * is a wildcard, so configure:*/* grants configure permission on every resource in every vhost. Create read:*/* and write:*/* roles the same way if the users also need to consume or publish, and narrow the patterns (for example configure:orders/*) for anything outside a test setup.
- Description: Describe the role’s function, like “Permissions to configure all resources on all vhosts”.
- Enable This App Role: Check this box to make the role active.

3. Click on Apply
Assign App Roles to Users
With the roles created, you must now assign them to the appropriate users and applications within your organisation.
1. Go to Enterprise Applications:
Navigate to ‘Enterprise Applications’ within the Azure portal.

2. Select Your Application:
- Find and click on the application you’ve set up roles for.
- Select ‘Users and groups’.

3. Add User/Group:
- Click ‘Add user/group’ to start the assignment process.

- Select the users or groups by searching and choosing the relevant entries.

- Click ‘Select’ after making your selections.
4. Assign Roles:
- Under ‘Select a Role’, choose the appropriate role for the users/groups you’ve selected.

- If only one role is available, it will be automatically selected.
- Click ‘Select’ and then ‘Assign’ to finalise the assignment.
5. Repeat for Additional Roles:
- Perform these steps for each role you need to assign, ensuring all necessary permissions are properly allocated across your organisation.
Configure RabbitMQ to Use Entra ID for OAuth 2.0 Authentication
Having completed the setup on the Azure side, the next step is to configure RabbitMQ to leverage these Entra ID resources for authentication. This involves updating the RabbitMQ configuration to use Entra ID as the OAuth 2.0 authentication backend, specifically for the RabbitMQ Management UI.
Update RabbitMQ Configuration File
1. Locate and Edit the Configuration File:
RabbitMQ reads Erlang-term settings such as the ones below from advanced.config (older installations use the equivalent rabbitmq.config). Update it with the values recorded during the app registration: the Directory (tenant) ID, the Application (client) ID and the jwks_uri. Here is a sample configuration to guide you:
[
  {rabbit, [
    %% OAuth 2.0 is tried first; the internal backend keeps local users such as
    %% the default administrator working. Remove it once Entra ID login is
    %% verified if you want Entra ID to be the only way in.
    {auth_backends, [rabbit_auth_backend_oauth2, rabbit_auth_backend_internal]}
  ]},
  {rabbitmq_management, [
    {oauth_enabled, true},
    %% Application (client) ID of the app registration
    {oauth_client_id, "PUT YOUR ENTRA ID APPLICATION ID"},
    %% Directory (tenant) ID goes into the URL
    {oauth_provider_url, "https://login.microsoftonline.com/AZURE_AD_TENANT_ID"}
  ]},
  {rabbitmq_auth_backend_oauth2, [
    %% Must equal the token's aud and the prefix used in the app role values
    {resource_server_id, <<"PUT YOUR ENTRA ID APPLICATION ID">>},
    %% Read RabbitMQ scopes from the roles claim, not only from scope
    {extra_scopes_source, <<"roles">>},
    {key_config, [
      %% jwks_uri taken from the OpenID Connect metadata document
      {jwks_url, <<"PUT YOUR ENTRA ID JWKS URI VALUE">>}
    ]}
  ]}
].
2. Restart RabbitMQ:
- Once the file is saved, restart RabbitMQ (for example sudo systemctl restart rabbitmq-server) so that the OAuth 2.0 backend picks up the new settings. If the plugin is not yet enabled, run rabbitmq-plugins enable rabbitmq_auth_backend_oauth2 first.
3. Validate Configuration:
- After the restart, check with rabbitmq-diagnostics status that the node came up, and with rabbitmq-diagnostics environment that the rabbitmq_auth_backend_oauth2 and rabbitmq_management settings shown are the ones you entered. A wrong jwks_url typically only surfaces at the first login, as a signature validation failure in the RabbitMQ log, so this is also the moment to confirm that the broker host can reach login.microsoftonline.com.
For the final step, we will set up HTTPS for the RabbitMQ Management UI.
Setting Up HTTPS for RabbitMQ Management UI
Microsoft Entra ID requires HTTPS for OAuth 2.0 redirect URIs (localhost being the only exception), and the access token handed back to the browser must not travel in clear text in any case, so the RabbitMQ Management UI has to be served over HTTPS. This section details the process of generating a self-signed root certificate and the server key and certificate needed to enable it.
Decide whether to obtain your certificate from a trusted Certificate Authority (CA) or to generate a self-signed certificate. For production environments, it is recommended to use a certificate issued by a trusted CA.
If you choose to use a self-signed certificate for testing purposes, you can generate it using OpenSSL with the following commands.
Generate Root Key
Create the Private Key:
The root key is essential for creating the self-signed root certificate. Generate it by running:
openssl genrsa 2048 > rabbitmq-ca.key
Generate Self-Signed Root Certificate
Create the Root Certificate:
Using the root key, generate a self-signed root certificate that will serve as your Certificate Authority (CA). Execute the following command:
openssl req -new -x509 -nodes -days 365 \
-key rabbitmq-ca.key \
-out rabbitmq-ca.crt \
-subj "/C=US/ST=California/L=San Francisco/O=RabbitMQ/OU=OAuth 2.0 Tutorial/CN=RootCA"
Create Certificate Signing Request (CSR) and Associated Private Key
Generate CSR and Private Key:
Generate a new private key and a Certificate Signing Request (CSR). This CSR will be used to create the actual server certificate for RabbitMQ:
openssl req -newkey rsa:2048 -nodes \
-keyout rabbitmq.key \
-out rabbitmq.csr \
-subj "/C=US/ST=California/L=San Francisco/O=RabbitMQ/OU=OAuth 2.0 Tutorial/CN=localhost"
Create Certificate
Sign the Certificate Using the Root CA:
Use the CSR and the root CA certificate to create the server certificate. Include a subjectAltName extension: browsers no longer accept a certificate that names the host only in its CN, so without it the Management UI is refused even after you trust the CA:
printf "subjectAltName=DNS:localhost,IP:127.0.0.1\n" > rabbitmq.ext
openssl x509 -req -days 365 \
-in rabbitmq.csr \
-out rabbitmq.crt \
-CA rabbitmq-ca.crt \
-CAkey rabbitmq-ca.key \
-CAcreateserial \
-extfile rabbitmq.ext
Configure SSL Certificate/Key Ownership
Set Proper Ownership and Permissions:
The broker only needs the server certificate, the server private key and the CA certificate, so give those three files to the account RabbitMQ runs as. The 999:999 owner is the uid/gid used by the official Docker image; on a package install use rabbitmq:rabbitmq instead. Keep rabbitmq-ca.key out of the broker's reach altogether: it is only needed when signing further certificates, and anyone who can read it can mint certificates your clients will trust:
chown 999:999 rabbitmq-ca.crt rabbitmq.crt rabbitmq.key
chmod 600 rabbitmq.key
chmod 600 rabbitmq-ca.key
Configuring RabbitMQ to use HTTPS
Update RabbitMQ Configuration:
Add the TLS settings to the same rabbitmq.config or advanced.config file that holds the OAuth 2.0 settings; the file must contain a single Erlang term, so merge the rabbit and rabbitmq_management entries rather than appending a second list. The ssl_listeners entry secures AMQP clients on port 5671; the listener entry under rabbitmq_management is what actually serves the Management UI over HTTPS on port 15671, the port the redirect URI registered in Entra ID points to:
[
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile, "/path/to/rabbitmq-ca.crt"},
                   {certfile,   "/path/to/rabbitmq.crt"},
                   {keyfile,    "/path/to/rabbitmq.key"}]}
  ]},
  {rabbitmq_management, [
    {listener, [{port, 15671},
                {ssl,  true},
                {ssl_opts, [{cacertfile, "/path/to/rabbitmq-ca.crt"},
                            {certfile,   "/path/to/rabbitmq.crt"},
                            {keyfile,    "/path/to/rabbitmq.key"}]}]}
  ]}
].
Restart RabbitMQ
After configuring the SSL settings, restart RabbitMQ to apply the new configuration:
sudo systemctl restart rabbitmq-server
Verify RabbitMQ Management UI access
With RabbitMQ now set up to use Microsoft Entra ID via OAuth 2.0 and SSL/TLS for secure communications, the next step is to ensure that the RabbitMQ Management UI is accessible and functioning as expected.
Accessing the RabbitMQ Management UI
Navigate to the Management UI:
Open your browser and go to the RabbitMQ Management UI at https://localhost:15671. Because the server certificate was signed by your own CA, the browser will warn that it is untrusted. Rather than clicking through the warning each time, import rabbitmq-ca.crt into your browser or operating system trust store; only the CA certificate needs to be trusted, never the CA private key.
Log In Using Your Entra ID:
Click on the “Click here to log in” button. You will be redirected to authenticate using your Microsoft Entra ID. If it’s your first time logging in, you may need to consent to the application requesting access to your information, depending on your organisation’s Entra ID policies.
Understanding the Authentication Token
Token Reception:
Upon successful authentication, Microsoft Entra ID will issue an access token similar to the one shown below. This token includes various claims that detail your identity and permissions within the system.
Token Structure and Permissions:
RabbitMQ takes the user's permissions from the token rather than from its internal user database. The {extra_scopes_source, <<"roles">>} setting tells the OAuth 2.0 backend to read RabbitMQ scopes from the roles claim, because Entra ID places app roles there and not in the scope claim. Two checks come first: the token's aud must contain the configured resource_server_id, and only roles that start with that same ID followed by a dot are honoured; the prefix is stripped and the remainder (tag:monitoring, configure:*/*) is interpreted as a RabbitMQ scope. In a real token aud and the roles prefix therefore carry the same Application ID; the example below, which combines values from more than one registration, shows the layout of the claims rather than a consistent set of IDs.
Example of an Access Token:
{
  "aud": "4b59613b-5d34-4e81-92d2-e99ad2395503",
  "iss": "https://sts.windows.net/77a3be15-6d5d-42e6-a9ee-e08f018dfe1e/",
  "iat": 1655740039,
  "nbf": 1655740039,
  "exp": 1655744211,
  "acr": "1",
  "aio": "AUQAu/mSKMCjnk8fBjvNhnWDbKvoP8unnehOzczlGhxDNsYMX==",
  "amr": [
    "wia"
  ],
  "appid": "2a241755-cf3f-4f5e-8d3c-eb2b0b89903d",
  "appidacr": "1",
  "email": "foo@example.com",
  "idp": "https://sts.windows.net/b3f4f7c2-72ce-4192-aba4-d6c7719b5766/",
  "in_corp": "true",
  "ipaddr": "xxx.xxx.xxx.xxx",
  "name": "Foo Bar",
  "oid": "cf2df3b4-03df-4e1e-b5c0-f232932aaead",
  "rh": "lv6PE48fG6OfF4QJR8xukSqV0Cv96P3QXe2eHaCNHxK.",
  "roles": [
    "8ca154f1-cc60-422b-9dd6-fdd7b4c006a3.tag:monitoring",
    "8ca154f1-cc60-422b-9dd6-fdd7b4c006a3.configure:*/*"
  ],
  "scp": "User.Read",
  "sub": "2L0HdjPLf3Lk70t3Zlpi4Ef",
  "tid": "1ffc6121-590e-4aa5-bf47-c348674069cb",
  "unique_name": "foo@example.com",
  "uti": "RC58lVOl5t5pq6gZEQTy5h5",
  "ver": "1.0"
}
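The mapping from app roles to broker permissions described in the 'Create OAuth 2.0 Roles' section and illustrated by the token above can be made concrete with a small script. The following Python is an added example written for this post, not RabbitMQ's own code: it models, in simplified form, the checks the rabbitmq_auth_backend_oauth2 plugin performs (audience, prefix filtering, tag scopes, and permission scopes with * wildcards). The resource server ID reuses the prefix from the example token, and SAMPLE_CLAIMS is a constructed payload in the same layout with its aud set to that ID, plus one hypothetical role belonging to a different app registration that the broker must ignore.

```python
"""Simplified model of how RabbitMQ's OAuth 2.0 backend turns Entra ID app roles
into broker permissions. Added example for this post, not RabbitMQ's own code.

Assumptions (not taken from the post): RESOURCE_SERVER_ID reuses the prefix seen
in the post's example token, and SAMPLE_CLAIMS is a constructed payload whose
"aud" is set to that same ID so that the token passes the audience check.
"""
import re

RESOURCE_SERVER_ID = "8ca154f1-cc60-422b-9dd6-fdd7b4c006a3"
PERMISSIONS = ("configure", "read", "write")

# Constructed sample payload modelled on the example token above.
SAMPLE_CLAIMS = {
    "aud": RESOURCE_SERVER_ID,
    "iss": "https://sts.windows.net/77a3be15-6d5d-42e6-a9ee-e08f018dfe1e/",
    "scp": "User.Read",            # Graph scope; RabbitMQ never looks at 'scp'
    "roles": [
        RESOURCE_SERVER_ID + ".tag:monitoring",
        RESOURCE_SERVER_ID + ".configure:*/*",
        # hypothetical role of another app registration: must be ignored
        "11111111-2222-3333-4444-555555555555.read:*/*",
    ],
    "unique_name": "foo@example.com",
}

# <permission>:<vhost pattern>/<name pattern>[/<routing key pattern>]
SCOPE_RE = re.compile(r"^(configure|read|write):([^/]+)/([^/]+)(?:/(.+))?$")


def check_audience(claims, resource_server_id=RESOURCE_SERVER_ID):
    """A token is only accepted if its aud claim names this resource server."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return resource_server_id in aud


def extract_scopes(claims, resource_server_id=RESOURCE_SERVER_ID,
                   extra_scopes_source="roles"):
    """Gather scopes from the 'scope' claim and from the claim named by
    extra_scopes_source ('roles' in the post's configuration). Only entries
    prefixed with '<resource_server_id>.' belong to this broker; the prefix is
    stripped (an exact string match, so a stray leading space breaks it) and
    everything else is dropped."""
    raw = []
    for key in ("scope", extra_scopes_source):
        value = claims.get(key)
        if isinstance(value, str):
            raw.extend(value.split())
        elif isinstance(value, list):
            raw.extend(value)
    prefix = resource_server_id + "."
    return [s[len(prefix):] for s in raw if s.startswith(prefix)]


def user_tags(scopes):
    """'tag:<name>' scopes become Management UI user tags (administrator, ...)."""
    return {s[len("tag:"):] for s in scopes if s.startswith("tag:")}


def _wildcard(pattern):
    """Scope patterns use '*' as the only wildcard; everything else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def permission_granted(scopes, permission, vhost, name):
    """True if some scope grants <permission> on resource <name> in <vhost>."""
    if permission not in PERMISSIONS:
        raise ValueError("unknown permission: %r" % (permission,))
    for scope in scopes:
        m = SCOPE_RE.match(scope)
        if not m or m.group(1) != permission:
            continue
        if _wildcard(m.group(2)).match(vhost) and _wildcard(m.group(3)).match(name):
            return True
    return False


def authorize(claims, permission, vhost, name,
              resource_server_id=RESOURCE_SERVER_ID):
    """Decision for one operation: audience check first, then the scopes."""
    if not check_audience(claims, resource_server_id):
        return False
    scopes = extract_scopes(claims, resource_server_id)
    return permission_granted(scopes, permission, vhost, name)


if __name__ == "__main__":
    scopes = extract_scopes(SAMPLE_CLAIMS)
    print("scopes for this broker:", scopes)         # ['tag:monitoring', 'configure:*/*']
    print("management tags:", user_tags(scopes))     # {'monitoring'}
    print("configure queue 'orders' on '/':", authorize(SAMPLE_CLAIMS, "configure", "/", "orders"))
    print("read queue 'orders' on '/':", authorize(SAMPLE_CLAIMS, "read", "/", "orders"))
```

Run it as a script to see the decisions for the sample token; to troubleshoot a real login, decode the body of one of your own tokens (the middle JWT segment is base64url-encoded JSON) and pass it to extract_scopes to confirm the roles survive the prefix filter before looking at the broker side. The script deliberately does not verify the token signature or expiry; RabbitMQ does that against the keys from jwks_uri before any of these checks run.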
Conclusion
In this blog post, we’ve outlined the detailed steps necessary to integrate RabbitMQ with Microsoft Entra ID using OAuth 2.0, enhanced with SSL/TLS for secure communications. By following these guidelines, your RabbitMQ deployment is now equipped to leverage Microsoft Entra ID for robust authentication, ensuring that only authorised users can access the RabbitMQ Management UI.
Key takeaways:
- Secure Setup: We’ve demonstrated how to generate and configure SSL/TLS certificates to secure the RabbitMQ Management UI, meeting the security requirements of OAuth 2.0.
- OAuth 2.0 Integration: The integration process with Microsoft Entra ID enhances RabbitMQ with a powerful, scalable authentication mechanism that aligns with enterprise security standards.
- Permission Management: By configuring RabbitMQ to interpret OAuth 2.0 tokens, we’ve enabled detailed control over user permissions, ensuring that users have appropriate access based on their roles within the organisation.
This setup not only secures your message broker but also integrates it seamlessly with existing enterprise identity management systems, streamlining both security and operations. By employing these best practices, your RabbitMQ installation is better protected and more compliant with modern security standards.

We hope this guide helps you to efficiently manage and secure your RabbitMQ deployments. Feel free to reach out or comment if you have questions or need further assistance with your setup!
Thomas Bhatia
RabbitMQ Consultant, Seventh State



