Versions Compared

Version Old Version 15 New Version Current
Changes made by

Julio Polo

Julio Polo

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The next UH Message Broker upgrade will bring the following changes:

ItemPreviouslyChanged to…Comments
Software version

RabbitMQ 3.7.12

Erlang 21.2.6

RabbitMQ 3.11.13

Erlang 25.3

Going forward, RabbitMQ and Erlang will be updated to the most recent versions as part of our monthly patching.
Test server

Host: esb-test2.its.hawaii.edu

Host: esb-test1.its.hawaii.edu

All settings have been

esb-test1.its.hawaii.edu has data copied from esb-test2

to esb-test1

.its.hawaii.edu during January 2023.

Production serverHost: esb.hawaii.edu

Host name will remain the same, but the IP address will change.  Firewall rules

will be copied but

have been copied, and you should verify that your production

host for your application can reach esb.hawaii.edu

application will be able to reach this new IP address at port 5671.  See 'how to test the new broker' below.


SSL Certificate2048-bit cert

4096-bit cert signed by a new intermediate CA

Subject Alternative Name (SAN) extension to support host name associated with our perceived IP address.

Please update the Intermediate(s)/Root cert bundle as described in



TLS
and RabbitMQ Java ClientTLS

Versions 1.1 and 1.2 only.

No peer verification if your TLS client sends an optional client cert.

Secure renegotiation allowed.

Versions 1.2 and 1.3 only.

Peer verification performed if your TLS client sends an optional client cert.

Secure renegotiation disabled.


RabbitMQ Java ClientJava client 3.6.6 or higherAlthough we expect older clients to work, we recommend that you upgrade to the latest client
You

For proper security, you should eventually add code to verify

the

our server cert/trust chain and

check the

hostname.  The Java client does not do this out of the box. See TLS and RabbitMQ Java Client

If you are already doing this, please note that there is a new CA signing our server cert, although the root CA is the same so this should not be a problem. If you run into issues, you might need to install the intermediate(s)/root cert bundle as explained in TLS and RabbitMQ Java Client

RabbitMQ Perl ClientAnyEvent::RabbitMQ v1.16

AnyEvent::RabbitMQ v1.16 or latest version

Must also patch Net::AMQP::Common and add this line after line 239:

l => \&unpack_long_long_integer



Queues

Classic queues which are mirrored and synchronized across all 3 nodes unless the queue name begins with an underscore.

All queues will be converted to quorum queues.

You do not need to change anything in your application.

More on quorum queues:  https://www.rabbitmq.com/quorum-queues.html

Timeline

The upgrade is tentatively set for middle of June 2023

How to prepare

Point your test environment to esb-test1.its.hawaii.edu to verify that your application can publish and/or consume messages.  Do not point your production environment to our test environment as you do not want to mix production data with test data.

...

No change

We decided not to migrate to quorum queues with this upgrade.  The order of messages is changed when messages are requeued, and this is a problem for many applications.

Timeline

  • The upgrade will happen on July 16, 2023.

How to test the new broker

  1. TEST FIREWALL
    • This is to verify that you won't have issues with the new firewall:
    • Login to the system where your production application runs and connects to the UH Message Broker:
    • Run this openssl command:

      • openssl s_client -connect 128.171.138.176:5671
        The first few lines should look like this ((warning) it is not enough to get a single CONNECTED line!):

        No Format
        CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = US, O = Internet2, CN = InCommon RSA Server CA 2
verify return:1
...


  2. TEST CONSUMING MESSAGES
    • Set up or go to a test instance of your application
    • If you need to test from a host that has never connected to esb-test1 or esb-test2, please send us the IP address of this test host to its-iam-help@lists.hawaii.edu and wait for us to allow it through our firewall. You can also run the openssl command from step 1 above to check whether you are already allowed to connect.
    • Connect the test instance of your application to the following test broker:
      • Test broker host: esb-test1.its.hawaii.edu
      • Test broker port: 5671 (TLS 1.1 no longer supported, must use TLS 1.2 or 1.3

...

      • )
      • Test broker account and password: (same as esb-test2, contact us if you've never connected to esb-test2 before)
      • Test broker vhost: (same as esb-test2)
      • Test broker exchanges and queues: (same as esb-test2)
    • Verify that the test instance of your application can consume messages from the above test broker.

Have more questions? Contact its-iam-help@lists.hawaii.edu if you run into any issues.