What's changing

The next UH Message Broker upgrade will bring the following changes:

Item: Software version
  Previously: RabbitMQ 3.7.12, Erlang 21.2.6
  Changed to: RabbitMQ 3.11.13, Erlang 25.3
  Comments: Going forward, RabbitMQ and Erlang will be updated to the most recent versions as part of our monthly patching.

Item: Test server
  Previously: Host: esb-test2.its.hawaii.edu
  Changed to: Host: esb-test1.its.hawaii.edu
  Comments: All settings have been copied from esb-test2 to esb-test1.

Item: Production server
  Previously: Host: esb.hawaii.edu
  Changed to: Host name will remain the same but IP address will change. Firewall rules will be copied, but you should verify that your production application will be able to reach this new IP address at port 5671.

Item: SSL Certificate
  Previously: 2048-bit cert
  Changed to: 4096-bit cert; Subject Alternative Name (SAN) extension added to support the host name associated with our perceived IP address.

Item: TLS
  Previously: Versions 1.1 and 1.2 only. No peer verification if your TLS client sends an optional client cert. Secure renegotiation allowed.
  Changed to: Versions 1.2 and 1.3 only. Peer verification performed if your TLS client sends an optional client cert. Secure renegotiation disabled.

Item: RabbitMQ Java Client
  Previously: Java client 3.6.6 or higher
  Changed to: Although we expect older clients to work, we recommend that you upgrade to the latest client.
  Comments: Although not currently enforced, you should add code to verify our server cert and check the hostname. The Java client does not do this out of the box. See TLS and RabbitMQ Java Client. If you are already doing this, please note that there is a new CA signing our server cert. You might need to install this new root CA cert or one of the other CA cert(s) as explained in TLS and RabbitMQ Java Client.

Item: RabbitMQ Perl Client
  Previously: AnyEvent::RabbitMQ v1.16
  Changed to: AnyEvent::RabbitMQ v1.16 or latest version
  Comments: Must also patch Net::AMQP::Common and add this line after line 239:
            l => \&unpack_long_long_integer

Item: Queues
  Previously: Classic queues which are mirrored and synchronized across all 3 nodes unless the queue name begins with an underscore.
  Changed to: All queues will be converted to quorum queues.
  Comments: You do not need to change anything in your application. More on quorum queues: https://www.rabbitmq.com/quorum-queues.html

Timeline

  • Please test the new broker by mid May 2023.
  • The upgrade is tentatively set for the middle of June 2023.

How to test the new broker

  1. This step is optional, but it will save you a lot of troubleshooting if you are able to perform it.
    1. Log in to the system where your production application runs and connects to the UH Message Broker.
    2. Run this openssl command:
      • openssl s_client -connect 128.171.138.176:5671
        The first few lines of the output should look like this:

        CONNECTED(00000003)
        depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
        verify return:1
        depth=1 C = US, O = Internet2, CN = InCommon RSA Server CA 2
        verify return:1
        depth=0 C = US, ST = Hawaii, O = University of Hawaii at Manoa, CN = esb-test-future.its.hawaii.edu
        verify return:1
        write W BLOCK
        ---
        Certificate chain
         0 s:/C=US/ST=Hawaii/O=University of Hawaii at Manoa/CN=esb-test-future.its.hawaii.edu
           i:/C=US/O=Internet2/CN=InCommon RSA Server CA 2
         1 s:/C=US/O=Internet2/CN=InCommon RSA Server CA 2
           i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
         2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
           i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
         3 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
           i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
        ---
        
        
  2. Set up a test instance of your application
    • Preferably, set up this test instance on the same host that runs your production application (this also verifies our firewall will allow you to connect when we upgrade).
    • If you need to test from a different host, please send us the IP address of this test host to its-iam-help@lists.hawaii.edu and wait for us to allow it through our firewall. You can also run the openssl command from step 1 above to check whether you are allowed through the firewall.
    • Regardless of where it runs, this test instance must not make production data changes.  Be sure to keep production and test instances of your application completely separate and independent.
  3. Connect the test instance of your application to the following test broker:
    • Test broker host: esb-test-future.its.hawaii.edu
    • Test broker port: 5671 (TLS 1.1 no longer supported, must use TLS 1.2 or 1.3)
    • Test broker account and password: (same as production broker)
    • Test broker vhost: (add future- prefix to whatever vhost you are using in production, e.g. if vhost is uhims, then use future-uhims in this test broker)
    • Test broker exchanges and queues: (same names as in production broker)
    • If your application production environment has been using TLS 1.1, you must now use TLS 1.2 or 1.3.
  4. Once connected to the above test broker, the test instance of your application can:
    • test consuming messages from its queues (queue names are the same, you only need to add the future- prefix to the vhost)
    • test publishing messages to exchanges (exchange names are the same, you only need to add the future- prefix to the vhost)

Please contact its-iam-help@lists.hawaii.edu if you run into any issues.

