Re: RabbitMQ and Flink Certificates/SSL Guide Requ...

Billy · ‎Sep 07, 2021

Hello everyone,

I hate to say it but I have been having a lot of trouble with getting Apache Flink SSL and RabbitMQ SSL Platform Analytics 9.1 to work. I have been using the installer but many of the steps are vague and unclear. Does anyone have an example where they can show me or walk me through exactly what certificates and files need to be generated to get this to work correctly. Sorting through all the logs over and over again has been a learning experience but right now I just need this working. I have my Thingworx Foundation server and Analytics Server both working and they are in the same VLAN on separate machines. Platform Analytics is also going to be in the same VLAN and on its own machine. Flink and Rabbit MQ will be installed using the installer. All SSL options for Flink will be enabled. The only certificate I have from my companies internal CA is for the Thingworx Foundation server so people don't get warned when they try to login to composer by their web browser. Everything else for Platform Analytics I would prefer be self signed rather than working with my IT department.

This guide: https://support.ptc.com/help/thingworx/analytics/r9/en/index.html#page/analytics%2Fanalytics_install%2Fssl_support_for_rabbitmq.html%23 is not helping me.

And neither is this one: https://support.ptc.com/help/thingworx/analytics/r9/en/index.html#page/analytics%2Fanalytics_install%2Fssl_support_for_flink.html%23

I need to know exactly which certs to generate and which servers they need to go on. Which items are keystores and which are truststores. When is a trust store referring to javas cacerts and when is it a trust store we create. Which certs need to be in which keystores and which truststores and on which servers so all these things trust each other. I followed these instructions exactly as they are laid on and have still had many problems. I need more clarity on the RabbitMQ config files used with openSSL as well. Anyone willing to help out?? I am available for chats or phone calls and I am located in US Central time zone. Any assistance would be greatly appreciated.

-Billy

nsampat · ‎Sep 10, 2021

@Billy

Thank you for posting your question to the PTC Community.

Based on your description, it sounds like you are doing a decentralized deployment of ThingWorx Analytics Platform Analytics, typically we deploy all the components on one instance for sake of simplicity and management.

I would recommend that you open a case with Technical Support as there may be the need to exchanging log files, and other private identifiable information to further research and review your issues.

Regarding the Guides, those are the best available documents we have, and are up to date in their content.

You can open a case here: https://support.ptc.com/apps/case_logger_viewer/cs/auth/ssl/log

Regards,

Neel

Billy · ‎Sep 13, 2021

@nsampat

Thank you for the reply. When you refer to the decentralized deployment are you just talking about Analytics Server and Platform Analytics on the same machine? Or also including Thingworx Foundation on that same machine as well? My concern is running all 3 programs on one machine or even 2 of the 3 on one machine could cause performance issues. Thoughts?

jgreiner · ‎Sep 14, 2021

Hi Billy,

Yes it is a best practice to run these products on separate servers like you plan to do. I believe my colleague Neel was under the impression that you were trying to run just Platform Analytics components on 3 separate servers which is also possible but normally not necessary. When you try the installation, are there any errors returned? Could you share the error messages that you are receiving and at what step of the install the error occurs?

Warm Regards,

John

Billy · ‎Sep 15, 2021

@jgreiner I currently do not have the logs as I did a fresh install without any SSL enabled for RabbitMQ or Flink and have the Platform Analytics successfully connected to my Thingworx Foundation instance. Do you know if there is a manual procedure available to adding SSL to these after complete install of Platform Analytics 9.1? I think that would be easiest at this point. Then when I run into errors I can provide the logs. To be clear, RabbitMQ and Flink were installed on the same machine as Platform Analytics 9.1. I did not have instances of these on separate machines.

jgreiner · ‎Sep 15, 2021

Hi Billy,

Yes the easiest way to add the SSL certificates would be to run a modify/repair installation of Platform Analytics and the add the SSL information for those components at that time. You might want to add the SSL certificates 1 at a time if you run into issues so that could help you identify where the issue is occurring in the installation process.

Let me know if you have any other questions.

Warm Regards,

John

Billy · ‎Sep 15, 2021

@jgreiner I will give that a try and let you know what happens. Are you aware of any other resources that give clarity to the certificate creation other than the installation guide located at https://support.ptc.com/help/thingworx/analytics/r9/en/index.html#page/analytics%2Fanalytics_install%2Fssl_support_for_rabbitmq.html%23

Second question -> when creating the rabbitmq.conf config file for the RabbiqMQ certifcates and keystores what IP address needs to go in that file (see below). RabbitMQ created a virtual interface during install so what would this IP be? The servers actual fully qualified name such as (name).server.com or the IP of the virtual interface? Is there a way to know the IP of the virtual interface in advance? In my case it created one in the 172.x.x.x address space.

subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.2 = <IP address of the server where RabbitMQ will be installed>

nsampat · ‎Sep 28, 2021

@Billy ,

The guides you are referencing are the official documents we can provided. John's suggestion of performing a modify/repair installation and supplying the Certs during installation would be the best method and way to implement SSL for your deployment. If you require additional assistance with this, I would highly recommend opening a case as we will need to exchange private information such as logs, IP address, certs, and so forth if additional triage is required. You can open a case here: https://support.ptc.com/apps/case_logger_viewer/cs/auth/ssl/log

Regarding your second set of questions:

Second question -> when creating the rabbitmq.conf config file for the RabbiqMQ certifcates and keystores what IP address needs to go in that file (see below).

RabbitMQ created a virtual interface during install so what would this IP be?

It would be the IP of the machine its installed to with port 5672 for connections, and port 15672 for accessing the UI Web App. But this is dependent on what the Cert is issued to.

The servers actual fully qualified name such as (name).server.com or the IP of the virtual interface?

If you are using SSL, this value should be what ever the cert is issued to, this is something that is user generated and PTC cannot provide advice as each organization is unique in their best practices. e.g. If my IT Infra Security team provides me a cert for use, and its issued to a FQDN, I cannot use an IP address or basic domain name in the config. I would need to use the FQDN

Is there a way to know the IP of the virtual interface in advance?

Not sure if I understand this question, if you are installing Platform Analytics with the included Flink and RabbitMQ bundles, it would be the IP/FQDN/Hostname of the machine/instance it is installed to. The ports mentioned above are the default ports, and can be changed by the user.

Regards,

Neel

RabbitMQ and Flink Certificates/SSL Guide Request

RabbitMQ and Flink Certificates/SSL Guide Request