Security & Certificates

DREX uses a defence-in-depth model: TLS on every hop that leaves a trusted LAN segment, role-based RabbitMQ accounts, and per-adapter queues.

Most of the heavy lifting (CA, key generation, import) is handled by the installer, but understanding the basics helps when you stand up a new tier or rotate certificates.

TLS Channels at a Glance

| Channel | Port(s) | TLS? | AuthN style | Notes |
|---|---|---|---|---|
| Site → Central shovel | 5671 | ✅ | Mutual TLS | Site holds a client cert issued by Central. |
| Central RabbitMQ (local) | 5671 | ✅ | Username / Password (per adapter) | Management UI on 15671 (HTTPS). |
| Site RabbitMQ (local, vessel) | 5672 | ❌ | Username / Password | Internal traffic only; must stay on the trusted LAN segment and never be exposed beyond it. |
| Cloud → Central | 5671 | ✅ | Mutual TLS | Certificate chain anchored to the same ABS CA. |
| Adapters running on the same host | n/a | — | n/a | Loop-back, no TLS required. |

Tip – If you are developing locally, you can set SkipCertificateImport = true in appsettings.json to bypass mutual TLS. Never set this flag in production: it removes the client-certificate check that the shovel channels depend on.

Certificate Lifecycle

1. Central installation

   Installer.exe contacts the ABS certificate service and requests:

   • central-rabbitmq.cert.pem + central-rabbitmq.key.pem
   • cloud-rabbitmq.cert.pem + cloud-rabbitmq.key.pem
   • vessel-rabbitmq.cert.pem + vessel-rabbitmq.key.pem
   • the internal CA bundle ca.pem

   The files are placed in C:\abs\installer\AdditionalFiles\certs.

2. Site installation

   Copy ca.pem, vessel-rabbitmq.cert.pem and vessel-rabbitmq.key.pem (generated by the Central install) to C:\abs\installer\AdditionalFiles\certs on the site host. The installer then:

   • mounts the PEM files into the RabbitMQ container;
   • configures the shovel client certificate for AMQPS.

3. Renew / Rotate

   • Run Installer.exe rotate-certs on Central; new certificates are issued and the local RabbitMQ is restarted.
   • Copy the fresh vessel-rabbitmq.*.pem bundle to each site and re-run the site installer (no reboot required).

   DREX containers on both sides restart automatically when they detect that the certificate files have changed.
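Before a bundle is copied to a site (step 2) or rolled out after a rotation (step 3), it is worth confirming that the files belong together. The following PowerShell script is an added example, not part of the DREX installer: it checks that the certificate chains to ca.pem specifically, that the private key matches the certificate, and that enough validity remains. It assumes openssl.exe is on PATH; the directory, file names and the 30-day lead time are taken from the lifecycle above or are assumptions you can override.

```powershell
# Added example, not part of the DREX installer: pre-flight check of a
# *-rabbitmq PEM bundle before it is copied to a site or a rotation is rolled out.
# Assumes openssl.exe is on PATH; directory and file names follow the lifecycle above.
param(
    [string]$CertDir     = 'C:\abs\installer\AdditionalFiles\certs',
    [string]$Name        = 'vessel-rabbitmq',
    [int]   $MinDaysLeft = 30          # assumed rotation lead time
)

$ca   = Join-Path $CertDir 'ca.pem'
$cert = Join-Path $CertDir "$Name.cert.pem"
$key  = Join-Path $CertDir "$Name.key.pem"

foreach ($f in @($ca, $cert, $key)) {
    if (-not (Test-Path -Path $f -PathType Leaf)) { throw "Missing file: $f" }
}

# 1. The certificate must chain to the internal ABS CA bundle specifically,
#    not merely to some root the host happens to trust.
$verify = & openssl verify -CAfile $ca $cert 2>&1
if ($LASTEXITCODE -ne 0) { throw "Chain check failed: $verify" }

# 2. The private key must belong to this certificate. Comparing the derived
#    public keys works for both RSA and EC keys.
$pubFromCert = (& openssl x509 -in $cert -noout -pubkey) -join "`n"
$pubFromKey  = (& openssl pkey -in $key -pubout) -join "`n"
if ($LASTEXITCODE -ne 0 -or $pubFromCert -ne $pubFromKey) {
    throw "Key/certificate mismatch: $key does not match $cert"
}

# 3. Enough validity must remain to survive the rotation window.
#    -checkend exits 0 if the certificate is still valid N seconds from now.
& openssl x509 -in $cert -noout -checkend ($MinDaysLeft * 86400) | Out-Null
if ($LASTEXITCODE -ne 0) { throw "$cert expires within $MinDaysLeft days; rotate before deploying" }

# 4. Print subject, expiry and SANs (-ext needs OpenSSL 1.1.1+) so a human can
#    confirm the names the peers connect to are actually present.
& openssl x509 -in $cert -noout -subject -enddate -ext subjectAltName
Write-Output "OK: $Name bundle chains to ca.pem, key matches, >= $MinDaysLeft days of validity remain"
```

Run it on Central right after step 1 or after rotate-certs, and again on the site host after copying, so a truncated or mismatched file is caught before the installer mounts it into the container. The same script checks the central-rabbitmq and cloud-rabbitmq bundles by passing -Name.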

RabbitMQ Accounts vs. Certificates

• Site adapters authenticate to the local broker with UserName = <adapter-name> and a password supplied by the CC team. No client certificate is needed.

• The shovel connections (Site → Central and Central → Cloud) use the client certificate plus a dedicated shovel account created during install. The account is restricted to the required vhost and shovel queue, so a leaked shovel credential does not reach the other adapters' queues.
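Whether the shovel account really is confined to one vhost and one queue is easy to verify on the broker itself. The PowerShell script below is an added example, not the installer's own code: it reads the account's permissions with rabbitmqctl and flags wildcard patterns, multiple vhosts and the administrator tag. The container name 'rabbitmq' and the account name 'shovel' are assumptions; substitute the names your install created.

```powershell
# Added example, not the DREX installer's own code: audit the shovel account's
# broker permissions for least privilege. Assumes the Central broker runs in a
# Docker container named 'rabbitmq' and the shovel account is named 'shovel';
# both are assumptions, use the names your install created.
param(
    [string]$Container = 'rabbitmq',
    [string]$User      = 'shovel'
)

$findings = @()

# rabbitmqctl prints one tab-separated row per vhost: vhost, configure, write, read.
# -q suppresses informational output; a header row, if present, is skipped below.
$rows = & docker exec $Container rabbitmqctl -q list_user_permissions $User
if ($LASTEXITCODE -ne 0) { throw "rabbitmqctl failed for user '$User' in container '$Container'" }

$perms = foreach ($line in $rows) {
    $f = $line -split "`t"
    if ($f.Count -lt 4 -or $f[0] -eq 'vhost') { continue }
    [pscustomobject]@{ VHost = $f[0]; Configure = $f[1]; Write = $f[2]; Read = $f[3] }
}

if (-not $perms) { $findings += "'$User' has no permissions on any vhost; the shovel cannot be using this account" }
if (@($perms).Count -gt 1) { $findings += "'$User' has permissions on $(@($perms).Count) vhosts; expected exactly one" }

foreach ($p in $perms) {
    foreach ($kind in 'Configure', 'Write', 'Read') {
        $pattern = $p.$kind
        # '.*' grants every resource in the vhost; the pattern should instead
        # anchor the shovel queue name (e.g. '^<shovel-queue>$', name is hypothetical).
        if ($pattern -in '.*', '^.*$') {
            $findings += "'$User' on vhost '$($p.VHost)': $kind permission is '$pattern' (wildcard)"
        }
    }
}

# A shovel account should not carry the administrator tag either.
$userRow = & docker exec $Container rabbitmqctl -q list_users | Where-Object { ($_ -split "`t")[0] -eq $User }
if ($userRow -match 'administrator') { $findings += "'$User' is tagged administrator" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "OK: '$User' is confined to vhost '$($perms.VHost)' with scoped configure/write/read patterns"
```

Run it on Central after the install and after every rotate-certs, since a re-run of the installer is the most likely point at which a broadened permission would slip in unnoticed.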

File Locations & Permissions

| File | Path on host | Access should be limited to |
|---|---|---|
| CA bundle ca.pem | C:\abs\certificates | Local Administrators |
| Private keys *.key.pem | C:\abs\certificates | Local Administrators |
| RabbitMQ container mount target | C:\certs\ inside container | ContainerAdministrator only |

The installer sets ACLs automatically; double-check with:

icacls C:\abs\certificates
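Reading icacls output by eye is error-prone on a host with many ACEs, and it does not tell you whether an ACE was inherited from C:\abs. The PowerShell script below is an added example, not the installer's check: it walks the certificate directory and every private key, flags any principal outside the allowed set, and flags inheritance that could widen access later. The allowed set is an assumption derived from the table above (Local Administrators) plus NT AUTHORITY\SYSTEM, which the container service commonly needs; drop SYSTEM if your install does not require it.

```powershell
# Added example, not the installer's own check: audit the ACLs on the certificate
# directory and its private keys against the table above. $Allowed is an assumption:
# Local Administrators per the table, plus SYSTEM for the container service.
param(
    [string]  $Path    = 'C:\abs\certificates',
    [string[]]$Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

function Test-CertAcl {
    param([string]$Item, [string[]]$Allowed)
    $findings = @()
    $acl = Get-Acl -Path $Item

    # Inherited ACEs come from C:\abs; a later change there would silently
    # widen access to the keys, so inheritance should be broken here.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += "$Item : inherits ACEs from its parent; disable inheritance on this path"
    }

    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($Allowed -notcontains $who) {
            $findings += "$Item : $who has $($ace.FileSystemRights) ($($ace.AccessControlType))"
        }
    }
    return $findings
}

# The directory itself plus every private key file in it.
$items = @($Path) + @(Get-ChildItem -Path $Path -Filter '*.key.pem' -File | ForEach-Object FullName)
$all   = foreach ($i in $items) { Test-CertAcl -Item $i -Allowed $Allowed }

if ($all) {
    $all | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "OK: $Path and its private keys are restricted to: $($Allowed -join ', ')"
```

A non-zero exit makes the script usable as a post-install gate; anything it reports should be corrected with icacls before the broker is started, since the key files are what let a host impersonate the Central or Site broker.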