

# Configuring a RabbitMQ broker
<a name="rabbitmq-broker-configuration-parameters"></a>

A configuration contains all the settings for your RabbitMQ broker in Cuttlefish format. You can create a configuration before creating any brokers. You can then apply the configuration to one or more brokers.

## Attributes
<a name="configuration-attributes"></a>

A broker configuration has several attributes, for example:
+ A name (MyConfiguration)
+ An ID (c-1234a5b6-78cd-901e-2fgh-3i45j6k178l9)
+ An Amazon Resource Name (ARN) (arn:aws:mq:us-east-2:123456789012:configuration:c-1234a5b678cd-901e-2fgh-3i45j6k178l9)

For a full list of configuration attributes, see the following in the Amazon MQ REST API Reference:
+ [REST Operation ID: Configuration](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configuration.html)
+ [REST Operation ID: Configurations](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configurations.html)

For a full list of configuration revision attributes, see the following:
+ [REST Operation ID: Configuration Revision](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configuration-revision.html)
+ [REST Operation ID: Configuration Revisions](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/rest-api-configuration-revisions.html)

**Topics**
+ [Creating and applying RabbitMQ broker configurations](rabbitmq-creating-applying-configurations.md)
+ [Edit an Amazon MQ for RabbitMQ Configuration Revision](edit-current-rabbitmq-configuration-console.md)
+ [Configurable values for RabbitMQ on Amazon MQ](configurable-values.md)
+ [ARN support in RabbitMQ configuration](arn-support-rabbitmq-configuration.md)

# Creating and applying RabbitMQ broker configurations
<a name="rabbitmq-creating-applying-configurations"></a>

A *configuration* contains all of the settings for your RabbitMQ broker in Cuttlefish format. You can create a configuration before creating any brokers. You can then apply the configuration to one or more brokers.

The following examples show how you can create and apply a RabbitMQ broker configuration using the AWS Management Console.

**Important**  
You can only **delete** a configuration using the `DeleteConfiguration` API. For more information, see [Configurations](https://docs.aws.amazon.com/amazon-mq/latest/api-reference/configurations-configuration-id.html) in the *Amazon MQ API Reference*.

## Create a New Configuration
<a name="creating-rabbitmq-configuration-from-scratch-console"></a>

To apply a configuration to your broker, you must first create the configuration.

1. Sign in to the [Amazon MQ console](https://console.aws.amazon.com/amazon-mq/).

1. On the left, expand the navigation panel and choose **Configurations**.  
![\[Amazon MQ navigation panel showing Brokers and Configurations options.\]](http://docs.aws.amazon.com/amazon-mq/latest/developer-guide/images/amazon-mq-tutorials-create-configuration.png)

1. On the **Configurations** page, choose **Create configuration**.

1. On the **Create configuration** page, in the **Details** section, type the **Configuration name** (for example, `MyConfiguration`) and select a **Broker engine** version.

   To learn more about RabbitMQ engine versions supported by Amazon MQ for RabbitMQ, see [Managing Amazon MQ for RabbitMQ engine versions](rabbitmq-version-management.md).

1. Choose **Create configuration**.

## Create a New Configuration Revision
<a name="creating-new-rabbitmq-configuration-revision-console"></a>

After you create a configuration, you must edit the configuration using a configuration revision.

1. From the configuration list, choose ***MyConfiguration***.
**Note**  
The first configuration revision is always created for you when Amazon MQ creates the configuration.

   On the ***MyConfiguration*** page, the broker engine type and version that your new configuration revision uses (for example, **RabbitMQ 3.xx.xx**) are displayed.

1. On the **Configuration details** tab, the configuration revision number, description, and broker configuration in Cuttlefish format are displayed.
**Note**  
Editing the current configuration creates a new configuration revision.

1. Choose **Edit configuration** and make changes to the Cuttlefish configuration.

1. Choose **Save**.

   The **Save revision** dialog box is displayed.

1. (Optional) Type `A description of the changes in this revision`.

1. Choose **Save**.

   The new revision of the configuration is saved.
**Important**  
Making changes to a configuration does *not* apply the changes to the broker immediately. To apply your changes, you must wait for the next maintenance window or [reboot the broker](amazon-mq-rebooting-broker.md).  
Currently, you can't delete a configuration.

## Apply a Configuration Revision to Your Broker
<a name="apply-rabbitmq-configuration-revision-creating-console"></a>

After creating the configuration revision, you can apply the configuration revision to your broker.

1. On the left, expand the navigation panel and choose **Brokers**.  
![\[Amazon MQ navigation panel showing Brokers and Configurations options.\]](http://docs.aws.amazon.com/amazon-mq/latest/developer-guide/images/amazon-mq-tutorials-apply-configuration.png)

1. From the broker list, select your broker (for example, **MyBroker**) and then choose **Edit**.

1. On the **Edit *MyBroker*** page, in the **Configuration** section, select a **Configuration** and a **Revision** and then choose **Schedule Modifications**.

1. In the **Schedule broker modifications** section, choose whether to apply modifications **During the next scheduled maintenance window** or **Immediately**.
**Important**  
Single instance brokers are offline while being rebooted. For cluster brokers, only one node is down at a time while the broker reboots.

1. Choose **Apply**.

   Your configuration revision is applied to your broker at the specified time.

# Edit an Amazon MQ for RabbitMQ Configuration Revision
<a name="edit-current-rabbitmq-configuration-console"></a>

The following instructions describe how to edit a configuration revision for your broker.

1. Sign in to the [Amazon MQ console](https://console.aws.amazon.com/amazon-mq/).

1. From the broker list, select your broker (for example, **MyBroker**) and then choose **Edit**.

1. On the ***MyBroker*** page, choose **Edit**.

1. On the **Edit *MyBroker*** page, in the **Configuration** section, select a **Configuration** and a **Revision** and then choose **Edit**.
**Note**  
Unless you select a configuration when you create a broker, the first configuration revision is always created for you when Amazon MQ creates the broker.

   On the ***MyBroker*** page, the broker engine type and version that the configuration uses (for example, **RabbitMQ 3.xx.xx**) are displayed.

1. On the **Configuration details** tab, the configuration revision number, description, and broker configuration in Cuttlefish format are displayed.
**Note**  
Editing the current configuration creates a new configuration revision.

1. Choose **Edit configuration** and make changes to the Cuttlefish configuration.

1. Choose **Save**.

   The **Save revision** dialog box is displayed.

1. (Optional) Type `A description of the changes in this revision`.

1. Choose **Save**.

   The new revision of the configuration is saved.
**Important**  
Making changes to a configuration does *not* apply the changes to the broker immediately. To apply your changes, you must wait for the next maintenance window or [reboot the broker](amazon-mq-rebooting-broker.md).  
Currently, you can't delete a configuration.

# Configurable values
<a name="configurable-values"></a>

You can set the value of the following broker configuration options by modifying the broker configuration file in the AWS Management Console.

In addition to the values described in the following table, Amazon MQ supports additional broker configuration options related to authentication and authorization as well as resource limits. For more information about these configuration options, see the following:
+ [OAuth 2.0 configuration](configure-oauth2.md)
+ [LDAP configuration](configure-ldap.md)
+ [HTTP configuration](configure-http.md)
+ [SSL configuration](configure-ssl.md)
+ [mTLS configuration](configure-mtls.md)
+ [ARN support](arn-support-rabbitmq-configuration.md)
+ [Resource limits](rabbitmq-resource-limits-configuration.md)
+ [AMQP client SSL configuration](rabbitmq-amqp-client-ssl-configuration.md)


| Configuration | Default Value | Recommended Value | Values | Applicable Versions | Description | 
| --- | --- | --- | --- | --- | --- | 
| consumer\_timeout | 1800000 ms (30 minutes) | 1800000 ms (30 minutes) | 0 to 2,147,483,647 ms. Amazon MQ also supports the value 0, which means "infinite". | All versions | A timeout on consumer delivery acknowledgement to detect when consumers do not ack deliveries. | 
| heartbeat | 60 seconds | 60 seconds | 60 to 3600 seconds | All versions | Defines the time before a connection is considered unavailable by RabbitMQ. | 
| management.restrictions.operator\_policy\_changes.disabled | true | true | true, false | All versions | Turns off changes to the operator policies. If you set this to false, you are highly encouraged to include the HA properties in your own operator policies. | 
| quorum\_queue.property\_equivalence.relaxed\_checks\_on\_redeclaration | true | true | true, false | All versions | When set to true, your application avoids a channel exception when redeclaring a quorum queue. | 
| secure.management.http.headers.enabled | true | true | true, false | All versions | Turns on unmodifiable HTTP security headers. | 

## Configuring consumer delivery acknowledgement
<a name="configuring-consumer-delivery"></a>

You can configure `consumer_timeout` to detect consumers that do not acknowledge deliveries. If a consumer does not send an acknowledgement within the timeout, RabbitMQ closes the channel. For example, with the default value of 1800000 milliseconds (30 minutes), the channel is closed if the consumer has not acknowledged a delivery after 1800000 milliseconds. Amazon MQ also supports the value 0, which means "infinite".

## Configuring heartbeat
<a name="configuring-heartbeat"></a>

You can configure a heartbeat timeout to find out when connections are disrupted or have failed. The heartbeat value defines the time limit before a connection is considered down.

## Configuring operator policies
<a name="configuring-operator-policies"></a>

The default operator policy on each virtual host has the following recommended HA properties:

```
{
  "name": "default_operator_policy_AWS_managed",
  "pattern": ".*",
  "apply-to": "all",
  "priority": 0,
  "definition": {
    "ha-mode": "all",
    "ha-sync-mode": "automatic"
  }
}
```

Changes to the operator policies via the AWS Management Console or Management API are not available by default. You can enable changes by adding the following line to the broker configuration:

```
management.restrictions.operator_policy_changes.disabled=false
```

If you make this change, you are highly encouraged to include the HA properties in your own operator policies.

## Configuring relaxed checks on queue declaration
<a name="configuring-relaxed-checks"></a>

If you have migrated your classic queues to quorum queues but have not updated your client code, you can avoid a channel exception when redeclaring a quorum queue by setting `quorum_queue.property_equivalence.relaxed_checks_on_redeclaration` to true.

## Configuring HTTP security headers
<a name="configuring-http-security"></a>

The secure.management.http.headers.enabled configuration enables the following HTTP security headers:
+ [X-Content-Type-Options: nosniff](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options): prevents browsers from performing content sniffing, the heuristics browsers use to guess the content type of a response instead of trusting the declared one.
+ [X-Frame-Options: DENY](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options): prevents others from embedding the management plugin in a frame on their own website to deceive users (clickjacking).
+ [Strict-Transport-Security: max-age=47304000; includeSubDomains](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security): forces browsers to use HTTPS for subsequent connections to the website and its subdomains for a long period of time (1.5 years).

Amazon MQ for RabbitMQ brokers created on versions 3.10 and above have secure.management.http.headers.enabled set to true by default. You can turn on these HTTP security headers by setting secure.management.http.headers.enabled to true. If you want to opt out of these HTTP security headers, set secure.management.http.headers.enabled to false.
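The following is an added example (not code from the Amazon MQ documentation or the RabbitMQ management plugin) that checks a management-plugin HTTP response for the three headers listed above, so you can confirm after a reboot that the setting took effect or detect a broker where it was opted out. The two responses it parses are constructed samples, not captures from a broker.

```python
"""Check an Amazon MQ for RabbitMQ management response for the headers that
secure.management.http.headers.enabled turns on.

Added example; not part of the Amazon MQ documentation or RabbitMQ itself.
The sample responses below are constructed, not captured from a real broker.
"""

# Header values documented for secure.management.http.headers.enabled = true.
EXPECTED_HEADERS = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "strict-transport-security": "max-age=47304000; includeSubDomains",
}


def parse_raw_headers(raw):
    """Parse the status line and header block of an HTTP/1.1 response into a
    dict keyed by lower-cased header name. The body after the blank line is ignored;
    a repeated header name keeps the last value seen."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:  # lines[0] is the status line
        if not line.strip():
            break  # blank line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_ok(value):
    """HSTS passes when max-age is at least the documented 47304000 seconds and
    includeSubDomains is present; directive order and case do not matter."""
    max_age = None
    include_sub = False
    for directive in (d.strip().lower() for d in value.split(";") if d.strip()):
        if directive.startswith("max-age="):
            try:
                max_age = int(directive.split("=", 1)[1].strip('"'))
            except ValueError:
                return False
        elif directive == "includesubdomains":
            include_sub = True
    return max_age is not None and max_age >= 47304000 and include_sub


def missing_security_headers(headers):
    """Return one finding per documented header that is absent or has an unexpected value."""
    findings = []
    for name, expected in EXPECTED_HEADERS.items():
        actual = headers.get(name)
        if actual is None:
            findings.append(f"{name}: missing")
        elif name == "strict-transport-security":
            if not hsts_ok(actual):
                findings.append(f"{name}: got {actual!r}, expected {expected!r}")
        elif actual.lower() != expected.lower():
            findings.append(f"{name}: got {actual!r}, expected {expected!r}")
    return findings


# Constructed sample: the headers are on (the documented default on 3.10 and above).
SAMPLE_WITH_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "content-type: application/json\r\n"
    "x-content-type-options: nosniff\r\n"
    "x-frame-options: DENY\r\n"
    "strict-transport-security: max-age=47304000; includeSubDomains\r\n"
    "\r\n"
    '{"management_version":"3.x"}'
)

# Constructed sample: secure.management.http.headers.enabled = false.
SAMPLE_WITHOUT_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "content-type: application/json\r\n"
    "\r\n"
    '{"management_version":"3.x"}'
)

if __name__ == "__main__":
    for label, raw in (("enabled", SAMPLE_WITH_HEADERS), ("disabled", SAMPLE_WITHOUT_HEADERS)):
        print(label, missing_security_headers(parse_raw_headers(raw)) or "all headers present")
```

To run it against a live broker, pass the raw header block of a response to the management endpoint into `parse_raw_headers`.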

# Configuring OAuth 2.0 authentication and authorization
<a name="configure-oauth2"></a>

For information about OAuth 2.0 configuration options and setting up OAuth 2.0 authentication for your brokers, see [Supported OAuth 2.0 configurations](oauth-for-amq-for-rabbitmq.md#oauth-tutorial-supported-configs) and [Using OAuth 2.0 authentication and authorization](oauth-tutorial.md).

# Configuring LDAP authentication and authorization
<a name="configure-ldap"></a>

For information about LDAP configuration options and setting up LDAP authentication for your brokers, see [Supported LDAP configurations](ldap-for-amq-for-rabbitmq.md#ldap-supported-configs) and [Using LDAP authentication and authorization](rabbitmq-ldap-tutorial.md).

# Configuring HTTP authentication and authorization
<a name="configure-http"></a>

For information about HTTP authentication configuration values and setting up HTTP authentication for your brokers, see [HTTP authentication and authorization](http-for-amq-for-rabbitmq.md) and [Using HTTP authentication and authorization](rabbitmq-http-tutorial.md).

**Note**  
The HTTP authentication plugin is only available for Amazon MQ for RabbitMQ version 4 and above.

# Configuring SSL certificate authentication
<a name="configure-ssl"></a>

For information about SSL certificate authentication configuration values and setting up SSL certificate authentication for your brokers, see [SSL certificate authentication](ssl-for-amq-for-rabbitmq.md) and [Using SSL certificate authentication](rabbitmq-ssl-tutorial.md).

**Note**  
The SSL certificate authentication plugin is only available for Amazon MQ for RabbitMQ version 4 and above.

# Configuring mTLS
<a name="configure-mtls"></a>

Amazon MQ for RabbitMQ supports mutual TLS (mTLS) for secure connections to various endpoints and external services. mTLS provides enhanced security by requiring both client and server to authenticate using certificates.

**Note**  
The use of private certificate authorities for mTLS is only available for Amazon MQ for RabbitMQ version 4 and above.

**Important**  
Amazon MQ for RabbitMQ enforces the use of AWS ARNs for certificate and private key files. See [ARN support in RabbitMQ configuration](arn-support-rabbitmq-configuration.md) for more details.

**Topics**
+ [AMQP endpoint](#mtls-amqp-endpoint)
+ [RabbitMQ management plugin](#mtls-management-plugin)
+ [RabbitMQ OAuth 2.0 plugin](#mtls-oauth2-plugin)
+ [RabbitMQ HTTP authentication plugin](#mtls-http-plugin)
+ [RabbitMQ LDAP plugin](#mtls-ldap-plugin)
+ [AMQP client connections](#mtls-amqp-client)

## AMQP endpoint
<a name="mtls-amqp-endpoint"></a>

Configure mTLS for client connections to the AMQP endpoint. This is used with SSL certificate authentication. For supported configurations, see [SSL certificate authentication](ssl-for-amq-for-rabbitmq.md).

## RabbitMQ management plugin
<a name="mtls-management-plugin"></a>

Configure mTLS for connections to the RabbitMQ management interface.

**Note**  
Strict mTLS is not supported for the management API.

`aws.arns.management.ssl.cacertfile`  
Certificate authority file for validating client certificates connecting to the management interface.

`management.ssl.verify`  
Peer verification mode. Supported values: `verify_none`, `verify_peer`

`management.ssl.depth`  
Maximum certificate chain depth for verification.

`management.ssl.hostname_verification`  
Hostname verification mode. Supported values: `wildcard`, `none`

The following SSL configuration values are not supported:

<a name="management-ssl-options-list-content"></a>
+ `management.ssl.cert`
+ `management.ssl.client_renegotiation`
+ `management.ssl.dh`
+ `management.ssl.dhfile`
+ `management.ssl.fail_if_no_peer_cert`
+ `management.ssl.honor_cipher_order`
+ `management.ssl.honor_ecc_order`
+ `management.ssl.key.RSAPrivateKey`
+ `management.ssl.key.DSAPrivateKey`
+ `management.ssl.key.PrivateKeyInfo`
+ `management.ssl.log_alert`
+ `management.ssl.password`
+ `management.ssl.psk_identity`
+ `management.ssl.reuse_sessions`
+ `management.ssl.secure_renegotiate`
+ `management.ssl.versions.$version`
+ `management.ssl.sni`

## RabbitMQ OAuth 2.0 plugin
<a name="mtls-oauth2-plugin"></a>

Configure mTLS for connections from Amazon MQ to the OAuth 2.0 identity provider. For supported configurations, see [OAuth 2.0 authentication and authorization](oauth-for-amq-for-rabbitmq.md).

## RabbitMQ HTTP authentication plugin
<a name="mtls-http-plugin"></a>

Configure mTLS for connections from Amazon MQ to the HTTP authentication server. For supported configurations, see [HTTP authentication and authorization](http-for-amq-for-rabbitmq.md).

## RabbitMQ LDAP plugin
<a name="mtls-ldap-plugin"></a>

Configure mTLS for connections from Amazon MQ to the LDAP server. For supported configurations, see [LDAP authentication and authorization](ldap-for-amq-for-rabbitmq.md).

## AMQP client connections
<a name="mtls-amqp-client"></a>

Configure TLS peer verification for AMQP client connections used by federation and shovel. For more information, see [AMQP client SSL configuration](rabbitmq-amqp-client-ssl-configuration.md).

**Important**  
Amazon MQ does not currently support configuring client certificates for AMQP client connections. As a result, federation and shovel cannot connect to mTLS-enabled brokers that require client certificate authentication.

# Resource Limit Configuration
<a name="configure-resource-limits"></a>

Amazon MQ for RabbitMQ supports configuring broker resource limits from RabbitMQ 4 onwards. When you create a broker, Amazon MQ automatically applies default values to these resource limits. These defaults act as guardrails to protect your broker availability while accommodating common customer usage patterns. You can customize your broker behavior by changing the limit configuration values to better match your specific workload requirements. For more details about default and maximum allowed values, see [Amazon MQ for RabbitMQ sizing guidelines](rabbitmq-sizing-guidelines.md).

## Resource names and configuration keys
<a name="resource-limit-configuration-keys"></a>


| Resource Name | Configuration Key | 
| --- | --- | 
| Connection | connection\_max | 
| Channel | channel\_max\_per\_node | 
| Queue | cluster\_queue\_limit | 
| Vhost | vhost\_max | 
| Shovel | runtime\_parameters.limits.shovel | 
| Exchange | cluster\_exchange\_limit | 
| Consumer per channel | consumer\_max\_per\_channel | 
| Maximum message size | max\_message\_size | 

## How to override resource limits
<a name="override-resource-limits"></a>

You can override resource limits using the Amazon MQ API and Amazon MQ console.

The following example shows how to override the queue count default limit using the AWS CLI:

```
aws mq update-configuration --configuration-id <config-id> --data "$(echo "cluster_queue_limit=500" | base64 --wrap=0)"
```

A successful invocation creates a configuration revision. You must associate the configuration with your RabbitMQ broker and reboot the broker to apply the override. For more details, see [RabbitMQ Broker Configurations](rabbitmq-broker-configuration-parameters.md).

## Resource limit override errors
<a name="resource-limit-override-errors"></a>

Associating or creating a broker with configuration values outside the supported range results in an error response similar to the following:

```
Configuration Revision N for configuration:cluster_queue_limit has limit: of value: 100000000 larger than maximum allowed limit:5000
```

# ARN support in RabbitMQ configuration
<a name="arn-support-rabbitmq-configuration"></a>

Amazon MQ for RabbitMQ supports AWS ARNs for the values of some RabbitMQ configuration settings. This is enabled by the RabbitMQ community plugin [rabbitmq-aws](https://github.com/amazon-mq/rabbitmq-aws). This plugin is developed and maintained by Amazon MQ and can also be used in self-hosted RabbitMQ brokers not managed by Amazon MQ.

**Important considerations**  
The resolved ARN values retrieved by the aws plugin are passed directly to the RabbitMQ process at runtime. They are not stored elsewhere on the RabbitMQ node.
Amazon MQ for RabbitMQ requires an IAM role that can be assumed by Amazon MQ to access the configured ARNs. This is configured by setting `aws.arns.assume_role_arn`.
Users calling CreateBroker or UpdateBroker APIs with a broker configuration that includes an IAM role must have the `iam:PassRole` permission for that role.
The IAM role must exist in the same AWS account as the RabbitMQ broker. All ARNs in the configuration must be present in the same AWS region as the RabbitMQ broker.
Amazon MQ adds IAM global conditional keys `aws:SourceAccount` and `aws:SourceArn` when assuming the IAM role. These values must be used in the IAM policy attached to the role for [confused deputy protection](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html).

**Topics**
+ [Supported keys](#arn-support-supported-keys)
+ [IAM policy samples](#arn-support-iam-policy-samples)
+ [Access validation](#arn-support-validation)
+ [Related broker quarantine states](#arn-support-quarantine-states)
+ [Example scenario](#arn-support-example-scenario)

## Supported keys
<a name="arn-support-supported-keys"></a>

`aws.arns.assume_role_arn`  
IAM role ARN that Amazon MQ assumes to access other AWS resources. Required when any other ARN configuration is used.

### AMQP endpoint
<a name="arn-support-amqp-endpoint"></a>


| Configuration key | Description | 
| --- | --- | 
| aws.arns.ssl\_options.cacertfile | Certificate authority file for SSL/TLS client connections. Amazon MQ requires using Amazon S3 or to store the certificate. | 

### RabbitMQ management plugin
<a name="arn-support-management-plugin"></a>


| Configuration key | Description | 
| --- | --- | 
| aws.arns.management.ssl.cacertfile | Certificate authority file for management interface SSL/TLS connections. Amazon MQ requires using Amazon S3 or to store the certificate. | 

### RabbitMQ OAuth 2.0 plugin
<a name="arn-support-oauth2-plugin"></a>


| Configuration key | Description | 
| --- | --- | 
| aws.arns.auth\_oauth2.https.cacertfile | Certificate authority file for OAuth 2.0 HTTPS connections. Amazon MQ requires using Amazon S3 or to store the certificate. | 

### RabbitMQ HTTP authentication plugin
<a name="arn-support-http-plugin"></a>


| Configuration key | Description | 
| --- | --- | 
| aws.arns.auth\_http.ssl\_options.cacertfile | Certificate authority file for HTTP authentication SSL/TLS connections. Amazon MQ requires using Amazon S3 or to store the certificate. | 
| aws.arns.auth\_http.ssl\_options.certfile | Certificate file for mutual TLS connections between Amazon MQ and the HTTP authentication server. Amazon MQ requires using Amazon S3 or to store the certificate. | 
| aws.arns.auth\_http.ssl\_options.keyfile | Private key file for mutual TLS connections between Amazon MQ and the HTTP authentication server. Amazon MQ requires using AWS Secrets Manager to store the private key. | 

### RabbitMQ LDAP plugin
<a name="arn-support-ldap-plugin"></a>


| Configuration key | Description | 
| --- | --- | 
| aws.arns.auth\_ldap.ssl\_options.cacertfile | Certificate authority file for LDAP SSL/TLS connections. Amazon MQ requires using Amazon S3 or to store the certificate. | 
| aws.arns.auth\_ldap.ssl\_options.certfile | Certificate file for mutual TLS connections between Amazon MQ and the LDAP server. Amazon MQ requires using Amazon S3 or to store the certificate. | 
| aws.arns.auth\_ldap.ssl\_options.keyfile | Private key file for mutual TLS connections between Amazon MQ and the LDAP server. Amazon MQ requires using AWS Secrets Manager to store the private key. | 
| aws.arns.auth\_ldap.dn\_lookup\_bind.password | Password for LDAP DN lookup bind. Amazon MQ requires using AWS Secrets Manager to store the password as a plaintext value. | 
| aws.arns.auth\_ldap.other\_bind.password | Password for LDAP other bind. Amazon MQ requires using AWS Secrets Manager to store the password as a plaintext value. | 

## IAM policy samples
<a name="arn-support-iam-policy-samples"></a>

For IAM policy examples including assume role policy documents and role policy documents, see the [CDK sample implementation](https://github.com/aws-samples/amazon-mq-samples/blob/main/rabbitmq-samples/rabbitmq-ldap-activedirectory-sample/lib/rabbitmq-activedirectory-stack.ts#L232).

See [Using LDAP authentication and authorization](rabbitmq-ldap-tutorial.md) for steps on how to set up AWS Secrets Manager and Amazon S3 resources.
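As an added example (not the linked CDK sample and not Amazon MQ's own code), the following builds a trust policy for the role named in `aws.arns.assume_role_arn` with the `aws:SourceAccount` and `aws:SourceArn` conditions required above, and lints an existing trust policy for their absence. The service principal `mq.amazonaws.com`, the broker ARN format, and the account id are assumptions or constructed placeholders; confirm them against the IAM policy samples.

```python
"""Trust policy for the IAM role in aws.arns.assume_role_arn, with the
confused-deputy conditions this page requires, plus a lint for existing policies.

Added example, not the CDK sample or Amazon MQ's own code. MQ_SERVICE_PRINCIPAL
and the broker ARN format are assumptions; account id and broker id are constructed.
"""
import json

MQ_SERVICE_PRINCIPAL = "mq.amazonaws.com"  # assumption; confirm against the IAM policy samples


def build_trust_policy(account_id, broker_arn):
    """Allow Amazon MQ to assume the role only on behalf of this account and this broker.
    aws:SourceAccount and aws:SourceArn are the keys Amazon MQ adds when assuming the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": MQ_SERVICE_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": broker_arn},
            },
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def confused_deputy_findings(policy):
    """Return one finding per Allow/AssumeRole statement for a service principal
    that lacks aws:SourceAccount or aws:SourceArn in any of its Condition blocks."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if not (isinstance(principal, dict) and "Service" in principal):
            continue  # only service principals are subject to this check
        present = set()
        for operator_block in stmt.get("Condition", {}).values():
            present.update(k.lower() for k in operator_block)
        for required in ("aws:sourceaccount", "aws:sourcearn"):
            if required not in present:
                findings.append(f"statement {index}: missing condition key {required}")
    return findings


# Constructed values; replace with your account id and the ARN of your broker.
EXAMPLE_ACCOUNT = "123456789012"
EXAMPLE_BROKER_ARN = "arn:aws:mq:us-east-2:123456789012:broker:MyBroker:b-PLACEHOLDER"

# Constructed weak policy: without the two conditions, any broker in any account that
# the service acts for could cause this role to be assumed (the confused deputy problem).
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": MQ_SERVICE_PRINCIPAL},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    print(json.dumps(build_trust_policy(EXAMPLE_ACCOUNT, EXAMPLE_BROKER_ARN), indent=2))
    print("weak policy findings:", confused_deputy_findings(WEAK_TRUST_POLICY))
```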

## Access validation
<a name="arn-support-validation"></a>

To troubleshoot scenarios where ARN values cannot be fetched, the aws plugin provides a [RabbitMQ management API endpoint](https://github.com/amazon-mq/rabbitmq-aws/blob/main/API.md) that checks whether Amazon MQ can assume the role and resolve the configured AWS ARNs. This lets you test a configuration change without updating the broker configuration, associating the new configuration revision with the broker, and rebooting the broker.

**Note**  
Use of this API requires an existing RabbitMQ administrator user. Amazon MQ recommends creating test brokers with an internal user in addition to other access methods. See [enabling both OAuth 2.0 and simple (internal) authentication](oauth-tutorial.md#oauth-tutorial-config-both-auth-methods-using-cli). This user can then be used to access the validation API.

**Note**  
Though the aws plugin supports passing a new role as an input to the validation API, this parameter is not supported by Amazon MQ. The IAM role used for validation must match the value of `aws.arns.assume_role_arn` in the broker configuration.

## Related broker quarantine states
<a name="arn-support-quarantine-states"></a>

For information about broker quarantine states related to ARN support issues, see:
+ [RABBITMQ\_INVALID\_ASSUMEROLE](troubleshooting-action-required-codes-invalid-assumerole.md)
+ [RABBITMQ\_INVALID\_ARN\_LDAP](troubleshooting-action-required-codes-invalid-arn-ldap.md)
+ [RABBITMQ\_INVALID\_ARN](troubleshooting-action-required-codes-invalid-arn.md)

## Example scenario
<a name="arn-support-example-scenario"></a>
+ Broker `b-f0fc695e-2f9c-486b-845a-988023a3e55b` has been configured to use IAM role `<role>` to access AWS Secrets Manager secret `<arn>`
+ If the role provided to Amazon MQ does not have read permission on the AWS Secrets Manager secret, the following error will be shown in RabbitMQ logs:

  ```
  [error] <0.254.0> aws_arn_config: {handle_assume_role,{error,{assume_role_failed,"AWS service is unavailable"}}}
  ```

  Additionally, the broker will enter the `INVALID_ASSUMEROLE` quarantine state. For more information, see [INVALID\_ASSUMEROLE](troubleshooting-action-required-codes-invalid-assumerole.md).
+ LDAP authentication attempts will fail with the following error:

  ```
  [error] <0.254.0> LDAP bind failed: invalid_credentials
  ```
+ Fix the IAM role with the proper permissions
+ Call the validation endpoint to verify if RabbitMQ is now able to access the secret:

  ```
  curl -4su 'guest:guest' -XPUT -H 'content-type: application/json' <broker-endpoint>/api/aws/arn/validate -d '{"assume_role_arn":"arn:aws:iam::<account-id>:role/<role-name>","arns":["arn:aws:secretsmanager:<region>:<account-id>:secret:<secret-name>"]}' | jq '.'
  ```

# AMQP client SSL configuration
<a name="rabbitmq-amqp-client-ssl-configuration"></a>

Federation and shovel use AMQP for communication between upstream and downstream brokers. By default, *TLS peer verification* is enabled for AMQP clients in Amazon MQ for RabbitMQ 4. With this setting, the federation and shovel AMQP clients running on Amazon MQ brokers perform peer verification when establishing connections with the upstream broker.

AMQP clients running on Amazon MQ brokers trust the same certificate authorities as Mozilla. If you don't use [ACM](https://www.amazontrust.com/repository), use a certificate issued by a CA on the [Mozilla Included CA Certificate List](https://wiki.mozilla.org/CA/Included_Certificates). If your on-premises broker uses certificates from other certificate authorities, SSL verification fails. You can disable *TLS peer verification* for these use cases.

**Important**  
Amazon MQ does not currently support configuring client certificates for AMQP client connections. As a result, federation and shovel cannot connect to mTLS-enabled brokers that require client certificate authentication.

**Important**  
On Amazon MQ for RabbitMQ 3, the SSL properties of AMQP clients are configured with the RabbitMQ defaults (`verify_none`). Amazon MQ for RabbitMQ 3 does not support overriding these defaults.

**Note**  
With the default `verify_peer` setting, you can establish federation and shovel connections between any two Amazon MQ brokers, but not between an Amazon MQ broker and private or on-premises brokers that run with non-Amazon MQ CA certificates. To connect with private or on-premises brokers, you must disable peer verification on the downstream Amazon MQ broker.

## AMQP client SSL configuration key
<a name="amqp-client-ssl-configuration-keys"></a>


| Configuration | Configuration Key | Supported Values | 
| --- | --- | --- | 
| AMQP client SSL peer verification | amqp\_client.ssl\_options.verify | verify\_none, verify\_peer | 

## How to override AMQP client SSL peer verification
<a name="override-amqp-client-ssl-peer-verification"></a>

You can override AMQP client SSL peer verification using the Amazon MQ API and Amazon MQ console on RabbitMQ 4 brokers.

The following example shows how to override the AMQP client SSL peer verification using the AWS CLI:

```
aws mq update-configuration --configuration-id <config-id> --data "$(echo "amqp_client.ssl_options.verify=verify_none" | base64 --wrap=0)"
```

A successful invocation creates a configuration revision. You must associate the configuration with your RabbitMQ broker and reboot the broker to apply the override. For more details, see [Creating and applying broker configurations](rabbitmq-creating-applying-configurations.md).

**Important**  
When using `verify_none`, SSL encryption is still active, but the identity of the peer is not verified. Use this setting only when necessary and ensure that you trust the network path to the destination broker.
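The resource limit override and the AMQP client SSL override above both send a Cuttlefish revision to `aws mq update-configuration --data` as base64, and an out-of-range value is only rejected once the configuration is associated with a broker. The following added example (not Amazon MQ's, RabbitMQ's or Cuttlefish's own code) builds the revision, checks each key against the ranges and enumerations documented on this page (`consumer_timeout`, `heartbeat`, the boolean keys and `amqp_client.ssl_options.verify`) before anything is sent, and produces the same unwrapped base64 the CLI command expects. The resource-limit maximums are not on this page, so the `cluster_queue_limit` bound is an assumed placeholder taken from the sample error message, and `c-PLACEHOLDER` stands in for a real configuration id.

```python
"""Build, validate and encode a Cuttlefish configuration revision for an Amazon MQ
for RabbitMQ broker in the shape `aws mq update-configuration --data` expects.

Added example; not Amazon MQ's, RabbitMQ's or Cuttlefish's own code. Value rules
come from this page's configurable-values and supported-values tables. Resource
limit maximums are in the sizing guidelines, so they are passed in as assumptions.
"""
import base64
import shlex

# Allowed values per key, as documented on this page: a tuple is an inclusive
# integer range, a frozenset is an enumeration of accepted literal values.
ALLOWED = {
    "consumer_timeout": (0, 2_147_483_647),
    "heartbeat": (60, 3600),
    "management.restrictions.operator_policy_changes.disabled": frozenset({"true", "false"}),
    "quorum_queue.property_equivalence.relaxed_checks_on_redeclaration": frozenset({"true", "false"}),
    "secure.management.http.headers.enabled": frozenset({"true", "false"}),
    "amqp_client.ssl_options.verify": frozenset({"verify_none", "verify_peer"}),
}


class CuttlefishValidationError(ValueError):
    """The setting would be rejected by the broker or would corrupt the file."""


def validate_setting(key, value, limits):
    """Raise CuttlefishValidationError unless key/value satisfy the documented rule."""
    rule = limits.get(key)
    if rule is None:
        raise CuttlefishValidationError(f"{key}: no rule known for this key")
    if isinstance(rule, frozenset):
        if value not in rule:
            raise CuttlefishValidationError(f"{key}: {value!r} not in {sorted(rule)}")
        return
    low, high = rule
    try:
        number = int(value)
    except ValueError:
        raise CuttlefishValidationError(f"{key}: {value!r} is not an integer") from None
    if not low <= number <= high:
        # Same condition the API reports as "larger than maximum allowed limit", caught locally.
        raise CuttlefishValidationError(f"{key}: {number} outside {low}..{high}")


def build_revision(settings, extra_limits=None):
    """Return Cuttlefish text (key=value, one per line) after validating every setting."""
    limits = {**ALLOWED, **(extra_limits or {})}
    lines = []
    for key, raw in settings.items():
        value = str(raw).lower() if isinstance(raw, bool) else str(raw).strip()
        if "\n" in key or "\n" in value or "=" in key:
            raise CuttlefishValidationError(f"{key}: newline or '=' would corrupt the file")
        validate_setting(key, value, limits)
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"


def encode_for_cli(cuttlefish_text):
    """Unwrapped base64, the same output `base64 --wrap=0` gives for --data."""
    return base64.b64encode(cuttlefish_text.encode("utf-8")).decode("ascii")


def update_configuration_command(configuration_id, settings, extra_limits=None):
    """Compose the AWS CLI command from this page with a validated, encoded revision."""
    data = encode_for_cli(build_revision(settings, extra_limits))
    return (f"aws mq update-configuration --configuration-id {shlex.quote(configuration_id)} "
            f"--data {data}")


# Constructed example values.
EXAMPLE_SETTINGS = {
    "heartbeat": 120,
    "consumer_timeout": 600000,
    "secure.management.http.headers.enabled": True,
    "amqp_client.ssl_options.verify": "verify_peer",
    "cluster_queue_limit": 500,
}
# Assumed placeholder: the sample error on this page names 5000 as the
# cluster_queue_limit maximum; the authoritative value is in the sizing guidelines.
EXAMPLE_EXTRA_LIMITS = {"cluster_queue_limit": (1, 5000)}

if __name__ == "__main__":
    print(update_configuration_command("c-PLACEHOLDER", EXAMPLE_SETTINGS, EXAMPLE_EXTRA_LIMITS))
    try:
        build_revision({"cluster_queue_limit": 100000000}, EXAMPLE_EXTRA_LIMITS)
    except CuttlefishValidationError as err:
        print("rejected before calling the API:", err)
```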