mathworks-ref-arch
diff --git a/‎.gitignore‎
Lines changed: 6 additions & 0 deletions b/‎.gitignore‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎Documentation/.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎Documentation/.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Documentation/MATLABInterface.md‎
Lines changed: 89 additions & 24 deletions b/‎Documentation/MATLABInterface.md‎
Lines changed: 89 additions & 24 deletions
diff --git a/‎Documentation/MessageBroker.md‎
Lines changed: 45 additions & 30 deletions b/‎Documentation/MessageBroker.md‎
Lines changed: 45 additions & 30 deletions
diff --git a/‎Documentation/SSLTLS.md‎
Lines changed: 43 additions & 0 deletions b/‎Documentation/SSLTLS.md‎
Lines changed: 43 additions & 0 deletions
@@ -0,0 +1,6 @@
+.project
+/Release
+.vscode
+results.xml
+.buildtool/
+javaclasspath.txt
@@ -0,0 +1 @@
+_build
@@ -45,8 +45,10 @@ of the `rabbitmq.ConnectorProperties` class or using YAML configuration files.
   *Default:* Default `rabbitmq.Credentials`
 :routingkey: Routing key to subscribe to or poll on - only used for Consumer, when working with Producer the routing key is specified on a per message basis when publishing a message.\
   *Default:* ``"test-topic"``
+:sslcontext: SSL/TLS Configuration. Leave empty if the AMQP connection does not use SSL.\
+  *Default:* Empty (0x0) `rabbitmq.SSLContextProperties`
 
-Where, as can be seen, properties `exchange`, `queue` and `credentials` are 
+Where, as can be seen, properties `exchange`, `queue`, `credentials` and `sslcontext` are 
 in turn other MATLAB classes:
 
 **rabbitmq.ExchangeProperties**
@@ -88,6 +90,38 @@ in turn other MATLAB classes:
 :password: Password\
   *Default:* `"guest"`
 
+**rabbitmq.SSLContextProperties**
+
+:server: Server SSL Configuration. Required to be configured if the AMQP connection requires SSL.\
+  *Default:* Empty (0x0) `rabbitmq.TrustManagerProperties`
+
+:client: Client SSL Configuration. Required to be configured if the RabbitMQ server requires client certificates. Leave unset if the connection is SSL secured but without client certificates.\
+  *Default:* Empty (0x0) `rabbitmq.KeyManagerProperties`
+
+:protocol: SSL/TLS Protocol (version)\
+  *Default:* `"TLSv1.2"`
+
+**rabbitmq.TrustManagerProperties**
+
+:truststore: Location of the trust store containing the server certificate (chain) and/or trusted root CA(s).
+
+:passphrase: Passphrase/password of the trust store.
+
+:type: Type of trust store\
+  *Default:* `"JKS"`
+
+:hostnameVerification: Whether or not hostname verification is enabled. Generally should be left at its default `true`. Only temporarily disable this when debugging SSL/TLS connection issues.\
+  *Default:* `true`
+
+**rabbitmq.KeyManagerProperties**
+
+:keystore: Location of the keystore containing the client certificate and corresponding private key.
+
+:passphrase: Passphrase/password of the keystore.
+
+:type: Type of keystore.\
+  *Default:* `"PKCS12"`
+
 Setting properties values can be done through traditional MATLAB class syntax:
 
 ```matlab
@@ -142,34 +176,53 @@ configuration file for the MATLAB Production Server interface:
 # Messaging connection and routing properties
 messageQueue:
   queue:
-    name: RabbitMQ          # Name of the Queue on RabbitMQ Server
-    create: true            # Creates/verifies whether queue exists
-    durable: false          # Work with a durable queue or not
-    exclusive: false        # Work with an exclusive queue or not
-    autoDelete: false       # Work with an auto delete queue or not
-    arguments:              # Set additional arguments, can be omitted entirely
-      x-max-length: 42      # For example, set the maximum queue length
-  host: localhost           # Hostname or IP of the RabbitMQ Server
-  port: 5672                # Port the RabbitMQ Server runs on
-  virtualhost: /            # RabbitMQ Virtual Host
-  credentials: 
-    username: guest         # RabbitMQ username
-    password: guest         # RabbitMQ password
-  exchange:
-    name: amq.topic         # Exchange to work with on RabbitMQ
-    create: true            # Creates/verifies whether exchange exists
-    durable: true           # Work with a durable exchange or not
-    autoDelete: false       # Work with an auto delete exchange or not
-    internal: false         # Work with an internal exchange or not
-    arguments:              # Set additional arguments, can be omitted entirely
-      alternate-exchange: my-ea # For example alternate-exchange
-  routingkey: test-topic    # Routing key to subscribe to
+    name: RabbitMQ               # Name of the Queue on RabbitMQ Server
+    create: true                 # Creates/verifies whether queue exists
+    durable: false               # Work with a durable queue or not
+    exclusive: false             # Work with an exclusive queue or not
+    autoDelete: false            # Work with an auto delete queue or not
+    arguments:                   # Set additional arguments, can be omitted entirely
+      x-max-length: 42           # For example, set the maximum queue length
+  host: localhost                # Hostname or IP of the RabbitMQ Server
+  port: 5672                     # Port the RabbitMQ Server runs on
+  virtualhost: /                 # RabbitMQ Virtual Host
+  credentials:     
+    username: guest              # RabbitMQ username
+    password: guest              # RabbitMQ password
+  exchange:    
+    name: amq.topic              # Exchange to work with on RabbitMQ
+    create: true                 # Creates/verifies whether exchange exists
+    durable: true                # Work with a durable exchange or not
+    autoDelete: false            # Work with an auto delete exchange or not
+    internal: false              # Work with an internal exchange or not
+    arguments:                   # Set additional arguments, can be omitted entirely
+      alternate-exchange: my-ea  # For example alternate-exchange
+  routingkey: test-topic         # Routing key to subscribe to
+  sslcontext:                    # SSL/TLS Configuration, omit this section entirely when not working with SSL
+    protocol: TLSv1.2            # Exact SSL/TLS protocol (version)
+    server:                      # Server trust store configuration
+      truststore: /some/location # Location of the trust store containing the server certificate chain
+      passphrase: rabbitstore    # Passphrase/password of the trust store
+      type: JKS                  # Type of trust store
+      hostnameVerification: true # Enable hostname verification
+    client:                      # Client Certificate Configuration. Omit this section entirely if your server does not require client certificates
+      keystore: /some/location   # Location of the keystore containing client certificate and private key
+      passphrase: supersecret    # Passphrase/password of the keystore
+      type: PKCS12               # Type of keystore
 ```
 
 ```{note}
 The `arguments` option can be omitted entirely for both `queue` and `exchange` if it is not necessary to set additional arguments. There is no fixed set of arguments which can be added and the entered argument names are not checked by the interface; they are passed on the server as-is. Check the RabbitMQ documentation to learn more about which exact arguments can be configured.
 ```
 
+```{note}
+The `sslcontext` section is omitted entirely if not working with an SSL secured endpoint. If working with an SSL secured endpoint, the `sslcontext` section must be added and the `server` section must be configured. The `client` section is optional; it is needed if your server requires client certificates but is omitted when client certificates are not required/used.
+```
+
+#### SSL/TLS Configuration
+
+More details about working with SSL/TLS secured channels can be found in [](./SSLTLS.md).
+
 ### RabbitMQ Producer for publishing messages `rabbitmq.Producer`
 To work with `rabbitmq.Producer` in MATLAB, first create an instance with
 `rabbitmq.ConnectorProperties` or configuration YAML-file as input:
@@ -189,6 +242,18 @@ message as input:
 producer.publish('my-routing-key','Hello World');
 ```
 
+And to send a message with headers use `publishWithHeaders` where headers are
+specified as a cell-array with pairs of values where the first value is the header
+name and the second value is the header value; repeat to set multiple headers. 
+For example:
+
+```matlab
+producer.publishWithHeaders('my-routing-key',...
+  {'FirstHeaderName',HeaderValue1,'SecondHeaderName',HeaderValue2},...
+  'Hello World');
+```
+
+
 ### RabbitMQ Consumer for receiving messages `rabbitmq.Consumer`
 `rabbitmq.Consumer` offers two approaches for receiving messages from RabbitMQ
 in MATLAB. An event-based approach and a polling approach. These two different
@@ -273,4 +338,4 @@ added to the *static* class path but there may be circumstances in which this is
 not possible and then it is loaded on the *dynamic* class path; this may make
 the event based consumer approach unavailable.
 
-[//]: #  (Copyright 2022-2023 The MathWorks, Inc.)
+[//]: #  (Copyright 2022-2025 The MathWorks, Inc.)
@@ -122,45 +122,60 @@ the options to match your configuration.
     The `arguments` for `queue` and `exchange` will likely have to be removed, they are not often used and shown here mainly for illustrative purposes to show *where* these can be added *if* they are needed. There is no fixed set of arguments which can be added and argument names are not verified by `MessageBroker`; they are send to the server as-is. Check the RabbitMQ documentation to learn more about the argument its supports.
     ```
 
+    ```{note}
+    The `sslcontext` section should be omitted entirely if the amqp channel is not SSL/TLS secured at all. If the channel is SSL/TLS secured, the section must be present and the `server` section must be configured. The `client` section is optional; it must be configured if the server requires client certificates but is omitted if it does not. Also see [](./SSLTLS.md) to learn more about the SSL/TLS configuration.
+    ```
+
     ```yaml
     # MATLAB Production Server connection properties
     mps:
-      protocol: http            # Protocol used by the MPS Instance
-      host: localhost           # Hostname or IP of the MPS Instance
-      port: 9910                # Port the MPS Instance runs on
-      archive: demo             # Name of the CTF containing the function which
-                                # is to be called on MPS when a message received
-      function: MPSreceive      # Function inside the archive which is to be called
-      timeoutms: 120000         # Timeout on the request to MATLAB Production Server
-                                # MessageBroker will log an error if the request
-                                # to MATLAB Production Server did not complete within
-                                # this time
+      protocol: http                 # Protocol used by the MPS Instance
+      host: localhost                # Hostname or IP of the MPS Instance
+      port: 9910                     # Port the MPS Instance runs on
+      archive: demo                  # Name of the CTF containing the function which
+                                     # is to be called on MPS when a message received
+      function: MPSreceive           # Function inside the archive which is to be called
+      timeoutms: 120000              # Timeout on the request to MATLAB Production Server
+                                     # MessageBroker will log an error if the request
+                                     # to MATLAB Production Server did not complete within
+                                     # this time
 
     # Messaging connection and routing properties
     messageQueue:
       queue:
-        name: RabbitMQ          # Name of the Queue on RabbitMQ Server
-        create: true            # Creates/verifies whether queue exists
-        durable: false          # Work with a durable queue or not
-        exclusive: false        # Work with an exclusive queue or not
-        autoDelete: false       # Work with an auto delete queue or not
-        arguments:              # Set additional arguments, can be omitted entirely
-          x-max-length: 42      # For example, set the maximum queue length
-      host: localhost           # Hostname or IP of the RabbitMQ Server
-      port: 5672                # Port the RabbitMQ Server runs on
-      virtualhost: /            # RabbitMQ Virtual Host
+        name: RabbitMQ               # Name of the Queue on RabbitMQ Server
+        create: true                 # Creates/verifies whether queue exists
+        durable: false               # Work with a durable queue or not
+        exclusive: false             # Work with an exclusive queue or not
+        autoDelete: false            # Work with an auto delete queue or not
+        arguments:                   # Set additional arguments, can be omitted entirely
+          x-max-length: 42           # For example, set the maximum queue length
+      host: localhost                # Hostname or IP of the RabbitMQ Server
+      port: 5672                     # Port the RabbitMQ Server runs on
+      virtualhost: /                 # RabbitMQ Virtual Host
       credentials: 
-        username: guest         # RabbitMQ username
-        password: guest         # RabbitMQ password
+        username: guest              # RabbitMQ username
+        password: guest              # RabbitMQ password
       exchange:
-        name: amq.topic         # Exchange to work with on RabbitMQ
-        create: true            # Creates/verifies whether exchange exists
-        durable: true           # Work with a durable exchange or not
-        autoDelete: false       # Work with an auto delete exchange or not
-        internal: false         # Work with an internal exchange or not
-        arguments:              # Set additional arguments, can be omitted entirely
-          alternate-exchange: my-ea # For example alternate-exchange
-      routingkey: test-topic    # Routing key to subscribe to
+        name: amq.topic              # Exchange to work with on RabbitMQ
+        create: true                 # Creates/verifies whether exchange exists
+        durable: true                # Work with a durable exchange or not
+        autoDelete: false            # Work with an auto delete exchange or not
+        internal: false              # Work with an internal exchange or not
+        arguments:                   # Set additional arguments, can be omitted entirely
+          alternate-exchange: my-ea  # For example alternate-exchange
+      routingkey: test-topic         # Routing key to subscribe to
+      sslcontext:                    # SSL/TLS Configuration, omit this section entirely when not working with SSL
+        protocol: TLSv1.2            # Exact SSL/TLS protocol (version)
+        server:                      # Server trust store configuration
+          truststore: /some/location # Location of the trust store containing the server certificate chain
+          passphrase: rabbitstore    # Passphrase/password of the trust store
+          type: JKS                  # Type of trust store
+          hostnameVerification: true # Enable hostname verification
+        client:                      # Client Certificate Configuration. Omit this section entirely if your server does not require client certificates
+          keystore: /some/location   # Location of the keystore containing client certificate and private key
+          passphrase: supersecret    # Passphrase/password of the keystore
+          type: PKCS12               # Type of keystore      
     ```
 
     ```{note}
 
@@ -0,0 +1,43 @@
+# SSL/TLS Configuration
+
+RabbitMQ supports [securing its (AMQP) channels using TLS](https://www.rabbitmq.com/docs/ssl). If working with such a TLS secured endpoint, the MATLAB RabbitMQ interface or MATLAB Production Server MessageBroker must explicitly be configured for this, in such cases you must:
+
+1.  Provide a trust store containing the server certificate chain and/or trusted root CAs, and
+2.  Optionally provide a keystore containing the client certificate and private key if your server requires client certificates.
+
+Since the MATLAB RabbitMQ interfaces build on top of the RabbitMQ Java libraries, the trust store and key store need to be provided in Java compatible formats. Typically the trust store is in `JKS` format (with no predefined extension) and the keystore can be provided as `PKCS12` file (typically with the `.pfx` or `.p12` extension).
+
+```{hint}
+The server administrators who secured the RabbitMQ server with TLS in the first place, can likely help you with obtaining the correct certificates and keys, and in the right formats. 
+
+If you are not an expert in this area, it is typically recommended to reach out to the experts within your company rather than try to obtain and/or convert the certificates on your own.
+
+Nevertheless some further hints and tips are provided below.
+```
+
+## Trust Store
+
+The Trust Store needs to contain the actual server certificate and/or chain and/or root CA(s) of the server which you want to connect to. The Trust Store is typically provided in `JKS` format. If you have a certificate (chain) in PEM-format instead, you can use Java's `keytool` to import it into a `JKS` Trust Store, for example:
+
+```console
+$ keytool -importcert -file certificate.pem -keystore ./mytruststore -storetype JKS
+```
+
+This will import the certificate(s) from `certificate.pem` into a new store in the current directory named `mytruststore`. `keytool` will ask for a new passphrase/password with which to secure this trust store.
+
+## Key Store
+
+If your server requires client certificates as well, you need to provide the client certificate and corresponding private key in the form of a `PKCS12` file; typically a file with `.p12` or `.pfx` extension. If you have the client certificate and corresponding key in two separate PEM-format files you will need to convert this to `PKCS12` format first, for example using the `openssl` commandline tool:
+
+```console
+$ openssl pkcs12 -export -out client.p12 -inkey client_key.pem -in client_certificate.crt -CAfile CA.crt -chain
+```
+
+This this the private key from the `client_key.pem` and certificate from `client_certificate.crt` and together with the CA certificate from `CA.crt` writes it out to `client.p12` in `PKCS12` format.
+
+```{hint}
+Depending on the version(s) of tooling used, the (relatively old) Java Runtime as included with MATLAB by default, may not be able to read the client private key from the PKCS12 file. In such cases you may need to configure MATLAB to work with a newer (OpenJDK) Java Runtime, see:
+
+* <https://www.mathworks.com/support/requirements/openjdk.html>
+* <https://www.mathworks.com/help/matlab/matlab_external/configure-your-system-to-use-java.html>
+```