Starlight for RabbitMQ security

Starlight for RabbitMQ supports connections using TLS/mTLS to ensure privacy and security of the communication. It also supports the PLAIN and EXTERNAL authentication mechanisms used by RabbitMQ:

  • PLAIN: Maps to the AuthenticationProviderToken mode of authentication. The username is ignored, and the password is used as the JSON Web Token (JWT).

  • EXTERNAL: Maps to the AuthenticationProviderTls mode of authentication. This is the equivalent of the rabbitmq-auth-mechanism-ssl plugin with the ssl_cert_login_from parameter set to common_name.

Internally, it uses the same AuthenticationService as Pulsar, and it maps these mechanisms to existing Pulsar authentication modes.

Starlight for RabbitMQ doesn’t support authorization. This means an authenticated user has full access to all virtual hosts.
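An added example (not Starlight for RabbitMQ or Pulsar code) of the PLAIN mapping described above: it parses a SASL PLAIN response and reports the role carried by the JWT in the password field, showing that the username sent has no effect on the identity. The sample token, its dummy signature, the function names, and the use of the `sub` claim as the role are assumptions made for the illustration; the signature is not verified here.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_constructed_jwt(claims: dict) -> str:
    """Build a sample compact JWT (constructed; the signature is a dummy value)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(b'constructed-signature')}"


def plain_response(username: str, password: str) -> bytes:
    """SASL PLAIN response layout: authzid NUL authcid NUL passwd (RFC 4616)."""
    return b"\0" + username.encode() + b"\0" + password.encode()


def effective_identity(response: bytes, now: float, role_claim: str = "sub") -> dict:
    """Report the identity a token-based provider would derive from PLAIN.

    role_claim="sub" is an assumption; the username is parsed only to show
    that it plays no part in the result.
    """
    parts = response.split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN response")
    _authzid, username, password = parts
    segments = password.decode().split(".")
    if len(segments) != 3:
        raise ValueError("password is not a compact JWT")
    padded = segments[1] + "=" * (-len(segments[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    exp = claims.get("exp")
    return {
        "username_sent": username.decode(),
        "role": claims.get(role_claim),
        "expired": exp is not None and exp <= now,
    }


if __name__ == "__main__":
    token = make_constructed_jwt({"sub": "app-role", "exp": 2000})  # constructed
    for user in ("guest", "anything-at-all"):
        print(effective_identity(plain_response(user, token), now=1000))
```

Because the token alone determines the identity, client configurations should treat the AMQP password field as the secret to protect and rotate, and reviews of client access should look at the token's role claim rather than the configured username.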

Starlight for RabbitMQ can connect to brokers that have TLS, authentication, and/or authorization enabled.

To perform its operations, the Starlight for RabbitMQ proxy must use an admin role.
