Managing Message VPNs

Message VPNs group clients connecting to a network of Solace routers, such that messages published within a particular group are only visible to clients that belong to that group.

Default Router Configuration

The initial configuration and functioning of the Solace router with respect to the Message VPN feature is as follows:

  • There is a single Message VPN named default. It cannot be deleted from the router.
    • For Solace appliances, the Message VPN named default is disabled by default (that is, not running).
    • For Solace VMRs, the Message VPN named default is enabled.
  • There is a single client username named default that exists in each Message VPN. It has default attributes assigned to it, and it is assigned to all clients. It cannot be deleted from the router, but an administrator can modify its configuration.
    • For Solace appliances, the client username named default is disabled by default (that is, not running).
    • For Solace VMRs, the client username named default is enabled by default (that is, running).
  • No Message VPN bridges exist.

Tip:  Consequently, for appliances, no client is allowed to connect to the default router configuration until both the Message VPN named default and the client username named default are enabled. A client receives a 503 response code if it attempts to connect to the Message VPN named default while it is still disabled.

Configuring Message VPNs

  • To create a Message VPN, enter the following CONFIG command:

    solace(configure)# create message-vpn <vpn-name>

  • To edit the properties of an existing Message VPN, enter the following CONFIG command:

    solace(configure)# message-vpn <vpn-name>

Where:

<vpn-name> is the name of the Message VPN to be created or edited. The Message VPN name must be unique among all created Message VPNs on the router. Message VPN names can contain up to 32 alphanumeric characters, except the asterisk (*) or question mark (?).

Entering the message-vpn Global CONFIG command moves the CLI to the VPN CONFIG level:

solace(configure/message-vpn)#

Note:   

  • The no version of this command (no message-vpn <vpn-name>) deletes the specified Message VPN from the router (the Message VPN named default, however, cannot be deleted). Before deleting a Message VPN:
    • It must be disabled through the shutdown VPN CONFIG command.
    • No other configured objects can refer to it.
  • When a Message VPN is created, it is not automatically enabled. To enable a Message VPN, refer to Stopping/Starting Message VPNs.

Entering the message-vpn Global CONFIG level allows you to perform the following tasks for the given Message VPN:

Configuring Accepted Client Authentication Schemes

Refer to Managing Client Authentication for details on how to configure client authentication schemes for the given Message VPN.

Configuring Bridging Server Certification Validation

Refer to Configuring Server Certificate Validation Settings for details on configuring the actions to take on validating server certificates for Message VPN bridges when using Transport Layer Security (TLS)/Secure Sockets Layer (SSL) authentication.

Designating Management Message VPNs

System-level SolOS syslog events (as opposed to Message VPN scope events) are always published in a Message VPN that has been designated as the Management Message VPN for the router. A Solace router can only have one of its enabled Message VPNs configured as the Management Message VPN. (If no Management Message VPN is configured, then system-level SolOS syslog events are not published on the router.)

To designate a Message VPN as the Management Message VPN to use for publishing message bus system-level SolOS syslog requests and events, enter the following VPN CONFIG command:

solace(configure/message-vpn)# management-message-vpn

Note:   

  • The no version of this command (no management-message-vpn) deletes the management configuration from the Message VPN.
  • Message VPN-level events (including client and subscription events) are always published to the message bus in the Message VPN on which the events occurred.

Enabling Logging Events on Management Message VPNs

To turn system-level publishing of SolOS syslog events to the message bus on or off on the Management Message VPN, enter the following Global CONFIG level command:

solace(configure)# logging event

The CLI moves to a Logging Event CONFIG level, from which you can do the following:

  • To enable system-level publishing of SolOS syslog events to the message bus on the Management Message VPN, enter the following CONFIG command:

    solace(configure/logging/event)# publish-system

  • To disable system-level publishing of SolOS syslog events to the message bus on the Management Message VPN, enter the following CONFIG command:

    solace(configure/logging/event)# no publish-system

  • To configure a custom identification tag as a prefix for system-level SolOS syslog events, enter the system-tag Logging Event CONFIG command:

    solace(configure/logging/event)# system-tag <tag-string>

    Where:

    <tag-string> is the custom identification tag with no spaces, asterisks (*), question marks (?), or single (') or double (") quotes. It can contain up to 32 alphanumeric characters, and must be unique among all system-level identification tags. The default is empty, that is, no custom identification tag.

    Note:  The no version of this command (no system-tag) deletes the custom identification tag from system-level SolOS syslog events, and sets the tag string back to default.

Showing Management Message VPN Logging Events

To view the current configuration of system-level publishing of SolOS syslog events to the message bus on the Management Message VPN, enter the following User EXEC command.

solace> show logging event

Configuring Maximum Connections

To configure the maximum number of clients that are permitted to simultaneously connect to a given Message VPN through all supported services, enter the following CONFIG command:

solace(configure/message-vpn)# max-connections <value>

Where:

<value> is the integer value specifying the maximum total number of client connections permitted for the Message VPN. This maximum value includes client connections for all supported services. The valid range is from 0 to the maximum total number of clients that can be supported by the type of Solace router used.

Note:   

  • The no version of this command (no max-connections) resets the maximum number of client connections that are permitted to simultaneously connect with the given Message VPN back to the default value, which is the maximum total number of client connections for all services that the router can support.
  • To view the maximum total number of client connections that the Solace router can support, enter the show service User EXEC command.
  • The maximum number of client connections can also be limited on a client-profile basis (refer to Configuring the Max Connections Per Client Username).
  • If you are using the Replication facility, and the types of Solace routers used at each Replication site do not match, you must ensure that the combined maximum number of client connections for all Message VPNs at one Replication site does not exceed the combined maximum number of client connections for all Message VPNs at its mate Replication site. Consider, for example, a scenario where a 3260 appliance is used at Replication Site A and a 3230 appliance that supports a maximum of 6,000 clients is used as its mate at Replication Site B. If the 3260 appliance at Site A uses more than 6,000 client connections, it is possible that the 3230 appliance at Site B will be sent more configuration updates than it can handle. Therefore, when Config‑Sync is enabled for Replication sites that use mismatched routers, the configured max-connections value for Replicated Message VPNs and the max-connections-per-client-username values for the client profiles used by each router at the Replication sites must not exceed the maximum value for the router with the lowest range.

Configuring Maximum Subscriptions

You can configure a limit for the maximum number of unique local subscriptions (across both primary and backup VRIDs) that clients can add to a Message VPN.

Note:  This limit only applies to unique subscriptions. For example, two clients subscribing to the topic "a/b" will only count as one against this limit. Also note that this limit is not affected by remote subscriptions. Therefore, the total number of unique subscriptions could exceed the maximum permitted number of subscriptions if some of them are remote subscriptions, as shown in the following example:

solace1> show message-vpn default

Message VPN:                         default
Configuration Status:                Enabled
Local Status:                        Up
Distributed Cache Management:        Enabled
Total Local Unique Subscriptions:    6
Total Remote Unique Subscriptions:   5
Total Unique Subscriptions:          11
Maximum Subscriptions:               10
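The counting rule described above can be checked mechanically against the show message-vpn output. The following Python sketch is an added example (not Solace code); it parses the output shown on this page and compares only the local unique count with the limit. The function names and the report keys are assumptions made for this illustration.

```python
# Output copied from the example on this page.
SAMPLE_OUTPUT = """\
solace1> show message-vpn default

Message VPN:                         default
Configuration Status:                Enabled
Local Status:                        Up
Distributed Cache Management:        Enabled
Total Local Unique Subscriptions:    6
Total Remote Unique Subscriptions:   5
Total Unique Subscriptions:          11
Maximum Subscriptions:               10
"""

def parse_show_message_vpn(text):
    """Turn 'Label:   value' lines into a dict; other lines are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def subscription_headroom(fields):
    """Compare the limit with the LOCAL unique count only, as the note states."""
    local = int(fields["Total Local Unique Subscriptions"])
    remote = int(fields["Total Remote Unique Subscriptions"])
    total = int(fields["Total Unique Subscriptions"])
    limit = int(fields["Maximum Subscriptions"])
    return {
        "vpn": fields["Message VPN"],
        "remaining_local": max(limit - local, 0),
        "limit_reached": local >= limit,
        # Remote subscriptions can push the total past the limit
        # without the limit itself being reached.
        "total_exceeds_limit": total > limit,
        "counts_consistent": local + remote == total,
    }

if __name__ == "__main__":
    print(subscription_headroom(parse_show_message_vpn(SAMPLE_OUTPUT)))
```

For the output above, the total (11) is over the limit (10), yet four more local unique subscriptions can still be added.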

To configure the maximum number of local client subscriptions (across both primary and backup VRIDs) that can be added to the specified Message VPN, enter the following VPN CONFIG command:

solace(configure/message-vpn)# max-subscriptions <value>

Where:

<value> is the integer value specifying the maximum number of local client subscriptions. The valid range is 0 to 4294967295. The default value is 5000000.

Note:  The no version of this command (no max-subscriptions) resets the maximum number of local client subscriptions that can be added to the specified Message VPN back to the default value.

Configuring Message VPN Event Generation

To configure the conditions that cause Message VPN-related events to be generated, and to control whether some types of events get published onto the message bus, enter the following VPN CONFIG commands:

solace(configure/message-vpn)# event

solace(configure/message-vpn/event)#

The CLI is now at the Message VPN Event CONFIG level.

At this level, you can use the CLI to configure the high and low thresholds at which events are generated for the given Message VPN, and enable the publishing of events to the message bus for Message VPNs. For more information, refer to Configuring Event Outputs and Thresholds.

Configuring Replication

By default, the use of the Replication feature is not enabled for a Message VPN. To use the Replication feature, a Replication mate and interface must first be set at the system level, and then Replication settings can be configured at the Message VPN level through the Message VPN Replication CONFIG commands.

For information on how to configure the Solace message Platform for Replication, refer to Configuring Data Center Replication. For information on the Message VPN-specific Replication parameters, refer to Configuring Message VPN-Level Replication Settings.

Configuring SEMP Over Message Bus

The Solace Element Management Protocol (SEMP) Request Over Message Bus feature can be enabled for a Message VPN so that clients have access to a limited subset of the router management commands for that Message VPN.

For information on using the router SEMP Request Over Message Bus service, refer to Configuring SEMP Over Message Bus Services.

Configuring Services

To configure a Message VPN’s service settings, enter the following CONFIG commands:

solace(configure)# message-vpn <vpn-name>

solace(configure/message-vpn)# service

The CLI is now at a level at which you can configure the following services:

Configuring MQTT Service

To configure the Message Queuing Telemetry Transport (MQTT) service settings for the given Message VPN, enter the following CONFIG command:

solace(configure/message-vpn/service)# mqtt

The CLI is now at a configuration mode for MQTT service for the given Message VPN.

solace(configure/message-vpn/service/mqtt)#

In this configuration mode, you can configure MQTT service parameters. For information, refer to Managing MQTT Service.

Configuring REST Service

To configure the REST service settings for the given Message VPN, enter the following CONFIG command:

solace(configure/message-vpn/service)# rest

The CLI is now at a configuration mode for REST service for the given Message VPN, from which you can configure REST service parameters. For information, refer to Managing REST Service.

Configuring SMF Service

To configure the Solace Message Format (SMF) service settings for the given Message VPN, enter the following CONFIG command:

solace(configure/message-vpn/service)# smf

The CLI is now at a configuration mode for SMF service from which you can configure the following SMF service parameters for the given Message VPN:

Configuring Max SMF Connections

To configure the maximum number of SMF clients that can be simultaneously connected to the given Message VPN on this router, enter the following CONFIG command:

solace(configure/message-vpn/service/smf)# max-connections <value>

Where:

<value> is the maximum number of simultaneous SMF client connections permitted. The valid range depends on the type of Solace router (for example, Solace 3530 or 3560) used.

Note:   

  • The no version of the command (no max-connections) resets the value to the highest value supported by the router.
  • To view the maximum total number of SMF client connections that the given router can support, enter the show service User EXEC command.

Enabling Plain Text Over SMF Service

  • To enable plain-text over SMF service for the Message VPN, enter the following CONFIG command:

    solace(configure/message-vpn/service/smf)# plain-text no shutdown

    By default, plain-text over SMF service is enabled for a Message VPN.

  • To disable plain-text over SMF service for the Message VPN, enter the following CONFIG command:

    solace(configure/message-vpn/service/smf)# plain-text shutdown

Enabling SSL Over SMF Service

  • To enable TLS/SSL over SMF service for the Message VPN, enter the following CONFIG command:

    solace(configure/message-vpn/service/smf)# ssl no shutdown

    By default, TLS/SSL over SMF service is enabled for a Message VPN.

  • To disable TLS/SSL over SMF service for the Message VPN, enter the following command:

    solace(configure/message-vpn/service/smf)# ssl shutdown

Configuring Web Transport Service

You can configure the following Web transport service parameters for a given Message VPN:

Configuring Max Web Client Connections

To configure the maximum number of Web clients that can be simultaneously connected to the given Message VPN, enter the following CONFIG commands:

solace(configure/message-vpn/service)# web-transport

solace(configure/message-vpn/service/web-transport)# max-connections <value>

Where:

<value> is the maximum number of simultaneous Web client connections permitted. The valid range depends on the type of Solace router used.

Note:   

  • The no version of the command (no max-connections) resets the value to the highest value supported by the router.
  • To view the maximum total number of Web client connections that the given router can support, enter the show service User EXEC command.

Enabling Plain Text Over Web Transport Service

  • To enable plain-text over Web transport service for the Message VPN, enter the following CONFIG commands:

    solace(configure/message-vpn/service)# web-transport

    solace(...ure/message-vpn/service/web-transport)# plain-text no shutdown

    By default, plain-text over Web transport service is enabled for a Message VPN.

  • To disable plain-text over Web transport service for the Message VPN, enter the following commands:

    solace(configure/message-vpn/service)# web-transport

    solace(...ure/message-vpn/service/web-transport)# plain-text shutdown

Enabling SSL Over Web Transport Service

  • To enable TLS/SSL over Web service for the Message VPN, enter the following CONFIG commands:

    solace(configure/message-vpn/service)# web-transport

    solace(...ure/message-vpn/service/web-transport)# ssl no shutdown

    By default, TLS/SSL over Web transport service is enabled for a Message VPN.

  • To disable TLS/SSL over Web transport service for the Message VPN, enter the following commands:

    solace(configure/message-vpn/service)# web-transport

    solace(...ure/message-vpn/service/web-transport)# ssl shutdown
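Because plain-text is enabled by default for both the SMF and Web transport services, a Message VPN keeps accepting unencrypted clients unless plain-text shutdown is entered for each service. The following Python sketch is an added example (not Solace code) that replays captured CLI lines and reports which services still have plain-text enabled. The transcript, the VPN names and the function names are constructed for this illustration, and the audit assumes the transcript covers each Message VPN from its creation.

```python
import re

SERVICES = ("smf", "web-transport")
# Matches both the full prompt and the truncated "solace(...ure/...)#" form.
PROMPT = re.compile(r"^solace\((?P<level>[^)]*)\)#\s*(?P<cmd>\S.*)$")

# Constructed sample transcript; VPN names are hypothetical.
TRANSCRIPT = [
    "solace(configure)# create message-vpn orders",
    "solace(configure/message-vpn)# service",
    "solace(configure/message-vpn/service)# smf",
    "solace(configure/message-vpn/service/smf)# plain-text shutdown",
    "solace(configure)# create message-vpn telemetry",
    "solace(configure/message-vpn/service)# web-transport",
    "solace(...ure/message-vpn/service/web-transport)# plain-text shutdown",
    "solace(...ure/message-vpn/service/web-transport)# ssl no shutdown",
    "solace(configure)# create message-vpn legacy",
    "solace(configure/message-vpn)# max-connections 100",
]

def new_vpn_state():
    # Defaults stated on this page: plain-text and TLS/SSL are both enabled.
    return {svc: {"plain-text": True, "ssl": True} for svc in SERVICES}

def audit_transcript(lines):
    """Replay CLI lines and return {vpn: {service: {transport: enabled}}}."""
    vpns, current = {}, None
    for raw in lines:
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # command output or blank line
        level, tokens = m["level"], m["cmd"].split()
        if level == "configure" and "message-vpn" in tokens[:-1]:
            name = tokens[-1]
            if tokens[0] == "no":          # no message-vpn <vpn-name>
                vpns.pop(name, None)
                current = None
            else:                          # create message-vpn / message-vpn
                current = name
                vpns.setdefault(name, new_vpn_state())
            continue
        svc = next((s for s in SERVICES if level.endswith("/service/" + s)), None)
        if (svc and current and tokens[0] in ("plain-text", "ssl")
                and tokens[-1] == "shutdown"):
            # "<transport> no shutdown" enables, "<transport> shutdown" disables.
            vpns[current][svc][tokens[0]] = tokens[1:] == ["no", "shutdown"]
    return vpns

def plaintext_exposed(vpns):
    """List, per Message VPN, the services that still accept plain-text."""
    return {name: [s for s in SERVICES if state[s]["plain-text"]]
            for name, state in vpns.items()}

if __name__ == "__main__":
    for name, services in plaintext_exposed(audit_transcript(TRANSCRIPT)).items():
        print(name, services or "TLS/SSL only")
```

A Message VPN that was created without any service commands is reported for both services, since the defaults leave plain-text on.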

Enabling Distributed Cache Management

If you are using SolCache service for a Message VPN, the distributed cache management facility (also known as Cache Manager) must be enabled for that Message VPN. The distributed cache management facility allows for the management of Distributed Caches and their associated Cache Clusters and SolCache Instances. It also enables configuration information to be provided to SolCache Instances when they start up and keeps that information current and synchronized.

For a given Message VPN, only one router in the network should have the distributed cache management facility enabled. By default, a Cache Manager is enabled when a Message VPN is created.

NOTICE: There is no support for automatic Cache Manager redundancy. Therefore, if a Message VPN spans multiple neighbor routers, it is essential that only one Cache Manager is active for a Message VPN at any time to ensure normal cache operations.

To enable the distributed cache management facility for the given Message VPN, enter the following CONFIG command:

solace(configure/message-vpn)# distributed‑cache‑management

Note:  The no version of this command (no distributed‑cache‑management) disables the distributed cache management facility used on a Message VPN.

Enabling Subscription Exporting

For messages to be received from other Solace routers, the subscription export policy in Message VPNs must be set to export subscriptions. This causes subscriptions added locally to the Message VPN to be exported to other physical routers in the network.

To enable the export of subscriptions in a Message VPN to other routers in the network, on a per-Message VPN basis, enter the following CONFIG command:

solace(configure/message-vpn)# export-policy export-subscriptions

Note:   

  • By default, the export policy in a Message VPN is set to not export subscriptions to other routers in the network.
  • Set the subscription export policy for a given Message VPN the same for all routers in the network.
  • The no version of this command disables export of subscriptions in the Message VPN to other routers in the network:

    solace(configure/message-vpn)# export-policy export-subscriptions

    solace(configure/message-vpn/export-policy)# no export-subscriptions

Stopping/Starting Message VPNs

Alert! The shutdown VPN CONFIG command will disconnect all clients connected to the specified Message VPN, and any new connection requests to that Message VPN are rejected until it is enabled again through the no shutdown VPN CONFIG command.

To stop a given Message VPN, enter the following CONFIG command:

solace(configure/message-vpn)# shutdown

Note:  The no version of this command (no shutdown) starts the given Message VPN. Message VPNs are disabled by default (that is, not running) on Solace routers.

Associating Client Usernames to Message VPNs

A client is only authorized to connect to a Message VPN that is associated with a client username assigned to that client. When a client username is created, it is associated with a particular Message VPN. For more information, refer to Configuring Client Username Accounts.