Client Authentication

When an application or device connects to a particular Message VPN, the resulting client connection must be authenticated before any client requests can be processed. A connecting client is authenticated on a per-Message VPN basis through one of the client authentication schemes described in the following sections:

Note:  More than one type of authentication scheme can be configured and enabled for a Message VPN, but a client can only be configured to use one type of authentication scheme.

Basic Authentication

A basic authentication scheme allows a connecting client to authenticate with a router by providing a valid client username and password as its credentials.

Basic authentication is the default client authentication scheme for a Message VPN. It is available for client applications using any Solace messaging API. It is also available for client applications using the OpenMAMA API, REST, or MQTT.

Clients can use Basic authentication for either a plain-text or a Transport Layer Security (TLS) / Secure Sockets Layer (SSL)-encrypted client connection to the router.

This authentication scheme uses one of the following authentication types:

  • Internal—The client username and password provided by the client are verified against an internal Solace router database.
  • RADIUS—The client username and password are sent to an external RADIUS server for authentication.
  • LDAP—The client username and password are sent to an external LDAP server for authentication.
  • None—No client authentication is performed for the client. Solace strongly recommends against using no client authentication.

Related Provisioning and Configuration Information

To use basic authentication to authenticate connecting clients, the following configuration is required for the following areas:

  • client configuration
    • For clients using Solace messaging APIs, their client username and password are provided as configurable session properties. See the following sections for information on how to set session properties and create sessions: Creating Client Sessions for Solace enterprise APIs, Creating JMS Connections for Solace JMS API; Creating Client Sessions for Solace Web messaging APIs.
    • For OpenMAMA clients, basic authentication parameters are configured for the Solace Middleware Bridge that is used to establish a connection to the Solace router. See Configuring Solace OpenMAMA Bridges.
    • For REST clients, the client username and password are provided as a string in an HTTP standard header. See Client Authentication.
    • For MQTT clients, the CONNECT packet contains Username and Password fields. These are mapped to a Solace client username and password. For more information, see 3.1.3.4 User Name in the Solace MQTT 3.1.1 Messaging Protocol Conformance section.
  • Solace router configuration
    • A client username and password combination must be configured and enabled.
    • For information on the system and Message VPN-level configurations that are required on a Solace router to implement a basic authentication scheme, refer to Managing Client Authentication.

      Note:  For REST and MQTT clients, some additional Message VPN configurations, such as enabling the appropriate listen ports, are required. For more information, see REST Overview and Using MQTT.
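The REST and MQTT items above both say that the client username and password arrive inside the transport (an HTTP Authorization header, or the Username and Password fields of the MQTT CONNECT packet) and are then checked against the configured credentials. The following added example, which is not Solace code, shows how those two carriers are decoded and how an "Internal"-type store would verify the result: a minimal RFC 7617 Basic header parser, an MQTT 3.1.1 CONNECT parser that enforces the rule that a Password flag requires a Username flag, and a salted-hash verify that runs in constant time whether or not the username exists. The store layout, the `build_mqtt_connect` helper and the sample credentials are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import struct


def parse_basic_authorization(header):
    """Decode an RFC 7617 'Basic' Authorization header into (username, password)."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "basic" or not b64:
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    user, sep, password = raw.partition(":")  # user-id must not contain ':'
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def _read_utf8_field(buf, pos):
    """MQTT UTF-8 encoded string: 2-byte big-endian length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated field")
    return buf[pos:pos + n], pos + n


def parse_mqtt_connect_credentials(packet):
    """Return (client_id, username, password) from an MQTT 3.1.1 CONNECT packet."""
    if packet[0] != 0x10:  # control packet type 1 (CONNECT), flags 0
        raise ValueError("not a CONNECT packet")
    pos, rem, mult = 1, 0, 1  # 'Remaining Length' is a variable-length integer
    while True:
        b = packet[pos]
        pos += 1
        rem += (b & 0x7F) * mult
        if not b & 0x80:
            break
        mult *= 128
        if mult > 128 ** 3:
            raise ValueError("malformed remaining length")
    if pos + rem != len(packet):
        raise ValueError("length mismatch")
    proto, pos = _read_utf8_field(packet, pos)
    if proto != b"MQTT" or packet[pos] != 4:
        raise ValueError("not MQTT 3.1.1")
    flags = packet[pos + 1]
    pos += 4  # protocol level, connect flags, keep-alive
    has_user, has_pass = bool(flags & 0x80), bool(flags & 0x40)
    if has_pass and not has_user:
        raise ValueError("MQTT 3.1.1 forbids a Password flag without a Username flag")
    client_id, pos = _read_utf8_field(packet, pos)
    if flags & 0x04:  # Will flag set: skip Will Topic and Will Message
        _, pos = _read_utf8_field(packet, pos)
        _, pos = _read_utf8_field(packet, pos)
    username = password = None
    if has_user:
        raw, pos = _read_utf8_field(packet, pos)
        username = raw.decode("utf-8")
    if has_pass:
        raw, pos = _read_utf8_field(packet, pos)
        password = raw.decode("utf-8")
    return client_id.decode("utf-8"), username, password


def build_mqtt_connect(client_id, username=None, password=None, keep_alive=60):
    """Constructed sample input: encode a clean-session MQTT 3.1.1 CONNECT packet."""
    def field(s):
        b = s.encode("utf-8")
        return struct.pack(">H", len(b)) + b
    flags, payload = 0x02, field(client_id)
    if username is not None:
        flags |= 0x80
        payload += field(username)
    if password is not None:
        flags |= 0x40
        payload += field(password)
    body = field("MQTT") + bytes([4, flags]) + struct.pack(">H", keep_alive) + payload
    rem, enc = len(body), b""
    while True:
        digit, rem = rem % 128, rem // 128
        enc += bytes([digit | 0x80 if rem else digit])
        if not rem:
            break
    return b"\x10" + enc + body


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_store(entries):
    """Assumed layout for an internal credential store: username -> salt, hash, enabled."""
    return {u: {"salt": s, "hash": _pbkdf2(p, s), "enabled": e}
            for u, p, e in entries for s in (os.urandom(16),)}


def verify_internal(store, username, password):
    rec = store.get(username)
    # Hash even for an unknown user so the response time does not reveal whether it exists.
    probe = _pbkdf2(password or "", rec["salt"] if rec else b"\0" * 16)
    return bool(rec and rec["enabled"] and hmac.compare_digest(probe, rec["hash"]))


if __name__ == "__main__":
    store = make_store([("app1", "s3cret", True)])  # constructed sample credentials
    _, u, p = parse_mqtt_connect_credentials(build_mqtt_connect("sensor-7", "app1", "s3cret"))
    print("mqtt:", verify_internal(store, u, p))
    u, p = parse_basic_authorization("Basic " + base64.b64encode(b"app1:s3cret").decode())
    print("rest:", verify_internal(store, u, p))
```

Both decoders return the same (username, password) pair, which is the point of the page's "mapped to a Solace client username and password" wording: the transport changes, the credential that reaches the VPN-level check does not. A client username that exists but is disabled fails exactly like a wrong password.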

Client Certificate Authentication

A client certificate authentication scheme allows a client to prove its identity to the Solace router by providing a valid X509v3 client certificate from a recognized Certificate Authority (CA).

For this authentication scheme, the common name (CN) of the certificate provided to the router is mapped to the client’s assigned client username, which can be used for subsequent client authorization.
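To make the CN-to-client-username mapping concrete, here is an added example (not Solace code) that extracts the common name from a DER-encoded X.501 Subject Name, the structure that carries the CN inside an X.509v3 certificate, and turns it into the client username. It assumes the certificate chain has already been validated against the trusted CA before the subject is consulted, and it refuses subjects with zero or more than one CN, since an ambiguous mapping is worse than no mapping. The `_enc` helper and `SAMPLE_SUBJECT` are constructed for the example.

```python
# Minimal DER reader for the X.501 Name structure:
#   Name ::= SEQUENCE OF RelativeDistinguishedName
#   RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
#   AttributeTypeAndValue ::= SEQUENCE { type OBJECT IDENTIFIER, value ANY }
CN_OID = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}  # UTF8String, PrintableString, IA5String


def _read_tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:end], end


def subject_common_names(der):
    """Return every CN attribute value found in a DER-encoded Name, in order."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a DER Name SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _read_tlv(body, pos)
        if tag != 0x31:
            raise ValueError("expected RDN SET")
        p = 0
        while p < len(rdn):
            tag, atv, p = _read_tlv(rdn, p)
            if tag != 0x30:
                raise ValueError("expected AttributeTypeAndValue SEQUENCE")
            t, oid, q = _read_tlv(atv, 0)
            if t != 0x06:
                raise ValueError("expected OID")
            t, value, _ = _read_tlv(atv, q)
            if oid == CN_OID:
                if t not in STRING_TAGS:
                    raise ValueError("unsupported CN string type 0x%02x" % t)
                names.append(value.decode(STRING_TAGS[t]))
    return names


def client_username_from_subject(der):
    """Map a verified certificate's subject to a client username: exactly one CN required."""
    cns = subject_common_names(der)
    if len(cns) != 1:
        raise ValueError("expected exactly one CN, found %d" % len(cns))
    return cns[0]


def _enc(tag, content):
    """Constructed-sample encoder (short-form lengths only, < 128 bytes)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def _atv(oid_hex, string_tag, text):
    return _enc(0x30, _enc(0x06, bytes.fromhex(oid_hex)) + _enc(string_tag, text.encode()))


# Constructed sample subject: C=CA, O=Example Corp, CN=app-client-01
SAMPLE_SUBJECT = _enc(0x30,
                      _enc(0x31, _atv("550406", 0x13, "CA")) +
                      _enc(0x31, _atv("55040A", 0x0C, "Example Corp")) +
                      _enc(0x31, _atv("550403", 0x0C, "app-client-01")))

if __name__ == "__main__":
    print(client_username_from_subject(SAMPLE_SUBJECT))
```

The resulting string is only the client username; whether that username exists, is enabled and what it may do is still decided by the Message VPN's client username configuration and authorization settings, exactly as for a password-authenticated client.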

Client certificate authentication is available for clients using Solace enterprise messaging APIs. It is also available for client applications using the OpenMAMA API, REST, or MQTT.

Note:  Solace VMRs do not support client certificate authentication for REST clients.

Related Provisioning and Configuration Information

To use client certificates to authenticate connecting clients, the following configuration is required for the following areas:

  • client configuration
    • For clients using Solace messaging APIs, secure sessions must be used to establish TLS/SSL-encrypted client connections to the Solace router. To create a secure session, the client must specify a client certificate authentication scheme together with a client certificate and a private key (depending on the API used, these may be separate files or be contained in a single keystore file).
    • For information on creating secure client sessions and setting session properties using Solace APIs, see Creating Client Sessions for Solace enterprise APIs or Establishing Connections for the Solace JMS API.

    • For OpenMAMA clients, client certificate authentication parameters are configured for the Solace Middleware Bridge that is used to establish a connection to the Solace router. For more information, see Configuring Solace OpenMAMA Bridges.
    • TLS/SSL authentication is supported for REST clients. For information, see Client Authentication.
    • TLS/SSL authentication is also supported for MQTT clients.
  • Solace router configuration
    • SolOS 6.1 or greater must be used.
    • Trusted root certificates must be loaded onto the Solace router. Client certificate authentication must be configured and enabled for any Message VPNs that the clients will connect to.
    • To enable the required secure client connections, TLS/SSL service must be configured and enabled.
      Note:

      • For REST and MQTT clients, some additional Message VPN configurations, such as enabling the appropriate listen ports, are required. For more information, see REST Overview and Using MQTT.
      • Client certificate authentication can also be used on Message VPN bridges, Message VPN replication bridges, and Replication Config-Sync bridges. For more information, see Managing TLS/SSL Service.

Kerberos Authentication

A Kerberos authentication scheme allows clients that have been granted a valid Kerberos ticket to connect to a Solace router.

Kerberos authentication is only available for clients using Solace enterprise messaging APIs or the OpenMAMA API.

When a Kerberos authentication scheme is used for client authentication, a client must first authenticate with a Kerberos Authentication Server (AS) which grants the client a Ticket Granting Ticket (TGT) for a specified Kerberos User Principal. The TGT is typically obtained as part of a Single Sign-on procedure, such as logging into a Windows domain. With a valid TGT, a client can attempt to log onto a router using a service ticket that is in the client’s local ticket cache or has been obtained from the Ticket Granting Service (TGS). The AS and TGS (components of a Key Distribution Center (KDC)) are hosted on an external server or servers—not on a Solace router.

The client then provides this time-stamped "Kerberos" ticket to the Solace router. If the ticket is successfully validated, the client’s connection to the Message VPN is granted.

For this authentication scheme, the client’s assigned client username, which is used for subsequent client authorization, is the user principal name in the ticket provided to the router.

Related Provisioning and Configuration Information

To use Kerberos to authenticate clients connecting to a Solace router, the following configurations are required:

  • client-side configuration
    • For clients using Solace messaging APIs, the appropriate Java distribution must be used or the appropriate Kerberos libraries must be installed for the Solace messaging API used, and the client session must use a Kerberos authentication scheme.
    • For information on setting a Kerberos authentication scheme using Solace APIs, see Creating Client Sessions for Solace enterprise APIs or Establishing Connections for the Solace JMS API. For information on development requirements for building Kerberos-compatible applications, see Quick Start for Solace enterprise APIs or Establishing Connections for the Solace JMS API.

    • For OpenMAMA clients, Kerberos authentication parameters are configured for the Solace Middleware Bridge used to establish a connection to the Solace router. For more information, see Configuring Solace OpenMAMA Bridges.
  • Solace router configuration
    • SolOS 7.0 or greater must be used.
    • A Kerberos Keytab must be loaded on the router.
    • Kerberos authentication must be configured and enabled for any Message VPNs that Kerberos-authenticated clients will connect to.
    • Optionally, a Kerberos Service Principal Name (SPN) can be assigned to the IP address for the message backbone VRF that will be used for Kerberos‑authenticated clients. For information, see Configuring Kerberos Authentication.