Configuring Cipher Suites for Inbound Connections

By default, Solace PubSub+ event brokers support several prioritized lists of cipher suites for incoming TLS/SSL connections. When a client or management application connects to the event broker, the client's list of preferred suites is compared against the list the event broker maintains, and the first suite in the client's list that also appears in the event broker's list is used to continue the connection.

Solace PubSub+ event brokers support a different prioritized list for each of the following connection types:

  • Network management applications using SEMP to manage the event broker (management connections)
  • Client applications connecting to the event broker to publish or receive messages (message backbone connections)
  • SSH connections

You can modify each list by removing or reordering the cipher suites it contains, or by clearing the list entirely.

Modifying a list of eligible cipher suites has no effect on clients that are already connected; however, clients whose cipher suite is no longer eligible are prevented from reconnecting.

For the full list of cipher suites event brokers support, see Supported Cipher Suites.

  • Upon upgrade, any cipher suites that the event broker no longer supports are removed from all cipher suite lists (including lists that you have previously modified). In addition, any new cipher suites that the event broker supports are added to all unmodified cipher suite lists.
  • Cipher suite configuration is not synchronized across replication links. Therefore, if the event broker is used in a replicated site, you must manually configure these properties on each replicated Message VPN.

Configuring Cipher Suites for Management Connections

The event broker uses the same cipher suite list for both inbound connections from network management applications and outbound connections to LDAP servers. Be aware that any change to this list affects both connection types.

To configure eligible cipher suites for management connections:

solace# configure
solace(configure)# ssl
solace(configure/ssl)# cipher-suite management name <suite-name>

Where:

<suite-name> is the name of a supported cipher suite you want to add to the list of eligible suites for management and LDAP connections.

The no version of this command, no cipher-suite management name <suite-name>, removes the cipher suite from the list.

Removing all cipher suites from this list for longer than 20 seconds can cause Kubernetes-based event brokers (primary and backup) to repeatedly reboot until you add a valid suite to the list.

Configuring Cipher Suites for Message Backbone Connections

You can configure eligible cipher suites for client applications that publish and receive messages. These connections, regardless of protocol, are referred to as message backbone connections.

To configure eligible cipher suites for message backbone connections:

solace# configure
solace(configure)# ssl
solace(configure/ssl)# cipher-suite msg-backbone name <suite-name>

Where:

<suite-name> is the name of a supported cipher suite you want to add to the list of eligible suites for message backbone connections.

The no version of this command, no cipher-suite msg-backbone name <suite-name>, removes the cipher suite from the list.

Configuring Ciphers for SSH Connections

The list of supported ciphers for SSH connections is different from the list of cipher suites for management or message backbone connections: TLS/SSL cipher suites cannot be added to the SSH cipher list, and SSH ciphers cannot be added to the cipher suite lists. For the full list of ciphers event brokers support for SSH connections, see Supported Ciphers.

To configure eligible ciphers for SSH connections:

solace# configure
solace(configure)# ssl
solace(configure/ssl)# cipher-suite ssh name <cipher-name>

Where:

<cipher-name> is the name of a supported cipher that you want to add to the list of eligible ciphers for SSH connections.

The no version of this command, no cipher-suite ssh name <cipher-name>, removes the cipher from the list.

Reordering Cipher and Cipher Suite Lists

All cipher suite lists event brokers maintain are prioritized from top (highest) to bottom (lowest). Although client and management applications determine the priority of cipher suites used for inbound TLS/SSL and SSH connections, you can reorder each list to modify the priority the event broker associates with each cipher suite. In addition, any change to the priority in the management cipher suite list applies to outbound LDAP connections.

To reorder a cipher suite list:

solace# configure
solace(configure)# ssl
solace(configure/ssl)# cipher-suite {management | msg-backbone | ssh} name <suite-name> [{before | after} <suite-name>]

Where:

management specifies the cipher suite list the event broker uses for inbound management and outbound LDAP connections.

msg-backbone specifies the cipher suite list the event broker uses for message backbone connections.

ssh specifies the cipher list the event broker uses for SSH connections.

name <suite-name> is the name of a supported cipher suite you want to insert before or after an existing suite in the list.

before <suite-name> inserts the suite given by the name parameter immediately before the suite given by the before parameter.

after <suite-name> inserts the suite given by the name parameter immediately after the suite given by the after parameter.

If you do not specify a position, the cipher suite is added to the end of the list (and given the lowest priority).

Clearing Cipher and Cipher Suite Lists

To clear a cipher or cipher suite list:

solace# configure
solace(configure)# ssl
solace(configure/ssl)# cipher-suite {management | msg-backbone | ssh} empty

Where:

management specifies the cipher suite list the event broker uses for inbound management and outbound LDAP connections.

msg-backbone specifies the cipher suite list the event broker uses for message backbone connections.

ssh specifies the cipher list the event broker uses for SSH connections.

An empty cipher or cipher suite list prevents clients or management applications from initiating a connection.

Resetting Cipher and Cipher Suite Lists

To return a cipher or cipher suite list to the default:

solace# configure
solace(configure)# ssl
solace(configure/ssl)# cipher-suite {management | msg-backbone | ssh} default

Where:

management specifies the cipher suite list the event broker uses for inbound management and outbound LDAP connections.

msg-backbone specifies the cipher suite list the event broker uses for message backbone connections.

ssh specifies the cipher list the event broker uses for SSH connections.
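The following is an added example, not Solace code: a small model of one prioritized cipher suite list with the name/before/after, no, empty and default operations described above, plus the negotiation rule stated at the top of this page (the first suite in the client's preference order that the broker also lists wins). The suite names are constructed placeholders, not the event broker's actual supported list, and the assumption that naming a suite already in the list moves it to the new position is the modelled reading of "reordering".

```python
# Added example (not Solace code): models the prioritized cipher suite list and
# the negotiation rule described on this page. Suite names are placeholders.
DEFAULT_SUITES = ["SUITE_A", "SUITE_B", "SUITE_C", "SUITE_D"]  # constructed default


class CipherSuiteList:
    """One prioritized list (top = highest priority), e.g. msg-backbone."""

    def __init__(self, default=DEFAULT_SUITES):
        self._default = list(default)
        self.suites = list(default)

    def add(self, name, before=None, after=None):
        """'cipher-suite <list> name <name> [before|after <suite>]'.
        Without a position the suite goes to the end (lowest priority).
        Assumption: naming a suite already in the list moves it (reorder)."""
        if name in self.suites:
            self.suites.remove(name)
        if before is not None:
            self.suites.insert(self.suites.index(before), name)
        elif after is not None:
            self.suites.insert(self.suites.index(after) + 1, name)
        else:
            self.suites.append(name)

    def remove(self, name):
        """'no cipher-suite <list> name <name>'."""
        self.suites.remove(name)

    def empty(self):
        """'cipher-suite <list> empty': no client can initiate a connection."""
        self.suites.clear()

    def default(self):
        """'cipher-suite <list> default': restore the default list."""
        self.suites = list(self._default)

    def negotiate(self, client_preference):
        """First suite in the CLIENT's preference order that the broker lists,
        or None when no suite is shared (the connection is refused)."""
        return next((s for s in client_preference if s in self.suites), None)


def demo():
    backbone = CipherSuiteList()
    client = ["SUITE_C", "SUITE_A"]           # constructed client preference order
    first = backbone.negotiate(client)        # client order decides: SUITE_C
    backbone.add("SUITE_C", after="SUITE_D")  # broker reorder only: still SUITE_C
    still = backbone.negotiate(client)
    backbone.remove("SUITE_C")                # existing session unaffected (page);
    reconnect = backbone.negotiate(client)    # a reconnect now negotiates SUITE_A
    backbone.empty()
    refused = backbone.negotiate(client)      # None: nobody can connect
    backbone.default()
    return first, still, reconnect, refused, backbone.suites
```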