Configuring Server Certificate Validation Settings
You can configure server certificate validation settings to make certificate validation more secure or less secure. These settings are used for validating the server certificate that is passed from a remote event broker to the local event broker during a TLS/SSL handshake.
Certificate validation settings can be specified for Message VPN bridges and replication Config-Sync bridges.
You can make the following certificate validation configurations:
- Enabling Server Name Validation
- Configuring Maximum Certificate Chain Depths
- Enabling Certificate Date Validation
When you make a change to the server certificate validation settings for Message VPN bridges, the PubSub+ broker automatically disconnects and then reconnects all TLS-enabled bridges in the Message VPN to enable the change.
For information on setting a client certificate for Message VPN bridges, refer to Configuring Client Certificate Authentication.
Enabling Server Name Validation
You can enable or disable the TLS authentication mechanism to verify the name used to connect to the remote broker. If enabled, the Server Name Indication (SNI) extension is sent on outgoing TLS connections and the server name used for that connection is verified against the server names in the Subject Alternative Name (SAN) extension in the certificate returned from the remote broker.
This parameter is enabled by default.
Message VPN Bridges
To enable the validation of server names for Message VPN bridges, enter the following commands:
solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn)# bridging ssl server-certificate-validation
solace(...ing/ssl/server-certificate-validation)# validate-server-name
Replication Config-Sync Bridges
To enable the validation of server names for replication Config-Sync bridges, enter the following commands:
solace(configure)# replication
solace(configure/replication)# config-sync bridge ssl-server-certificate-validation
solace(...dge/ssl-server-certificate-validation)# validate-server-name
The no version of these commands, no validate-server-name, disables the validation of server names.
Configuring Maximum Certificate Chain Depths
The depth of a certificate chain is the number of signing CA certificates that are present in the chain back to a trusted self-signed root CA certificate. Setting a maximum certificate chain depth means that bridge connections will reject any certificate chain whose depth exceeds the configured maximum.
Message VPN Bridges
To configure the maximum certificate chain depth for Message VPN bridges, enter the following commands:
solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn)# bridging ssl server-certificate-validation
solace(...ing/ssl/server-certificate-validation)# max-certificate-chain-depth <max-depth>
Where:
<max-depth> is a number from 0 to 8 specifying the maximum number of signing CA certificates that may be present in the certificate chain. The default value is 3.
Replication Config-Sync Bridges
To configure the maximum certificate chain depth for replication Config-Sync bridges, enter the following commands:
solace(configure)# replication
solace(configure/replication)# config-sync bridge ssl-server-certificate-validation
solace(...dge/ssl-server-certificate-validation)# max-certificate-chain-depth <max-depth>
Where:
<max-depth> is a number from 0 to 8 specifying the maximum number of signing CA certificates that may be present in the certificate chain. The default value is 3.
The no version of these commands, no max-certificate-chain-depth, resets this parameter to its default value.
Enabling Certificate Date Validation
Certificates may specify "not before" and "not after" dates to provide a time range for which they will be valid. This setting will enable or disable the validation of these dates. If this check is disabled, the bridge will accept a certificate even if the valid date range provided in the certificate is not fulfilled.
By default, validation of certificate dates is enabled.
Message VPN Bridges
To enable validation of certificate dates for Message VPN bridges, enter the following commands:
solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn)# bridging ssl server-certificate-validation
solace(...ing/ssl/server-certificate-validation)# validate-certificate-date
Replication Config-Sync Bridges
To enable validation of certificate dates for replication Config-Sync bridges, enter the following commands:
solace(configure)# replication
solace(configure/replication)# config-sync bridge ssl-server-certificate-validation
solace(...dge/ssl-server-certificate-validation)# validate-certificate-date
The no version of these commands, no validate-certificate-date, disables validation of the certificate dates.