Understanding Solace PubSub+ Credentials
This topic describes the credentials of a Solace PubSub+ service instance.
About Credentials
Credentials are required so an app can gain access to a Solace PubSub+ service instance.
- Credentials created by a binding are accessible in the VCAP_SERVICES environment variable of a VMware Tanzu deployed app.
- Credentials created by a service key are the responsibility of a developer to pass to an app.
For examples of different ways that developers can configure their apps to consume the credentials from VCAP_SERVICES or service keys, see the sample app GitHub repository.
Example VCAP_SERVICES Environment Variable
The VCAP_SERVICES environment variable is a JSON document and follows the format of the example below:
{
"VCAP_SERVICES": {
"solace-pubsub": [
{
"credentials": {
"clientPassword": "6747475d-8bbf-4caf-94f5-c77abb871824",
"clientUsername": "v001.cu000193",
"activeManagementHostname": "enterprise-large-ha-6173282c.sys.YOUR-DOMAIN.com",
"amqpTlsUris": [
"amqps://192.168.101.18:7058",
"amqps://192.168.101.17:7058"
],
"amqpUris": [
"amqp://192.168.101.18:7057",
"amqp://192.168.101.17:7057"
],
"jmsJndiTlsUris": [
"smfs://192.168.101.18:7004",
"smfs://192.168.101.17:7004"
],
"jmsJndiUris": [
"smf://192.168.101.18:7001",
"smf://192.168.101.17:7001"
],
"managementHostnames": [
"enterprise-large-ha-1.sys.YOUR-DOMAIN.com",
"enterprise-large-ha-0.sys.YOUR-DOMAIN.com"
],
"managementPassword": "5c21f2857c504d3ca70de97d1aec47d7",
"managementUsername": "v001-mgmt",
"mqttTlsUris": [
"ssl://192.168.101.18:7054",
"ssl://192.168.101.17:7054"
],
"mqttUris": [
"tcp://192.168.101.18:7053",
"tcp://192.168.101.17:7053"
],
"mqttWsUris": [
"ws://192.168.101.18:7055",
"ws://192.168.101.17:7055"
],
"mqttWssUris": [
"wss://192.168.101.18:7056",
"wss://192.168.101.17:7056"
],
"msgVpnName": "v001",
"publicAmqpTlsUris": [
"amqps://tcp.YOUR-DOMAIN.com:21309",
"amqps://tcp.YOUR-DOMAIN.com:64229"
],
"publicAmqpUris": [
"amqp://tcp.YOUR-DOMAIN.com:21707",
"amqp://tcp.YOUR-DOMAIN.com:38473"
],
"publicHealthCheckUris": [
"http://tcp.YOUR-DOMAIN.com:12884",
"http://tcp.YOUR-DOMAIN.com:55321"
],
"publicJmsJndiTlsUris": [
"smfs://tcp.YOUR-DOMAIN.com:14671",
"smfs://tcp.YOUR-DOMAIN.com:38876"
],
"publicJmsJndiUris": [
"smf://tcp.YOUR-DOMAIN.com:8583",
"smf://tcp.YOUR-DOMAIN.com:27009"
],
"publicMqttTlsUris": [
"ssl://tcp.YOUR-DOMAIN.com:44741",
"ssl://tcp.YOUR-DOMAIN.com:15848"
],
"publicMqttUris": [
"tcp://tcp.YOUR-DOMAIN.com:57457",
"tcp://tcp.YOUR-DOMAIN.com:63347"
],
"publicMqttWsUris": [
"ws://tcp.YOUR-DOMAIN.com:13383",
"ws://tcp.YOUR-DOMAIN.com:46330"
],
"publicMqttWssUris": [
"wss://tcp.YOUR-DOMAIN.com:58867",
"wss://tcp.YOUR-DOMAIN.com:36417"
],
"publicRestTlsUris": [
"https://tcp.YOUR-DOMAIN.com:42924",
"https://tcp.YOUR-DOMAIN.com:5837"
],
"publicRestUris": [
"http://tcp.YOUR-DOMAIN.com:48664",
"http://tcp.YOUR-DOMAIN.com:51028"
],
"publicSmfHosts": [
"tcp://tcp.YOUR-DOMAIN.com:8583",
"tcp://tcp.YOUR-DOMAIN.com:27009"
],
"publicSmfTlsHosts": [
"tcps://tcp.YOUR-DOMAIN.com:14671",
"tcps://tcp.YOUR-DOMAIN.com:38876"
],
"publicSmfZipHosts": [
"tcp://tcp.YOUR-DOMAIN.com:10423",
"tcp://tcp.YOUR-DOMAIN.com:51586"
],
"publicWebMessagingTlsUris": [
"https://tcp.YOUR-DOMAIN.com:29971",
"https://tcp.YOUR-DOMAIN.com:30320"
],
"publicWebMessagingUris": [
"http://tcp.YOUR-DOMAIN.com:29557",
"http://tcp.YOUR-DOMAIN.com:7645"
],
"restTlsUris": [
"https://192.168.101.18:7052",
"https://192.168.101.17:7052"
],
"restUris": [
"http://192.168.101.18:7051",
"http://192.168.101.17:7051"
],
"smfHosts": [
"tcp://192.168.101.18:7001",
"tcp://192.168.101.17:7001"
],
"smfTlsHosts": [
"tcps://192.168.101.18:7004",
"tcps://192.168.101.17:7004"
],
"smfZipHosts": [
"tcp://192.168.101.18:7002",
"tcp://192.168.101.17:7002"
],
"webMessagingTlsUris": [
"https://192.168.101.18:7006",
"https://192.168.101.17:7006"
],
"webMessagingUris": [
"http://192.168.101.18:7005",
"http://192.168.101.17:7005"
],
"externalRestUris": [
"http://enterprise-medium-ha-1-rest-v001.sys.YOUR_DOMAIN.com:80",
"http://enterprise-medium-ha-0-rest-v001.sys.YOUR_DOMAIN.com:80"
],
"externalRestTlsUris": [
"https://enterprise-medium-ha-1-rest-v001.sys.YOUR_DOMAIN.com:443",
"https://enterprise-medium-ha-0-rest-v001.sys.YOUR_DOMAIN.com:443"
]
},
"label": "solace-pubsub",
"name": "web-backend",
"plan": "enterprise-large-ha",
"provider": null,
"syslog_drain_url": null,
"tags": [
"solace",
"solace-pubsub",
"rest",
"mqtt",
"mq",
"queue",
"event-streaming",
"amqp",
"jms",
"messaging",
"publish-subscribe",
"message-queuing",
"request-reply"
],
"volume_mounts": []
}
]
}
}
If the environment variable VCAP_SERVICES contains more than one service binding, you must search for the Solace PubSub+ service instance. You can search for the service instance statically by looking up a pre-defined name attribute or dynamically through the tags or label properties. See the Solace sample app for more information about achieving this.
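The lookup described above, as an added example (not code from the Solace sample app). The function names, the second `p-mysql` binding and the password value are constructed for illustration; `redacted` is an extra helper for logging the result without exposing the password fields.

```python
import json

# Constructed sample: two bindings, only one of them Solace PubSub+.
SAMPLE_VCAP_SERVICES = json.dumps({
    "p-mysql": [{"name": "orders-db", "label": "p-mysql", "tags": ["mysql"],
                 "credentials": {"uri": "mysql://db.example.internal:3306/orders"}}],
    "solace-pubsub": [{"name": "web-backend", "label": "solace-pubsub",
                       "tags": ["solace", "solace-pubsub", "mqtt"],
                       "credentials": {"clientUsername": "v001.cu000193",
                                       "clientPassword": "constructed-secret",
                                       "msgVpnName": "v001"}}],
})


def find_solace_binding(vcap_json, name=None, label="solace-pubsub",
                        tag="solace-pubsub"):
    """Return the one binding that matches.

    With name set, do the static lookup on the binding's name attribute;
    otherwise match dynamically on label or tags.
    """
    services = json.loads(vcap_json)
    # The page's example nests everything under a "VCAP_SERVICES" key;
    # accept that shape as well as the bare service map.
    services = services.get("VCAP_SERVICES", services)
    bindings = [b for group in services.values() for b in group]
    if name is not None:
        matches = [b for b in bindings if b.get("name") == name]
    else:
        matches = [b for b in bindings
                   if b.get("label") == label or tag in b.get("tags", [])]
    if not matches:
        raise LookupError("no matching service binding in VCAP_SERVICES")
    if len(matches) > 1:
        names = sorted(b.get("name", "?") for b in matches)
        raise LookupError(f"ambiguous bindings {names}; select one by name")
    return matches[0]


def redacted(credentials):
    """Copy of the credentials that is safe to log: password fields masked."""
    return {k: "***" if k.lower().endswith("password") else v
            for k, v in credentials.items()}
```

In a deployed app, pass `os.environ["VCAP_SERVICES"]` as `vcap_json`.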
Example Service Key Credentials
The credentials of a service key are a JSON document in the same format as the “credentials” portion of VCAP_SERVICES.
The following credentials are those of a service key created for the same service instance as the one used for the VCAP_SERVICES example.
{
"clientPassword": "89876776-124h-2caf-24x4-ef86g4577584",
"clientUsername": "v001.cu000188",
"activeManagementHostname": "enterprise-large-ha-6173282c.sys.YOUR-DOMAIN.com",
"amqpTlsUris": [
"amqps://192.168.101.18:7058",
"amqps://192.168.101.17:7058"
],
"amqpUris": [
"amqp://192.168.101.18:7057",
"amqp://192.168.101.17:7057"
],
"jmsJndiTlsUris": [
"smfs://192.168.101.18:7004",
"smfs://192.168.101.17:7004"
],
"jmsJndiUris": [
"smf://192.168.101.18:7001",
"smf://192.168.101.17:7001"
],
"managementHostnames": [
"enterprise-large-ha-1.sys.YOUR-DOMAIN.com",
"enterprise-large-ha-0.sys.YOUR-DOMAIN.com"
],
"managementPassword": "5c21f2857c504d3ca70de97d1aec47d7",
"managementUsername": "v001-mgmt",
"mqttTlsUris": [
"ssl://192.168.101.18:7054",
"ssl://192.168.101.17:7054"
],
"mqttUris": [
"tcp://192.168.101.18:7053",
"tcp://192.168.101.17:7053"
],
"mqttWsUris": [
"ws://192.168.101.18:7055",
"ws://192.168.101.17:7055"
],
"mqttWssUris": [
"wss://192.168.101.18:7056",
"wss://192.168.101.17:7056"
],
"msgVpnName": "v001",
"publicAmqpTlsUris": [
"amqps://tcp.YOUR-DOMAIN.com:21309",
"amqps://tcp.YOUR-DOMAIN.com:64229"
],
"publicAmqpUris": [
"amqp://tcp.YOUR-DOMAIN.com:21707",
"amqp://tcp.YOUR-DOMAIN.com:38473"
],
"publicHealthCheckUris": [
"http://tcp.YOUR-DOMAIN.com:12884",
"http://tcp.YOUR-DOMAIN.com:55321"
],
"publicJmsJndiTlsUris": [
"smfs://tcp.YOUR-DOMAIN.com:14671",
"smfs://tcp.YOUR-DOMAIN.com:38876"
],
"publicJmsJndiUris": [
"smf://tcp.YOUR-DOMAIN.com:8583",
"smf://tcp.YOUR-DOMAIN.com:27009"
],
"publicMqttTlsUris": [
"ssl://tcp.YOUR-DOMAIN.com:44741",
"ssl://tcp.YOUR-DOMAIN.com:15848"
],
"publicMqttUris": [
"tcp://tcp.YOUR-DOMAIN.com:57457",
"tcp://tcp.YOUR-DOMAIN.com:63347"
],
"publicMqttWsUris": [
"ws://tcp.YOUR-DOMAIN.com:13383",
"ws://tcp.YOUR-DOMAIN.com:46330"
],
"publicMqttWssUris": [
"wss://tcp.YOUR-DOMAIN.com:58867",
"wss://tcp.YOUR-DOMAIN.com:36417"
],
"publicRestTlsUris": [
"https://tcp.YOUR-DOMAIN.com:42924",
"https://tcp.YOUR-DOMAIN.com:5837"
],
"publicRestUris": [
"http://tcp.YOUR-DOMAIN.com:48664",
"http://tcp.YOUR-DOMAIN.com:51028"
],
"publicSmfHosts": [
"tcp://tcp.YOUR-DOMAIN.com:8583",
"tcp://tcp.YOUR-DOMAIN.com:27009"
],
"publicSmfTlsHosts": [
"tcps://tcp.YOUR-DOMAIN.com:14671",
"tcps://tcp.YOUR-DOMAIN.com:38876"
],
"publicSmfZipHosts": [
"tcp://tcp.YOUR-DOMAIN.com:10423",
"tcp://tcp.YOUR-DOMAIN.com:51586"
],
"publicWebMessagingTlsUris": [
"https://tcp.YOUR-DOMAIN.com:29971",
"https://tcp.YOUR-DOMAIN.com:30320"
],
"publicWebMessagingUris": [
"http://tcp.YOUR-DOMAIN.com:29557",
"http://tcp.YOUR-DOMAIN.com:7645"
],
"restTlsUris": [
"https://192.168.101.18:7052",
"https://192.168.101.17:7052"
],
"restUris": [
"http://192.168.101.18:7051",
"http://192.168.101.17:7051"
],
"smfHosts": [
"tcp://192.168.101.18:7001",
"tcp://192.168.101.17:7001"
],
"smfTlsHosts": [
"tcps://192.168.101.18:7004",
"tcps://192.168.101.17:7004"
],
"smfZipHosts": [
"tcp://192.168.101.18:7002",
"tcp://192.168.101.17:7002"
],
"webMessagingTlsUris": [
"https://192.168.101.18:7006",
"https://192.168.101.17:7006"
],
"webMessagingUris": [
"http://192.168.101.18:7005",
"http://192.168.101.17:7005"
],
"externalRestUris": [
"http://enterprise-medium-ha-1-rest-v001.sys.YOUR_DOMAIN.com:80",
"http://enterprise-medium-ha-0-rest-v001.sys.YOUR_DOMAIN.com:80"
],
"externalRestTlsUris": [
"https://enterprise-medium-ha-1-rest-v001.sys.YOUR_DOMAIN.com:443",
"https://enterprise-medium-ha-0-rest-v001.sys.YOUR_DOMAIN.com:443"
]
}
Note: All service-scoped fields are the same; only the app-scoped fields, clientUsername and clientPassword, differ. In this example, two collaborating apps access the same service instance: one app is in VMware Tanzu using VCAP_SERVICES, and the other is outside Cloud Foundry using a service key.
Credentials Contents
The availability of some of the Credentials fields and their contents will depend on the enabled or disabled features of the Solace tile at installation time as well as the plan type of the service instance.
If a Solace PubSub+ service instance was created using the enterprise-medium-ha or enterprise-large-ha service plan, it will be highly available. In these cases there will be two separate service URIs for each of the available transports as shown in the example above. Connecting apps use both of these URIs by reconnecting to the other if one of them becomes unavailable. This is known as the host list HA failover mechanism. For more information, see the Solace documentation.
If a Solace PubSub+ service instance was created using the enterprise-shared, enterprise-large, standard-medium, or standard-large service plan, it will not be highly available. In these cases, there will only be one URI for each of the supported transports.
When LDAP is enabled and Application Access is set to LDAP Server, clientUsername and clientPassword are not available. The tile installation has taken care of creating an LDAP profile and setting it as the auth-type for each Message VPN. However, an administrator with Management Access must create the necessary LDAP Groups on the Solace PubSub+ Event Broker for each Message VPN using SEMP or SolAdmin in order to grant the necessary access to the app. For more information, see Configuring Client LDAP Authorization.
When TCP routes are enabled, additional public fields provide the connectivity details for that messaging protocol so it may be used from an external network source, such as the Internet.
Credentials Fields
Field | Applies to messaging protocol | Description |
---|---|---|
clientUsername | All except management (SEMP) | The client username used to access the messaging services. Not available if Application Access is set to LDAP Server |
clientPassword | All except management (SEMP) | The client password used to access the messaging services. Not available if Application Access is set to LDAP Server |
msgVpnName | JMS, SMF, and webMessaging | The name of the VPN allocated to the app |
amqpUris | AMQP | The AMQP service URIs |
amqpTlsUris | AMQP | The AMQP service TLS URIs |
jmsJndiUris | JMS | The JNDI provider URLs: InitialContext.PROVIDER_URL |
jmsJndiTlsUris | JMS | The JNDI provider URLs: InitialContext.PROVIDER_URL |
mqttUris | MQTT | The MQTT service URIs |
mqttTlsUris | MQTT | The MQTT service TLS URIs |
mqttWsUris | MQTT | The MQTT WebSocket URIs |
mqttWssUris | MQTT | The MQTT WebSocket TLS URIs |
restUris | REST | The REST endpoints base URIs |
restTlsUris | REST | The REST TLS endpoints base URIs |
smfHosts | SMF | The SMF HOST Session Property |
smfTlsHosts | SMF | The SMF TLS HOST Session Property |
smfZipHosts | SMF | The compressed SMF HOST Session Property |
webMessagingUris | Web Messaging | The URLs used to connect the session (solclientjs), or the HOST Session Property (CCSMP, .NET API, and JAVA RTO) |
webMessagingTlsUris | Web Messaging | The HTTPS URLs used to connect the session (solclientjs), or the HOST Session Property (CCSMP, .NET API, and JAVA RTO) |
externalRestUris | REST | The HTTP routes on the Tanzu Application Services (TAS) HTTP router used for REST messaging. Available when REST HTTP Routes are enabled. |
externalRestTlsUris | REST | The HTTPS routes on the Tanzu Application Services (TAS) HTTP router used for REST messaging. Available when REST HTTP Routes are enabled. Note: these routes will use the server certificate of the TAS tile’s system domain, not the server certificate configured under the Solace PubSub+ tile. |
publicAmqpUris | AMQP | The AMQP service URIs. Available when TCP Routes is enabled |
publicAmqpTlsUris | AMQP | The AMQP service TLS URIs. Available when TCP Routes is enabled |
publicJmsJndiUris | JMS | The JNDI provider URLs: InitialContext.PROVIDER_URL. Available when TCP Routes is enabled |
publicJmsJndiTlsUris | JMS | The JNDI provider URLs: InitialContext.PROVIDER_URL. Available when TCP Routes is enabled |
publicMqttUris | MQTT | The MQTT service URIs. Available when TCP Routes is enabled |
publicMqttTlsUris | MQTT | The MQTT service TLS URIs. Available when TCP Routes is enabled |
publicMqttWsUris | MQTT | The MQTT WebSocket URIs. Available when TCP Routes is enabled |
publicMqttWssUris | MQTT | The MQTT WebSocket TLS URIs. Available when TCP Routes is enabled |
publicRestUris | REST | The REST endpoints base URIs. Available when TCP Routes is enabled |
publicRestTlsUris | REST | The REST TLS endpoints base URIs. Available when TCP Routes is enabled |
publicSmfHosts | SMF | The SMF HOST Session Property. Available when TCP Routes is enabled |
publicSmfTlsHosts | SMF | The SMF TLS HOST Session Property. Available when TCP Routes is enabled |
publicSmfZipHosts | SMF | The compressed SMF HOST Session Property. Available when TCP Routes is enabled |
publicWebMessagingUris | Web Messaging | The URLs used to connect the session (solclientjs), or the HOST Session Property (CCSMP, .NET API, and JAVA RTO). Available when TCP Routes is enabled |
publicWebMessagingTlsUris | Web Messaging | The HTTPS URLs used to connect the session (solclientjs), or the HOST Session Property (CCSMP, .NET API, and JAVA RTO). Available when TCP Routes is enabled |
publicHealthCheckUris | Health Check | The Health Check URIs that can be used for load balancing from external services. Available when TCP Routes is enabled. |
managementHostnames | Management (SEMP) | The DNS hostnames associated with the service instance’s management service. These are FQDNs on standard ports for HTTP (80) and HTTPS (443) that can be used by management apps external to VMware Tanzu, for example SolAdmin, to connect to the Solace PubSub+ Event Broker associated with the service instance. |
activeManagementHostname | Management (SEMP) | A DNS hostname associated with the active service instance’s management service. This is applicable for enterprise-medium-ha or enterprise-large-ha service plans. The ‘activeManagementHostname’ will be the same as ‘managementHostnames’ for non-HA plans. This FQDN on standard ports for HTTP (80) and HTTPS (443) can be used by management apps external to VMware Tanzu, for example SolAdmin, to connect to the Solace PubSub+ Event Broker associated with the service instance |
managementPassword | Management (SEMP) | The VPN’s administrative password. Not available if Management Access is set to LDAP Server |
managementUsername | Management (SEMP) | The VPN’s administrative username. Not available if Management Access is set to LDAP Server |
Messaging Protocols
The table above matches each field to the messaging protocol it uses. The Solace PubSub+ service supports the following messaging protocols:
- Java Messaging Service (JMS): See the Oracle documentation for more information.
- MQTT: See the MQTT documentation for more information.
- AMQP: See the AMQP documentation for more information.
- Solace Message Format (SMF): See the [SMF](https://docs.solace.com/API/Component-Maps.htm) and Solace PubSub+ API documentation for more information.
- Web Messaging: See the Solace Web Messaging Concepts documentation for more information.
- REST: See the Solace REST PubSub+ documentation for more information.
Note: The app needs to provide the Message VPN when using the SMF, JMS, or Web Messaging protocols. As a result, the app needs to read the msgVpnName field when using those protocols.
Each protocol can have multiple possible underlying transports. The field’s prefix specifies the protocol, while the infix specifies the transport underlying the protocol. For example, "mqttUris": ["tcp://192.168.132.14:7026"] specifies the MQTT protocol over TCP.
The app only needs one Hosts or Uris field to connect to the Message VPN, but which one it needs depends on the required protocol and transport combination.
The following list provides the available infixes:
- Tls: TLS-encrypted
- Ws: WebSocket
- Wss: TLS-encrypted WebSocket
- Zip: Compressed SMF (SMF with compression enabled)
For example, an app that uses JMS over plain text must read the following fields:
- clientUsername
- clientPassword
- msgVpnName
- jmsJndiUris
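The prefix/infix naming described above, turned into a field resolver as an added example (not Solace's own code). The function name, the `allow_plaintext` switch and the sample values are constructed. Refusing the non-TLS infixes by default is a policy choice of this example, and treating `Zip` as unencrypted is an assumption based on the page listing it separately from `Tls`.

```python
# Suffix used by each protocol prefix in the credentials field names.
SUFFIX = {"amqp": "Uris", "jmsJndi": "Uris", "mqtt": "Uris", "rest": "Uris",
          "smf": "Hosts", "webMessaging": "Uris"}
NEEDS_VPN = {"jmsJndi", "smf", "webMessaging"}  # JMS, SMF, Web Messaging
ENCRYPTED = {"Tls", "Wss"}
UNENCRYPTED = {"", "Ws", "Zip"}  # "" is the plain transport (no infix)

# Constructed sample, shaped like the HA example on this page.
SAMPLE_CREDS = {
    "clientUsername": "v001.cu000193", "clientPassword": "constructed-secret",
    "msgVpnName": "v001",
    "jmsJndiUris": ["smf://192.168.101.18:7001", "smf://192.168.101.17:7001"],
    "smfTlsHosts": ["tcps://192.168.101.18:7004", "tcps://192.168.101.17:7004"],
    "publicMqttTlsUris": ["ssl://tcp.YOUR-DOMAIN.com:44741",
                          "ssl://tcp.YOUR-DOMAIN.com:15848"],
}


def connection_settings(creds, protocol, infix="Tls", public=False,
                        allow_plaintext=False):
    """Resolve the one Hosts/Uris field for a protocol and transport."""
    if protocol not in SUFFIX or infix not in ENCRYPTED | UNENCRYPTED:
        raise ValueError(f"unknown protocol/infix: {protocol!r}/{infix!r}")
    if infix in UNENCRYPTED and not allow_plaintext:
        # Local policy of this example, not a Solace requirement.
        raise ValueError("unencrypted transport needs allow_plaintext=True")
    field = protocol + infix + SUFFIX[protocol]
    if public:  # TCP-routes variant: publicSmfTlsHosts, publicMqttUris, ...
        field = "public" + field[0].upper() + field[1:]
    hosts = creds.get(field)
    if not hosts:
        raise KeyError(f"{field} is not in these credentials")
    # HA plans list two entries; keep the order for host-list failover.
    settings = {"field": field, "hosts": list(hosts)}
    if protocol in NEEDS_VPN:
        settings["msgVpnName"] = creds["msgVpnName"]
    if "clientUsername" in creds and "clientPassword" in creds:
        settings["username"] = creds["clientUsername"]
        settings["password"] = creds["clientPassword"]
    else:
        # Application Access = LDAP Server: the binding carries no client
        # credentials, so they must come from the LDAP administrator.
        settings["credentials_source"] = "ldap"
    return settings
```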
Management Protocol
The Solace PubSub+ service supports the Solace Element Management Protocol (SEMP) as its management protocol. To use SEMP or a management app such as SolAdmin that supports SEMP, the following fields are required:
- managementUsername
- managementPassword
- managementHostnames
Usernames and Passwords
- When Application Access is Event Broker Internal, the credentials required by the various messaging protocols are provided by clientUsername and clientPassword.
- When Application Access is LDAP Server, the credentials required by the various messaging protocols are to be provided by the LDAP Administrator.
- When Management Access is Event Broker Internal, the credentials required to manage the Message VPN are provided by managementUsername and managementPassword. For more information, see Managing the Message VPN.
- When Management Access is LDAP Server, the credentials required to manage the Message VPN are to be provided by the LDAP Administrator.
Health Check
publicHealthCheckUris provides an ordered list of health check URIs that can be queried if using an external load balancer.
publicHealthCheckUris is available when TCP routes are enabled and Health Check is enabled.