Service Keys for Solace PubSub+ Service Instances
This topic describes how developers can manage service keys for Solace PubSub+ service instances.
About Service Keys
A service key is a way of obtaining credentials for a Solace PubSub+ service instance.
When using service keys, the developer assumes the responsibility of passing the credentials associated with the service key to the app.
Creating a service key for a service instance produces Solace PubSub+ credentials that are associated with the service key.
Deleting a service key of a service instance revokes the associated credentials.
Service keys can be used to obtain credentials for apps that are not hosted in VMware Tanzu. A typical use case is when you have TCP Routes enabled and you have apps running outside VMware Tanzu that need access to Solace PubSub+ Services running inside VMware Tanzu.
The following procedures assume you have created a Solace PubSub+ service called solace-pubsub-instance as discussed in Service Instances and that you have some app running outside of VMware Tanzu.
For more information about managing service keys, see Managing Service Keys.
Create a Service Key for a Service Instance with the cf CLI
To create a service key for an existing Solace PubSub+ service with the cf Command Line Interface (CLI), do the following:
1. Set your API endpoint to the Cloud Controller of your deployment.

    $ cf api api.YOUR-SYSTEM-DOMAIN
    Setting api endpoint to api.YOUR-SYSTEM-DOMAIN...
    OK
    API endpoint: https://api.YOUR-SYSTEM-DOMAIN (API version: 2.59.0)
    Not logged in. Use 'cf login' to log in.

2. Log in to your deployment and select an org and a space.

    $ cf login
    API endpoint: https://api.YOUR-SYSTEM-DOMAIN
    Email> user@example.com
    Password>

3. Locate the previously created service.

    $ cf services
    Getting services in org example / space dev as user@example.com...
    OK
    name                     service         plan                  bound apps   last operation
    solace-pubsub-instance   solace-pubsub   enterprise-large-ha                create succeeded

4. Create the service key for the solace-pubsub-instance and name it external-mobile-app.

    $ cf create-service-key solace-pubsub-instance external-mobile-app
    Creating service key external-mobile-app for service instance solace-pubsub-instance as user@example.com...
    OK

5. List the service keys for our service instance.

    $ cf service-keys solace-pubsub-instance
    Getting keys for service instance solace-pubsub-instance as user@example.com...
    name
    external-mobile-app
Get Service Key Credentials
Assuming you have created a service key external-mobile-app for solace-pubsub-instance.
- Get the service key credentials.

    $ cf service-key solace-pubsub-instance external-mobile-app
    Getting key external-mobile-app for service instance solace-pubsub-instance as user@example.com...
    {
      "clientPassword": "848e5357-2185-4c6c-bd98-8afc2da26492",
      "clientUsername": "v002.cu000006",
      "publicJmsJndiUris": [
        "smf://tcp.YOUR-DOMAIN.com:61072"
      ],
      "publicMqttTlsUris": [
        "ssl://tcp.YOUR-DOMAIN.com:61027"
      ],
      "publicMqttUris": [
        "tcp://tcp.YOUR-DOMAIN.com:61039"
      ],
      (...)
      "managementHostnames": [
        "enterprise-shared-0.YOUR-DOMAIN.com"
      ],
      "managementPassword": "39159deafcd44b0ebee9d504807dbdd1",
      "managementUsername": "v002-mgmt",
      (...)
    }
Note: With TCP routes enabled, the apps hosted outside VMware Tanzu should use all the public ports for messaging.
Save Service Key Credentials
Assuming you have created a service key external-mobile-app for solace-pubsub-instance.
- Save the service key credentials to a file. This saves the contents of the service key credentials to a file called external-mobile-app.key. A developer is responsible for passing this file to an app that needs to use solace-pubsub-instance.

    $ cf service-key solace-pubsub-instance external-mobile-app | grep -v Getting > external-mobile-app.key
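The key file holds the client password and, as the sample output above shows, the management credentials as well. The following is an added example, not part of the original documentation, that writes the file with owner-only permissions and leaves out the management fields. It assumes the external app needs only the client and messaging fields; the function names and the sample passwords are constructed for illustration.

```python
import json
import os
import tempfile

# Assumption: fields whose names start with "management" (as in the sample
# output above) are admin credentials that a messaging client does not need.
MGMT_PREFIX = "management"

# Constructed sample shaped like the `cf service-key` output on this page.
SAMPLE = """Getting key external-mobile-app for service instance solace-pubsub-instance as user@example.com...

{
  "clientPassword": "constructed-client-password",
  "clientUsername": "v002.cu000006",
  "publicMqttTlsUris": ["ssl://tcp.YOUR-DOMAIN.com:61027"],
  "managementHostnames": ["enterprise-shared-0.YOUR-DOMAIN.com"],
  "managementPassword": "constructed-mgmt-password",
  "managementUsername": "v002-mgmt"
}
"""


def parse_service_key(cli_output):
    """Skip the CLI status line and decode the JSON credentials object."""
    start = cli_output.find("{")
    if start < 0:
        raise ValueError("no JSON object in cf service-key output")
    return json.loads(cli_output[start:])


def messaging_only(creds):
    """Drop management* fields so the app receives client credentials only."""
    return {k: v for k, v in creds.items() if not k.startswith(MGMT_PREFIX)}


def save_private(creds, path):
    """Create path with mode 0600; fail instead of overwriting an old key file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        json.dump(creds, handle, indent=2)


if __name__ == "__main__":
    out = os.path.join(tempfile.mkdtemp(), "external-mobile-app.key")
    save_private(messaging_only(parse_service_key(SAMPLE)), out)
    print(out, oct(os.stat(out).st_mode & 0o777))
```

To use it on a real key, pass the text produced by the cf service-key command to parse_service_key in place of SAMPLE.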
Delete a Service Key for a Service Instance with the cf CLI
To revoke an app’s permission to use a Solace PubSub+ Instance, you can delete its service key.
A Default Orphaned Resource Policy or Service Orphaned Resource Policy is checked and applied during service key deletion when service key linked credentials are being removed.
Assuming you have created a service key external-mobile-app for solace-pubsub-instance.
- Delete the service key for the service instance.

    $ cf delete-service-key solace-pubsub-instance external-mobile-app
    Really delete the service key external-mobile-app? yes
    Deleting key external-mobile-app for service instance solace-pubsub-instance as user@example.com...
    OK