Configuring Internal CLI User Accounts
To create a new CLI user account that will be authenticated through the Solace PubSub+ event broker internal database, enter the following command:
solace(configure)# create username <name> password <password> cli
To edit the properties for an existing, internal CLI user account, enter the following command:
solace(configure)# username <name>
Where:
<name>
is the name assigned to the user account. An account user name can contain up to 32 alphanumeric characters and must be unique among all created CLI and File Transfer user accounts.
<password>
is the password assigned to the user account. An account password can contain up to 128 alphanumeric characters and symbols (excluding the following: :()";'<>,`\*&|), and can be used with all created CLI and File Transfer user accounts. However, as a best practice, Solace recommends assigning unique passwords for each created user account.
The no version of this command, no username, deletes the specified user account from the event broker.
When the Config-Sync facility is used for event brokers that are in redundant pairs and/or event brokers that are being replicated, by default any configuration you make through a username CONFIG command is also made to its redundant mate and/or replication mate. If you do not want these changes to be synchronized, you can disable the synchronization of username CONFIG commands. Refer to Enabling Config-Sync for Management User Commands.
Changing CLI User Account Passwords
To change the password for an existing internally-authenticated CLI user account, enter the following commands:
solace(configure)# username <name>
solace(configure/username)# change-password <password>
Where:
<name>
is the name assigned to the user account.
<password>
is the new password assigned to the CLI user account. An account password can contain up to 128 alphanumeric characters and symbols (excluding the following: :()";'<>,`\*&|), and it can be used with all created CLI and File Transfer user accounts.
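The name and password rules given in the two sections above can be checked before a value is typed into the CLI. The following is an added example, not Solace code: it validates candidates against the documented limits and generates a random password that avoids the excluded characters. Reading "symbols" as printable ASCII punctuation and the 16-character minimum are assumptions of this example.

```python
import secrets
import string

# Characters the page excludes from account passwords.
EXCLUDED = set(":()\";'<>,`\\*&|")
# Assumption: "symbols" means printable ASCII punctuation; whitespace is rejected.
ALLOWED = sorted(set(string.ascii_letters + string.digits + string.punctuation) - EXCLUDED)
MAX_NAME, MAX_PASSWORD = 32, 128  # limits stated on the page


def check_username(name):
    """Return a list of problems; an empty list means the name fits the rules."""
    problems = []
    if not 1 <= len(name) <= MAX_NAME:
        problems.append(f"length {len(name)} is outside 1..{MAX_NAME}")
    if name and not (name.isascii() and name.isalnum()):
        problems.append("contains non-alphanumeric characters")
    return problems


def check_password(password):
    """Return a list of problems; only offending characters are reported."""
    problems = []
    if not 1 <= len(password) <= MAX_PASSWORD:
        problems.append(f"length {len(password)} is outside 1..{MAX_PASSWORD}")
    bad = sorted(set(password) - set(ALLOWED))
    if bad:
        problems.append("disallowed characters: " + " ".join(map(repr, bad)))
    return problems


def generate_password(length=32):
    """Random password drawn only from the allowed set, with mixed classes."""
    # The lower bound of 16 is a policy choice of this example, not a broker rule.
    if not 16 <= length <= MAX_PASSWORD:
        raise ValueError(f"length must be between 16 and {MAX_PASSWORD}")
    while True:
        candidate = "".join(secrets.choice(ALLOWED) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)):
            return candidate


if __name__ == "__main__":
    # Constructed inputs: the second is typical password-manager output.
    print(check_username("opsadmin01"))
    print(check_password("S3cure&Long|Value"))
    print(check_password(generate_password()))
```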
Configuring Global Access Levels
To configure a global access level for an internally-authenticated CLI user account, enter the following commands:
solace(configure)# username <name>
solace(configure/username)# global-access-level [none | read-only | mesh-manager | read-write | admin]
Where:
<name>
is the name assigned to the user account.
none
specifies a global access level of none.
read-only
specifies a global access level of read-only. The default value is read-only.
mesh-manager
specifies a global access level of mesh-manager.
read-write
specifies a global access level of read-write.
admin
specifies a global access level of admin.
If you change the access level for a CLI user that is currently logged in, the new access level will not take effect until after that CLI user logs off and then logs in again.
Configuring VPN Default Access Levels
To configure a default Message VPN access level for an internally-authenticated CLI user account, enter the following commands:
solace(configure)# username <name>
solace(configure/username)# message-vpn default-access-level <access-level>
Where:
<name>
is the name assigned to the user account.
none
specifies a Message VPN access level of none. The default value is none.
read-only
specifies a Message VPN access level of read-only.
read-write
specifies a Message VPN access level of read-write.
Configuring VPN Access Level Exceptions
To configure an exception to the default Message VPN access level that is applied to internally-authenticated CLI user accounts, enter the following commands:
solace(configure)# username <name>
solace(...lass/access-level/default/message-vpn)# create access-level-exception <vpn-name> access-level [none|read-only|read-write]
To modify an existing exception to the default Message VPN access level that can be applied to an internally-authenticated CLI user account, enter the following commands:
solace(configure)# username <name>
solace(...lass/access-level/default/message-vpn)# access-level-exception <vpn-name> access-level [none|read-only|read-write]
Where:
<name>
is the name assigned to the user account.
<vpn-name>
is the name of an existing Message VPN that the exception to the default Message VPN access level will apply to.
none
specifies a Message VPN access level of none. The default value is none.
read-only
specifies a Message VPN access level of read-only.
read-write
specifies a Message VPN access level of read-write.
The no version of this command, no access-level-exception, removes an exception from the given Message VPN; the default Message VPN access level will be used.
The number of permitted Message VPN access level exceptions is only limited in that it cannot exceed the number of existing Message VPNs on the event broker.
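The way a default Message VPN access level and its exceptions combine can be reviewed offline. The following is an added example, not Solace code: it resolves the level that applies to each Message VPN for an account and lists findings worth a second look. The record layout, account names, VPN names, and the review policy are constructed for illustration.

```python
LEVELS = ("none", "read-only", "read-write")  # Message VPN access levels on the page


def effective_vpn_access(default_level, exceptions, vpns):
    """Level that applies per existing Message VPN: its exception, else the default."""
    for level in (default_level, *exceptions.values()):
        if level not in LEVELS:
            raise ValueError(f"unknown Message VPN access level: {level!r}")
    return {vpn: exceptions.get(vpn, default_level) for vpn in vpns}


def audit_account(account, vpns):
    """Return (effective levels, findings) for one account record (hypothetical layout)."""
    default, exceptions = account["default"], account["exceptions"]
    effective = effective_vpn_access(default, exceptions, vpns)
    findings = []
    for vpn in sorted(set(exceptions) - set(vpns)):
        findings.append(f"exception for unknown Message VPN {vpn}")
    for vpn in sorted(v for v in exceptions if v in effective and exceptions[v] == default):
        findings.append(f"exception for {vpn} repeats the default ({default})")
    if default == "read-write":
        # Review policy assumed here, not a broker rule: a read-write default
        # also covers every Message VPN that has no exception of its own.
        findings.append("default is read-write; prefer none plus explicit exceptions")
    return effective, findings


# Constructed inventory, as an operator might transcribe it from the broker.
VPNS = ["default", "orders", "payments"]
ACCOUNTS = {
    "opsadmin01": {"default": "none", "exceptions": {"orders": "read-write"}},
    "auditor02": {"default": "read-write",
                  "exceptions": {"payments": "none", "legacy": "read-only"}},
    "report03": {"default": "read-only", "exceptions": {"orders": "read-only"}},
}

if __name__ == "__main__":
    for name, account in ACCOUNTS.items():
        effective, findings = audit_account(account, VPNS)
        print(name, effective, findings)
```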
Renaming CLI User Accounts
To change an existing internally-authenticated CLI user account name, enter the following commands:
solace(configure)# username <name>
solace(configure/username)# rename <name>
Where:
<name>
is the name of the user account. A new user account name can contain up to 32 alphanumeric characters and must be unique among all created user accounts, whether CLI or File Transfer.
Recovering Lost Passwords
Contact Solace for help recovering lost passwords from event brokers.