Viewing and Managing the Message VPN

A Message VPN is a managed object on an event broker that allows for the segregation of topic space and clients. Unlike software event brokers and appliances, PubSub+ event broker services have only one customer configurable Message VPN. Because PubSub+ Cloud allows you to create multiple event broker services, you can use separate services to segregate topics and clients for messaging.

An event broker service can have up to four Message VPNs including:

  • The configurable Message VPN—by default, its name is derived from the event broker service name, using all lowercase letters and replacing spaces with hyphens. For example, an event broker service named "My Service" has a Message VPN named "my-service". Client applications always connect to the Message VPN that shares the name with the event broker service, even if you change the name.

  • default—this Message VPN is disabled and is not usable.

  • #cluster—this Message VPN is only for internal PubSub+ Cloud functionality. Although it is visible in PubSub+ Broker Manager, you cannot configure it.

  • #config-sync—this Message VPN is for internal PubSub+ Cloud functionality. It does not exist on Developer class event broker services. Although it is visible in PubSub+ Broker Manager, you cannot configure it.

Viewing Message VPN Details

When you open PubSub+ Broker Manager from Cluster Manager, the default page displays a summary of the current Message VPN status for the event broker service.

Screenshot of the features described in the surrounding text.

You can change the view to see status information for the non-configurable Message VPNs, but you should never need to do so.

To change the displayed Message VPN, perform these steps:

  1. Open Broker Manager. For instructions, see Using PubSub+ Broker Manager.
  2. Select Change VPN in the left navigation bar.
  3. In the list, click the name of the Message VPN you want to view.

The Message VPN page has the following tabs:

  • Summary tab—Displays details about the Message VPN status, enabled features, connections, and queues.
  • Settings tab—Lets you set options for the configurable Message VPN. For more information see Configuring Message VPN Settings.
  • Services tab—Lets you configure the messaging protocol services that clients use to connect to the Message VPN. For more information see Configuring Messaging Protocol Services.
  • Replication tab—Lets you set replication options for disaster recovery for event broker services version 10.10 and later. For more information see Using Replication for Disaster Recovery of Event Broker Services.

    Using replication for disaster recovery is available as a Controlled Availability (CA) feature in PubSub+ Cloud. Contact Solace to evaluate if this option meets your use case and to get more information.

  • Proxies tab—Lets you add forward proxies for the configurable Message VPN. For more information, see Configuring a Forward Proxy.
  • Stats tab— Displays detailed statistics for the Message VPN.

Configuring Message VPN Settings

You can configure several settings for the Message VPN, including alert thresholds and log message settings.

To configure the settings, perform these steps:

  1. Open Broker Manager. For instructions, see Using PubSub+ Broker Manager.
  2. On the Message VPN page for the configurable Message VPN you want to view, select the Settings tab.
  3. Click Show Advanced Settings to display all of the available settings.
  4. Configure the following settings as you require and click Apply.
    Setting / Description

    Enabled

    Specifies whether the Message VPN is enabled.

    Disabling the Message VPN disconnects all messaging clients from the event broker service and rejects any new connection requests until you enable it again.

    Alert Thresholds

    Specifies the connection threshold values that control when an alert is generated.

    You can set the alert thresholds for several predefined maximums on the event broker service. For more information about changing any of the maximum values, see Configuring Message Spool Sizes or contact Solace.

    Dynamic Message Routing

    Specifies whether the Message VPN can participate in Dynamic Message Routing (DMR). For more information see Understanding Event Meshes and Mesh Manager.

    This option cannot be enabled from Broker Manager in event broker services earlier than 10.10.

    Export Subscriptions

    Specifies whether the Message VPN exports subscriptions to other event brokers when the Message VPN is part of a DMR network. When this option is selected, subscriptions added locally to the Message VPN can be exported to other event brokers in the network. This option must be enabled to receive messages from other event brokers. Solace recommends setting all Message VPNs in the DMR network to the same value.

    This option cannot be enabled from Broker Manager in event broker services earlier than 10.10.

    Large Message Size Threshold

    Specifies the message size threshold in KB. The Message VPN generates a one-shot event when a message exceeds the specified size.

    Events Log Tag

    Specifies a custom log identification tag as a prefix for event log messages generated by the Message VPN when alert thresholds are reached. The tag can contain up to 32 alphanumeric characters.

    Publish Client Event Messages

    Specifies whether client-level event log message publishing is enabled.

    Publish Message VPN Event Messages

    Specifies whether Message VPN-level event log message publishing is enabled.

    Publish Subscription Event Messages

    Specifies the subscription level event log message publishing mode:

    • no publishing—Disable subscription event log message publishing.
    • publishing in format v1—Enable subscription event log message publishing with format v1, which sets the SMF topic structure of subscription events to #LOG/INFO/SUB_ADD|SUB_DEL/<subscribedTopic>.
    • publishing in format v1, no unsubscribe events on disconnect—Enable subscription event log message publishing with format v1, but unsubscribe event log messages are not generated when a client disconnects. Unsubscribe events are still raised when a client explicitly unsubscribes from its subscriptions.
    • publishing in format v2—Enable subscription event log message publishing with format v2, which sets the SMF topic structure of subscription events to #LOG/INFO/SUB/<routerName>/ADD|DEL/<vpnName>/<clientName>/<subscribedTopic>. Unlike format v1, this format identifies the router, Message VPN, and client that added or removed the subscription.
    • publishing in format v2, no unsubscribe events on disconnect—Enable subscription event log message publishing with format v2, but unsubscribe event log messages are not generated when a client disconnects. Unsubscribe events are still raised when a client explicitly unsubscribes from its subscriptions.

    Publish in MQTT Format

    Specifies whether event log messages are published in MQTT format.

    Publish in SMF Format

    Specifies whether event log messages are published in SMF format.

    SEMP Over Message Bus

    Specifies whether SEMP is enabled over the message bus. Enabling this option allows messaging clients to run Show User EXEC commands on the Message VPN for your event broker service. By default, this option is disabled so that broker commands are not exposed to messaging clients. For more information, see Configuring SEMP v1 Over Message Bus Services.

    For event broker services earlier than 10.10, you can enable SEMP over the message bus only in Cluster Manager. For more information, see Enabling SEMP Over the Message Bus.

    Admin Commands

    Specifies whether SEMP admin commands are enabled over the message bus.

    Client Commands

    Specifies whether SEMP client admin commands are enabled over the message bus.

    Distributed Cache Commands

    Specifies whether SEMP distributed cache admin commands are enabled over the message bus.

    Show Commands

    Specifies whether SEMP show commands are enabled over the message bus.
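The subscription event topics that the Publish Subscription Event Messages setting produces are worth consuming from a monitoring client, because they show which client subscribed to what. The following is an added example, not code from the original page or from Solace: it parses event topics in the v1 and v2 layouts documented above and flags subscriptions (including wildcard subscriptions) that cover sensitive topic space. The sensitive topics and the sample event topics are constructed for this example, and it assumes router, Message VPN and client names contain no "/".

```python
"""Parse subscription event topics (v1 and v2 layouts) and flag subscriptions
that cover sensitive topics. Added example; not Solace code.

  v1: #LOG/INFO/SUB_ADD|SUB_DEL/<subscribedTopic>
  v2: #LOG/INFO/SUB/<routerName>/ADD|DEL/<vpnName>/<clientName>/<subscribedTopic>
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SubscriptionEvent:
    action: str                        # "ADD" or "DEL"
    subscribed_topic: str
    fmt: str                           # "v1" or "v2"
    router_name: Optional[str] = None  # v2 only
    vpn_name: Optional[str] = None     # v2 only
    client_name: Optional[str] = None  # v2 only


def parse_subscription_event_topic(topic: str) -> Optional[SubscriptionEvent]:
    """Return the parsed event, or None if the topic is not a subscription event."""
    parts = topic.split("/")
    if len(parts) < 4 or parts[:2] != ["#LOG", "INFO"]:
        return None
    if parts[2] in ("SUB_ADD", "SUB_DEL"):
        # v1: everything after the action is the subscribed topic (it may contain '/')
        return SubscriptionEvent(action=parts[2][4:], subscribed_topic="/".join(parts[3:]), fmt="v1")
    if parts[2] == "SUB" and len(parts) >= 8 and parts[4] in ("ADD", "DEL"):
        # v2: router, action, vpn and client occupy fixed positions; the rest is the topic.
        # Assumption for this example: router, VPN and client names contain no '/'.
        return SubscriptionEvent(action=parts[4], subscribed_topic="/".join(parts[7:]), fmt="v2",
                                 router_name=parts[3], vpn_name=parts[5], client_name=parts[6])
    return None


def subscription_matches(subscription: str, topic: str) -> bool:
    """Solace topic wildcard matching: '*' matches one whole level, 'abc*' matches a
    level with that prefix, and '>' as the last level matches one or more levels."""
    s_levels = subscription.split("/")
    t_levels = topic.split("/")
    for i, s in enumerate(s_levels):
        if s == ">":
            return i == len(s_levels) - 1 and len(t_levels) > i
        if i >= len(t_levels):
            return False
        t = t_levels[i]
        if s == "*":
            continue
        if s.endswith("*"):
            if not t.startswith(s[:-1]):
                return False
            continue
        if s != t:
            return False
    return len(s_levels) == len(t_levels)


# Constructed for this example: topics whose subscribers should be reviewed.
SENSITIVE_TOPICS = ("payments/card/auth", "hr/payroll/export")

# Constructed sample event topics, as a monitoring client subscribed to #LOG/> would see them.
SAMPLE_EVENT_TOPICS = [
    "#LOG/INFO/SUB/solace-primary/ADD/my-service/billing-app/payments/>",
    "#LOG/INFO/SUB/solace-primary/ADD/my-service/dashboard/metrics/cpu",
    "#LOG/INFO/SUB/solace-primary/DEL/my-service/billing-app/payments/>",
    "#LOG/INFO/SUB_ADD/>",
    "orders/eu/created",  # an ordinary message topic, not an event
]


def audit_subscription_events(topics, sensitive=SENSITIVE_TOPICS) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Return (client, subscription, covered sensitive topics) for each ADD event
    whose subscription covers at least one sensitive topic."""
    findings = []
    for topic in topics:
        ev = parse_subscription_event_topic(topic)
        if ev is None or ev.action != "ADD":
            continue
        covered = tuple(t for t in sensitive if subscription_matches(ev.subscribed_topic, t))
        if covered:
            # v1 events carry no client name, which is why v2 is preferable for attribution.
            findings.append((ev.client_name or "<unknown: v1 format carries no client name>",
                             ev.subscribed_topic, covered))
    return findings


if __name__ == "__main__":
    for client, sub, covered in audit_subscription_events(SAMPLE_EVENT_TOPICS):
        print(f"{client} subscribed to {sub!r}, covering {covered}")
```

The wildcard matcher is what makes the check useful: a client rarely subscribes to the exact sensitive topic, but a subscription such as payments/> or > covers it. Note that the v1 layout gives you the subscription but not who added it, so attribution requires format v2.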

Configuring Messaging Protocol Services

You can configure the following messaging protocol services for the Message VPN: SMF, Web Transport, MQTT, REST, and AMQP.

To configure the services, perform these steps:

  1. Open Broker Manager. For instructions, see Using PubSub+ Broker Manager.
  2. On the Message VPN page for the configurable Message VPN you want to view, select the Services tab.
  3. Click Show Advanced Settings to display all of the available settings.
  4. Configure the following settings as you require and click Apply.
    Setting / Description

    SMF

    Plain Text Enabled

    Specifies whether plaintext messages can be sent using SMF. This option is disabled by default for event broker services.

    TLS Enabled

    Specifies whether TLS-encrypted messages can be sent using SMF. Disabling this option disconnects any clients currently connected using TLS.

    Allow Downgrade TLS to Plain Text

    Specifies whether SMF clients can request to downgrade their TLS/SSL connections to plaintext after they are authenticated and authorized. The client login handshake, including the client's authentication data, is still encrypted, but once the handshake completes the connection is downgraded and all subsequent application data is transmitted as unencrypted plaintext.

    This option is useful if you want client connections to use TLS/SSL encryption to protect the client credentials, but for performance reasons you do not want to encrypt the data that is transmitted after clients are authenticated and authorized. This option is disabled by default.

    Alert Thresholds

    Specifies the connection thresholds that control when an alert is generated.

    Web Transport

    Authentication Request Client Cert

    Specifies when event broker services request client certificates from web clients connecting via a TLS port if client certificate authentication is enabled in a given Message VPN. For more information, see Controlling When an Event Broker Service Requests a Certificate.

    • When Enabled in Message VPN—Ask for a client-certificate only when client certificate authentication is enabled for clients authenticating to the event broker service.
    • Always—Always ask for a client certificate.
    • Never—Never ask for a client certificate.

    Plain Text Enabled

    Specifies whether plaintext messages can be sent using Web Transport. This option is disabled by default for event broker services.

    TLS Enabled

    Specifies whether TLS-encrypted messages can be sent using Web Transport. Disabling this option disconnects any clients currently connected using TLS.

    Alert Thresholds

    Specifies the connection thresholds that control when an alert is generated.

    MQTT

    Authentication Request Client Cert

    Specifies when event broker services request client certificates from MQTT clients connecting via a TLS port if client certificate authentication is enabled in a given Message VPN. For more information, see Controlling When an Event Broker Service Requests a Certificate.

    • When Enabled in Message VPN—Ask for a client-certificate only when client certificate authentication is enabled for clients authenticating to the event broker service.
    • Always—Always ask for a client certificate.
    • Never—Never ask for a client certificate.

    Plain Text Enabled

    Specifies whether plain text messages can be sent using MQTT. This option is disabled by default for event broker services.

    TLS Enabled

    Specifies whether TLS-encrypted messages can be sent using MQTT. Disabling this option disconnects any clients currently connected using TLS.

    WebSocket Enabled

    Specifies whether the Message VPN uses WebSocket for messages sent using MQTT. Disabling this option disconnects any clients currently connected using WebSocket.

    WebSocket TLS Enabled

    Specifies whether the Message VPN uses WebSocket over TLS for messages sent using MQTT. Disabling this option disconnects any clients currently connected using encrypted WebSocket.

    Alert Thresholds

    Specifies the connection thresholds that control when an alert is generated.

    REST

    Service Mode

    Specifies the service mode for incoming connections from REST clients:

    • Messaging—Act as an event broker where REST messages are queued. This is the default.
    • Gateway—Act as a Microgateway, which allows the event broker service to act as an HTTP load balancer or simple API gateway between a RESTful API client and remote microservices. For more information, see Microgateways.

    Producer Authentication Request Client Cert

    Specifies when event broker services request client certificates from REST producers connecting via a TLS port if client certificate authentication is enabled in a given Message VPN. For more information, see Controlling When an Event Broker Service Requests a Certificate.

    • When Enabled in Message VPN—Ask for a client-certificate only when client certificate authentication is enabled for clients authenticating to the event broker service.
    • Always—Always ask for a client certificate.
    • Never—Never ask for a client certificate.

    Authorization Header Handling

    Specifies how the Message VPN handles authorization headers for incoming REST connections when the Service Mode is set to Gateway.

    • Drop—Do not attach the authorization header to the message as a user property. This is the most secure option, because the caller's credential is never passed on in the message to downstream services.
    • Forward—Forward the authorization header by attaching it to the message as a user property in the same way as other headers.
    • Legacy—If the Authorization header was used for authentication to the event broker service, do not attach it to the message. If the Authorization header was not used for authentication to the event broker service, attach it to the message as a user property in the same way as other headers.

    Plain Text Enabled

    Specifies whether plain text messages can be sent using REST. This option is disabled by default for event broker services.

    TLS Enabled

    Specifies whether TLS-encrypted messages can be sent using REST. Disabling this option disconnects any clients currently connected using TLS.

    Alert Thresholds

    Specifies the connection thresholds that control when an alert is generated.

    Validate Server Name

    Specifies whether standard TLS server name verification is used when connecting to the remote REST consumer. If enabled, the server name used to connect to the remote REST consumer is checked against the names in the certificate that the REST consumer returns. Common Name validation is not performed if this option is selected.

    Enforce Trusted Common Name

    Specifies whether to validate the common name (CN) in the server certificate from the remote REST consumer. If selected, the CN is checked against the list of Trusted Common Names configured for the REST Consumer. Common Name validation is not performed if Validate Server Name is selected.

    Maximum Chain Depth

    Specifies the maximum depth for a REST consumer server certificate chain. The depth of a chain is defined as the number of signing CA certificates that are present in the chain back to a trusted self-signed root CA certificate.

    Validate Certificate Dates

    Specifies whether to validate the Not Before and Not After validity dates in the REST consumer server certificate.

    AMQP

    Plain Text Enabled

    Specifies whether plain text messages can be sent using AMQP. This option is disabled by default for event broker services.

    TLS Enabled

    Specifies whether TLS-encrypted messages can be sent using AMQP. Disabling this option disconnects any clients currently connected using TLS.

    Alert Thresholds

    Specifies the connection thresholds that control when an alert is generated.

For information about configuring these services using the Solace CLI, see Configuring Services.
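The Settings and Services tables above describe several options whose insecure value is easy to leave behind: SEMP over the message bus, TLS downgrade to plaintext, plaintext listeners, and the Authorization header handling of a REST gateway. The following is an added example, not code from the original page or from Solace, that audits a Message VPN object for those points and builds the body of the PATCH request that would correct them. It assumes the input is the "data" member of the JSON that a SEMP v2 request GET /SEMP/v2/config/msgVpns/<msgVpnName> returns; the attribute names follow SEMP v2 config API naming and should be checked against the SEMP v2 reference for your broker version. The sample object is constructed for this example.

```python
"""Audit a Message VPN configuration object for the insecure settings described
above and build the PATCH body that fixes them. Added example; not Solace code.
Attribute names follow SEMP v2 config naming (assumption: verify against the
SEMP v2 reference for your broker version)."""
import json
from typing import Dict, List, Tuple

Finding = Tuple[str, object, str]  # (attribute, actual value, reason)

# (attribute, required value, why it matters). Policy constructed for this example.
POLICY: List[Tuple[str, object, str]] = [
    ("sempOverMsgBusEnabled", False, "SEMP over the message bus lets messaging clients run broker commands"),
    ("tlsAllowDowngradeToPlainTextEnabled", False, "TLS downgrade sends application data in plaintext after login"),
    ("serviceSmfPlainTextEnabled", False, "plaintext SMF service enabled"),
    ("serviceWebPlainTextEnabled", False, "plaintext Web Transport service enabled"),
    ("serviceMqttPlainTextEnabled", False, "plaintext MQTT service enabled"),
    ("serviceMqttWebSocketEnabled", False, "plaintext MQTT WebSocket service enabled"),
    ("serviceRestIncomingPlainTextEnabled", False, "plaintext REST service enabled"),
    ("serviceAmqpPlainTextEnabled", False, "plaintext AMQP service enabled"),
    ("restTlsServerCertValidateNameEnabled", True, "REST consumer server name is not validated"),
    ("restTlsServerCertValidateDateEnabled", True, "REST consumer certificate dates are not validated"),
]


def load_msg_vpn(text: str) -> Dict:
    """Accept either the full SEMP v2 response or just its 'data' member."""
    obj = json.loads(text)
    return obj["data"] if "data" in obj else obj


def audit_msg_vpn(vpn: Dict) -> List[Finding]:
    findings: List[Finding] = []
    for attr, required, reason in POLICY:
        actual = vpn.get(attr)
        if actual != required:  # a missing attribute is reported too; it cannot be shown compliant
            findings.append((attr, actual, reason))
    # In Gateway mode, anything other than "drop" passes the caller's Authorization
    # header on to downstream services as a message user property.
    handling = vpn.get("serviceRestIncomingAuthorizationHeaderHandling")
    if vpn.get("serviceRestMode") == "gateway" and handling != "drop":
        findings.append(("serviceRestIncomingAuthorizationHeaderHandling", handling,
                         "REST gateway forwards the Authorization header to downstream services"))
    # The per-command toggles only matter while SEMP over the message bus is on.
    if vpn.get("sempOverMsgBusEnabled"):
        for attr in ("sempOverMsgBusAdminEnabled", "sempOverMsgBusShowEnabled"):
            if vpn.get(attr):
                findings.append((attr, True, "command class exposed over the message bus"))
    return findings


def remediation_body(findings: List[Finding]) -> Dict:
    """JSON body for PATCH /SEMP/v2/config/msgVpns/<msgVpnName> that fixes the findings."""
    required = {attr: value for attr, value, _ in POLICY}
    required["serviceRestIncomingAuthorizationHeaderHandling"] = "drop"
    required["sempOverMsgBusAdminEnabled"] = False
    required["sempOverMsgBusShowEnabled"] = False
    return {attr: required[attr] for attr, _, _ in findings if attr in required}


def apply_remediation(vpn: Dict, body: Dict) -> Dict:
    """Simulate the effect of the PATCH locally (a PATCH merges the given attributes)."""
    return {**vpn, **body}


# Constructed sample: the configurable Message VPN with several settings left insecure.
WEAK_VPN_JSON = """{
  "msgVpnName": "my-service", "enabled": true,
  "sempOverMsgBusEnabled": true, "sempOverMsgBusAdminEnabled": false, "sempOverMsgBusShowEnabled": true,
  "tlsAllowDowngradeToPlainTextEnabled": true,
  "serviceSmfPlainTextEnabled": true, "serviceSmfTlsEnabled": true,
  "serviceWebPlainTextEnabled": false, "serviceWebTlsEnabled": true,
  "serviceMqttPlainTextEnabled": false, "serviceMqttTlsEnabled": true,
  "serviceMqttWebSocketEnabled": false, "serviceMqttTlsWebSocketEnabled": true,
  "serviceRestIncomingPlainTextEnabled": false, "serviceRestIncomingTlsEnabled": true,
  "serviceRestMode": "gateway", "serviceRestIncomingAuthorizationHeaderHandling": "forward",
  "serviceAmqpPlainTextEnabled": false, "serviceAmqpTlsEnabled": true,
  "restTlsServerCertValidateNameEnabled": true, "restTlsServerCertValidateDateEnabled": true
}"""

if __name__ == "__main__":
    vpn = load_msg_vpn(WEAK_VPN_JSON)
    found = audit_msg_vpn(vpn)
    for attr, actual, reason in found:
        print(f"{attr} = {actual!r}: {reason}")
    print("PATCH body:", json.dumps(remediation_body(found), indent=2))
```

Run against a live service, the GET and PATCH go to the SEMP v2 endpoint of the event broker service with a management user; the local apply_remediation merge is only there to confirm that the generated body leaves nothing outstanding before you send it.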

Configuring a Forward Proxy

Depending on your deployment, communication between an event broker service and endpoint servers (such as external websites) may go through a forward proxy. For example, if the event broker service sits behind a firewall, REST delivery point (RDP) egress traffic may need to connect to a proxy server to go outside the firewall. In this situation, you can create a forward proxy configuration object to direct traffic to the proxy server before it is forwarded to the endpoint server.

Forward proxies are synchronized in high-availability (HA) deployments, but not in disaster recovery (DR) deployments, because different sites may need different proxy configurations. References to the proxy are both HA and replication synchronized, so once the appropriate proxies are set up on each site, referencing objects need no special handling on replicated sites.

To configure a forward proxy for the Message VPN, perform these steps:

  1. Open Broker Manager. For instructions, see Using PubSub+ Broker Manager.
  2. On the Message VPN page for the configurable Message VPN you want to view, select the Proxies tab.
  3. Click + Proxies.
  4. Enter a name for the proxy and click Create. Use this name to refer to the forward proxy in other event broker service objects such as RDPs.
  5. Select the Proxy Type:
    • DIRECT—Specifies a direct connection to the endpoint server, which means that the proxy is not used. This option is useful when one replication site needs a proxy and another does not.
    • HTTP—Specifies that the connection from the event broker to the proxy server is HTTP. Objects that use the forward proxy (such as RDPs) can still have TLS/SSL enabled; the event broker service then exchanges TLS/SSL-encrypted data with the endpoint server through the proxy over a single TCP connection, instead of sending plain HTTP. For more information, see TLS / SSL Service Configuration.
  6. If you selected HTTP as the Proxy Type, specify the Host and Port of the proxy server. You can specify the host using the IP address or DNS name.
  7. Select an Authentication Scheme:
    • None—The event broker service does not use an authentication scheme when connecting to the proxy server. This option may be useful for anonymous connections or when a proxy server does not require authentication.
    • Basic—The event broker service authenticates to the proxy server with a username and password combination.
  8. If you selected Basic authentication, specify the Username and Password.
  9. Click Apply.