Event Management Agent Security

An Event Management Agent is required to configure event brokers and discover runtime data using Event Portal. The deployment options (a Solace-managed, cloud-based agent, an agent you install in connected mode, and an agent you install in offline mode) are described in the following sections.

Event Management Agents support connections to Solace Event Broker Services, Solace Software Event Brokers and Solace Appliance Event Brokers, and Kafka clusters and Confluent schema registries.

Cloud-Based Event Management Agent in Public Clusters

Solace does not support cloud-based Event Management Agent connections for Public Cluster event broker services with a custom TLS certificate installed.

The Solace-managed, cloud-based Event Management Agent connects all of your event broker services in a Public Cluster to Event Portal. For event broker services in a Public Cluster in the same Solace Cloud account, the connection is set up automatically in your account when you add an event broker service to a modeled event mesh. You don't need to take extra steps to enable it.

You must keep basic authentication for management access enabled on your event broker service to connect an event broker service with Event Portal using the cloud-based Event Management Agent.

In the following architecture diagram, the red box highlights the Event Management Agent:

Diagram of the Cloud architecture that highlights the Event Management Agent in the cloud.

The security measures applied in this scenario include:

  • The Event Management Agent connects only to the event broker services specified in a modeled event mesh in Event Portal.

  • Event Portal authenticates all operation requests, which prevents unauthorized users and any other organization sharing the datacenter from performing operations on your event broker service.

  • Connections with the Event Management Agent use TLS.

  • The Event Management Agent never stores configuration details or credentials.

Cloud-Based Event Management Agent in Dedicated and Customer-Controlled Clusters

If you want to use a cloud-based Event Management Agent for an event broker service with a custom TLS certificate installed in a Dedicated Cluster or Customer-Controlled Cluster, contact Solace.

The Solace-managed, cloud-based Event Management Agent connects all event broker services in a single datacenter to Event Portal. For event broker services in Dedicated Clusters or Customer-Controlled Clusters in the same Solace Cloud account, you enable one cloud-based Event Management Agent for all event broker services in a datacenter. For more information, see Connecting Event Broker Services to Event Portal Through Solace Cloud.

You must keep basic authentication for management access enabled on your event broker service to connect an event broker service with Event Portal using the cloud-based Event Management Agent.

We recommend using the cloud-based Event Management Agent to connect your event broker services to Event Portal in all situations where it is supported, unless:

  • Your organization's security policies don't allow you to connect your operational event broker services to Event Portal.

  • You want to redact sensitive data from scan files before manually uploading the data to Event Portal.

In the following architecture diagram, the red box highlights the Event Management Agent:

Diagram of the Cloud architecture that highlights the Event Management Agent in the cloud.

The security measures applied in this scenario include:

  • The Event Management Agent connects only to the event broker services in your datacenter.

  • The Event Management Agent never stores configuration details or credentials.

Cloud-Based Event Management Agent Communication with Solace Cloud

Customer-Controlled Cluster customers must ensure their networks meet the connectivity requirements, including allowing outbound communication over port 55443 from the Event Management Agent to the specific hosts and IP addresses listed in the Connectivity Model for Kubernetes Deployments. The agent always opens these connections; nothing inbound is required.
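A quick way to confirm the requirement above from inside the cluster network is to attempt a TCP connection (and optionally a TLS handshake) to each required endpoint on port 55443. The following is an added example, not Solace's tooling: the port comes from this page, but the host list must be taken from the Connectivity Model document, so the hosts are passed in as arguments, and the TLS option assumes the endpoint presents a certificate that the host's trust store can validate.

```python
"""Egress connectivity check for an Event Management Agent (added example).

Assumptions: the required hosts are supplied by the caller (this page does not
list them); port 55443 is the port this page names; TLS validation uses the
system trust store via ssl.create_default_context().
"""
import socket
import ssl

HOME_CLOUD_PORT = 55443  # port named on this page


def check_egress(hosts, port=HOME_CLOUD_PORT, timeout=3.0, tls=False):
    """Return {host: (reachable, detail)}.

    With tls=False this is a plain TCP connect, which proves the network path
    and any egress firewall allow the port. With tls=True it additionally
    completes a TLS handshake with hostname and certificate validation, which
    catches TLS-intercepting proxies that present an untrusted certificate.
    """
    results = {}
    ctx = ssl.create_default_context() if tls else None
    for host in hosts:
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                if ctx is None:
                    results[host] = (True, "tcp connect ok")
                else:
                    with ctx.wrap_socket(sock, server_hostname=host) as tls_sock:
                        results[host] = (True, f"tls ok ({tls_sock.version()})")
        except ssl.SSLError as exc:  # handshake or certificate failure
            results[host] = (False, f"tls failed: {exc}")
        except OSError as exc:  # refused, timed out, DNS failure, ...
            results[host] = (False, f"connect failed: {exc}")
    return results


def unreachable(results):
    """Hosts that failed, sorted, so a caller can fail a readiness check."""
    return sorted(host for host, (ok, _) in results.items() if not ok)


if __name__ == "__main__":
    import sys

    # Usage: python egress_check.py host1 host2 ... (hosts from the
    # Connectivity Model document; hypothetical invocation)
    outcome = check_egress(sys.argv[1:], tls=True)
    for host, (ok, detail) in outcome.items():
        print(f"{'OK ' if ok else 'FAIL'} {host}:{HOME_CLOUD_PORT} {detail}")
    sys.exit(1 if unreachable(outcome) else 0)
```

Run it from a pod or node in the same network segment as the agent, not from a workstation, because egress rules commonly differ between the two.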

Event Management Agents in Connected Mode

In connected mode, you install Event Management Agents within your own network. For more information, see Setting Up a Connected Event Management Agent.

We recommend connected mode in these use-cases:

  • Your event broker services are managed in a different Solace Cloud account.

  • You want to connect a Solace Appliance Event Broker or Solace Software Event Broker to Event Portal.

  • You want to audit Kafka clusters and Confluent schema registries.

In the following architecture diagram, the red box highlights the Event Management Agent:

Diagram of the Cloud architecture that highlights the Event Management Agent in Scan from Event Portal mode

The security measures applied in this scenario include:

  • The Event Management Agent must authenticate with the event brokers it connects to so it can securely exchange information.

  • Authentication credentials are retrieved on a per-connection basis, and are not stored in the Event Management Agent.

  • Communication between the Event Management Agent, Event Portal, and your event brokers occurs over secured connections.

Event Management Agents in Offline Mode

In offline mode, you install Event Management Agents within your own network. For more information, see Setting Up an Offline Event Management Agent.

We recommend offline mode in these use-cases:

  • Your organization's security policies don't allow you to connect your operational event brokers to Event Portal. For example, your event brokers are not connected to the internet.

  • You want to redact sensitive data from scan files before manually uploading the data to Event Portal.

Offline mode requires two Event Management Agents:

  • An Event Management Agent to communicate with Event Portal.

  • An Event Management Agent to communicate with your event brokers.

In the following architecture diagram, the red box highlights the Event Management Agents.

Diagram of the Cloud architecture that highlights the Event Management Agent in Upload Scan file Mode

The security measures applied in this scenario include:

  • There is no direct connection between Solace Cloud and your event brokers.

  • Offline mode does not allow you to send event broker configuration from Event Portal to operational event brokers.
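Offline mode exists partly so that you can redact sensitive data from scan files before you upload them. The following is an added example, not Solace's code: it takes a scan file, removes or pseudonymises the fields your policy considers sensitive, and checks that none of the original values survive. The JSON layout is constructed for the example and mirrors the resource types this page says a discovery scan returns (queues, ACL profiles, client usernames, authentication configuration); the real scan-file format is not described on this page, so the key names in DROP_KEYS and PSEUDONYMISE_KEYS are assumptions you must adjust to what your agent actually writes.

```python
"""Redact an Event Management Agent scan file before manual upload (added example).

Assumptions: scan files are JSON; the key names below are illustrative and
must be matched to the real file. Pseudonyms are salted hashes so that the
same client username maps to the same stand-in everywhere in the file and
relationships (e.g. queue owner -> client username) remain visible to Event
Portal without exposing the real name.
"""
import hashlib
import json

# Subtrees removed entirely (assumed key name).
DROP_KEYS = {"authenticationConfiguration"}
# String values replaced by a stable pseudonym (assumed key names).
PSEUDONYMISE_KEYS = {"clientUsername", "owner", "hostname"}


def pseudonym(value, salt):
    """Deterministic, non-reversible stand-in for a sensitive string."""
    digest = hashlib.sha256(f"{salt}:{value}".encode("utf-8")).hexdigest()[:12]
    return f"redacted-{digest}"


def _walk(node, salt, path, report):
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            child = f"{path}/{key}"
            if key in DROP_KEYS:
                report.append(f"dropped {child}")
                continue
            if key in PSEUDONYMISE_KEYS and isinstance(value, str):
                out[key] = pseudonym(value, salt)
                report.append(f"pseudonymised {child}")
                continue
            out[key] = _walk(value, salt, child, report)
        return out
    if isinstance(node, list):
        return [_walk(item, salt, f"{path}[{i}]", report) for i, item in enumerate(node)]
    return node


def redact_scan(scan, salt):
    """Return (redacted copy, list of actions taken); the input is not modified."""
    report = []
    return _walk(scan, salt, "", report), report


def find_leftovers(scan, plaintext_values):
    """Values from the original that still appear anywhere in the redacted file."""
    serialised = json.dumps(scan)
    return [v for v in plaintext_values if v in serialised]


# Constructed sample scan (not real agent output).
SAMPLE_SCAN = {
    "broker": {"name": "prod-broker-1", "hostname": "broker.example.internal"},
    "queues": [{"name": "orders.q", "owner": "orders-svc", "accessType": "exclusive"}],
    "clientUsernames": [{"clientUsername": "orders-svc", "enabled": True}],
    "aclProfiles": [{"name": "orders-acl", "clientConnectDefaultAction": "allow"}],
    "authenticationConfiguration": {"ldapServer": "ldap://ldap.example.internal"},
}

if __name__ == "__main__":
    redacted, actions = redact_scan(SAMPLE_SCAN, salt="rotate-me-per-upload")
    leftovers = find_leftovers(
        redacted, ["orders-svc", "broker.example.internal", "ldap.example.internal"]
    )
    print("\n".join(actions))
    print(json.dumps(redacted, indent=2))
    if leftovers:
        raise SystemExit(f"refusing to write: plaintext still present: {leftovers}")
```

Keep the salt out of the uploaded file and treat it as a secret: anyone who has it and the list of real usernames can confirm which pseudonym belongs to which user. The leftover check is deliberately a substring search over the serialised document, so a sensitive value that appears under an unexpected key (a description field, a free-text comment) still blocks the upload.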

Information Exchanged Between the Home Cloud and the Event Management Agent

The Event Management Agent authenticates with the Solace Home Cloud using basic authentication, allowing it to connect securely to the Home Cloud, where Event Portal is located, to exchange information. The Event Management Agent always initiates the connection to the Home Cloud; the Home Cloud never initiates a connection to the agent.

The Event Management Agent never transmits messaging data or any personal account information and never exchanges any access keys or credential information of any user. It sends only control plane (management) information to the Home Cloud.

The Event Management Agent receives management data, consisting of configuration information for event brokers that the Event Management Agent has a connection to, and shares only metadata related to pushing application configurations to an event broker, running discovery scans on event brokers, and updating cloud-managed Event Management Agents.

The information exchanged between the Home Cloud and the Event Management Agent includes:

Event brokers

The metadata required to push application configurations to an event broker, run discovery scans on event brokers, and update cloud-managed Event Management Agents. This includes response codes and status information for Home Cloud initiated actions (configuration push, discovery scans, etc.), and confirmation that the actions completed as intended.

If the Event Management Agent runs a discovery scan, it returns event broker resource metadata to the Home Cloud, including:

  • For Solace event brokers—queue names, queue configurations, topic subscriptions, ACL profiles, client profiles, client usernames, and authentication configurations

  • For Kafka event brokers—topic names and configurations, consumer group IDs and states, Kafka cluster and event broker configurations, ACL rules (principals, resources, permissions), producer state, and schema registry schemas

Heartbeats

Heartbeat messages to indicate that the Event Management Agent is running and connected to the Home Cloud.

Response codes and status

For Home Cloud initiated actions (configuration push, discovery scans, etc.), confirmations that the actions completed as intended are collected.

Commands

Commands from the Home Cloud to push application configuration to an event broker, run discovery scans on event brokers, and update cloud-managed Event Management Agents.

Diagnostic information

The Event Management Agent collects and shares diagnostic information to assist with troubleshooting. No personal information is collected as part of the diagnostic information.

For more detailed information about the data exchanged between the Event Management Agent and the Home Cloud, contact Solace.