Client Application Connectivity and Security

Two types of client applications connect to PubSub+ Cloud:

Client Applications for Messaging use the messaging infrastructure of the event broker services.
Protocol and Port Client Applications for Management perform management of event broker services (creation and configuration).

Client Applications for Messaging

Client applications connect to event broker services to publish and subscribe to messaging and events. To connect, client applications must authenticate and be authorized for each event broker service.

Client applications connect to event broker services using a hostname with a protocol and port, and Solace client APIs or Open APIs. Depending on the connectivity model, you may need to consider which APIs and protocols to use with your event broker services. The APIs do not provide a mechanism for client applications to access the host or instances; only the messaging functionality of the event broker service is available. There is no direct access to the compute instances on deployments for client applications.

To access event broker services, client applications must be authenticated. The default authentication scheme uses basic authentication. An event broker service can be configured to use multiple authentication schemes. The authentication mechanism for an event broker service can be as basic as an internal database configured with generated usernames and passwords (basic authentication), or a more robust mechanism using LDAP, Kerberos, Client Certificates, or a Certificate Authority.

Connectivity Models for Messaging Client Applications

Messaging Connectivity refers to the way messaging clients access the event broker services. A messaging client can connect in three ways: via the public internet, via private IP addresses, or via a hybrid of both.

Public Internet: Messaging clients connect to the event broker service endpoints over the public internet.
Private IP Addresses: Messaging clients connect to the event broker service endpoints via private routes inside the customer's network.
Hybrid: Messaging clients in internal networks and in the customer's cloud networks connect via network peering.

For more information, see the PubSub+ Cloud Connectivity Requirements.

Protocol and Port Access for Client Application Connections to Event Broker Services

Client applications connect to event broker services via a hostname and port. The hostname for an event broker service is a unique, generated hostname. Alternatively, you can configure a custom hostname. For more information, see Configuring Custom Hostnames for an Event Broker Service.

For clients to access event broker services, the ports must be open on the network where the deployment is and enabled on the event broker service. For more information, see Changing the Port Configuration for Event Broker Services.

After client applications connect to an event broker service using the available protocol and port, they must authenticate and be authorized to use the event broker service for Messaging Connectivity and Management Connectivity. For more information, see Client Applications for Messaging.

Default Port and Protocol Configuration for Messaging Connectivity

The following table lists the protocol ports, indicates whether the port is enabled by default when a event broker service is created, the protocol used for Messaging Connectivity (Data traffic).

Port for Each Protocol	Enabled by Default for an Event Broker Service	Protocol and Description
443	Yes	Secured Web Transport TLS/SSL
5671	Yes	Secured AMQP
8443	Yes	WebSocket Secured MQTT
8883	Yes	Secured MQTT TLS/SSL
9443	Yes	Secured REST TLS / SSL
55443	Yes	Secured SMF TLS/ SSL (without compression)
80	No	Web Transport
1883	No	MQTT (plain-text)
5672	No	AMQP (plain-text)
8000	No	MQTT / WebSockets (plain-text)
9000	No	REST (plain-text)
55003	No	SMF-compressed
55555	No	Solace Message Format (SMF) - plaintext

For more information about the default event broker service port configurations, see Load Balancer Rules Per Service (Default Protocols and Port Configuration).

Using Messaging APIs with Client Applications

Client applications use PubSub+ Messaging APIs and open API protocols to publish and subscribe to event broker services. All APIs use a protocol connect to event broker services. The protocols permitted and the access details are configurable for each event broker service. The ability to configure each event broker service gives you fine-grained control to manage what protocols, ports, and APIs can be used to connect to your event broker services.

The supported protocols are as follows:

Solace Messaging — Solace client libraries communicate over proprietary Solace Message Format (SMF) protocol over TCP. The client libraries available are:
- PubSub+ Messaging API for C
- PubSub+ Messaging API for .NET
- PubSub+ Messaging API for Java
- PubSub+ Messaging API for JCSMP
- PubSub+ Messaging API for Java RTO
- Spring Boot JMS API
- Spring Boot Java API
- Spring Cloud Stream
Solace Web Messaging — Solace client libraries communicate over proprietary Solace Message Format (SMF) protocol over Web sockets or HTTP. The client libraries available are:

PubSub+ Messaging API for Go
PubSub+ Messaging API for Javascript
PubSub+ Messaging API for Node.js
PubSub+ Messaging API for Python

AMQP — Open APIs that use the AMQP protocol.
MQTT — Use open APIs that use the MQTT protocol.
REST — Use the REST protocol to exchange messages with event broker services.

For more information, see Developing Applications with PubSub+ Cloud.

Authentication and Authorization for Messaging Clients

For production usage, Solace recommends that client applications connect to the event broker services to access message data using the available authentication and authorization models that pertain to your organization's security requirements.

The following are considerations for the authentication and authorization for messaging clients that you may want to implement as well.

For authentication:

When an event broker service is created, by default, the username of solace-cloud-client and a unique password is generated for the supported protocols that were enabled at creation time. These usernames and passwords are stored on an internal database on the event broker service for ease of use and integration for basic authentication for development.

The usernames and passwords used for each protocol are available on the Status tab in Mission Control for each event broker service for basic authentication. In production environments, we recommend that you use a more robust authentication scheme rather than the basic authentication with an internal database. Specifically, we recommend that client applications connect to the event broker services to access message data using the same security requirements for authentication as your environment.

Client applications connect to event broker services using secure, encrypted communication. Like users, applications are authenticated and can use basic authentication, LDAP-based authentication, client certificate authentication, OAuth Provider authentication, and authentication using a certificate from a certificate authority.

The authentication mechanism is configurable on a per event broker service level, which means that it is possible to have multiple event broker services running on the same deployment (data center) with non-homogenous authentication schemes. For example, you could use LDAP authentication for one service and OAuth for another service. For more information about configuring authentication for an event broker service, see Configuring Authentication to Event Broker Services.

For authorization:

After (or in conjunction with) authentication, the client application must be authorized to access the system's data and resources. We recommend that in production that you configure your event broker services to handle different authorization levels that include:
- ability or authorization connections
- to consume resources
- to send and receive data

Each event broker service that is created is configured with a client profile called default. The default client profile has common settings that lets you bring up a service quickly and to start using your event broker services quickly. We recommend for production that you minimize the authorizations allowed for default and create and configure client profiles to align with your security requirements.

Authorization for various features and of subscribed data are performed using client profiles. Different client profiles can be used on the same event broker service to define a set of client behaviors or capabilities to be used by different client applications. For more information, see Using Client Profiles and Client Usernames.

Protocol and Port Client Applications for Management

Client applications can be created that issue high-level commands to create, manage, update, and edit event broker services in your deployment using the PubSub+ Cloud REST APIs. Alternatively, you can also create applications that use SEMPv2 calls to connect directly to your event brokers or CLI commands.

Default Protocol and Port Configuration for Management Connectivity

The following table lists the protocol ports, indicates whether the port is enabled by default when a event broker service is created, the protocol used for Management Connectivity (management traffic).

Port for Each Protocol	Enabled by Default for an Event Broker Service	Protocol and Description
8080	Yes/No (See note)	SEMP (plain-text) This port is disabled by default on event broker services created after December 2020.
22	Yes	Secured Shell
943	Yes	SEMP over TLS

Port for Each Protocol

Enabled by Default for an Event Broker Service

Protocol and Description

8080

Yes/No (See note)

SEMP (plain-text)

This port is disabled by default on event broker services created after December 2020.

Yes

Secured Shell

943

Yes

SEMP over TLS

Using PubSub+ Cloud REST APIs for Integration and Management

Applications can manage event broker services, users, and perform various configuration and management tasks using REST APIs. Applications that connect to PubSub+ Cloud are authenticated and authorized using an API token. API tokens are issued per account. For more information, see Understanding Authentication When Using the REST API.

Client applications that issue management commands do not connect directly to event broker services, but instead communicate with PubSub+ Home Cloud through a set of secure PubSub+ Cloud REST APIs. Operations performed by these REST APIs are high-level operations. These client applications connect from the public Internet to the Home Cloud. For more information about the PubSub+ Cloud REST APIs, see Using the PubSub+ Cloud REST APIs.

Solace reserves the right to adjust the rate limits at any time to ensure a high quality service for all users of our platform. If you are subjected to rate limiting, reduce your request rate. For more information, see API Rate Limiting.

Using SEMP APIs for Management

You can also use also use the Solace Element Management Protocol (SEMP) APIs to configure, monitor, and manage event broker services. Applications that use SEMP authenticate and are authorized in the same manner as client applications for messaging. For more information, see Authentication and Authorization for Messaging Clients.

For deployments to Dedicated Regions (that use only private IP addresses for connectivity) or Customer-Controlled Regions, the client applications must connect directly to the event broker service and therefore must be co-located in the same private region (or private network) to ensure they are secure. For more information, see SEMP.

Considerations for Client Applications for Management

These are the considerations for client applications to authenticate and be authorized to manage event broker services for an account.

For client applications that use PubSub+ Cloud REST APIs:

Solace recommends that the minimum permissions be assigned to an API token for accounts that are in production.
Solace recommends that API tokens be regenerated and reassigned according to the security policies for your organization.
The API tokens utilize keys cannot be regenerated. Any storage of that key should be protected using the same security policies followed by your organization.

For client applications that use SEMP APIs:

Solace recommends that you configure the client with minimum required permissions to perform the required operations.
For event broker services in a private network, use VPC/VNet peering when the client applications reside in a separate region.
Consider using more robust authentication and authorization schemes than the default basic authentication.
Consider a custom client profile for use with management applications that use SEMP with a minimal set of capabilities.

Provide feedback