Installing and Synchronizing Client Certificates for High-Availability Event Broker Service in Bridges

You can install client certificates on high-availability event broker services in Message VPN and DMR bridges for added security. Event broker services with a client certificate in a bridge require other event broker services to authenticate. This can cause problems in a high-availability event broker service because both nodes must have the same synchronized client certificate. If a node becomes active and it does not have a client certificate, or the certificate is out of sync, it may not authenticate with other event broker services in the bridge. You can use the Broker Manager to install client certificates on both nodes of an event broker service in a bridge. You can also use the Broker Manager to synchronize client certificates installed on the nodes of an event broker service in a bridge and, if necessary, to replicate a client certificate from one node of an event broker service to the other node.

Considerations for Installing or Synchronizing Client Certificates on Event Broker Service Nodes

Consider the following when installing or synchronizing client certificates on the nodes of event broker services:

  • The event broker service must be version 10.5.1 or later.

  • To enable this feature on an event broker service during an upgrade to 10.5.1, contact Solace. A short downtime, similar to that of upscaling an event broker service, may be required during the upgrade process.

  • The event broker service must be in a Static (Message VPN) or DMR bridge.

  • When installing a client certificate on event broker services in a bridge, you must have a client certificate already created. If you do not have a client certificate, see Create an Internal Certificate Authority for information on how to create one.

Installing a Client Certificate on Both Nodes in a High Availability Event Broker Service in a Bridge

  1. Log in to the PubSub+ Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your authentication scheme. For more information, see Logging into the PubSub+ Cloud Console.
  2. Select Cluster Manager on the navigation bar.
  3. Select the event broker service.
  4. Click PubSub+ Broker Manager.

  5. In Broker Manager, click Bridges in the navigation bar and select the bridge with the event broker service you want to install client certificates on.
  6. Click Synchronize Certificates.

    The Synchronize Client Certificates page opens. When no client certificate is installed on any node of the event broker service, only the Enter New Certificate button is available.

  7. Click Enter New Certificate.

    The Configure Certificate window opens.

  8. Enter your client certificate into the Content field and enter a password if required, then click Apply.

Synchronizing Client Certificates on Nodes in an Event Broker Service in a Bridge

  1. Log in to the PubSub+ Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your authentication scheme. For more information, see Logging into the PubSub+ Cloud Console.
  2. Select Cluster Manager on the navigation bar.
  3. Select the event broker service.
  4. Click PubSub+ Broker Manager.

  5. In Broker Manager, click Bridges in the navigation bar and select the bridge with the event broker service whose client certificate synchronization you want to check.
  6. Click Synchronize Certificates.

  7. The Synchronize Client Certificates page shows whether the client certificates are installed and whether they are synchronized. If a node does not have a certificate installed, either the Synchronize Primary to Backup or Synchronize Backup to Primary option will be available, depending on which node is missing the certificate.

  8. Click the available button to copy the certificate to the broker that is not synchronized.

    A Configure Certificate window opens, confirming that you want to update the certificate.

  9. Click Configure Certificate.

    The certificate copies and the Synchronize Client Certificates page refreshes, showing the same client certificate on each node. When synchronized, both Synchronize Primary to Backup and Synchronize Backup to Primary are disabled.
    You can confirm the client certificates are identical by comparing the Thumbprint of both nodes.
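The Thumbprint comparison can also be tied back to the certificate you intended to install. The following is an added example, not part of the Solace documentation or tooling: it hashes the first certificate in the PEM content you pasted and checks it against the Thumbprint shown for each node. This page does not state which hash the Thumbprint uses, so the script tries SHA-1 and SHA-256; the function names and the assumption that the client certificate is the first CERTIFICATE block are hypothetical.

```python
import base64
import hashlib
import re

# Matches one PEM certificate block; private-key blocks are not matched.
_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)

def leaf_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM bundle.

    Key blocks, later chain certificates, CRLF line endings and stray
    whitespace do not affect the result. Assumption: the client (leaf)
    certificate is the first CERTIFICATE block in the bundle.
    """
    match = _CERT_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM content")
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def thumbprints(pem_text):
    """Hex digests of the DER bytes (the bytes are hashed, not parsed)."""
    der = leaf_der(pem_text)
    return {alg: hashlib.new(alg, der).hexdigest() for alg in ("sha1", "sha256")}

def normalize(displayed):
    """Drop separators and case so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    return re.sub(r"[\s:\-]", "", displayed).lower()

def matching_algorithm(pem_text, displayed):
    """Return the algorithm whose digest equals the displayed value, or None."""
    shown = normalize(displayed)
    for alg, digest in thumbprints(pem_text).items():
        if digest == shown:
            return alg
    return None

def check_nodes(pem_text, primary_shown, backup_shown):
    """Map each node to the algorithm its Thumbprint matched, or None."""
    return {
        "primary": matching_algorithm(pem_text, primary_shown),
        "backup": matching_algorithm(pem_text, backup_shown),
    }
```

A node that maps to `None` is showing a Thumbprint that does not belong to the certificate you supplied, even if the two nodes match each other.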