Configuring Authentication to Event Broker Services

PubSub+ Cloud enables you to configure authentication to event broker services for both messaging access and management access.

For messaging access you can allow applications and microservices to authenticate with event broker services using the methods described under Configuring Authentication for Messaging Clients.

For management access you can allow users to authenticate with event broker services using the methods described under Configuring Authentication for Management Access.

Management access to event broker services using single sign-on (SSO) is configured separately. For more information, see Configuring Single Sign-On for Event Broker Services.

Configuring Authentication for Messaging Clients

The following tasks help you configure authentication for applications and microservices to connect with event broker services. In some cases, the steps to configure client authentication for messaging differ between event broker service versions earlier than 10.10 and version 10.10 and later. These tasks include steps for both versions.

We recommend keeping basic authentication enabled if you enable additional authentication types. If you disable basic authentication, your event broker service could become accessible to anyone.

Configuring Basic Authentication

Basic authentication is the default client authentication scheme for PubSub+ Cloud event broker services. You can use basic authentication with an internal database or LDAP server. To use LDAP authentication, an LDAP profile must be configured in Cluster Manager.

To view or manage basic authentication settings, perform these steps:

  1. Log in to the PubSub+ Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your authentication scheme. For more information, see Logging In to the PubSub+ Cloud Console.
  2. On the navigation bar, select Cluster Manager.
  3. Select the event broker service that you want to configure. If the event broker service is not listed, make sure you have the right environment selected. For more information, see Selecting Environments.
  4. On the Service Details page, click the Manage tab.
  5. Click the Authentication tile and perform one of the following steps:
  6. If the event broker service is version 10.10 or later:
    1. In the Client Authentication section, click Open Broker Manager.
    2. In Broker Manager, click Edit.
    3. Verify that Basic Authentication is enabled.
    4. In the Type list, set the authentication type to Internal Database or LDAP. RADIUS is not supported in PubSub+ Cloud. If you select LDAP, you must create an LDAP profile in Cluster Manager instead of entering a name for the LDAP profile.
    5. Click Apply.
    6. To return to Cluster Manager, select the Service details | PubSub+ Cloud tab in your web browser.
  7. If the event broker service is earlier than version 10.10:
    1. Verify that Basic Authentication is enabled.
    2. In the Type list, set the authentication type to Internal Database or LDAP. If you select LDAP, you must also configure an LDAP profile.
    3. Click Save.

Configuring an LDAP Profile for Basic Authentication

You can configure basic authentication using an LDAP server. Any event broker service can be linked to an existing LDAP server to authenticate clients. To use LDAP, you must configure an LDAP profile in the Cloud Console and point the event broker service to an existing LDAP server.

To configure the LDAP profile for your event broker service, perform these steps:

  1. In Cluster Manager, select the event broker service that you want to configure.
  2. On the Service Details page, click the Manage tab.
  3. Click the Authentication tile and verify that you have configured basic authentication according to the steps in Configuring Basic Authentication.
  4. Expand the LDAP Profile section.
  5. Enter the appropriate details for the following settings:
    Setting / Description

    Enabled

    Enables the LDAP profile for basic authentication.

    Allow Unauthenticated Authentication

    LDAP supports unauthenticated authentication, which allows all users to pass LDAP server authentication and connect to the event broker service without a password.

    Enabling this option can introduce a significant security risk, so this option is disabled by default.

    When this option is disabled, users who attempt to connect without passwords are rejected immediately by the event broker service without consulting the LDAP server.

    Admin Distinguished Name

    Specifies the LDAP distinguished name for the event broker service to use to authenticate itself to the LDAP server.

    Admin Distinguished Name Password

    Specifies the password to use with the admin distinguished name to bind to the LDAP server.

    Start TLS

    Specifies whether to use StartTLS to secure your LDAP connections. When you use StartTLS, the LDAP host is used for both TLS and non-TLS connections to the LDAP server. If this option is not selected, secure connections to the LDAP server use LDAPS.

    LDAP Servers

    Specify the uniform resource identifier (URI) for up to three LDAP servers. You can specify a domain name or an IP address and port number. If no port number is specified, port 389 is used by default. For example, ldap://192.167.123.4:389 or ldap://ldap.solace.com.

    If Start TLS is enabled, specify the unencrypted port together with the server hostname.

    You must specify at least one LDAP server.

    Base Distinguished Name

    Specifies the base distinguished name of the node of the directory tree to start searches from. For example: ou=software,dc=solacesystems,dc=com.

    Dereferencing Behaviour

    Specifies the dereferencing behavior of directory searches:

    • Always—always dereference aliases (default)
    • Never—never dereference aliases
    • Search—dereference aliases only when searching
    • Base—dereference aliases only when locating the base node

    Filter

    Sets the templated filter to use to locate individual users in the directory service. The default is (cn=$CLIENT_USERNAME) and you can use the following substitution variables in the filter:

    • $CLIENT_USERNAME
    • $VPN_NAME

    Substitution variables are recognized by the event broker and are substituted with the client’s relevant information. Examples of filters using substitution variables include:

    • “(&(cn=$CLIENT_USERNAME)(ou=$VPN_NAME))”
    • “(cn=$CLIENT_USERNAME)”

    When using LDAP to authenticate, the username is substituted for the variable $CLIENT_USERNAME in the filter string.

    Scope

    Specifies the scope of directory searches.

    • Subtree—search the entire subtree directory (default)
    • Base—search only the base node
    • One Level—search only one level deep

    Follow Continuation References

    Enables the following of continuation references returned by the contacted LDAP server. When this option is enabled, if an LDAP search does not fully end on the contacted server, the search for relevant entries may continue on up to ten other servers it references.

    Timeout (Seconds)

    Specifies the amount of time to wait before retrying an authentication or authorization request to an LDAP server.

    Group Membership Secondary Search Enabled

    Enables retrieving an attribute from the user records and then performing a secondary LDAP search using that attribute’s value to retrieve the group list.

    This option is not required when group membership information is stored in the user records, which allows the group list to be retrieved without a secondary search. You can also provide parameters for the secondary search.

    Filter Attribute From Primary Search Base Distinguished Name

    Specifies the attribute retrieved from the primary search when Group Membership Secondary Search Enabled is selected.

    Filter

    Sets the filter to use to locate individual users in the directory service.

    When Group Membership Secondary Search Enabled is selected, the default filter is (member=$ATTRIBUTE_VALUE_FROM_PRIMARY_SEARCH) and you can use the following substitution variables in the filter:

    • $ATTRIBUTE_VALUE_FROM_PRIMARY_SEARCH
    • $CLIENT_USERNAME
    • $VPN_NAME
  6. Click Save.

Configuring Client Certificate Authentication

You can enable client certificate authentication (or mutual TLS) on an event broker service. Before clients can authenticate with an event broker service using certificates, you must also upload the necessary certificate authority (CA) certificates to the event broker service. For more information about uploading certificates, see Managing Domain and Client Certificate Authorities.

To configure client certificate authentication, perform the following steps:

  1. In Cluster Manager, select the event broker service that you want to configure.
  2. On the Service Details page, click the Manage tab.
  3. Click the Authentication tile and perform one of the following steps:
  4. If the event broker service is version 10.10 or later:
    1. In the Client Authentication section, click Open Broker Manager.
    2. In Broker Manager, click Edit .
    3. Click the Client Certificate Authentication toggle to enable it.
    4. Click the Validate Certificate Dates toggle to require event broker services to check the expiry dates of certificates.
    5. If necessary for your implementation, update any of the client certificate settings:
      Setting / Description

      Maximum Chain Depth

      The maximum number of signing CA certificates that can exist in the chain back to a trusted self-signed root CA certificate.

      Allow API Provided Username

      Allows an incoming client connection to use a client username provided by an API instead of the username specified in the Username Source list. Solace recommends against using this option because it can allow an authenticated user to assume any client username rather than restricting that user to a particular client username.

      Username Source

      The field in the client certificate to use as the client username. You can select these options:

      • Certificate Thumbprint—the username is computed as the SHA-1 hash over the entire DER-encoded contents of the client certificate.
      • Common Name—the username is extracted from the certificate's first instance of the CN attribute in the subject distinguished name (DN).
      • Common Name Last—the username is extracted from the certificate's last instance of the CN attribute in the subject DN.
      • Subject Alternate Name—the username is extracted from the otherName entry of the certificate's subject alternative name, which must carry a Microsoft user principal name (UPN).
      • User Identifier—the username is extracted from the certificate's first instance of the user identifier attribute in the subject DN.
      • User Identifier Last—the username is extracted from the certificate's last instance of the user identifier attribute in the subject DN.

      Enable Certificate Matching Rules

      Enables certificate matching rules. When disabled, the event broker service accepts any valid certificate.

      Revocation Check Mode

      Specifies the client certificate revocation checking behavior. You can select these options:

      • Allow All—the result of the client certificate revocation check is ignored. This option allows clients to connect with revoked certificates.
      • Allow Unknown—allows the client to authenticate when the revocation status of its certificate can't be determined.
      • Allow Valid—allows the client to authenticate only when the revocation check returns an explicit positive response.
    6. Click Apply.
    7. To return to Cluster Manager, select the Service details | PubSub+ Cloud tab in your web browser.
  5. If the event broker service is earlier than version 10.10:
    1. Click the Client Certificate Authentication toggle to turn on certificate-based authentication.
    2. Click the Validate Certificate Dates toggle to require event broker services to check the expiry dates of certificates.
    3. In the Username Source list, select the type of username for authentication:
      • Select Common Name to use the Common Name (CN) in the Subject field of your client certificate.
      • Select Subject Alternative Name to use the Microsoft user principal name (msUPN) inside the Subject Alternative Name (SAN) section of your client certificate. The msUPN is typically found in the otherName field of the SAN. The event broker service does not support other SAN identities, such as email addresses, IP addresses, or DNS names.
    4. (Optional) Click Allow API Provided Username to allow authentication using API-provided usernames. This option overrides the username provided in Username Source with the one provided by an API. Solace recommends against using client-provided usernames because they are less secure than those in the Username Source and can allow an authenticated user to assume any client username rather than restricting that user to a particular client username.
    5. Click Save.

Client applications can now authenticate with your event broker service using a valid client certificate. For a tutorial, see Configuring an Event Broker Service to use Client Certificate Authentication.

Controlling When an Event Broker Service Requests a Certificate

When you configure an event broker service to use client certificate authentication, you can configure when it requests the client certificate during the TLS handshake process to secure the communication session. You can also choose settings based on the protocol (REST, MQTT, or web transport) that clients use to connect to the event broker service. For example, you could configure the event broker service to never request a certificate for client applications connecting using web transport, but always request a certificate for clients connecting using MQTT.

To configure when an event broker service requests a certificate from the client application, perform these steps:

  1. In Cluster Manager, select the event broker service that you want to configure.
  2. On the Service Details page, click Open Broker Manager.
  3. On the navigation bar, select Message VPN.
  4. Select the Services tab.
  5. Click Edit.
  6. To control when the event broker service requests a client certificate, set one or more of the following options.
    • In the Web Transport and MQTT sections, set the Authentication Request Client Cert setting.
    • In the REST section, set the Producer Authentication Request Client Cert setting.

    For each setting, select one of these options:

    • Always—always ask for a client certificate.
    • Never—never ask for a client certificate.
    • When Enabled in Message VPN—ask for a client certificate only when client certificate authentication is enabled for clients authenticating to the event broker service. This is the default setting.

When an event broker service has client certificate authentication enabled, it requests client certificates from applications during the TLS handshake. Browser-based clients expecting to use basic authentication (username and password) may experience connectivity issues because some browsers prompt for a client certificate even though it is not required. If you experience this problem, you can set Authentication Request Client Cert to Never or When Enabled in Message VPN to resolve the issue.

Configuring OAuth Provider Authentication

You can configure an event broker service to use an OAuth identity provider to authenticate client applications and IoT devices using the security features provided by OAuth.

For more information, see Configuring an Event Broker Service to Use OAuth Identity Provider Authorization.

Configuring Authentication for Management Access

The following tasks help you configure authentication for users to manage event broker services. The steps differ between event broker services version 10.10 and later and versions earlier than 10.10.1. These tasks include steps for both versions.

Configuring LDAP for Management Access

PubSub+ Cloud administrators can configure LDAP for management access so other users can be authenticated and authorized to log in to an event broker service using their LDAP credentials.

You can also configure LDAP for management access using the REST API. For more information, see Managing Authentication with the PubSub+ Cloud REST API.

To configure LDAP for management access, perform the following steps:

  1. Log in to the PubSub+ Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your authentication scheme. For more information, see Logging In to the PubSub+ Cloud Console.
  2. On the navigation bar, select Cluster Manager.
  3. Select the event broker service that you want to configure. If the event broker service is not listed, make sure you have the right environment selected. For more information, see Selecting Environments.
  4. On the Service Details page, click the Manage tab.
  5. Click Advanced Options.
  6. Navigate to the LDAP for Management Access section.
  7. Click Configure Settings to create an LDAP profile.
  8. Enter the appropriate details for the following LDAP profile settings:
    Configuration / Description

    Allow Unauthenticated Authentication

    LDAP supports unauthenticated authentication, which allows all clients to pass LDAP server authentication and connect to the event broker service without a password.

    Enabling this option can introduce a significant security risk, so this option is disabled by default.

    When this option is disabled, users who attempt to connect without passwords are rejected immediately by the event broker service without consulting the LDAP server.

    Admin Distinguished Name

    Specifies the LDAP distinguished name for the event broker service to use to authenticate itself to the LDAP server.

    Admin Distinguished Name Password

    Specifies the password to use with the admin distinguished name to bind to the LDAP server.

    Start TLS

    Specifies whether to use StartTLS to secure your LDAP connections. When you use StartTLS, the LDAP host is used for both TLS and non-TLS connections to the LDAP server. If this option is not selected, secure connections to the LDAP server use LDAPS.

    LDAP Servers

    Specify the uniform resource identifier (URI) for up to three LDAP servers. You can specify a domain name or an IP address and port number. If no port number is specified, port 389 is used by default. For example, ldap://192.167.123.4:389 or ldap://ldap.solace.com.

    If Start TLS is enabled, specify the unencrypted port together with the server hostname.

    You must specify at least one LDAP server.

    Group Membership Secondary Search Enabled

    Enables retrieving an attribute from the user records and then performing a secondary LDAP search using that attribute’s value to retrieve the group list.

    This option is not required when group membership information is stored in the user records, which allows the group list to be retrieved without a secondary search.

    Base Distinguished Name

    Specifies the base distinguished name of the node of the directory tree to start searches from. For example: ou=software,dc=solacesystems,dc=com.

    You must enter a value in this field.

    Filter Attribute From Primary Search Base Distinguished Name

    Specifies the attribute retrieved from the primary search when Group Membership Secondary Search Enabled is selected.

    Dereferencing Behaviour

    Specifies the dereferencing behavior of directory searches.

    • Always—always dereference aliases (default).
    • Never—never dereference aliases.
    • Search—dereference aliases only when searching.
    • Base—dereference aliases only when locating the base node.

    Filter

    Sets the filter to use to locate individual users in the directory service.

    If Group Membership Secondary Search Enabled is not selected, the default is (cn=$CLIENT_USERNAME) and you can use the following substitution variables in the filter:

    • $CLIENT_USERNAME
    • $VPN_NAME

    Substitution variables are recognized by the event broker and are substituted with the client’s relevant information. Examples of filters using substitution variables include:

    • “(&(cn=$CLIENT_USERNAME)(ou=$VPN_NAME))”
    • “(cn=$CLIENT_USERNAME)”

    If Group Membership Secondary Search Enabled is selected, the default is (member=$ATTRIBUTE_VALUE_FROM_PRIMARY_SEARCH) and you can use the following substitution variables in the filter:

    • $ATTRIBUTE_VALUE_FROM_PRIMARY_SEARCH
    • $CLIENT_USERNAME
    • $VPN_NAME

    Scope

    Specifies the scope of directory searches.

    • Subtree—search the entire subtree directory (default).
    • Base—search only the base node.
    • One Level—search only one level deep.

    Follow Continuation References

    Enables the following of continuation references returned by the contacted LDAP server. When this option is enabled, if an LDAP search does not fully end on the contacted server, the search for relevant entries may continue on up to ten other servers it references.

    Timeout (Seconds)

    The amount of time to wait before retrying an authentication or authorization request to an LDAP server.

  9. Click Save.
  10. Expand the Configure LDAP Management Access section to view the configuration options. To set the configuration options, the LDAP profile must include at least one LDAP Server and the Base Distinguished Name.
  11. Enter the LDAP Group Membership Attribute Name value to use to look for matching groups.
  12. You can provide Mission Control Manager, Mission Control Editor, or Mission Control Viewer access to the members of an LDAP group. Mission Control Manager access is available only for event broker service versions 10.10 and later. For more information about role access, see Mission Control Roles and Permissions. To provide management access to an LDAP group, perform these steps:
    1. Beside Mission Control Manager, Mission Control Editor, or Mission Control Viewer, click Add Group.
    2. In the field that appears, enter the LDAP group information.
    3. Click Add.
  13. Select the Enable LDAP for Management Access checkbox.
  14. Click Save.

Users can now log in to the event broker service using their LDAP credentials.
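The filter substitution and the Group Membership Secondary Search described in both LDAP profile tables (for basic authentication above and for management access here), modelled as a small Python example. This is added illustration, not PubSub+ Cloud code; the in-memory directory, the profile dictionary and its key names, and the choice to escape substituted values per RFC 4515 are assumptions of the example rather than behaviour this page documents.

```python
"""Filter substitution and Group Membership Secondary Search from the LDAP profile tables, modelled in
Python. Added example, not PubSub+ Cloud code; directory, profile dictionary and key names are constructed."""
import re
# This example escapes substituted values per RFC 4515, so a username containing
# '*', '(' or ')' cannot change the shape of the filter it is inserted into.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def render_filter(template: str, **variables: str) -> str:
    """Replace $CLIENT_USERNAME-style tokens with escaped values (unknown token -> KeyError)."""
    return re.sub(r"\$([A-Z_]+)", lambda m: "".join(_ESC.get(c, c) for c in variables[m.group(1)]), template)

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _parse(f: str, i: int = 0):
    """Tiny RFC 4515 subset: (attr=value), (attr=*) presence test and (&...) conjunction."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if f[i + 1] == "&":
        kids, i = [], i + 2
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        return ("and", kids), i + 1
    j = f.index(")", i)
    attr, _, raw = f[i + 1:j].partition("=")
    return (("present", attr.lower()) if raw == "*" else ("eq", attr.lower(), _unescape(raw))), j + 1

def _matches(node, entry: dict) -> bool:
    if node[0] == "and":
        return all(_matches(k, entry) for k in node[1])
    values = entry.get(node[1], [])
    return bool(values) if node[0] == "present" else node[2] in values

def search(directory: list, base_dn: str, filt: str) -> list:
    node, _ = _parse(filt)  # subtree search: entries at or under base_dn that match
    return [e for e in directory if e["dn"][0].lower().endswith(base_dn.lower()) and _matches(node, e)]

def lookup_groups(directory: list, profile: dict, username: str, vpn: str, password: str):
    """Group list for a client, or None when the client is rejected."""
    if not password and not profile["allow_unauthenticated"]:
        return None  # Allow Unauthenticated Authentication off: rejected before any LDAP call
    primary = render_filter(profile["filter"], CLIENT_USERNAME=username, VPN_NAME=vpn)
    users = search(directory, profile["base_dn"], primary)
    if len(users) != 1:  # no record, or an ambiguous one
        return None
    user = users[0]
    if not profile["secondary_search"]:  # group list stored on the user record itself
        return user.get(profile["group_attribute"], [])
    value = user[profile["primary_attribute"]][0]  # Filter Attribute From Primary Search
    secondary = render_filter(profile["secondary_filter"], ATTRIBUTE_VALUE_FROM_PRIMARY_SEARCH=value,
                              CLIENT_USERNAME=username, VPN_NAME=vpn)
    return [g["dn"][0] for g in search(directory, profile["base_dn"], secondary)]

# Constructed directory: two users and two groups under a base DN shaped like the page's example.
DIRECTORY = [
    {"dn": ["cn=alice,ou=software,dc=example,dc=com"], "cn": ["alice"], "ou": ["software", "vpn-prod"]},
    {"dn": ["cn=bob,ou=software,dc=example,dc=com"], "cn": ["bob"], "ou": ["software"],
     "memberof": ["cn=publishers,ou=software,dc=example,dc=com"]},
    {"dn": ["cn=publishers,ou=software,dc=example,dc=com"], "cn": ["publishers"],
     "member": ["cn=alice,ou=software,dc=example,dc=com", "cn=bob,ou=software,dc=example,dc=com"]},
    {"dn": ["cn=admins,ou=software,dc=example,dc=com"], "cn": ["admins"],
     "member": ["cn=alice,ou=software,dc=example,dc=com"]},
]
PROFILE = {  # constructed profile built around the page's two-variable filter example
    "allow_unauthenticated": False, "base_dn": "ou=software,dc=example,dc=com",
    "filter": "(&(cn=$CLIENT_USERNAME)(ou=$VPN_NAME))", "secondary_search": True,
    "primary_attribute": "dn", "secondary_filter": "(member=$ATTRIBUTE_VALUE_FROM_PRIMARY_SEARCH)",
    "group_attribute": "memberof",
}
```

With `secondary_search` set to False the group list is read straight from the user record's `memberof` attribute, which is the case the tables describe as not needing a secondary search.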

Configuring OAuth Profiles on Event Broker Services for Direct User and Machine Authentication

You can configure OAuth profiles directly on event broker services to authenticate users and machines connecting directly to your event broker services by mapping custom roles in your OAuth provider account to PubSub+ Cloud roles.

For more information, see Configuring OAuth Profiles for Management Access to Event Broker Services.

Configuring User Access to Event Broker Services with Role-Based Access Control

You can configure user access to event broker services on a per-service basis using role-based access control (RBAC). RBAC is implemented using the Mission Control User role. The Mission Control User role provides limited access to event broker services. The access can be increased by assigning additional permissions to the Mission Control User.

For more information, see Configuring User Access to Event Broker Services.