Client Username Configuration

A client is only authorized to connect to a Message VPN that is associated with a client username that that client has been assigned. When a client username is created in a Message VPN, itʼs associated with that particular Message VPN.

Client access to the resources and messaging capabilities on an event broker is facilitated through the client username accounts that are provisioned on the event broker. When clients are authenticated, they are provided with the predefined configurations that are associated with those client usernames.

To create a client username account, enter the following command:

solace(configure)# create client-username <username> message-vpn <vpn-name>

To edit an existing client username account, enter the following command:

solace(configure)# client-username <username> message-vpn <vpn-name>

To delete an existing client username account, enter the following command:

solace(configure)# no client-username <username> message-vpn <vpn-name>

Where:

<username> is the username of the client username account. If the client username account does not already exist, it is created.

The username must be unique among all created client usernames within its local Message VPN. A username can contain up to 189 printable ASCII characters (that is, characters in the range 0x20 – 0x7e) are permitted. Usernames are case-sensitive. Note that the characters “?” and “*” are not permitted, because they are used in some Solace CLI commands (for example, show commands).

<vpn-name> is the name of an existing Message VPN that the client username is in.

You can perform the following configuration tasks for a given client username:

Assigning ACL Profiles

To assign an existing Access Control List (ACL) profile to a client username account, enter the following commands:

solace(configure)# client-username <username> message-vpn <vpn-name>
solace(configure/client-username)# acl-profile <name>

Where:

<name> is the name of an existing ACL profile within the given Message VPN

The no version of this command, no acl-profile, resets the assigned ACL profile back to the default ACL profile named default.

For information on ACL profiles, refer to ACL Configuration.

Assigning Client Profiles

To assign an existing client profile to a client username account, enter the following commands:

solace(configure)# client-username <username> message-vpn <vpn-name>
solace(configure/client-username)# client-profile <name>

Where:

<name> is the name of an existing client profile within the given Message VPN

The no version of this command, no client-profile, resets the assigned client profile back to the default client profile named default.

For information on creating and configuring client profiles, refer to Configuring Client Profiles.

Configuring Subscription Managers

Clients that are configured as Subscription Managers can add or remove subscriptions for direct messaging on behalf of other clients within the Message VPN.

To configure clients using the given client username the ability to act as Subscription Managers within the given Message VPN, enter the following commands:

solace(configure)# client-username <username> message-vpn <vpn-name>
solace(configure/client-username)# subscription-manager

The no version of this command, no subscription-manager, disables Subscription Manager capability for the given client username.

Clients configured as Subscription Managers are subject to the rules in the ACL profile associated with their client username. This may limit the subscriptions they can add on behalf of other clients.

Enabling Endpoint Permission Overrides

This command enables endpoint permission override for a client username account. When enabled, all endpoints may be accessed, modified, or deleted with the same permission as the owner. (The only exception to this permission override is that endpoints provisioned by a CLI user can still only be deleted by that CLI user (that is, the owner)).

Endpoint permission override is disabled by default.

To enable endpoint permission override for the given client username account, enter the following commands:

solace(configure)# client-username <username> message-vpn <vpn-name>
solace(configure/client-username)# guaranteed-endpoint-permission-override

The no version of this command, no guaranteed-endpoint-permission-override, disables endpoint permission override for a client username account.

Enabling/Disabling Client Username Accounts

To enable a client username account, enter the following commands:

solace(configure)# client-username <username> message-vpn <vpn-name>
solace(configure/client-username)# no shutdown

To disable a client username account, enter the following commands:

solace(configure)# client-username <username> message-vpn <vpn-name>
solace(configure/client-username)# shutdown

By default, when you create a new client username account, it is automatically enabled. Likewise, the client username account named default is not enabled.

Setting Client Username Passwords

By default, no password is set for a client username. To set a password for the given client username account, which is then used to authenticate the client username account when internal authentication is the provisioned method of user authentication on the event broker, enter the following commands:

solace(configure)# client-username <username> message-vpn <vpn-name>
solace(configure/client-username)# password <password>

Where:

<password> is the password for the specified client username account. Passwords can contain from 1 to 128 non-null characters. Passwords cannot contain the following characters: :()";'<>,`\&|

The no version of this command, no password, removes any password set for the client username account.

  • The password is encrypted by one-way encryption before being stored in the event broker database. If internal authentication is enabled, but no password is assigned to a given client username, then authentication fails for that client.
  • Changing the password for a client username has no effect on connections which have already been authenticated with the event broker using the old password.
  • The password is displayed on the screen as it is being typed (so that the operator can verify the password is correct), but it is not displayed in any show User EXEC command display outputs.

Setting Client Username Attributes

A client username attribute is a key-value pair that can be used to locate a client username, for example when using client certificate to Message VPN matching. For more information, see Configuring Client Certificate to Message VPN Matching.

There are fewer client username attribute objects on the broker than there are client username objects. Therefore you must be judicious about the number of attributes you create. For more information, see the System Limits and Alerts spreadsheet (available from the Solace Products site for Appliance and PubSub+ Enterprise customers).

To create a client username attribute, enter the following commands:

solace(configure)# client-username <username> message-vpn <vpn-name>
solace(configure/client-username)# create attribute <name> <value>

Where:

<name> is the name of the attribute (of up to 64 characters).

<value> is the value of the attribute (of up to 256 characters).

The no version of this command, no attribute <name> <value>, removes the attribute.

The following example sets a client username attribute named ou with a value of Unit1 for client username App1. If an appropriate client certificate matching rule is configured on the event broker, the event broker will compare the organizational unit in the client certificate to make sure it matches Unit1 before the client is permitted to connect to the Message VPN.

solace(configure)# client-username App1 message-vpn vpn1
solace(configure/client-username)# create attribute ou Unit1

If you are using LDAP authorization, username attributes must be configured on the external LDAP server.

Example: Configuring Client Username Accounts

This example shows how to:

  • Create client username accounts (pascal) in separate Message VPNs (blue and red)
  • Create client profiles (Sales_Access) in both Message VPNs
  • Assign those client profiles to the client username accounts
  • Activate the client username accounts for service
  1. Create the Message VPN blue:
    solace> enable
    solace# configure
    solace(configure)# create message-vpn blue
    solace(configure/message-vpn)# exit
  2. Create the Message VPN red:
    solace(configure)# create message-vpn red
    solace(configure/message-vpn)# exit
  3. Create the client username account pascal in Message VPN blue:
    solace(configure)# create client-username pascal message-vpn blue
    solace(configure/client-username)# exit
  4. Create the client username account pascal in Message VPN red:
    solace(configure)# create client-username pascal message-vpn red
    solace(configure/client-username)# exit
  5. Enter the following show command on the client username accounts pascal to confirm their creation:
    solace(configure)# show client-username pascal message-vpn *
  6. Create the client profile Sales_Access in Message VPN blue:
    solace(configure)# create client-profile Sales_Access message-vpn blue
    solace(configure/client-profile)# exit
  7. Create the client profile Sales_Access in Message VPN red:
    solace(configure)# create client-profile Sales_Access message-vpn red
    solace(configure/client-profile)# exit
  8. Enter the following show command on the client profile Sales_Access to confirm its creation and configuration.
    solace(configure)# show client-profile Sales_Access detail
  9. Enter the client-profile Client Username CONFIG command to assign client profile Sales_Access to the client username account pascal in Message VPN blue:
    solace(configure)# client-username pascal message-vpn blue
    solace(configure/client-username)# client-profile Sales_Access
    solace(configure/client-username)# exit
  10. Assign client profile Sales_Access to the client username account pascal in Message VPN red:
    solace(configure)# client-username pascal message-vpn red
    solace(configure/client-username)# client-profile Sales_Access
    solace(configure/client-username)# exit
  11. Enter the following show command to confirm the client username accounts have been assigned to client profile Sales_Access:
    solace(configure)# show client-username pascal detail
  12. Activate the client username account pascal in Message VPN blue for service:
    solace(configure)# client-username pascal message-vpn blue
    solace(configure/client-username)# no shutdown
    solace(configure/client-username)# exit
  13. Activate the client username account pascal in Message VPN red for service:
    solace(configure)# client-username pascal message-vpn red
    solace(configure/client-username)# no shutdown
    solace(configure/client-username)# exit
  14. Enter the following show command to confirm the client username accounts’ activation:
    solace(configure)# show client-username pascal message-vpn *
    Username                        Message VPN                 Enabled # Clients
    ------------------------------- --------------------------- -------  --------
    pascal                          blue                            Yes         0
    pascal                          red                             Yes         0
  15. To activate the Message VPNs blue, red, and default for service, go to CLI Steps to Set Up VPNs With Client Profiles.