Configuring Message VPNs

To create a Message VPN, enter the following CONFIG command:

solace(configure)# create message-vpn <vpn-name>

To edit the properties of an existing Message VPN, enter the following CONFIG command:

solace(configure)# message-vpn <vpn-name>

Where:

<vpn-name> is the name of the Message VPN to be created or edited. The Message VPN name must be unique among all created Message VPNs on the message broker. Message VPN names can contain any characters, except the asterisk (*) or question mark (?).

The no version of this command, no message-vpn <vpn-name>, deletes the specified Message VPN from the message broker (the Message VPN named default, however, cannot be deleted). Before deleting a Message VPN:

  • It must be disabled through the shutdown VPN CONFIG command.
  • No other configured objects can refer to it.

Note
  • When a Message VPN is created, it is not automatically enabled. For information, see Stopping/Starting Message VPNs.
  • The maximum number of Message VPNs that can be configured depends on the type of Solace PubSub+ message broker used. For example, the number of Message VPNs you can provision on a software message broker differs from the number that you can provision on an appliance. Additionally, a Solace PubSub+ 3560 with high-performance NABs and ADBs may support even more Message VPNs.

You can perform the following tasks for a configured Message VPN:

Configuring Accepted Client Authentication Schemes

See Client Authentication Configuration for details on how to configure client authentication schemes for the given Message VPN.

Configuring Bridging Server Certification Validation

See Configuring Server Certificate Validation Settings for details on configuring the actions to take on validating server certificates for Message VPN bridges when using Transport Layer Security (TLS)/ Secure Sockets Layer (SSL) authentication.

Designating Management Message VPNs

System-level syslog events (as opposed to Message VPN scope events) are always published in a Message VPN that has been designated as the Management Message VPN for the message broker. A Solace PubSub+ message broker can only have one of its enabled Message VPNs configured as the Management Message VPN. (If no Management Message VPN is configured, then system-level syslog events are not published on the message broker.)

To designate a Message VPN as the Management Message VPN to use for publishing message bus system-level syslog requests and events, enter the following CONFIG command:

solace(configure)# management-message-vpn <vpn-name>

Where:

<vpn-name> is the name of the Message VPN to be designated as the Management Message VPN.

The no version of this command, no management-message-vpn, deletes the management configuration for the Message VPN.

Note  
  • Message VPN-level events (including client and subscription events) are always published to the message bus in the Message VPN on which the events occurred.
  • The Config-Sync facility does not automatically propagate this setting across replication bridges. Therefore, if you are using the message broker in a replicated site, you must manually designate the Management Message VPN on each mate message broker.

Enabling Logging Events on Management Message VPNs

To turn system-level publishing of syslog events to the message bus on or off on the Management Message VPN, enter the following Global CONFIG level command:

solace(configure)# logging event

The CLI moves to a Logging Event CONFIG level, from which you can do the following:

  • To enable system-level publishing of syslog events to the message bus on the Management Message VPN, enter the following CONFIG command:

    solace(configure/logging/event)# publish-system

  • To disable system-level publishing of syslog events to the message bus on the Management Message VPN, enter the following CONFIG command:

    solace(configure/logging/event)# no publish-system

  • To configure a custom identification tag as a prefix for system-level syslog events, enter the system-tag Logging Event CONFIG command:

    solace(configure/logging/event)# system-tag <tag-string>

    Where:

    <tag-string> is the custom identification tag with no spaces, asterisks (*), question marks (?), or single (') or double (") quotes. It can contain up to 32 alphanumeric characters, and must be unique among all system-level identification tags. The default is empty, that is, no custom identification tag.

    The no version of this command, no system-tag, deletes the custom identification tag from system-level syslog events, and sets the tag string back to default.

Showing Management Message VPN Logging Events

To view the current configuration of system-level publishing of syslog events to the message bus on the Management Message VPN, enter the following User EXEC command:

solace> show logging event

Configuring Maximum Connections

To configure the maximum number of clients that are permitted to simultaneously connect to a given Message VPN through all supported services, enter the following CONFIG command:

solace(configure/message-vpn)# max-connections <value>

Where:

<value> is the integer value specifying the maximum total number of client connections permitted for the Message VPN. This maximum value includes client connections for all supported services. The valid range is from 0 to the maximum total number of clients that can be supported by the type of Solace PubSub+ message broker used.

The no version of this command, no max-connections, resets the maximum number of client connections that are permitted to simultaneously connect with the given Message VPN back to the default value, which is the maximum total number of client connections for all services that the message broker can support.

Note  
  • To view the maximum total number of client connections that the Solace PubSub+ message broker can support, enter the show service User EXEC command.
  • The maximum number of client connections can also be limited on a per-client-profile basis; see Configuring Max Connections Per Username.
  • If you are using the replication facility, and the types of Solace PubSub+ message brokers used at each replication site do not match, you must ensure that the combined maximum number of client connections for all Message VPNs at one replication site does not exceed the combined maximum number of client connections for all Message VPNs at its mate replication site. Consider, for example, a scenario where a Solace PubSub+ 3260 is used at replication Site A and a Solace PubSub+ 3230 that supports a maximum of 6,000 clients is used as its mate at replication Site B. If the Solace PubSub+ 3260 at Site A uses more than 6,000 client connections, it is possible that the Solace PubSub+ 3230 at Site B will be sent more configuration updates than it can handle. Therefore, when Config-Sync is enabled for replication sites that use mismatched message brokers, the configured max-connections value for Replicated Message VPNs and the max-connections-per-client-username values for the client profiles used by each message broker at the replication sites must not exceed the maximum value for the message broker with the lowest range.

Configuring Maximum Subscriptions

You can configure a limit for the maximum number of unique local subscriptions (across both primary and backup VRIDs) that clients can add to a Message VPN.

This limit only applies to unique subscriptions. For example, two clients subscribing to the topic "a/b" will only count as one against this limit. Also note that this limit is not affected by remote subscriptions. Therefore, the total number of unique subscriptions could exceed the maximum permitted number of subscriptions if some of them are remote subscriptions, as shown in the following example:

solace1> show message-vpn default
Message VPN: default
Configuration Status: Enabled
Local Status: Up
Distributed Cache Management: Enabled
Total Local Unique Subscriptions: 6
Total Remote Unique Subscriptions: 5
Total Unique Subscriptions: 11
Maximum Subscriptions: 10

To configure the maximum number of local client subscriptions (across both primary and backup VRIDs) that can be added to the specified Message VPN, enter the following VPN CONFIG command:

solace(configure/message-vpn)# max-subscriptions <value>

Where:

<value> is the integer value specifying the maximum number of local client subscriptions. The valid range is 0 to 4294967295. The default value is 5000000.

The no version of this command, no max-subscriptions, resets the maximum number of local client subscriptions that can be added to the specified Message VPN back to the default value.

Configuring Message VPN Event Generation

To configure the conditions that cause Message VPN-related events to be generated, and to control whether some types of events get published onto the message bus, enter the following CONFIG command:

solace(configure/message-vpn)# event

The CLI is now at the Message VPN Event CONFIG level, from which you can use the CLI to configure the high and low thresholds at which events are generated for the given Message VPN, and enable the publishing of events to the message bus for Message VPNs. For more information, see Configuring Event Outputs and Thresholds.

Configuring Replication

By default, the use of the replication feature is not enabled for a Message VPN. To use the replication feature, a replication mate and interface must first be set at the system level, and then replication settings can be configured at the Message VPN level.

For information on how to configure Solace PubSub+ for replication, see Data Center Replication Implementation. For information on the Message VPN-specific replication parameters, see Configuring VPN-Level Replication Settings.

Configuring SEMP Over Message Bus

The legacy Solace Element Management Protocol (SEMP) Request Over Message Bus feature can be enabled for a Message VPN so that clients have access to a limited subset of the message broker management commands for that Message VPN.

For information on using the message broker SEMP Request Over Message Bus service, see Configuring SEMP Over Message Bus Services.

Configuring Services

You can configure the following types of service for a Message VPN:

Configuring SMF Service

To configure the Solace Message Format (SMF) service settings for the given Message VPN, enter the following CONFIG commands:

solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn)# service
solace(configure/message-vpn/service)# smf

The CLI is now at a configuration mode for SMF service from which you can configure the following SMF service parameters for the given Message VPN:

Configuring Max SMF Connections

To configure the maximum number of SMF clients that can be simultaneously connected to the given Message VPN on this message broker, enter the following CONFIG command:

solace(configure/message-vpn/service/smf)# max-connections <value>

Where:

<value> is the maximum number of simultaneous SMF client connections permitted. The valid range depends on the type of Solace PubSub+ message broker (for example, Solace PubSub+ 3530 or 3560) used.

The no version of the command, no max-connections, resets the value to the highest value supported by the message broker.

Note:  To view the maximum total number of Web client connections that the given message broker can support, enter the show service User EXEC command.

Enabling Plain Text Over SMF Service

  • To enable plain-text over SMF service for the Message VPN, enter the following CONFIG command:

    solace(configure/message-vpn/service/smf)# plain-text
    solace(...re/message-vpn/service/smf/plain-text)# no shutdown

    By default, plain-text over SMF service is enabled for a Message VPN.

  • To disable plain-text over SMF service for the Message VPN, enter the following CONFIG command:

    solace(configure/message-vpn/service/smf)# plain-text
    solace(...re/message-vpn/service/smf/plain-text)# shutdown

Enabling TLS/SSL Over SMF Service

  • To enable TLS/SSL over SMF service for the Message VPN, enter the following CONFIG command:

    solace(configure/message-vpn/service/smf)# ssl
    solace(configure/message-vpn/service/smf/ssl)# no shutdown

    By default, TLS/SSL over SMF service is enabled for a Message VPN.

  • To disable TLS/SSL over SMF service for the Message VPN, enter the following command:

    solace(configure/message-vpn/service/smf)# ssl
    solace(configure/message-vpn/service/smf/ssl)# shutdown

Configuring MQTT Service

To configure the Message Queuing Telemetry Transport (MQTT) service settings for the given Message VPN, enter the following CONFIG commands:

solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn)# service
solace(configure/message-vpn/service)# mqtt

The CLI is now at a configuration mode at which you can configure MQTT service parameters. For information, see Managing the MQTT Service.

Configuring REST Service

To configure the REST service settings for the given Message VPN, enter the following CONFIG commands:

solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn)# service
solace(configure/message-vpn/service)# rest

The CLI is now at a configuration mode for REST service for the given Message VPN, from which you can configure REST service parameters. For information, see Managing REST Service.

Configuring Web Transport Service

You can configure the following Web transport service parameters for a given Message VPN:

Configuring Max Web Client Connections

To configure the maximum number of Web clients that can be simultaneously connected to the given Message VPN, enter the following CONFIG commands:

solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn)# service
solace(configure/message-vpn/service)# web-transport
solace(configure/message-vpn/service/web-transport)# max-connections <value>

Where:

<value> is the maximum number of simultaneous Web client connections permitted. The valid range depends on the type of Solace PubSub+ message broker used.

The no version of the command, no max-connections, resets the value to the highest value supported by the message broker.

Note:  To view the maximum total number of Web client connections that the given message broker can support, enter the show service User EXEC command.

Enabling Plain Text Over Web Transport Service

  • To enable plain-text over Web transport service for the Message VPN, enter the following CONFIG commands:

    solace(configure)# message-vpn <vpn-name>
    solace(configure/message-vpn)# service
    solace(configure/message-vpn/service)# web-transport
    solace(...ure/message-vpn/service/web-transport)# plain-text
    solace(...-vpn/service/web-transport/plain-text)# no shutdown

    By default, plain-text over Web transport service is enabled for a Message VPN.

  • To disable plain-text over Web transport service for the Message VPN, enter the following commands:

    solace(configure)# message-vpn <vpn-name>
    solace(configure/message-vpn)# service
    solace(configure/message-vpn/service)# web-transport
    solace(...ure/message-vpn/service/web-transport)# plain-text
    solace(...-vpn/service/web-transport/plain-text)# shutdown

Enabling SSL Over Web Transport Service

  • To enable TLS/SSL over Web service for the Message VPN, enter the following CONFIG commands:

    solace(configure)# message-vpn <vpn-name>
    solace(configure/message-vpn)# service
    solace(configure/message-vpn/service)# web-transport
    solace(...ure/message-vpn/service/web-transport)# ssl
    solace(...message-vpn/service/web-transport/ssl)# no shutdown

    By default, TLS/SSL over SMF service is enabled for a Message VPN.

  • To disable TLS/SSL over Web transport service for the Message VPN, enter the following commands:

    solace(configure)# message-vpn <vpn-name>
    solace(configure/message-vpn)# service
    solace(configure/message-vpn/service)# web-transport
    solace(...ure/message-vpn/service/web-transport)# ssl
    solace(...message-vpn/service/web-transport/ssl)# shutdown

Configuring Message VPN Overrides

If you are using certificate revocation checking to authenticate clients attempting to connect to a Solace PubSub+ appliance, then you can set overrides for specific Message VPNs. To configure certificate revocation checking, see Certificate Authorities.

To configure the Message VPN overrides, enter the following commands:

solace(configure)# message-vpn <name>
solace(configure/message-vpn)# authentication user-class client
solace(...message-vpn/authentication/user-class)# client-certificate
solace(...ication/user-class/client-certificate)# revocation-check-mode [allow-all | allow-unknown | allow-valid]

Where:

allow-all (default)—Ignore client certificate revocation check results. The revocation checks are still done—all clients attempting to authenticate using certificates are revocation checked—and the results are ignored.

allow-unknown—Authenticate clients even if the revocation status of their certificates cannot be determined. Note that there are a number of possible conditions that may lead to the revocation status of a certificate being unknown; see Certificate Revocation Checking.

allow-valid—Authenticate clients if the revocation checks return an explicit positive response. Only clients that present certificates that return a valid response to the revocation check will be authenticated.

Revocation check results are ignored if the default allow-all is not changed, even if all revocation check parameters are correctly configured. The default allow-all mode must be changed to successfully enable revocation checks.
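The following is an added example, not Solace code: a small Python audit that replays a recorded script of the CLI commands documented on this page and flags Message VPNs still on the plain-text and allow-all defaults described above. The sample script, the VPN names, and the use of `exit` to leave exactly one CLI level are assumptions made for the illustration.

```python
# Added example: audit a recorded CLI script for the defaults this page documents.
# Constructed sample: VPN names are made up; commands are ';'-separated only to
# keep the sample short. Assumption: `exit` leaves exactly one CLI level.
SAMPLE = """
message-vpn payments; service; smf; plain-text; shutdown; exit; exit
web-transport; plain-text; shutdown; exit; exit; exit
authentication user-class client; client-certificate
revocation-check-mode allow-valid; exit; exit; exit
message-vpn legacy; service; smf; plain-text; shutdown
""".replace("; ", "\n")

# Commands that move the CLI one level deeper inside a Message VPN.
LEVELS = {"service", "smf", "web-transport", "plain-text", "ssl",
          "authentication user-class client", "client-certificate"}


def parse(script):
    """Replay the script and return the effective settings per Message VPN."""
    vpns, stack = {}, []
    for line in (raw.strip() for raw in script.splitlines()):
        if line.startswith("message-vpn ") and not stack:
            name = line.split(None, 1)[1]
            # Defaults stated on the page: plain-text enabled, allow-all.
            vpns.setdefault(name, {"smf": True, "web-transport": True,
                                   "revocation": "allow-all"})
            stack = [name]
        elif line == "exit":
            if stack:
                stack.pop()
        elif not stack:
            continue  # blank line or command outside any Message VPN
        elif line in LEVELS:
            stack.append(line)
        elif line in ("shutdown", "no shutdown"):
            # Only <vpn>/service/<smf|web-transport>/plain-text is tracked here.
            if (len(stack) == 4 and stack[1] == "service"
                    and stack[2] in ("smf", "web-transport")
                    and stack[3] == "plain-text"):
                vpns[stack[0]][stack[2]] = line == "no shutdown"
        elif (line.startswith("revocation-check-mode ")
              and stack[-1] == "client-certificate"):
            vpns[stack[0]]["revocation"] = line.split()[1]
    return vpns


def audit(script):
    """Return (vpn, finding) pairs for settings left at a weak default."""
    findings = []
    for name, cfg in parse(script).items():
        for svc in ("smf", "web-transport"):
            if cfg[svc]:
                findings.append((name, f"plain-text enabled on {svc}"))
        if cfg["revocation"] == "allow-all":
            findings.append(
                (name, "revocation-check-mode allow-all: check results ignored"))
    return findings


if __name__ == "__main__":
    for vpn, issue in audit(SAMPLE):
        print(f"{vpn}: {issue}")
```

A Message VPN that never appears with an explicit plain-text shutdown or a revocation-check-mode other than allow-all is reported, because the audit starts each VPN from the defaults the page states.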

Enabling Distributed Cache Management

If you are using PubSub+ Cache service for a Message VPN, the distributed cache management facility (also known as Cache Manager) must be enabled for that Message VPN. The distributed cache management facility allows for the management of Distributed Caches and their associated Cache Clusters and PubSub+ Cache Instances. It also enables configuration information to be provided to PubSub+ Cache Instances when they start up and keeps that information current and synchronized.

Notice  

Config-Sync will not automatically synchronize this object/property. Therefore, if the Solace PubSub+ message broker is being used in a high-availability (HA) redundant configuration or in a replicated site, you must manually configure this object/property on each mate message broker or replicated Message VPN.

To determine whether an object/property is Config-Syncʼed, look up the command used to configure the object/property in the Command Line Interface Reference, or, in the Solace CLI, end the command with “?”. The Help will list whether the object/property is Config-Syncʼed.

For a given Message VPN, only one message broker in the network should have the distributed cache management facility enabled. By default, a Cache Manager is enabled when a Message VPN is created.

Notice  

There is no support for automatic Cache Manager redundancy. If a Message VPN spans multiple neighbor message brokers, it's essential that only one Cache Manager is active for a Message VPN at any time to ensure normal cache operations.

To enable the distributed cache management facility for the given Message VPN, enter the following CONFIG command:

solace(configure/message-vpn)# distributed-cache-management

The no version of this command, no distributed-cache-management, disables the distributed cache management facility used on a Message VPN.

Enabling Subscription Exporting

By default, the export policy in a Message VPN is set to not export subscriptions to other Solace PubSub+ message brokers in the network. For messages to be received from other message brokers, the subscription export policy in Message VPNs must be set to export subscriptions. This causes subscriptions added locally to the Message VPN to be exported to other physical message brokers in the network.

To enable the export of subscriptions in a Message VPN to other message brokers in the network, on a per-Message VPN basis, enter the following CONFIG command:

solace(configure/message-vpn)# export-policy export-subscriptions

The no version of this command, no export-subscriptions, disables export of subscriptions in the Message VPN to other message brokers in the network.

Note:  Set the subscription export policy for a given Message VPN the same for all message brokers in the network.

Configuring the Preferred IP Address Version for DNS Lookups

By default, when performing a DNS lookup for interfaces that support IPv6, PubSub+ appliances preferentially choose IPv6 addresses if both IPv4 and IPv6 addresses are presented in the DNS response. As an alternative, you can configure the appliance to prefer IPv4 addresses.

To configure the preferred IP address version to use when performing a DNS lookup, enter the following commands:

solace(configure)# message-vpn <name>
solace(configure/message-vpn)# dns
solace(configure/message-vpn/dns)# prefer-ip-version {ipv4 | ipv6}

Where:

ipv4 specifies to use IPv4 addresses when both options are available.

ipv6 specifies to use IPv6 addresses when both options are available.

Stopping/Starting Message VPNs

Message VPNs are disabled by default (that is, not running) on Solace PubSub+ message brokers.

The shutdown VPN CONFIG command will disconnect all clients connected to the specified Message VPN, and any new connection requests to that Message VPN are rejected until it's enabled again through the no shutdown VPN CONFIG command.

  • To stop a given Message VPN, enter the following CONFIG command:

    solace(configure/message-vpn)# shutdown

  • To start a given Message VPN, enter the following CONFIG command:

    solace(configure/message-vpn)# no shutdown