Configuring System-Level Replication Settings

You can perform the following system-level replication configuration tasks:

Configuring Replication Mates

The replication facility requires that the message brokers at both replication sites know of their respective replication mates. For the message brokers at each replication site, you must indicate the virtual router name used by their replication mates and the address to use to connect to them. You can also configure whether the message brokers’ connect ports will use compressed or non‑compressed data. (If no connect port configuration is provided, the default setting of non‑compressed is used.)

Replication mate information that is set at the system level is applied to all Message VPNs on that message broker.

To configure replication mates, replication service must be disabled for each Message VPN on the message broker (refer to Monitoring Replication).

Configuring Replication Mates for Appliances

When indicating a replication mate for an appliance, a combination of the virtual router name and a unique address is used. The port number and type of connection (plain text, SSL, or compressed) used is set separately.

Setting Replication Mate Virtual Router Names and Connect Addresses

To set the virtual router name and unique address used for the replication mate, enter the following CONFIG commands:

solace(configure/replication)# mate
solace(configure/replication/mate)# virtual-router-name <virtual-router-name> connect-via <addr>

Where:

<virtual-router-name> is the name of the virtual router where the specified replication mate is located. This name must begin with “v:”, as that indicates a virtual router, and it must match the virtual router name of the replication mate. Message broker names can contain up to 66 characters, composed of alphanumeric characters 0 to 9, a to z, A to Z, underscore '_', dot '.', and hyphen '-'. Note that '_', '.' and '-' cannot be used at the beginning or end of a message broker name. Message broker names must be unique among all configured message brokers.

<addr> is the IP address or hostname of the message broker in the form “IP address[:port]” or “hostname[:port]”, where the IP address is specified in the dotted decimal notation form “nnn.nnn.nnn.nnn” and “[:port]” is the port number on the replication mate virtual router.

The no version of this command, no mate, removes a configured replication mate.

Setting Replication Mate Connect Ports

To set a connect port for a replication mate’s virtual router, enter the following CONFIG command:

solace(configure/replication)# mate
solace(configure/replication/mate)# connect-port <port> [compressed] [ssl]

Where:

<port> is the port number on the replication mate virtual router. This number is specified as a decimal value from 0 to 65535. This command does not need to be executed if the default values are appropriate. Default values are 55555 for non‑compressed data, 55003 for compressed data, and 55443 for TLS/SSL data.

compressed indicates that the port is for compressed data traffic.

ssl indicates that the port is for TLS/SSL data traffic.

Configuring Replication Mates for Software Message Brokers

When indicating a replication mate for a software message broker, the virtual router name of the replication mate is set separately from its connect-via information, which provides a unique combination of an address, a port, and the type of connection (plain text, SSL, or compressed).

Configuring the connect-via information separately allows you to set multiple connect addresses for the virtual router used by the replication mate. This is important, for example, if the replication mate is in a message broker HA pair with host list takeover mode. In this case, you must set a connect-via address for both the primary and standby nodes.

Setting Replication Mate Virtual Router Names

To configure the virtual router name for the replication mate, enter the following CONFIG commands:

solace(configure/replication)# mate
solace(configure/replication/mate)# virtual-router-name <virtual-router-name>

Where:

<virtual-router-name> is the name of the virtual router where the specified replication mate is located. This name must begin with “v:”, as that indicates a virtual router, and it must match the virtual router name of the replication mate. Message broker names can contain up to 66 characters, composed of alphanumeric characters 0 to 9, a to z, A to Z, underscore '_', dot '.', and hyphen '-'. Note that '_', '.' and '-' cannot be used at the beginning or end of a message broker name. Message broker names must be unique among all configured message brokers.

The no version of this command, no mate, removes a configured replication mate.

Note:  If the replication mate is in a message broker HA pair, use the virtual router name of the primary message broker in the HA pair.

Configuring Replication Mate Connect Addresses and Ports

To configure a unique address and connect port for a replication mate’s virtual router, enter the following CONFIG command:

solace(configure/replication)# mate
solace(configure/replication/mate)# connect-via <addr-port> [compressed] [ssl]

Where:

<addr-port> is the IP address or hostname of the message broker in the form “IP address:port” or “hostname:port”, where the IP address is specified in the dotted decimal notation form “nnn.nnn.nnn.nnn” and “port” is the port number on the replication mate virtual router (specified as a decimal value from 0 to 65535).

compressed indicates that the port is for compressed data traffic.

ssl indicates that the port is for TLS/SSL data traffic.

Configuring Replication Config-Sync Bridges

When replication is enabled on a message broker, a replication Config-Sync bridge is automatically created to link one replication site to its mate. You can modify the default Config-Sync parameters for this replication Config-Sync bridge. The configuration tasks that you can perform are:

Setting Authentication Schemes

Replication Config-Sync bridges can be configured to use authenticated connections. Basic and client certificate authentication modes are available.

To configure the authentication scheme to be used for replication Config-Sync bridge connections, enter the following CONFIG commands:

solace(configure)# replication
solace(configure/replication)# config-sync bridge
solace(configure/replication/config-sync/bridge)# authentication auth-scheme {basic | client-certificate}

Where:

basic specifies that basic username and password authentication should be used for Config-Sync bridge connections.

client-certificate specifies that client certificate authentication should be used for Config-Sync bridge connections.

When client certificate authentication is used, remote message brokers will treat the server certificate of the message broker as a client certificate. Therefore, the server certificate of a message broker should adhere to the Config-Sync client certificate authentication settings that are set on the remote message broker.

Enabling Data Compression

By default, no compression is applied to data transferred over the replication Config-Sync bridge.

To enable data compression, enter the following CONFIG command:

solace(configure)# replication
solace(configure/replication)# config-sync bridge
solace(configure/replication/config-sync/bridge)# compressed-data

Tip:  When data compression is enabled for the bridge, compressed ports must be configured in the replication mate (see Configuring Replication Mates).

Tip:  If compression is enabled along with SSL for the bridge, the SSL port must be configured in the replication mate.

The no version, no compressed-data, disables data compression.

Configuring Message Spool Window Sizes

The default value for a replication Config-Sync bridge’s message spool window size is expected to work well in most typical deployments. Configuring an excessively large message spool window size can negatively impact network performance. Before changing this parameter, contact Solace for assistance in choosing the appropriate value for your network conditions.

The message spool window size dictates how many outstanding Config-Sync messages may be sent over a replication Config-Sync bridge before the active replication site must receive an acknowledgment.

To configure the message spool window size, enter the following CONFIG command:

solace(configure)# replication
solace(configure/replication)# config-sync bridge
solace(configure/replication/config-sync/bridge)# message-spool
solace(...tion/config-sync/bridge/message-spool)# window-size <number>

Where:

<number> is an integer from 1 to 65535 that sets how many messages can be in the window. The default value is 65535.

The no version of this command (no message-spool window-size) resets the message spool window size value back to the default value.

Configuring Retry Delay Times

To configure the amount of time that must pass before retrying a connection to the replication mate over the replication Config-Sync bridge, enter the following CONFIG command:

solace(configure)# replication
solace(configure/replication)# config-sync bridge
solace(configure/replication/config-sync/bridge)# retry-delay <seconds>

Where:

<seconds> is an integer from 1 to 255 that specifies the number of seconds to wait before retrying a connection to the replication mate. The default is 3.

Note:  The no version of this command (no retry-delay) resets the number of seconds to wait back to the default value.

Enabling SSL

TLS/SSL encryption can be enabled on replication Config-Sync bridges to enable secure connections between message brokers that use Config-Sync.

To enable TLS/SSL for replication Config-Sync bridge connections, enter the following CONFIG command:

solace(configure)# replication
solace(configure/replication)# config-sync bridge
solace(configure/replication/config-sync/bridge)# ssl

Tip
  • After TLS/SSL is enabled on the replication Config-Sync bridges, for authentication using SSL to succeed, the following must also be configured:
    • an SSL server certificate on the remote message broker
    • a matching trusted CA on the local message broker
    • the connect port used for the replication mate must be set as SSL
  • When SSL is enabled for the bridge, the replication mates that you set must use SSL connect ports (see Configuring Replication Mates).

The no version of this command, no ssl, disables SSL encryption on replication Config-Sync bridges.

Configuring SSL Server Certificate Validation

You can configure server certificate validation settings for replication Config-Sync bridges to make certificate validation more secure or less secure.

To configure SSL server certificate validation settings, enter the following CONFIG command:

solace(configure)# replication
solace(configure/replication)# config-sync bridge
solace(configure/replication/config-sync/bridge)# ssl-server-certificate-validation

The CLI is now at the configuration mode to configure SSL server certificate validation settings for replication Config-Sync bridges. From here, you can configure the following parameters:

  • enforce-trusted-common-name
  • max-certificate-chain-depth
  • validate-certificate-date

For descriptions of these parameters, refer to Configuring Server Certificate Validation Settings.

Enabling Replication Config-Sync Bridges

  • To enable the replication Config-Sync bridge, enter the following CONFIG command:

    solace(configure/replication/config-sync/bridge)# no shutdown

  • To disable the replication Config-Sync bridge, enter the following CONFIG command:

    solace(configure/replication/config-sync/bridge)# shutdown

Configuring Replication Interfaces

The physical network interface that connections to the replication mate will originate from can be specifically configured. If no physical network interface is specified, an appropriate interface is automatically assigned.

To configure a specific replication interface for the message broker, enter the following CONFIG command:

solace(configure/replication)# interface <phys-intf>

Where:

<phys-intf> is an ASCII string specifying the physical Ethernet interface port or LAG of the local message broker. Valid values are <cartridge>/<slot>/<port> (for example, 1/1/8); <cartridge>/<slot>/lag<N> (for example, 1/1/lag1). Only a single LAG numbered 1 is supported.

The no version of this command, no interface <phys-intf>, removes a configured replication interface.

Note:  If you are using an HA redundant message broker pair, do not specify a replication interface if the configured interfaces for the HA pair do not match. If a replication interface is specified that does not exist on the mate message broker, when Config-Sync is enabled it will enter a blocked state on the mate because the non-existent interface cannot be configured.

Configuring TLS/SSL for Replication

If you are using TLS/SSL encryption with replication, you can configure the cipher suites that the replication facility will use for authentication as well as the list of security certificates that replication links will accept.

Configuring Cipher Suites for Replication Connections

Any number of cipher suites can be used for encryption. These cipher suites are ordered from most secure to least secure. (For a full list of cipher suites supported by the message broker, refer to Supported Cipher Suites.)

By default, the entire list of cipher suites is used, for the strongest possible encryption. You may configure the feature to only use certain cipher suites.

To configure which cipher suites should be used on replication connections, enter the following CONFIG CLI commands:

solace(configure/replication)# ssl
solace(configure/replication/ssl)# cipher-suite {default | empty | name <suite-name> [{before | after} <existing-suite-name>]}

Where:

default specifies that the default list of cipher suites (that is, all of the cipher suites) should be used.

empty removes all cipher suites from the list.

name <suite-name> adds the specified cipher suite to the list of suites to be used.

before <existing-suite-name> specifies that the suite specified by the name parameter should be inserted into the list immediately before (that is, with a higher priority than) the suite specified by the before parameter.

after <existing-suite-name> specifies that the suite specified by the name parameter should be inserted into the list immediately after (that is, with a lower priority than) the suite specified by the after parameter.

The no version of this command, no cipher-suite name <suite-name>, removes the specified cipher suite from the list of eligible cipher suites.

Configuring Trusted Common Names for Replication

The replication facility uses a list of trusted common names to determine which security certificates it accepts for authentication. By default, the list of trusted common names is empty, meaning that the bridge will not accept any certificates.

To configure a list of trusted common names for replication, enter the following CONFIG commands:

solace(configure/replication)# ssl
solace(configure/replication/ssl)# trusted-common-name {empty | name <common-name>}

Where:

empty removes all previously specified common names from the list.

name <common-name> specifies the name of a certificate to add to the list of trusted common names.

The no version of this command, no trusted-common-name name <common-name>, removes the specified common name from the list of trusted common names.
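
The SSL and compression rules above (mate connect ports must match the bridge setting, and an empty trusted common name list accepts no certificates) can be checked before a change is applied. The following is an added example, not Solace code: it reads a constructed transcript in this page's prompt format and reports the rules it breaks. The function names parse and audit, the addresses, and the virtual router name are assumptions made for illustration.

```python
import re

# Prompt format used on this page: solace(<mode>)# [no ]<command>
PROMPT = re.compile(r"^solace\((?P<mode>[^)]*)\)#\s+(?P<no>no\s+)?(?P<cmd>\S.*)$")

# Constructed transcript (documentation addresses); the standby node's
# connect-via entry was left without the ssl keyword.
SAMPLE = """
solace(configure/replication)# mate
solace(configure/replication/mate)# virtual-router-name v:site-b-primary
solace(configure/replication/mate)# connect-via 192.0.2.10:55443 ssl
solace(configure/replication/mate)# connect-via 192.0.2.11:55555
solace(configure)# replication
solace(configure/replication)# config-sync bridge
solace(configure/replication/config-sync/bridge)# ssl
solace(configure/replication/config-sync/bridge)# no shutdown
"""

def parse(transcript):
    """Collect bridge flags, mate endpoints and trusted CNs from CLI lines."""
    cfg = {"ssl": False, "compressed": False, "endpoints": [], "trusted_cns": set()}
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        mode, negate, words = m["mode"], bool(m["no"]), m["cmd"].split()
        if mode.endswith("config-sync/bridge"):
            if words == ["ssl"]:
                cfg["ssl"] = not negate
            elif words == ["compressed-data"]:
                cfg["compressed"] = not negate
        elif mode.endswith("replication/mate"):
            # connect-via (software broker) and connect-port (appliance) carry the flags
            if not negate and len(words) >= 2 and words[0] in ("connect-via", "connect-port"):
                cfg["endpoints"].append((words[1], set(words[2:])))
        elif mode.endswith("replication/ssl") and words[0] == "trusted-common-name":
            if words[1:] == ["empty"]:
                cfg["trusted_cns"].clear()
            elif len(words) == 3 and words[1] == "name":
                (cfg["trusted_cns"].discard if negate else cfg["trusted_cns"].add)(words[2])
    return cfg

def audit(cfg):
    """Return one finding per rule from the page that the configuration breaks."""
    findings = []
    if not cfg["ssl"]:
        findings.append("bridge: ssl is off, Config-Sync bridge connections are not encrypted")
    elif not cfg["trusted_cns"]:
        findings.append("ssl: trusted-common-name list is empty, no certificate is accepted")
    # SSL bridge -> SSL mate ports; compression without SSL -> compressed ports.
    need = "ssl" if cfg["ssl"] else "compressed" if cfg["compressed"] else None
    for target, flags in cfg["endpoints"]:
        if need and need not in flags:
            findings.append(f"mate {target}: bridge setting requires a {need} connect port")
    return findings
```

Calling audit(parse(SAMPLE)) returns two findings: the empty trusted common name list and the standby address 192.0.2.11:55555 that lacks the ssl keyword.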

Configuring Replication Compatibility Mode for Transactions

In previous releases, there was limited support for the replication of local and XA transactions—Guaranteed messages published in transactions were propagated to the replication standby site, but not within transactions. The legacy behavior is maintained for backwards compatibility and is the default setting, but it has several undesirable consequences. It is strongly recommended that you use the transacted mode that replicates Guaranteed messages published in transactions.

Changing the compatibility mode may be service impacting to Guaranteed messages within transactions. Make sure you follow the procedure below if the message brokers are currently providing replication service.

To set the replication compatibility mode for transactions, enter the following CONFIG command:

solace(configure/hardware/message-spool)# transaction replication-compatibility-mode <mode>

Where:

<mode> is either legacy or transacted

legacy—all transactions originated by clients are replicated to the standby site without using transactions
transacted—all transactions originated by clients are replicated to the standby site using transactions

Note: Replication mates must use the same compatibility mode. The no version of this command sets the mode to legacy.

Changing Replication Compatibility Mode While In Service

If message brokers are currently providing replication service, then the order in which the mode is changed at the sites is important. Follow the order of operations below to prevent service disruption.

  • To change from legacy to transacted mode:
    1. Change the standby site to transacted.
    2. Change the active site to transacted.
  • To change from transacted to legacy mode (not recommended):
    1. Change the active site to legacy.
    2. Change the standby site to legacy.