TLS/SSL Service Connections

This section provides the general steps that are required to enable TLS/SSL-encrypted communication links for the following use cases:

  • Publishing and Receiving Messages
  • By default, when a client messaging application connects to an event broker, that connection is unsecured. However, a client application can optionally establish a TLS/SSL-encrypted connection to an event broker. For information on the basic steps required to establish a secure connection for clients to publish and/or receive messages, see TLS/SSL Encryption Configuration for Publishing / Receiving Messages.

  • Message VPN Bridges
  • Messages may travel between Message VPNs by way of Message VPN bridges. See TLS/SSL Encryption Configuration for VPN Bridges. For more information on Message VPN bridges, see Message VPN Bridge Configuration.

  • Replication Config-Sync Bridges
  • Event brokers in a replication configuration can use Config-Sync to ensure that the configurations of replicated Message VPNs are synchronized. When enabled, the replication feature creates a special bridge to transfer Config-Sync commands. See TLS/SSL Encryption Configuration for Replication Config-Sync Bridges. For more information on replication and Config-Sync, see Configuring Replication.

  • Message VPN Replication Bridges
  • Message VPNs that use replication synchronize all messages received on one Message VPN to a separate standby Message VPN. Messages that are synchronized travel over a Message VPN replication bridge. See TLS/SSL Encryption Configuration for Replication Bridges.

    For more information on Message VPN replication, see Configuring Replication.

  • SEMP Requests
  • Solace Element Management Protocol (SEMP) is a protocol that you can use to manage and monitor event brokers. For information on the basic steps required to establish a secure connection for either the current RESTful SEMP API or the Legacy SEMP API, see TLS/SSL Encryption Configuration for SEMP Service.

  • Multi-Node Routing Links
  • Multi-Node Routing (MNR) allows multiple event brokers to be networked together so that Direct messages published from clients connected to one event broker can be delivered to clients connected to the other event brokers. TLS/SSL encryption can be applied to the MNR linksʼ data channels for appliances running Solace PubSub+ version 8.2 or higher.

    For information on the basic steps required to use TLS/SSL encryption on the data connections between neighboring appliances, see Configuring Neighbor Link Encryption.

  • HA Config-Sync
  • TLS/SSL encryption can be applied to secure the config-sync communication between event brokers in an HA group. Refer to Step 4: Enable Config-Sync for instructions that apply to a software event broker HA group, and to Enabling Guaranteed Messaging for HA Appliances for instructions that apply to appliances.

  • HA Mate-Link
  • TLS/SSL encryption can be applied to secure the mate link between software event brokers in an HA group. Refer to Step 3: Enable Guaranteed Messaging on the HA Group Configuration page for configuration instructions.

Note: TLS/SSL service is only supported on event brokers running Solace PubSub+ version 6.0 or higher. Although it is possible to upgrade event brokers that use earlier versions of Solace PubSub+ to version 6.0 or higher, TLS/SSL service is not supported by a Solace PubSub+ 3230 using a CHS-3230AC-01-A chassis.

TLS/SSL Encryption Configuration for Publishing / Receiving Messages

The following configuration steps are required to use TLS/SSL-encrypted communications between an event broker and a client application for publishing and receiving messages:

  1. Set and configure the server certificate for the event broker.

    See Managing Server Certificates.

  2. Optionally, configure the cipher suite list for message backbone connections to the event broker.

    See Configuring Cipher Suites for Inbound Connections.

  3. Configure a TLS/SSL service listen port as one of the service ports to be used by the event broker.

    Depending on the service you are using, refer to one of the following:

    AMQP—Set Message VPN AMQP Listen Ports.

    MQTT—Setting Listen Ports.

    REST—Setting Listen Ports.

    SMF—Setting SMF Listen Ports.

    Web Transport—Setting Web Transport Listen Ports.

  4. Ensure that TLS/SSL over SMF service is enabled on the Message VPN to be used by clients.

    See Configuring Services.

  5. Start the service.

    See Services.

If you are configuring TLS/SSL for the Solace Message Format (SMF) service, perform the following additional steps:

  1. If you want to use encryption only to protect the clientsʼ credentials, and for performance reasons do not want to encrypt the data transmitted after clients are authenticated and authorized, you must enable SSL connection downgrades on the Message VPN to be used by clients. Be aware that once a connection has been downgraded, all subsequent traffic on it is sent in cleartext, so this option is appropriate only where the network path between the clients and the event broker is itself trusted.

    See Enabling TLS/SSL Connection Downgrades on Message VPNs.

  2. Configure the TLS/SSL-related Session properties required for the client connections to the event broker.

    See Creating Client Sessions for Solace messaging APIs or Establishing Connections for the Solace JMS messaging API.
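Once steps 1 to 5 are complete, it is worth confirming from the client side that the new listen port actually negotiates TLS, presents a server certificate chaining to the CA you intend clients to trust, and carries the common name you expect. The following script is an added example, not code from the original page or from Solace; it uses only the Python standard library. The host name solace1.example.com, the TLS port 55443, the CA file ca.pem and the sample certificate dictionary are assumptions constructed for illustration.

```python
"""Post-configuration check of a broker TLS/SSL listen port (stdlib only)."""
import socket
import ssl
from typing import Iterable, Optional

# Constructed sample of the dict that ssl.SSLSocket.getpeercert() returns, shaped
# like a broker server certificate whose CN is the host name clients connect to.
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "CA"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "solace1.example.com"),)),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def make_client_context(cafile: Optional[str]) -> ssl.SSLContext:
    """Trust only the CA that signed the broker's server certificate and refuse
    anything older than TLS 1.2. The handshake fails if the broker still presents
    a self-signed or otherwise unexpected certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def peer_common_name(cert: dict) -> Optional[str]:
    """Extract the subject CN from a getpeercert() dict. The subject is a tuple
    of RDNs, each of which is a tuple of (attribute, value) pairs."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def cn_is_trusted(cert: dict, trusted_cns: Iterable[str]) -> bool:
    """Client-side mirror of a trusted common name list: the CN the peer
    presents must be one of the names you configured."""
    cn = peer_common_name(cert)
    return cn is not None and cn in set(trusted_cns)


def probe_tls_listener(host: str, port: int, cafile: str,
                       trusted_cns: Iterable[str], timeout: float = 5.0) -> dict:
    """Complete a TLS handshake against host:port and report what was negotiated.
    Raises ssl.SSLError if the chain does not verify or the host name mismatches."""
    ctx = make_client_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),     # e.g. "TLSv1.3"
                "cipher": tls.cipher()[0],     # negotiated cipher suite name
                "common_name": peer_common_name(cert),
                "cn_trusted": cn_is_trusted(cert, trusted_cns),
                "not_after": cert.get("notAfter"),
            }


if __name__ == "__main__":
    # Assumed host, port and CA file; none of these come from the original page.
    report = probe_tls_listener("solace1.example.com", 55443, "ca.pem",
                                trusted_cns=["solace1.example.com"])
    print(report)
```

Run it against the plaintext port as well: the handshake should fail there, which confirms the two ports have not been confused. If `cn_trusted` is false for a host that otherwise verifies, the certificate installed in step 1 does not carry the name clients (or bridges using a trusted common name list) will be configured to expect.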

TLS/SSL Encryption Configuration for VPN Bridges

TLS/SSL can be configured on a Message VPN bridge after the bridge has been created. Establishing TLS/SSL encryption on a Message VPN bridge requires different steps depending on whether the bridge is unidirectional or bidirectional, and whether the bridge uses basic or client certificate authentication.

If you are configuring TLS/SSL encryption on an existing bridge, you must create a new remote Message VPN when following the appropriate steps below.

If you want a bridge connection to an existing remote Message VPN to use SSL encryption, you must delete and recreate the bridge, setting the connect-via parameter for the remote Message VPN to use the TLS/SSL port of the remote event broker.

For an example of the CLI commands required to create Message VPN bridges, see VPN Bridge Setup Examples.

Note: Downgrading a bridge connection from TLS/SSL to plain-text, or to plain-text compressed, is not supported.

Uni-Directional VPN Bridge Configuration

After the bridge has been established, follow these steps to enable encryption on the bridge.

  1. Shut down the Message VPN bridge.

    solace1(configure/bridge)# shutdown

  2. Upload and configure the SSL server certificate on the remote event broker. The CA certificate configured as trusted on the local event broker must be the CA that signed the remote event brokerʼs server certificate (or the root of the chain that signed it); otherwise the local event broker rejects the handshake.

    See Managing Server Certificates.

  3. Optionally, configure the server certificate validation settings. These settings will be used to validate the server certificate on the remote event broker during the SSL handshake.

    See Configuring Server Certificate Validation Settings.

  4. Configure the TLS/SSL settings (trusted common name list and cipher suite list) to be used for the Message VPN bridge. See Enabling TLS/SSL Encryption for Bridge Connections.

    The trusted common name should match the common name in the server certificate configured in Step 2.

  5. Select the authentication scheme for the bridge.

    See Configuring Remote Authentication.

  6. Configure a new remote Message VPN with the connect-via parameter set to use the SSL port of the remote event broker. The remote Message VPN authentication parameters must be configured to allow SSL connections. See Configuring Remote Message VPNs.
  7. Configure the remote Message VPN to use SSL.

    solace1(configure/bridge/remote/message-vpn)# ssl

  8. Start the remote Message VPN.

    solace1(configure/bridge/remote/message-vpn)# no shutdown

  9. Start the Message VPN bridge.

    solace1(configure/bridge)# no shutdown

    A unidirectional Message VPN bridge with TLS/SSL encryption has been established on the new remote Message VPN.

Bi-Directional VPN Bridge Configuration

To establish a bi-directional Message VPN bridge that uses encryption, repeat the steps above to configure another bridge of the same name using the same Message VPNs but in reverse order.

That is, the second bridge must be created in the Message VPN that was previously specified as the remote Message VPN, and the remote Message VPN of the second bridge must be the Message VPN that was previously specified as the local Message VPN.

If the bi-directional bridge is not a loopback bridge (that is, if it is connecting two different event brokers), and the second bridge was configured using the connect-via parameter, an SSL server certificate must be configured on the local event broker of the second bridge, which was the remote event broker of the first bridge.

TLS/SSL Encryption Configuration for Replication Config-Sync Bridges

The following configuration steps can be used to enable TLS/SSL-encrypted communications on event brokers over replication Config-Sync bridges.

When replication and Config-Sync are enabled on paired event brokers, configuration changes are synchronized from one event broker to the other using a replication Config-Sync bridge.

Because the ssl parameter used on the replication Config-Sync bridge is not synchronized with Config-Sync, it is necessary to enable TLS/SSL on the replication Config-Sync bridge on both event brokers before encrypted configuration synchronization will work properly.

For more information on replication and Config-Sync, see Configuring Replication and Config-Sync Configuration.

  1. Shut down the replication Config-Sync bridge.

    solace1(configure)# replication config-sync bridge
    solace1(configure/replication/config-sync/bridge)# shutdown

  2. Upload and configure the SSL server certificate on the remote event broker, and configure the CA certificate that signed it as the trusted CA certificate on the local event broker.

    See Managing Server Certificates.

  3. Optionally, configure the server certificate validation settings for replication Config-Sync bridges.

    See Configuring Server Certificate Validation Settings.

  4. Choose and configure an authentication scheme for the bridge.

    See Setting Authentication Schemes.

  5. Configure the replication Config-Sync bridge to use TLS/SSL.

    solace1(configure)# replication config-sync bridge
    solace1(configure/replication/config-sync/bridge)# ssl

  6. Enable the replication Config-Sync bridge.

    solace1(configure)# replication config-sync bridge
    solace1(configure/replication/config-sync/bridge)# no shutdown

  7. Repeat steps 1 through 6 on the mate event broker to create a bi-directional replication Config-Sync bridge.

SSL-encrypted communications are now enabled for the replication Config-Sync bridge that connects the event brokers.

TLS/SSL Encryption Configuration for Replication Bridges

The following configuration steps can be used to enable TLS/SSL-encrypted communications on event brokers through Message VPN replication bridges.

Event brokers using replication and Config-Sync use different bridges for Message VPN replication and configuration replication.

This procedure requires that replication be set up between event brokers. See Configuring Replication for more information on setting up replication.

Before beginning this procedure, replication must be shut down.

  1. Choose a client username that will be used for bridge authentication. This must be a valid client username on the replicated Message VPN.
  2. For the chosen client username, configure the client profile to allow bridge connections. This parameter will be automatically set on the mate event broker through Config-Sync.

    See Allowing Bridge Connections.

  3. Upload and configure the TLS/SSL server certificate. Because the replication bridge runs in both directions, each event broker must trust the CA that signed its mateʼs server certificate: the trusted CA certificate configured on one event broker must be the one that issued the server certificate installed on its mate.

    See Managing Server Certificates.

  4. Optionally, configure the server certificate validation settings for Message VPN replication bridges.

    See Configuring Server Certificate Validation Settings.

  5. Optionally, configure TLS/SSL settings (trusted common name list and cipher suite list) for Message VPN replication bridges.

    See Configuring TLS/SSL for Replication.

  6. Choose an authentication scheme for the bridge.

    See Setting Authentication Schemes.

  7. Configure the chosen authentication scheme:
    • If you are using basic authentication, specify the client username to be used for authentication.

      solace1(configure/message-vpn)# replication bridge authentication basic
      solace1(...plication/bridge/authentication/basic)# client-username <name>

    • If you are using client certificate authentication, specify the certificate to be used for authentication.

      solace1(configure/message-vpn)# replication bridge authentication client-certificate
      solace1(...dge/authentication/client-certificate)# certificate-file <filename>

      Note: The common name in the client certificate is used as the client username to log on to the remote Message VPN, and so it must match a valid user on the remote event broker. The remote Message VPN must have client certificate authentication enabled and follow the client certificate rules that are configured on the local Message VPN.

  8. Configure the replication bridge to use TLS/SSL encryption.

    solace1(configure)# message-vpn <local-message-vpn>
    solace1(configure/msg-vpn)# replication bridge ssl

  9. Enable replication.

    solace1(configure/msg-vpn)# no replication shutdown

  10. Repeat steps 2 through 9 on the event broker of the remote Message VPN to create a bi-directional Message VPN replication bridge.

TLS/SSL Encryption Configuration for SEMP Service

The following configuration steps are required to use TLS/SSL-encrypted communications between an event broker and a management application that issues SEMP requests over the HTTP service:

  1. Set the server certificate for the event broker.

    See Managing Server Certificates.

  2. Optionally, configure the cipher suite list for management connections to the event broker.

    See Configuring Cipher Suites for Inbound Connections.

  3. Configure a TLS/SSL service listen port as one of the service ports to be used by the event broker.

    See Setting a SEMP Listen Port.

  4. Enable SEMP service.

    See Enabling System-Level SEMP Service.

  5. When the management application connects to the event broker, it must use an HTTPS URL scheme (https://) together with the TLS/SSL SEMP listen port configured in step 3. A plain http:// URL to the unsecured port sends the management credentials in cleartext.

Note: TLS/SSL service is only supported on Solace PubSub+ event brokers running version 6.0 or higher. Although it is possible to upgrade event brokers running versions prior to 6.0, TLS/SSL service is not supported by a Solace PubSub+ 3230 using a CHS-3230AC-01-A chassis.
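SEMP requests carry administrative credentials, so the point of step 5 is that those credentials must never leave the management host over anything but the TLS/SSL port. The following script is an added example, not code from the original page or from Solace; it builds a SEMP v2 request with the Python standard library, refuses to attach credentials to a non-HTTPS URL, and pins the connection to the CA that signed the event brokerʼs server certificate (step 1). The host name solace1.example.com, the port 1943, the CA file ca.pem, the credentials and the /SEMP/v2/config/about path are assumptions for illustration.

```python
"""Issue a SEMP v2 request over HTTPS with a CA-pinned context (stdlib only)."""
import base64
import json
import ssl
import urllib.request
from urllib.parse import urlsplit


def semp_url(host: str, port: int, path: str) -> str:
    """Build the HTTPS URL for a SEMP resource on the TLS/SSL SEMP listen port."""
    return f"https://{host}:{port}{path}"


def build_semp_request(url: str, username: str, password: str) -> urllib.request.Request:
    """Attach Basic credentials only to an https:// URL. Over http:// the
    Authorization header, and with it the admin password, would cross the
    network in cleartext, so that case is rejected before any socket is opened."""
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        raise ValueError(f"refusing to send SEMP credentials over {scheme!r}; use https://")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}",
        "Accept": "application/json",
    })


def semp_get(url: str, username: str, password: str, cafile: str,
             timeout: float = 10.0) -> dict:
    """Perform the request, verifying the broker certificate against cafile only
    and requiring at least TLS 1.2. Returns the decoded JSON body."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    req = build_semp_request(url, username, password)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Assumed host, port, path, CA file and credentials; none come from the original page.
    url = semp_url("solace1.example.com", 1943, "/SEMP/v2/config/about")
    print(json.dumps(semp_get(url, "admin", "admin-password", "ca.pem"), indent=2))
```

Keep the CA file restricted to the CA that actually issued the brokerʼs certificate rather than the system trust store: a management client that accepts any public CA will happily authenticate to an interposed host that presents a valid certificate for some other name.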