Pre-Shared Authentication Keys for Software Event Brokers

Pre-shared authentication keys are used to authenticate connections between redundancy group members and must be the same for all members. By default, no key is set on an event broker.

Generating Pre-Shared Keys

Pre-shared authentication keys are 32 to 256 bytes of binary data encoded in Base64. To ensure maximum security, Solace recommends that each key be randomly generated and as long as possible.
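The following is an added example, not Solace code: it generates a key from the operating system's CSPRNG and checks a candidate key against the 32 to 256 byte limit stated above before the key is pasted into each node. The function names, the strict-padding requirement, and the printable-text heuristic are assumptions of this example.

```python
import base64
import secrets

MIN_BYTES, MAX_BYTES = 32, 256  # limits stated on this page


def generate_psk(nbytes: int = MAX_BYTES) -> str:
    """Return a Base64 key built from nbytes of CSPRNG output."""
    if not MIN_BYTES <= nbytes <= MAX_BYTES:
        raise ValueError(f"key must be {MIN_BYTES}-{MAX_BYTES} bytes, got {nbytes}")
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def check_psk(key: str) -> int:
    """Validate a candidate key and return its decoded length in bytes.

    Raises ValueError if the key is not strict Base64, is outside the
    32-256 byte range, or decodes to text instead of random data.
    """
    try:
        # validate=True rejects whitespace, line breaks and stray characters,
        # which catches keys copied from line-wrapped tool output.
        raw = base64.b64decode(key, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"not valid Base64: {exc}") from None
    if not MIN_BYTES <= len(raw) <= MAX_BYTES:
        raise ValueError(f"decoded key is {len(raw)} bytes, need "
                         f"{MIN_BYTES}-{MAX_BYTES}")
    # Heuristic (assumption of this example): 32+ random bytes are essentially
    # never all printable ASCII, so such a key is an encoded passphrase.
    if all(0x20 <= b <= 0x7E for b in raw):
        raise ValueError("decoded key is printable text, not random data")
    return len(raw)


if __name__ == "__main__":
    key = generate_psk()  # 256 random bytes -> 344 Base64 characters
    print(f"{check_psk(key)} bytes, {len(key)} characters")
    print(key)
```

Generate the key once and apply the same string to every redundancy group member, since the key must be identical on all of them.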

Configuring Pre-Shared Keys

To set the pre-shared authentication key for an event broker in a redundant deployment, enter the following commands:

solace(configure)# redundancy
solace(configure/redundancy)# authentication
solace(configure/redundancy/authentication)# pre-shared-key key <pre-shared-key>

Where:

<pre-shared-key> is 44 to 344 characters (which translates into 32 to 256 bytes of binary data encoded in Base64). The no version of this command returns the value to the default.

Changing Pre-Shared Keys

You do not need to shut down redundancy group members to change a pre-shared key. Either the primary or the backup node can be active while the other node is in standby mode.

Note: To migrate from a group password to a pre-shared key, you must first add the desired pre-shared key and then remove the group password. For more information, refer to Migrating from HA Redundancy Group Passwords to Pre-Shared Keys.

To make the change, perform the following three steps:

  1. Change the key on the monitoring node.
    solace3(configure)# redundancy
    solace3(configure/redundancy)# authentication
    solace3(configure/redundancy/authentication)# pre-shared-key key <new-pre-shared-key>
  2. Change the key on the active node.
    solace1(configure)# redundancy
    solace1(configure/redundancy)# authentication
    solace1(configure/redundancy/authentication)# pre-shared-key key <new-pre-shared-key>
  3. Change the key on the standby node.
    solace2(configure)# redundancy
    solace2(configure/redundancy)# authentication
    solace2(configure/redundancy/authentication)# pre-shared-key key <new-pre-shared-key>

Migrating from HA Redundancy Group Passwords to Pre-Shared Keys

Prior to release 9.2.0, HA redundancy group passwords were used to authenticate connections between redundancy group members. In release 9.2.0 and later, pre-shared keys should be used instead of group passwords.

To migrate from a group password to a pre-shared key, perform the following steps:

  1. Add the desired pre-shared key (refer to Configuring Pre-Shared Keys).

    While both a pre-shared key and a group password are configured, the group password is used for HA group membership, and the pre-shared key is used for all other connections between redundancy group members (encrypted HA mate link, encrypted HA config-sync client, retain cache).

  2. Remove the HA Redundancy group password (refer to Removing HA Redundancy Group Passwords).

Removing HA Redundancy Group Passwords

If you had an HA redundancy group password configured before you set a pre-shared key, then you should remove the group password once the pre-shared keys are configured on all group nodes.

To remove the HA redundancy group password, perform the following steps:

  1. Remove the group password on the monitoring node:
    solace3(configure/redundancy)# group
    solace3(configure/redundancy/group)# no password
  2. Remove the group password on the active node:
    solace1(configure/redundancy)# group
    solace1(configure/redundancy/group)# no password
  3. Remove the group password on the standby node:
    solace2(configure/redundancy)# group
    solace2(configure/redundancy/group)# no password