Event Broker Releases

The Network Time Protocol (NTP) implementation on the PubSub+ Appliance has added support for up to eight NTP servers.

The Network Time Protocol (NTP) implementation on the PubSub+ Appliance has added support for Network Time Security (NTS). NTS allows the client to validate the identity of the server and the integrity of communication.

Proxies are required for security and local network isolation. This feature provides proxy support for Rest Delivery Points, allowing a broker connection from a private network to REST Consumers on an external network via HTTP proxy. REST Consumers must have TLS enabled to support end-to-end TLS connection.

A new event (SYSTEM_AD_MESSAGE_BUFFER_LEVEL_LOW) indicates a sustained low level of available buffers in the guaranteed messaging datapath.

This feature builds on distributed tracing (ingress) receive spans to complete the end-to-end tracing of events through the broker success path. It adds a distributed tracing egress span containing information on the transmission to and response from the consumer, including the outcome (ACK/NACK).

This feature allows customer to opt and use the Color-Contrast compliant version of Pubsub+ Manager (WebUI) as per WCAG 2.1 AA Guidelines.

While there will not be any default color changes in the WebUI, interested customers can choose to utilize the new WebUI colors to make their WebUI version WCAG 2.1 AA Color Compliant.

To give applications time to recover from a temporary inability to process a message, this feature allows for the delayed redelivery of messages to clients who are consuming guaranteed messages using local transactions. Delayed redelivery is controlled by a timer and is triggered by a client-initated transaction rollback. While the redelivery timer is running, the consumer flow is blocked if it participated in a rolled back transaction, and message delivery to the application is suspended until the timer expires. A multiplier is used to allow for exponential back-off of redelivery attempts.

The entire delayed redelivery configuration is performed on the PubSub+ Event Broker.

Delayed redelivery is a Controlled Availability (CA) feature, and is only available to clients using the Solace JMS or JCSMP APIs (requires API version 10.18.0 or later). Please contact Solace to find out if this feature is supported for your use case.

Introduction of a new product key that enables the PubSub+ software to be FIPS compliant when running on a supported FIPS host with a compatible configuration.

The PubSub+ container is now available as a container supporting ARM processors available in major cloud providers. PubSub+ Standard is now available as a multi architecture image supporting x86-64 and ARM64. Customers using the AWS Graviton instance types can pull PubSub+ Standard directly from Docker Hub. PubSub+ Enterprise customers can download a container image supporting ARM processors from http://products.solace.com.

Stalled Bridges are now shown as an operational attribute in the "show bridge" command.

The PubSub+ container is now available as a container supporting devices with Apple M-series processors. PubSub+ Standard Edition is now available as a multi architecture image supporting x86-64 and ARM64. MAC users running Docker Desktop for MAC can pull the new image directly from Docker Hub. PubSub+ Enterprise customers can download a container image supporting Apple M-series processors from http://products.solace.com. This allows MAC users to create instances of PubSub+ locally.

Context Propagation allows events being traced to carry "context". This context can uniquely identify the event being traced, the current and parent spans, and additional content. This allows each telemetry message generated by an event to be correlated easily by the observability backend (e.g., Jaeger) and enables the backend to better visualize the event's telemetry.

With this feature, the PubSub+ event broker can accept event context from the publishing application or API and can pass this context along to additional brokers and ultimately to the message consumer API or Application for full end-to-end event visibility.

Distributed Tracing provides telemetry about important events as they traverse the event mesh. The receive span telemetry provided is triggered upon an important event's receipt by the broker and provides a timestamp of its arrival in the broker and which queues the event has been enqueued. A Solace OpenTelemetry receiver is already integrated into the OpenTelemetry Collector for interoperability with a wide variety of observability backends.

You can define a collection of RDP Queue Binding header name/value pairs where the value is treated as a "protected" value, similar to how passwords are handled in the management interfaces in the broker configuration. This new collection is very similar to the existing collection of RDP Queue Binding headers/value, except the values in the new collection are always masked or omitted from display in the CLI, SEMPv2, or Broker Manager UI.

A rootless PubSub+ container instance can now be created using Podman. This will allow an unprivileged user (without sudo or any other root access) to create a container instance of PubSub+.

Manager GUI creation of RDPs to publish to Amazon Web Services S3 including Authentication, Connector setup, Subscription setup, and customization of REST targets and headers.

Broker logging facilities can now connect to a remote syslog receiver using TLS. The use of TLS ensures integrity and confidentiality of the logs during transport.

In previous releases, the Cache Manager had to be manually activated on a broker following an HA failover. This limitation has been removed, Cache Manager activity status now follows broker HA activity status.

With this enhancement, there is no need for a broker administrator to manually activate the Cache Manager following an HA failover. This eliminates the risk of a PubSub+ Cache outage caused by cache instances being restarted after an HA failover before the administrator has enabled the Cache Manager.

The syslog entries for the system and event logs can now be configured to be in JSON format. This allows for efficient parsing and processing of log entries especially when forwarded to a remote syslog receiver.

When using multiple Message VPNs on a PubSub+ event broker, an administrator may only want to enable replication on a subset of those Message VPNs. In previous releases, if the brokers that were connected in an event mesh using Dynamic Message Routing (DMR), this was not possible - replication needed to be enabled on either all or none of the Message VPNs. With this feature, you can now enable replication on a subset of the Message VPNs while still using DMR to create the event mesh.

When using multiple Message VPNs on a PubSub+ event broker, an administrator may only want to enable replication on a subset of those Message VPNs. In previous releases, if the brokers that were connected in an event mesh using DMR, this was not possible - replication needed to be enabled on either all or none of the Message VPNs. With this feature, you can now enable replication on a subset of the Message VPNs while still using DMR to create the event mesh.

Enables broker administrator to configure topics (including Prefixes/Wildcards) that are eligible for storage in the Replay Log.

With this feature, the replay log contents can be limited to just the set of messages that are important enough to retain for replay, reducing the frequency of replay log pruning, and enabling replay on brokers with limited resources.

This feature allows messages to be replayed to a named temporary endpoint.

With this feature, an application can use a Solace messaging API to create a named temporary queue, add topic subscriptions to that queue, and then initiate a replay to the temporary queue. This is useful for applications that wish to consume messages from the replay log using a temporary endpoint which will automatically be removed from the broker when the application disconnects.

This feature introduces a new management command to copy a single message from one endpoint (either a queue or a topic endpoint) to another endpoint, or from the replay log to an endpoint. Broker administrators can use the command to initiate re-delivery of a specific message to an application.

For example, if the broker moves a message to a dead message queue (DMQ) because an application is unable to consume the message (e.g. max-redeliveries exceeded, or TTL time-out), the administrator can use this command to copy that message from the DMQ back to the original queue once the application issues have been resolved.

OAuth / OpenID Connect has been added as a method of authenticating and authorizing REST producer clients connecting to the PubSub+ Event Broker. REST producer clients may present a token in the authorization header using the "Bearer" type as a credential during login. This enables clients to integrate with modern identity and access management systems.

OAuth / OpenID Connect has been added as a method of authenticating and authorizing clients connecting to the PubSub+ Event Broker using the AMQP protocol. Clients using an AMQP API supporting the XOAUTH2 method will be able to present a token as a credential during client login. This enables clients to integrate with modern identity and access management systems.

Manager GUI creation of RDPs to publish to Azure Data Lake Gen 2 & Google Cloud Storage including Authentication, Connector setup, Subscription setup, and customization of REST targets and headers.

The PubSub+ Container image is now based on Red Hat Universal Base Image 8 (UBI 8). This aligns the container with the latest version of Red Hat Enterprise Linux.

OAuth / OpenID Connect has been added as a method of authenticating and authorizing clients connecting to the PubSub+ Event Broker using the SMF protocol. Clients using Solace APIs will be able to present a token as a credential during client login. This enables clients to integrate with modern identity and access management systems. This feature implements the broker half of the SMF login using OAuth/OIDC; support will be added to the Solace APIs individually. For details, see the release notes for each API.

A fragmented message spool can result in the PubSub+ Event Broker being unable to accept new guaranteed messages, even though the queues and message-VPNs are below quota. To minimize the risk of a service interruption due to message spool fragmentation, the Event Broker can now be configured to defragment the message spool automatically at a scheduled time and frequency. The Event Broker can also be configured to automatically defragment the message spool whenever a specified level of fragmentation is reached.

The PubSub+ Event Broker now implements a new rate-based statistic that tracks the rate that clients are binding to topic and queue endpoints. High rates of client binds can congest the broker's control plane. This feature allows users to monitor for unexpected changes in the rate at which the clients are binding.

OAuth / OpenID Connect has been added as a method of authenticating and authorizing users connecting to the PubSub+ Manager or using SEMPv2. Users of the PubSub+ Manager will be able to integrate with third party identity providers using an interactive flow. SEMPv2 users will be able to present a bearer token as a credential to access SEMPv2 APIs. This enables users to integrate with modern identity and access management systems.

The storage-group is a single location for all of the persistent storage required by a PubSub+ instance. This feature makes it easier for users to properly configure persistent storage in a new PubSub+ instance. The changes are fully backwards compatible; users that wish to configure the storage-elements at their previous locations may continue to do so.

To help users properly size the storage-group and calculate system resource requirements, a new System Resource Calculator tool has been created. See System Resource Requirements for details on how to calculate storage requirements using the System Resource Calculator and to configure an instance to use the storage-group.

The PubSub+ Event Broker can now connect to other brokers using IPv6. This applies to VPN bridges, MNR and DMR, augmenting the functionality of previous releases that allowed clients to connect using IPv6.

Allows for message-specific variables to be included in the RDP HTTP target to a cloud-native service or an application like a data lake. These metadata variables can include the full topic, a topic field, all or part of a timestamp, ids, and much more in a variety of formats and encodings including URL.

RDP HTTP headers can be added to outgoing messages with a fixed name and fixed or variable values to work with cloud-native services or applications. These variable values can include metadata including the full topic, a topic field, all or part of a timestamp, ids, and much more in a variety of formats and encodings including base 32 and 64.

The PubSub+ Container will now be able to detect the resources available using the cgroups v2 interface on operating systems that support cgroups v2. Containers running on systems using cgroups v1 will continue to use the cgroups v1 interface.

The PubSub+ Event Broker now sends TCP keep-alive messages on syslog connections. This ensures that network equipment such as firewalls will not disconnect "idle" syslog connections originated by the broker.

With this feature, endpoints on the PubSub+ broker can now be configured with a delivery delay time. Any messages published to the endpoint will be held by the broker for the configured amount of time, before being delivered to a consumer connected to the endpoint . The feature makes it easier to build stateless microservices - when a delay is needed, an event can simply be sent to a delayed delivery queue.

The CLIENT_CLIENT_CONNECT log entry now contains the certificate expiry time when a client connects using a client certificate. This makes it easier for the broker administrator to identify clients whose TLS certificates are about to expire, so that new certificates can be supplied to those clients.

Applications can now replay messages following the message-ID of the last message which they successfully-processed.

The feature uses "replication group message ID" which uniquely identifies messages within an HA group and Replication/DR group of brokers. The broker includes this ID in all guaranteed messages it delivers to the consumer. Consuming applications can extract and save this ID along with the message payload, and then use it later to initiate a replay.

This is a more "fine-grained" way to start a replay than from date-and-time, and is ideal in cases where the last message-ID successfully processed is known by the application (e.g. recovery from a database crash).

To initiate replay after message-ID from an application, both the PubSub+ Event Broker and PubSub+ Event API must be upgraded. The following versions introduce support for replay after message-ID:

Broker:

• PubSub+ Event Broker version 9.9.0

Messaging API:

• PubSub+ Messaging API for Java version 10.11.0
• PubSub+ Messaging API for C version 7.18.0
• PubSub+ Messaging API for Java RTO version 7.18.0
• PubSub+ Messaging API for .NET version 10.12.0
• PubSub+ Messaging API for JavaScript version 10.7.0

This feature introduces MQTT 5.0 support in the PubSub+ Event Broker. With this feature, the broker now supports both MQTT 5.0 and MQTT 3.1.1 clients.

MQTT 5.0 offers many improvements over MQTT 3.1.1, making it easier to build powerful IoT apps and making it more appealing as a server-side protocol for developers who want to use open source wirelines and APIs.

Refer to the "MQTT 5.0 Protocol Conformance Specification" in the product documentation for a full list of MQTT 5.0 features supported by the event broker.

This feature introduces the "Replication Group Message ID", which uniquely identifies messages within an HA group and Replication/DR group of brokers. The broker includes this ID in all guaranteed messages it delivers to the consumers.

Consumers can use this ID to initiate a replay request on the broker. Also, a "compare" function is provided in the Solace APIs to compare 2 IDs - are they equal, or is one a greater ID than the other (i.e. "newer" than the other)? Users are cautioned that "compare" can return "fail" under certain corner cases, such as after a DR failover or message-spool reset.

Upon creation, queue and topic endpoints now default to a max-size of 5 GBytes, and generate alerts when they are 25% full. These defaults give an administrator more time to react to offline consumers, before the queues fill up and cause head-of-line blocking on DMR and VPN-bridge links.

For setting up outgoing MNR connections using TLS, support for server name validation using SNI is now available. Application developers can take advantage of SNI and SubjectAltName in TLS to verify the identity of the remote neighbors. Server name validation will be done with SubjectAltName instead of the outdated Trusted Common Names. This feature makes it easier and more reliable to configure secure TLS connections for MNR.

Broker managed sessions for PubSub+ Manager and SEMPv2, will allow PubSub+ to implement a time-out of inactive Manager sessions and invalidate a user session on logout.

Two new sources of client username for clients using client certificates (in addition to common name and msupn) are being added: 1) Thumbprint, a unique hash of certificate and 2) UID, user ID.

This feature increases the transaction scaling limits to allow up to 20,000 messages (consume plus publish) in a single transaction. The previous limit was 256 messages.

This feature is a Controlled Availability feature. Solace recommends that before you enable this feature on your event broker you contact Solace to review your use case. Solace will work with you to verify that the feature is suitable for production use in your environment.

This feature requires a PubSub+ Messaging API that supports increased transaction scaling limits. Updated PubSub+ Messaging APIs that support increased transaction scaling limits will be available soon.

Introduced an option for PubSub+ event brokers to indicate to clients whether this is the 1st, 2nd, 3rd, or n^th time the broker has tried to deliver a message to a consumer application.

This feature is a Controlled Availability feature. Solace recommends that before you enable this feature on your event broker to contact Solace to review your use case. Solace will work with you to verify that the feature is suitable for production use in your environment.

This feature is also available in the latest versions of the Solace client APIs with this release.

Introduced an option for the event broker to monitor for keep-alive messages from the Solace client APIs. This feature is available in the latest versions of the Solace client APIs with this release.

This enables the broker to detect client apps that are stalled/hung, and disconnects them from the broker, freeing up resources on the broker.

Pre-populate the broker with standard trusted root certificates from Microsoft, Apple and Mozilla. The trusted root certificates are used by the broker to validate TLS certificates presented to the broker whenever TLS connections are made to/from the broker.

Enables the event broker to authenticate with Azure services through REST Delivery Points using OAuth2 client credentials grant mechanism for the following benefits:

• allows you to manage access tokens using Service account (two-legged OAuth)
• no more expired tokens
• now credentials are associated with the event broker rather than an individual's SAS token

Introduced a new Click-to-Connect wizard with a gallery of vendors / services and a New Summary page of related components for REST delivery points (REST delivery point, RDP Client, REST Consumer, Queue and Queue binding). This provides the following benefits:

• simpler, faster way to create and configure a connection to key cloud-native services
• an easy way for customers to see available services
• an easier way to identify and manage related assets

In this release, we have enabled Azure Event Hubs, Azure Service Bus and Azure Functions using OAuth2 Client Credentials grant with Azure. In addition, we have enabled Amazon SNS, Amazon SQS and AWS Lambda via Amazon API Gateway.

Additional REST connectors to various cloud native services will be available in a future release.

PubSub+ Enterprise now supports up to three billion messages queued and up to six terabytes of spooled messages. This is for the support of applications that require large numbers of messages to be available for Message Replay. Increasing the number of queued messages requires additional resources. For more information, see System Resource Requirements.

Provides better security and improves an event broker's outgoing TLS connections (VPN bridges, DMR, Config-Sync). In previous releases, the event broker did not verify the requested hostname against the certificate returned by the server.

A new option to check Subject Alternative Name (SAN) against the hostname of the target server instead of CN, maintains backward compatibility.

As indicated in the 9.6 Product Notification, the redundant private attributes, currentSpooledMsgCount (for queues and topic endpoints) and MsgsLogged (for the replay log) have been deleted.

Enables the use of Dynamic Message Routing (DMR) to create a mesh of PubSub+ Event Brokers, while using Replication to backup guaranteed messages to a disaster recovery (DR) site.

REST Delivery Points will allow PUT as an alternative to POST as the HTTP method used for an outgoing REST request. Application developers can now leverage additional use cases where the use of PUT as the HTTP method is preferred.

The HTTP method defined on the REST consumer will not be used in gateway mode.

For setting up outgoing RDP connections using TLS, support for server name validation using SNI is now available. Application developers can take advantage of SNI and SubjectAltName in TLS to verify the identity of the remote REST consumers.

Server name validation will be done with SubjectAltName instead of the outdated Trusted Common Names. This feature makes it easier and more reliable to configure secure TLS connections for RDP connections.

It's now easier to get a count of messages (specifically the message count on a message spool and queue) in the replay log and a list of queues or topic endpoints and their message count with this new addition to SEMPv2. There will now be a message count property associated with the replay log, queues, topic endpoints to enable you to more directly get this list. If you are trying to populate a dashboard or just capture the list of queues, for example, with message counts, you will get there faster and easier with this change. For additional information about this change as it relates to queues and topic endpoints, and some recommendations to optimize performance, refer to this document SEMP-API.

Network Acceleration Blades (NAB) now support topic-routing functions and the Topic-Routing Blade (TRB) hardware is no longer active (in a low-power reset state).

This feature supports the following chassis configurations:

• PubSub+ 3530
• PubSub+ 3560 with NAB-0410EM-01 (4x10GE)
• PubSub+ 3560 with NAB-0810EM-01 (8x10GE)

Topic-routing functions on the NAB provides the same function and performance that was previously handled by the TRB hardware (TRB-000000-02). In this release, TRB hardware continues to support topic-routing functions on chassis configurations that aren't capable of supporting topic-routing functions on the NAB [specifically the PubSub+ 3560 with either a NAB-0801ET (8x1GE), NAB-0210EM (2x10GE), or NAB-0610EM (6x10GE)].

Introduces the VPN aliases feature, which can be used to migrate or collapse multiple Message VPNs into a single common VPN.

This feature is available as Controlled Availability in this release. Contact Solace to determine if the feature is suitable for production use in your application.

Adds the following support:

• configuration of REST Delivery Points (RDPs) and all associated components
• Message VPN client certificate management for outgoing Bridge client connections and RDP client connections
• a Beta version of a new Click-to-Connect wizard in the PubSub+ Event Broker: Software, which facilitates the configuration of Dynamic Message Routing (DMR) between event brokers

Adds support for the following upgrades:

• from Evaluation to Enterprise​
• from Standard to Standard​
• from Standard to Enterprise​

where the original version is 8.10.0 or later.

Introduces Solace PubSub+ Standard is now available for free for production use cases with the option to purchase a support plan. Solace PubSub+ Standard’ replaces the VMR Community Edition and removes restrictions on the following features: high-availability (HA), Replication, and In-Service Upgrade.

Adds IPv6 support to the PubSub+ appliance for REST producers and consumers. REST clients can now connect to the appliance using IPv6. MQTT clients can also use IPv6 to connect to the appliance (IPv6 MQTT support was delivered earlier this year in appliance release 8.4).​

Adds support for JMS message priority, so that higher-priority AD messages are delivered to consumers before lower-priority AD messages.

Allows MQTT clients to connect to the Solace appliance using IPv6.​

Non-exclusive Durable Topic Endpoints (DTEs) allow multiple consumers to bind to a durable topic endpoint where each consumer is serviced in a round-robin fashion.

Adds support for CLI configured Certificate Revocation Lists (CRLs) and for the Online Certificate Status Protocol (OCSP).​

Adds the option to enable encryption on Multi-­Node Routing links.

Encryption applies to both the data and the control connections of a neighbor link.​

In ­service SolOS upgrade – upgrade the standby router in an HA pair while the active is providing service, then switch activity to the upgraded router (and then upgrade the previously active router). Reduces the outage time for an upgrade to be comparable to an unplanned HA fail­over (under 60 seconds)​

This feature adds:

• Out-­of-­order-­ack and egress selector support​
• Replication queue trimming when the replication link is down ​
• Full transactional semantics across replication links

This features adds:

• Solace PubSub+ 3530 firmware changes to increase guaranteed messaging ingress rate to 75K msg/sec, and ingress bandwidth to 1 Gbps​
• Configurable TTL on guaranteed endpoints, for better management of stale messages​
• More flexible DTE naming (up to 200 characters, with minimal restrictions on acceptable characters), to make it easier to port existing JMS apps to Solace appliances
• ​ CLI command to defragment the Guaranteed Message spool

Adds MQTT support in the router data path. MQTT is the emerging wireline standard for IoT and M2M applications.​

This feature adds:

• Support for 100K guaranteed endpoints with ADB-3 and 6x10GE NAB (200K producer flows, 100K consumer flows)​
• Support for 500K topic- to- queue mappings with ADB- 3​
• Per client- profile definition of a "copy- from" queue, to give the administrator control of the attributes of API-created endpoints

MQTT v3.1 adds:

• REST client interface for Guaranteed and Direct Messaging. Up to 200K publishing REST clients are now supported.
• REST delivery points for consuming Guaranteed Messages using the REST interface

Assured Delivery adds:

• support for JMSXA transactions.​
• increased capacity where the maximum number of messages that can be spooled increases to 10 billion (depending on platform) and the the maximum amount of data that can be spooled increases to 6 TB.​
• AD redundant pairs can be configured in active-standby redundancy mode, reducing the number of IP addresses that need to be assigned​

• improved performance when streaming messages and spooling to disk​
• maximum guaranteed message size increased to 30 MB (except on the following chassis: CHS-3230AC- 01- A, CHS-3230AC- 01- B, CHS-3230AC- 01- C)​
• support for a license key to unlock additional performance for ADB-04210M-01-A blades​

• improved system robustness when internal disk are failed or about to fail
• improved system robustness when the external disk array is experiencing errors or SAN delays​ Configurable hostname for active DNS server monitoring