Client Username Configuration
A client can connect only to a Message VPN in which it has been assigned a client username. When a client username is created in a Message VPN, it belongs to that Message VPN alone; the same username in another Message VPN is a separate account.
Client access to the resources and messaging capabilities on an event broker is facilitated through the client username accounts that are provisioned on the event broker. When clients are authenticated, they are provided with the predefined configurations that are associated with those client usernames.
To create a client username account, enter the following command:
solace(configure)# create client-username <username> message-vpn <vpn-name>
To edit an existing client username account, enter the following command:
solace(configure)# client-username <username> message-vpn <vpn-name>
To delete an existing client username account, enter the following command:
solace(configure)# no client-username <username> message-vpn <vpn-name>
Where:
<username>
is the username of the client username account. If the client username account does not already exist, it is created.
The username must be unique among all client usernames within its Message VPN. A username can contain up to 189 printable ASCII characters (that is, characters in the range 0x20 to 0x7e). Usernames are case-sensitive. The characters "?" and "*" are not permitted, because they have special meaning in some Solace CLI commands (for example, as wildcards in show commands).
<vpn-name>
is the name of an existing Message VPN that the client username is in.
You can perform the following configuration tasks for a given client username:
- Assigning ACL Profiles
- Assigning Client Profiles
- Configuring Subscription Managers
- Enabling Endpoint Permission Overrides
- Enabling/Disabling Client Username Accounts
- Setting Client Username Passwords
- Setting Client Username Attributes
Assigning ACL Profiles
To assign an existing Access Control List (ACL) profile to a client username account, enter the following commands:
solace(configure)# client-username <username> message-vpn <vpn-name>
solace(configure/client-username)# acl-profile <name>
Where:
<name>
is the name of an existing ACL profile within the given Message VPN
The no version of this command, no acl-profile, resets the assigned ACL profile back to the default ACL profile, named default.
For information on ACL profiles, refer to ACL Configuration.
Assigning Client Profiles
To assign an existing client profile to a client username account, enter the following commands:
solace(configure)# client-username <username> message-vpn <vpn-name>
solace(configure/client-username)# client-profile <name>
Where:
<name>
is the name of an existing client profile within the given Message VPN
The no version of this command, no client-profile, resets the assigned client profile back to the default client profile, named default.
For information on creating and configuring client profiles, refer to Configuring Client Profiles.
Configuring Subscription Managers
Clients that are configured as Subscription Managers can add or remove subscriptions for direct messaging on behalf of other clients within the Message VPN.
To allow clients that connect with the given client username to act as Subscription Managers within the given Message VPN, enter the following commands:
solace(configure)# client-username <username> message-vpn <vpn-name>
solace(configure/client-username)# subscription-manager
The no version of this command, no subscription-manager, disables Subscription Manager capability for the given client username.
Clients configured as Subscription Managers are subject to the rules in the ACL profile associated with their client username. This may limit the subscriptions they can add on behalf of other clients.
Enabling Endpoint Permission Overrides
This command enables endpoint permission override for a client username account. When enabled, clients connecting with that client username can access, modify, or delete all guaranteed endpoints in the Message VPN with the same permission as the endpoint's owner. (The one exception is that an endpoint provisioned by a CLI user can still be deleted only by that CLI user, that is, the owner.) Because the override applies to every endpoint regardless of who owns it, reserve it for administrative client usernames that need it.
Endpoint permission override is disabled by default.
To enable endpoint permission override for the given client username account, enter the following commands:
solace(configure)# client-username <username> message-vpn <vpn-name>
solace(configure/client-username)# guaranteed-endpoint-permission-override
The no version of this command, no guaranteed-endpoint-permission-override, disables endpoint permission override for a client username account.
Enabling/Disabling Client Username Accounts
To enable a client username account, enter the following commands:
solace(configure)# client-username <username> message-vpn <vpn-name>
solace(configure/client-username)# no shutdown
To disable a client username account, enter the following commands:
solace(configure)# client-username <username> message-vpn <vpn-name>
solace(configure/client-username)# shutdown
By default, a newly created client username account is enabled. The client username account named default, however, is not enabled; enable it only if clients are meant to connect with it.
Setting Client Username Passwords
By default, no password is set for a client username. To set a password for the given client username account (the password is used to authenticate the client when internal authentication is the provisioned method of user authentication on the event broker), enter the following commands:
solace(configure)# client-username <username> message-vpn <vpn-name>
solace(configure/client-username)# password <password>
Where:
<password>
is the password for the specified client username account. Passwords can contain from 1 to 128 non-null characters. Passwords cannot contain the following characters: :()";'<>,`\&|
The no version of this command, no password, removes any password set for the client username account.
- The password is stored in the event broker database only in one-way (non-reversible) form. If internal authentication is enabled but no password is assigned to a given client username, authentication fails for that client.
- Changing the password for a client username has no effect on connections which have already been authenticated with the event broker using the old password.
- The password is echoed on the screen as it is typed (so that the operator can verify it is correct), but it is not displayed in the output of any show User EXEC command.
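The username rules above (up to 189 printable ASCII characters, no "?" or "*", case-sensitive, unique per Message VPN) and the password rules (1 to 128 non-null characters, none of `:()";'<>,`\&|`) are easy to get wrong in a provisioning script. The following is an added example, not code from the Solace documentation or product: it encodes exactly those rules so a script can reject bad values before they are typed into the CLI, and renders the CONFIG-mode lines for one account. The helper names are this example's own; treating an empty username as invalid is this example's assumption, since the command needs a token there.

```python
"""Pre-flight checks for client username provisioning (added example).

Encodes the username and password rules stated in this section. The rules are
the page's; the function names and the empty-username check are this example's.
"""
from typing import List, Optional, Tuple

USERNAME_MAX_LEN = 189          # up to 189 printable ASCII characters
PASSWORD_MAX_LEN = 128          # 1 to 128 non-null characters
USERNAME_FORBIDDEN = set("?*")  # special meaning in some CLI commands
# Characters the page lists as not allowed in a password: :()";'<>,`\&|
PASSWORD_FORBIDDEN = set(':()";\'<>,`\\&|')


def username_errors(name: str) -> List[str]:
    """Return every rule the candidate username breaks (empty list = OK)."""
    errs = []
    if not name:  # assumption: the CLI needs a token here, so empty is invalid
        errs.append("username is empty")
    if len(name) > USERNAME_MAX_LEN:
        errs.append(f"longer than {USERNAME_MAX_LEN} characters ({len(name)})")
    outside = sorted({c for c in name if not 0x20 <= ord(c) <= 0x7E})
    if outside:
        errs.append("characters outside printable ASCII 0x20-0x7e: "
                    + " ".join(repr(c) for c in outside))
    wild = sorted(USERNAME_FORBIDDEN & set(name))
    if wild:
        errs.append("CLI wildcard characters not permitted: " + "".join(wild))
    return errs


def password_errors(pw: str) -> List[str]:
    """Return every rule the candidate password breaks (empty list = OK)."""
    errs = []
    if not 1 <= len(pw) <= PASSWORD_MAX_LEN:
        errs.append(f"length must be 1 to {PASSWORD_MAX_LEN} characters ({len(pw)})")
    if "\x00" in pw:
        errs.append("contains a null character")
    bad = sorted(PASSWORD_FORBIDDEN & set(pw))
    if bad:
        errs.append("forbidden characters: " + "".join(bad))
    return errs


def duplicate_usernames(accounts: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(vpn, username) pairs that appear more than once.

    Uniqueness is per Message VPN and case-sensitive: 'pascal' in blue and
    'pascal' in red are two distinct accounts, two 'pascal' entries in blue are not.
    """
    seen, dups = set(), []
    for vpn, name in accounts:
        key = (vpn, name)
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


def provisioning_commands(vpn: str, name: str, pw: str,
                          acl_profile: Optional[str] = None,
                          client_profile: Optional[str] = None) -> List[str]:
    """Render the CONFIG-mode lines that create and configure one account.

    Raises ValueError instead of emitting a command the broker would reject.
    """
    problems = ([f"username: {e}" for e in username_errors(name)]
                + [f"password: {e}" for e in password_errors(pw)])
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f"create client-username {name} message-vpn {vpn}",
             f"password {pw}"]
    if acl_profile:
        lines.append(f"acl-profile {acl_profile}")
    if client_profile:
        lines.append(f"client-profile {client_profile}")
    lines.append("exit")
    return lines


if __name__ == "__main__":
    for line in provisioning_commands("blue", "pascal", "s3cret",
                                      client_profile="Sales_Access"):
        print(line)
    print(username_errors("App*1"))
    print(password_errors("a:b"))
```

Run the rendered lines from `solace(configure)#`; the `exit` at the end returns to CONFIG mode so the next account can follow. Keep in mind that the `password` line is echoed on the screen when typed, so do not paste rendered scripts into a shared terminal session.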
Setting Client Username Attributes
A client username attribute is a key-value pair that can be used to locate a client username, for example when using client certificate to Message VPN matching. For more information, see Configuring Client Certificate to Message VPN Matching.
There are fewer client username attribute objects on the broker than there are client username objects. Therefore you must be judicious about the number of attributes you create. For more information, see the System Limits and Alerts spreadsheet (available from the Solace Products site for Appliance and PubSub+ Enterprise customers).
To create a client username attribute, enter the following commands:
solace(configure)# client-username <username> message-vpn <vpn-name>
solace(configure/client-username)# create attribute <name> <value>
Where:
<name>
is the name of the attribute (of up to 64 characters).
<value>
is the value of the attribute (of up to 256 characters).
The no version of this command, no attribute <name> <value>, removes the attribute.
The following example sets a client username attribute named ou with a value of Unit1 for client username App1. If an appropriate client certificate matching rule is configured on the event broker, the event broker will compare the organizational unit in the client certificate to make sure it matches Unit1 before the client is permitted to connect to the Message VPN.
solace(configure)# client-username App1 message-vpn vpn1
solace(configure/client-username)# create attribute ou Unit1
If you are using LDAP authorization, username attributes must be configured on the external LDAP server.
Example: Configuring Client Username Accounts
This example shows how to:
- Create client username accounts (pascal) in separate Message VPNs (blue and red)
- Create client profiles (Sales_Access) in both Message VPNs
- Assign those client profiles to the client username accounts
- Activate the client username accounts for service
- Create the Message VPN blue:
solace> enable
solace# configure
solace(configure)# create message-vpn blue
solace(configure/message-vpn)# exit
- Create the Message VPN red:
solace(configure)# create message-vpn red
solace(configure/message-vpn)# exit
- Create the client username account pascal in Message VPN blue:
solace(configure)# create client-username pascal message-vpn blue
solace(configure/client-username)# exit
- Create the client username account pascal in Message VPN red:
solace(configure)# create client-username pascal message-vpn red
solace(configure/client-username)# exit
- Enter the following show command to confirm that both pascal client username accounts were created:
solace(configure)# show client-username pascal message-vpn *
- Create the client profile Sales_Access in Message VPN blue:
solace(configure)# create client-profile Sales_Access message-vpn blue
solace(configure/client-profile)# exit
- Create the client profile Sales_Access in Message VPN red:
solace(configure)# create client-profile Sales_Access message-vpn red
solace(configure/client-profile)# exit
- Enter the following show command to confirm the creation and configuration of client profile Sales_Access:
solace(configure)# show client-profile Sales_Access detail
- Enter the client-profile Client Username CONFIG command to assign client profile Sales_Access to the client username account pascal in Message VPN blue:
solace(configure)# client-username pascal message-vpn blue
solace(configure/client-username)# client-profile Sales_Access
solace(configure/client-username)# exit
- Assign client profile Sales_Access to the client username account pascal in Message VPN red:
solace(configure)# client-username pascal message-vpn red
solace(configure/client-username)# client-profile Sales_Access
solace(configure/client-username)# exit
- Enter the following show command to confirm that the client username accounts have been assigned client profile Sales_Access:
solace(configure)# show client-username pascal detail
- Activate the client username account pascal in Message VPN blue for service:
solace(configure)# client-username pascal message-vpn blue
solace(configure/client-username)# no shutdown
solace(configure/client-username)# exit
- Activate the client username account pascal in Message VPN red for service:
solace(configure)# client-username pascal message-vpn red
solace(configure/client-username)# no shutdown
solace(configure/client-username)# exit
- Enter the following show command to confirm the client username accounts' activation:
solace(configure)# show client-username pascal message-vpn *
Username Message VPN Enabled # Clients
------------------------------- --------------------------- ------- --------
pascal blue Yes 0
pascal red Yes 0
- To activate the Message VPNs blue, red, and default for service, go to CLI Steps to Set Up VPNs With Client Profiles.
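The show output above is what an operator checks after provisioning, and it is also what an audit script would read to confirm that the default client username in each Message VPN is still disabled and to see which accounts have live sessions (a password change does not disconnect those, as noted under Setting Client Username Passwords). The following is an added example, not Solace code: it parses the four-column table in this section by reading the column spans from the dash separator line, so usernames that contain spaces survive, and reports both checks. The sample output is constructed for this example, laid out with the column widths of the table above; the broker's own output may differ in other contexts, which is why the widths are not hard-coded.

```python
"""Audit helpers for 'show client-username' output (added example).

Parses the four-column table shown in this section and reports Message VPNs
whose 'default' client username is enabled and accounts that have clients
connected. SAMPLE_OUTPUT is constructed for this example.
"""
import re
from typing import Dict, List, Tuple

WIDTHS = (31, 27, 7, 8)  # widths of the dash runs in the table shown in this section


def _row(*cells: str) -> str:
    """Lay cells out the way the broker's table does (used only to build the sample)."""
    return " ".join(c.ljust(w) for c, w in zip(cells, WIDTHS)).rstrip()


# Constructed sample: 'default' in red is enabled with clients attached, and
# 'svc acct' shows why whitespace splitting would be wrong.
SAMPLE_OUTPUT = "\n".join([
    "solace(configure)# show client-username * message-vpn *",
    _row("Username", "Message VPN", "Enabled", "# Clients"),
    _row(*("-" * w for w in WIDTHS)),
    _row("default", "blue", "No", "0"),
    _row("default", "red", "Yes", "3"),
    _row("pascal", "blue", "Yes", "2"),
    _row("pascal", "red", "Yes", "0"),
    _row("svc acct", "blue", "Yes", "0"),
])


def parse_show_client_username(text: str) -> List[Dict[str, str]]:
    """Slice each data line by the column spans of the dash separator line.

    Fixed-width slicing is used rather than splitting on whitespace because
    usernames may legitimately contain spaces (0x20 is printable ASCII).
    The last column runs to the end of the line because its header
    ('# Clients') is wider than its dash run.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    sep_i = next(i for i, ln in enumerate(lines)
                 if "-" in ln and re.fullmatch(r"[- ]+", ln))
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[sep_i])]
    last = len(spans) - 1

    def cells(line: str) -> List[str]:
        return [(line[s:] if k == last else line[s:e]).strip()
                for k, (s, e) in enumerate(spans)]

    header = cells(lines[sep_i - 1])
    return [dict(zip(header, cells(ln))) for ln in lines[sep_i + 1:]]


def enabled_default_accounts(records: List[Dict[str, str]]) -> List[str]:
    """Message VPNs whose 'default' client username is enabled."""
    return [r["Message VPN"] for r in records
            if r["Username"] == "default" and r["Enabled"] == "Yes"]


def accounts_with_sessions(records: List[Dict[str, str]]) -> List[Tuple[str, str, int]]:
    """(vpn, username, client count) for accounts that currently have clients."""
    return [(r["Message VPN"], r["Username"], int(r["# Clients"]))
            for r in records if int(r["# Clients"]) > 0]


if __name__ == "__main__":
    recs = parse_show_client_username(SAMPLE_OUTPUT)
    print("enabled 'default' accounts:", enabled_default_accounts(recs))
    print("accounts with live sessions:", accounts_with_sessions(recs))
```

Feed the function the captured output of `show client-username * message-vpn *`; any Message VPN it lists from `enabled_default_accounts` should be reviewed, since the page states the default client username is not enabled unless someone enabled it.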