Configuring Server Certificate Validation Settings

You can configure server certificate validation settings to make certificate validation more secure or less secure. These settings are used for validating the server certificate that is passed from a remote event broker to the local event broker during a TLS/SSL handshake.

Certificate validation settings can be specified for Message VPN bridges and replication Config-Sync bridges.

You can make the following certificate validation configurations:

  • Enabling Server Name Validation
  • Configuring Maximum Certificate Chain Depths
  • Enabling Certificate Date Validation

When you make a change to the server certificate validation settings for Message VPN bridges, the PubSub+ broker automatically disconnects and then reconnects all TLS-enabled bridges in the Message VPN to enable the change.

For information on setting a client certificate for Message VPN bridges, refer to Configuring Client Certificate Authentication.

Enabling Server Name Validation

You can enable or disable the TLS authentication mechanism to verify the name used to connect to the remote broker. If enabled, the server name used for that connection is verified against the server names in the Subject Alternative Name (SAN) extension in the certificate returned from the remote broker.

Server name validation is enabled by default and should remain enabled in all production scenarios.

  • Message VPN Bridges

    To enable the validation of server names for Message VPN bridges, enter the following commands:

    solace(configure)# message-vpn <vpn-name>
    solace(configure/message-vpn)# bridging ssl server-certificate-validation
    solace(...ing/ssl/server-certificate-validation)# validate-server-name

  • Replication Config-Sync Bridges

    To enable the validation of server names for replication Config-Sync bridges, enter the following commands:

    solace(configure)# replication
    solace(configure/replication)# config-sync bridge ssl-server-certificate-validation
    solace(...dge/ssl-server-certificate-validation)# validate-server-name

The no version of these commands, no validate-server-name, disables the validation of server names.

Configuring Maximum Certificate Chain Depths

The depth of a certificate chain is the number of signing CA certificates that are present in the chain back to a trusted self-signed root CA certificate. Setting a maximum certificate chain depth means that bridge connections will reject any certificate chain whose depth exceeds the configured maximum.

  • Message VPN Bridges

    To configure the maximum certificate chain depth for Message VPN bridges, enter the following commands:

    solace(configure)# message-vpn <vpn-name>
    solace(configure/message-vpn)# bridging ssl server-certificate-validation
    solace(...ing/ssl/server-certificate-validation)# max-certificate-chain-depth <max-depth>

    Where:

    <max-depth> is a number from 0 to 8 specifying the maximum number of signing CA certificates that may be present in the certificate chain. The default value is 3.

  • Replication Config-Sync Bridges

    To configure the maximum certificate chain depth for replication Config-Sync bridges, enter the following commands:

    solace(configure)# replication
    solace(configure/replication)# config-sync bridge ssl-server-certificate-validation
    solace(...dge/ssl-server-certificate-validation)# max-certificate-chain-depth <max-depth>

    Where:

    <max-depth> is a number from 0 to 8 specifying the maximum number of signing CA certificates that may be present in the certificate chain. The default value is 3.

The no version of these commands, no max-certificate-chain-depth, resets this parameter to its default value.

Enabling Certificate Date Validation

Certificates may specify "not before" and "not after" dates that define the time range for which they are valid. This setting enables or disables the validation of these dates. If this check is disabled, the bridge accepts a certificate even if the current time falls outside the validity period stated in the certificate (for example, an expired certificate).

By default, validation of certificate dates is enabled.

  • Message VPN Bridges

    To enable validation of certificate dates for Message VPN bridges, enter the following commands:

    solace(configure)# message-vpn <vpn-name>
    solace(configure/message-vpn)# bridging ssl server-certificate-validation
    solace(...ing/ssl/server-certificate-validation)# validate-certificate-date

  • Replication Config-Sync Bridges

    To enable validation of certificate dates for replication Config-Sync bridges, enter the following commands:

    solace(configure)# replication
    solace(configure/replication)# config-sync bridge ssl-server-certificate-validation
    solace(...dge/ssl-server-certificate-validation)# validate-certificate-date

The no version of these commands, no validate-certificate-date, disables validation of the certificate dates.
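The following is an added example, not Solace code, that models the three checks described in the preceding sections (server name validation against the SAN extension, the maximum certificate chain depth, and certificate date validation) so that the effect of each setting and of its no form can be seen on a constructed certificate chain. The Cert and ValidationPolicy classes, the sample chain, the trusted-root set and the probe timestamps are all assumptions made for the example; chain depth is counted as the page defines it (signing CA certificates above the leaf, back to the self-signed root), and signature verification, which a real TLS stack performs, is not modelled.

```python
"""Model of the server-certificate checks a TLS bridge applies to the remote
broker's chain. Added example; not the broker's own implementation."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple


@dataclass
class Cert:
    """Only the X.509 fields the three checks need (assumed model)."""
    subject: str
    issuer: str
    san_dns: List[str]          # dNSName entries of the SAN extension
    not_before: datetime
    not_after: datetime


@dataclass
class ValidationPolicy:
    """Mirrors the bridge settings and their documented defaults."""
    validate_server_name: bool = True
    max_certificate_chain_depth: int = 3     # valid range 0..8, default 3
    validate_certificate_date: bool = True


def hostname_matches_san(hostname: str, san_dns: List[str]) -> bool:
    """dNSName matching: case-insensitive; a wildcard is accepted only as the
    entire leftmost label, matches exactly one label, and never a bare TLD."""
    host = hostname.lower().rstrip(".")
    for name in san_dns:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]                      # e.g. ".bridges.example.com"
            if suffix.count(".") >= 2 and host.endswith(suffix):
                leftmost = host[: -len(suffix)]
                if leftmost and "." not in leftmost:  # "*" covers one label only
                    return True
    return False


def chain_depth(chain: List[Cert]) -> int:
    """Signing CA certificates above the leaf (intermediates plus root)."""
    return len(chain) - 1


def validate_server_chain(chain: List[Cert], hostname: str, policy: ValidationPolicy,
                          trusted_roots: set, now: datetime) -> Tuple[bool, List[str]]:
    """chain[0] is the server certificate, chain[-1] the root.
    Returns (accepted, reasons); reasons is empty when the chain is accepted."""
    reasons: List[str] = []
    # Structural linkage: each certificate is issued by the next one up, and the
    # chain ends in a self-signed root present in the trust store.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            reasons.append(f"issuer mismatch: {child.subject} not issued by {parent.subject}")
    root = chain[-1]
    if root.subject != root.issuer or root.subject not in trusted_roots:
        reasons.append(f"chain does not end in a trusted self-signed root: {root.subject}")
    # max-certificate-chain-depth: reject chains deeper than the configured limit.
    depth = chain_depth(chain)
    if depth > policy.max_certificate_chain_depth:
        reasons.append(f"chain depth {depth} exceeds maximum {policy.max_certificate_chain_depth}")
    # validate-server-name: the name used to connect must appear in the leaf's SAN.
    if policy.validate_server_name and not hostname_matches_san(hostname, chain[0].san_dns):
        reasons.append(f"server name {hostname} not in SAN {chain[0].san_dns}")
    # validate-certificate-date: every certificate must be within its validity period.
    if policy.validate_certificate_date:
        for cert in chain:
            if not (cert.not_before <= now <= cert.not_after):
                reasons.append(f"certificate date check failed for {cert.subject}")
    return (not reasons, reasons)


# Constructed sample chain and probe times (not real certificates).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
AFTER_LEAF_EXPIRY = datetime(2027, 1, 1, tzinfo=timezone.utc)


def sample_chain() -> Tuple[List[Cert], set]:
    utc = timezone.utc
    root = Cert("CN=Example Root CA", "CN=Example Root CA", [],
                datetime(2020, 1, 1, tzinfo=utc), datetime(2040, 1, 1, tzinfo=utc))
    issuing = Cert("CN=Example Issuing CA", "CN=Example Root CA", [],
                   datetime(2023, 1, 1, tzinfo=utc), datetime(2030, 1, 1, tzinfo=utc))
    leaf = Cert("CN=broker-b.example.com", "CN=Example Issuing CA",
                ["broker-b.example.com", "*.bridges.example.com"],
                datetime(2024, 1, 1, tzinfo=utc), datetime(2026, 1, 1, tzinfo=utc))
    return [leaf, issuing, root], {"CN=Example Root CA"}


if __name__ == "__main__":
    chain, roots = sample_chain()
    for host, policy, when in [
        ("broker-b.example.com", ValidationPolicy(), NOW),
        ("evil.example.com", ValidationPolicy(), NOW),
        ("evil.example.com", ValidationPolicy(validate_server_name=False), NOW),
        ("broker-b.example.com", ValidationPolicy(max_certificate_chain_depth=1), NOW),
        ("broker-b.example.com", ValidationPolicy(), AFTER_LEAF_EXPIRY),
        ("broker-b.example.com", ValidationPolicy(validate_certificate_date=False), AFTER_LEAF_EXPIRY),
    ]:
        print(host, policy, when.date(), validate_server_chain(chain, host, policy, roots, when))
```

Running the script shows why the page recommends keeping both validations enabled: with no validate-server-name a chain issued for broker-b.example.com is accepted for any name, and with no validate-certificate-date an expired leaf is accepted, while the depth limit only starts rejecting this two-CA chain once it is lowered below 2.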