MQTT Messaging Management

Solace PubSub+ event brokers support the OASIS MQTT v3.1.1 and v5.0 standards to meet the needs of connected devices and mobile applications that need an efficient way to send and receive information using very little bandwidth and client-side processing power. The Solace PubSub+ event broker works with any third-party MQTT v3.1.1 or v5.0 compliant client API, including open source APIs available through an Eclipse initiative called Paho.

Transports

Solace PubSub+ event brokers support the following transports for the MQTT service:

  • Plain-Text
  • TLS
  • WebSocket
  • WebSocket Secure

Enabling and Disabling the MQTT Service

For information on how to enable and disable the MQTT service, refer to MQTT Service Management.

Managing the MQTT Service

MQTT service on a Solace PubSub+ event broker can be configured on a per-Message VPN level.

You can configure the following settings for MQTT service.

Setting Listen Ports

You must configure a TCP port number for MQTT clients to use when connecting to a Message VPN. Separate ports can be configured for each transport type that MQTT clients can use. The possible transport types are: plain-text, TLS/SSL, WebSocket, and WebSocket Secure.

To set a listen port for MQTT connections to the given Message VPN, enter the following commands:

solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn)# service mqtt
solace(configure/message-vpn/service/mqtt)# listen-port <port> [ssl] [web]

Where:

<port> is the port number from 1 to 65535. This port must not be in use for any other service. Note that if the ssl and/or web parameters are not included with the command, the port will use a plain text transport.

[ssl] specifies that the given port uses TLS/SSL encryption.

[web] specifies that the given port uses WebSockets.

[ssl] and [web] together specify that the given port uses WebSockets Secure.

The no version of this command, no listen-port, removes the currently configured port number.

  • Enter the command a separate time for each transport type that you want to configure.
  • To change a port number, the MQTT connection must be shut down (refer to Enabling and Disabling MQTT Connections).

Setting the Maximum Number of MQTT Connections

To set the maximum number of MQTT clients that can simultaneously connect to the given Message VPN, enter the following commands:

solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn)# service mqtt
solace(configure/message-vpn/service/mqtt)# max-connections <value>

Where:

<value> is the maximum number of simultaneous connections permitted.

The no version of this command, no max-connections, resets the value to the maximum limit supported by the event broker.

This parameter can be set to a value that is higher than the maximum number of simultaneous connections permitted by the event broker, but the connection limit for the event broker will still be enforced.

Enabling and Disabling MQTT Connections

Within a Message VPN, the MQTT service for the given Message VPN can be enabled or disabled according to the specific transport type that is used. By default, MQTT service is not enabled for a Message VPN.

The following transports can be enabled and disabled for MQTT service:

Plain-Text

To enable MQTT connections using TCP plain-text transport for the given Message VPN, enter the following commands:

solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn)# service mqtt
solace(configure/message-vpn/service/mqtt)# no plain-text shutdown

To disable MQTT connections using TCP plain-text transport for the given Message VPN, enter the following commands:

solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn)# service mqtt
solace(configure/message-vpn/service/mqtt)# plain-text shutdown

Disabling plain-text connections will disconnect any clients currently connected to the configured plain-text listen port.

TLS

To enable MQTT connections using Transport Layer Security (TLS) / Secure Sockets Layer (SSL) transport for the given Message VPN, enter the following commands:

solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn)# service mqtt
solace(configure/message-vpn/service/mqtt)# no ssl shutdown

To disable MQTT connections using Transport Layer Security (TLS) / Secure Sockets Layer (SSL) transport for the given Message VPN, enter the following commands:

solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn)# service mqtt
solace(configure/message-vpn/service/mqtt)# ssl shutdown

Disabling TLS/SSL connections will disconnect any clients currently connected to the configured TLS/SSL listen port.

WebSocket

To enable MQTT connections using WebSocket transport for the given Message VPN, enter the following commands:

solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn)# service mqtt
solace(configure/message-vpn/service/mqtt)# no websocket shutdown

To disable MQTT connections using WebSocket transport for the given Message VPN, enter the following commands:

solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn)# service mqtt
solace(configure/message-vpn/service/mqtt)# websocket shutdown

Disabling WebSocket connections will disconnect any clients currently connected to the configured WebSocket listen port.

WebSocket Secure

To enable MQTT connections using WebSocket Secure transport for the given Message VPN, enter the following commands:

solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn)# service mqtt
solace(configure/message-vpn/service/mqtt)# no websocket-secure shutdown

To disable MQTT connections using WebSocket Secure transport for the given Message VPN, enter the following commands:

solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn)# service mqtt
solace(configure/message-vpn/service/mqtt)# websocket-secure shutdown

Disabling WebSocket Secure connections will disconnect any clients currently connected to the configured WebSocket Secure listen port.
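
The following is an added example, not part of the Solace documentation or tooling: a small audit that replays a saved CLI script written with the shutdown commands shown above and reports Message VPNs that end up with an unencrypted MQTT transport (plain-text or WebSocket) enabled. The function names, the VPN names and the sample script are constructed for illustration, and the script assumes each Message VPN section starts with a message-vpn line as in the command sequences on this page.

```python
import re

TRANSPORTS = ("plain-text", "ssl", "websocket", "websocket-secure")
CLEARTEXT = ("plain-text", "websocket")          # no TLS on these listeners
PROMPT = re.compile(r"^solace\([^)]*\)#\s*")     # leading "solace(...)# " prompt

def parse_cli_script(text):
    """Replay the script in order; return {vpn: {transport: enabled}}."""
    state, vpn, in_mqtt = {}, None, False
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        keys = [w.lower() for w in words]
        if len(keys) == 2 and keys[0] == "message-vpn":
            vpn, in_mqtt = words[1], False       # keep the VPN name's case
            # The page states MQTT is not enabled by default for a Message VPN.
            state.setdefault(vpn, dict.fromkeys(TRANSPORTS, False))
        elif vpn and keys[:1] == ["service"]:
            in_mqtt = keys == ["service", "mqtt"]  # ignore other service contexts
        elif in_mqtt and keys[-1:] == ["shutdown"]:
            negated = keys[0] == "no"
            name = keys[1] if negated else keys[0]
            if name in TRANSPORTS and len(keys) == (3 if negated else 2):
                state[vpn][name] = negated       # "no <transport> shutdown" enables
    return state

def cleartext_findings(state):
    """(vpn, transport) pairs where an unencrypted MQTT transport is enabled."""
    return sorted((v, t) for v, tr in state.items() for t in CLEARTEXT if tr[t])

# Constructed sample input (hypothetical VPN names), not taken from a real broker.
SAMPLE = """\
solace(configure)# message-vpn factory
solace(configure/message-vpn)# service mqtt
solace(configure/message-vpn/service/mqtt)# no plain-text shutdown
solace(configure/message-vpn/service/mqtt)# no ssl shutdown
solace(configure)# message-vpn web
solace(configure/message-vpn)# service mqtt
solace(configure/message-vpn/service/mqtt)# no websocket shutdown
solace(configure/message-vpn/service/mqtt)# no websocket-secure shutdown
solace(configure/message-vpn/service/mqtt)# websocket shutdown
"""

if __name__ == "__main__":
    for vpn, transport in cleartext_findings(parse_cli_script(SAMPLE)):
        print(f"{vpn}: MQTT {transport} is enabled without TLS")
```

Because commands are replayed in order, a transport that is enabled and later shut down in the same script is reported as disabled.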

Configuring When to Request a Client Certificate from an MQTT Client

By default, PubSub+ event brokers request client certificates from MQTT clients connecting via a TLS port if client certificate authentication is enabled in a given Message VPN. Because many popular web browsers handle the request for a client certificate poorly, this can result in clients running in web browsers being unable to connect over the WebSockets secure (WSS) protocol. If you have clients connecting from a web browser using WSS and other clients in the same Message VPN that need to authenticate using client certificates, you may want to prevent the broker from requesting a client certificate from incoming web clients.

To configure when the broker requests a client certificate from incoming MQTT clients connecting via a TLS port, enter the following CONFIG commands:

solace(configure)# message-vpn <vpn-name>
solace(configure/message-vpn)# service mqtt
solace(configure/message-vpn/service/mqtt)# authentication
solace(...ssage-vpn/service/mqtt/authentication)# client-certificate
solace(...qtt/authentication/client-certificate)# request-client-certificate {always | never | when-enabled-in-message-vpn}

Where:

always configures the broker to always request a client certificate regardless of whether client certificate authentication is enabled in the Message VPN. For more information, see Enabling/Disabling Client Certificate Authentication For Clients.

never configures the broker to never request a client certificate regardless of whether client certificate authentication is enabled in the Message VPN. This setting is useful if you don't want the broker to request a client certificate from your WebSocket secure clients, but you still want to use client certificate authentication for other types of clients (such as bridges).

when-enabled-in-message-vpn configures the broker to request a client certificate only if client certificate authentication is enabled in the Message VPN. This is the default setting.

The no version of this command, no request-client-certificate, resets the value to the default.