Running CLI in Docker container:
docker exec -it pubSubStandardSingleNode /usr/sw/loads/currentload/bin/cli -A
# Scripts to be in /cliscripts
# -e: Auto exit mode, -s: execute CLI script
/usr/sw/loads/currentload/bin/cli -A -es /cliscripts/setup.cli
# Config dump: show current-config all > cliscripts/setup.cli
# User EXEC
solace> enable
# Privileged EXEC
solace> configure
# Global CONFIG
solace(configure)# end
solace> admin
# Admin EXEC Level (admin from Privileged)
solace(admin)#
# Configure no session timeout
session timeout 0
solace> show client-profile default
solace> show client-username default
copy sftp://foo@172.19.0.3/upload/rootCA.crt /certs/rootCA.crt
copy sftp://foo@172.19.0.3/upload/localhost.crt /certs/localhost.crt
# Create a new CLI user account.
create username <name> password <password> cli
# Create a new File Transfer user account.
create username <name> password <password> file-transfer
# Edit the properties for an existing File Transfer account
username <name>
# Delete user
no <name>
For Server TLS, the Certificate Authority (CA) on the broker need not be configured.
The server certificate file must be PEM formatted. It must consist of a private key and between one and three certificates comprising the certificate trust chain. If loading from a file, it must be located in the
/certs
(/usr/sw/jail/certs
in docker) directory.
ssl
server-certificate localhost.crt
# Alternatively, file contents can be provided:
server-certificate localhost.crt file-contents "-----BEGIN RSA PRIVATE KEY-----\n....."
cipher-suite msg-backbone name AES128-SHA
show ssl certificate-files [filename <filename>] [detail]
show ssl server-certificate [detail]
show stats ssl
The certificate file must be PEM formatted (have a .pem extension). If loading from a file, it must be located in the
/certs
directory. Note that Client CA does not have private key.
authentication
! Note: Older version of PubSub+ might be using `certificate-authority` instead of `client-client-certificate-authority`
create client-certificate-authority rootCA
! To remove: no client-certificate-authority <ca-name>
certificate file rootCA.crt
# Alternativey
certificate content "-----BEGIN CERTIFICATE-----\n....."
show certificate-authority ca-name *
The Server Root CA has to be trusted by clients. (e.g. added to client trusted store)
# Create root key (for non password-protected key, remove the -des3 option)
openssl genrsa -des3 -out serverCA.key 2048
# Create and self sign the Root Certificate
openssl req -x509 -new -key serverCA.key -sha256 -days 1825 -out serverCA.crt
# The above is equivalent to the following (for non password-protected key):
openssl req -nodes -new -x509 -newkey rsa:2048 -keyout serverCA.key -days 1825 -out serverCA.crt
The Server root CA need not be configured in the broker for Server TLS.
# Create the certificate key (for non password-protected key, remove the -des3 option)
openssl genrsa -des3 -out mydomain.com.key 2048
# Generate CSR
openssl req -new -key mydomain.com.key -out mydomain.com.csr
# The above is equivalent to the following (for non password-protected key):
openssl req -nodes -new -newkey rsa:2048 -keyout mydomain.com.key -out mydomain.com.csr
# Sign certificate using the mydomain csr with our root CA cert and key
openssl x509 -req -in mydomain.com.csr -CA serverCA.crt -CAkey serverCA.key -CAcreateserial -out mydomain.com.crt -days 1825 -sha256
Generate Self-Signed Client Root CA (see above)
The Client Root CA (with the private key) need be configured in the broker.
# Create a client certificate client authenticate with and a request to be signed by your root CA.
openssl req -nodes -new -newkey rsa:2048 -keyout client.key -out client.csr
# Sign this certificate using client CSR with our root CA cert and key.
openssl x509 -req -in client.csr -CA clientCA.crt -CAkey clientCA.key -CAcreateserial -out client.crt -days 1825 -sha256
Substitution variables are a feature of ACLs that can be helpful for deployments that have a lot of connecting clients (for example, IoT deployments may have thousands or hundreds of thousands of clients) where you may want to configure ACL rules so that those clients can only:
-
publish to topics containing their own client username or MQTT client ID (to prevent a client from impersonating another client)
-
subscribe to topics containing their own client username or MQTT client ID (to prevent a client from receiving data that is intended for another client)
Example of topic exceptions in ACL could be device/$client-username/>
to allow publish or subscribe to topics starting with device/$client-username/status
or device/$client-username/telemetry
. See here for more details.
By default, when using client certificates, the common name (CN) in a client certificate’s subject is used as the client username. If no client username has been provisioned, the event broker will attempt to apply the client username named default
and the associated client and ACL profile. Note that the substitution variable for $client-username
for ACL will still be the common name and NOT default
.
The client username
default
cannot be deleted. To be secure by default, the associated ACL profile should should be as restrictive as possible.
This client username can be 'blacklisted' by creating a client username which is not enabled.
Note that there is a limit of 100 client username for each Message VPN.
Alternatively, client certificates authentication can be configured to allow API provided username. Similarly, if no username or an invalid username is provided, the client username named default
will be applied and the substitution variable for $client-username
for ACL will still be evaluated to certificate common name.
This is not recommended as any client with the client certificate (and key) can connect as any arbitrary username (which will be used subsequently for authorization).