Venafi Message Bus

The Venafi Message Bus provides near-instant notifications to other servers in the cluster about significant changes to the database. It is implemented using an MQTT message broker using a publish-subscribe messaging pattern. This allows all servers in the cluster near-instant visibility into the activities and configuration changes of other servers in the cluster.

Messages sent through Message Bus are informative, not authoritative and never contain any confidential data. The message is simply an instruction to other servers that something has changed, which allows the other servers to check the database to see what was changed, and then take action as needed. This also means that if there are connectivity issues in your network no important data is lost, because the important data isn't the MQTT message itself.
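The "informative, not authoritative" pattern described above, as an added example that is not Venafi code: a small in-process model in which a published notice carries only an object identifier and a change type, and the receiving server always re-reads the authoritative record from its own copy of the database. It also shows why a dropped message is not a data loss: a later resync against the database brings the cache back into agreement. All names (Database, ChangeNotice, Broker, ServerCache) are hypothetical.

```python
"""Model of a change-notification bus where messages are hints, not data.

Added illustration, not Venafi Platform code. The message payload never
carries the changed value itself; subscribers treat it purely as a trigger
to re-read the shared database, which remains the single source of truth.
"""
from dataclasses import dataclass, field


@dataclass
class Database:
    """Stand-in for the shared, authoritative database."""
    records: dict = field(default_factory=dict)

    def read(self, key):
        return self.records.get(key)


@dataclass(frozen=True)
class ChangeNotice:
    """What travels over the bus: an identifier and a change type, nothing else."""
    object_id: str
    change: str  # "created", "updated" or "deleted"


class Broker:
    """Minimal publish/subscribe fan-out; `drop=True` simulates a lost message."""

    def __init__(self):
        self._subscribers = []
        self.dropped = 0

    def subscribe(self, callback):
        self._subscribers.append(callback)

    def publish(self, notice: ChangeNotice, drop: bool = False):
        if drop:
            self.dropped += 1  # message lost on the network; nothing else is lost
            return
        for callback in self._subscribers:
            callback(notice)


class ServerCache:
    """Per-server cache that is refreshed from the database, never from the bus."""

    def __init__(self, db: Database):
        self.db = db
        self.cache = {}

    def on_notice(self, notice: ChangeNotice):
        # The notice only says *what* changed; the value comes from the database.
        self.refresh(notice.object_id)

    def refresh(self, key):
        value = self.db.read(key)
        if value is None:
            self.cache.pop(key, None)
        else:
            self.cache[key] = value

    def resync(self):
        # Full reconciliation, e.g. after a reconnect, repairs any missed notices.
        for key in set(self.cache) | set(self.db.records):
            self.refresh(key)

    def is_consistent(self) -> bool:
        return self.cache == self.db.records


def demo():
    """Constructed scenario: one DB, one broker, two servers, one lost message."""
    db = Database()
    broker = Broker()
    server_a, server_b = ServerCache(db), ServerCache(db)
    broker.subscribe(server_a.on_notice)
    broker.subscribe(server_b.on_notice)

    # 1. A permission is granted in the database and a notice is published.
    db.records["policy:/Certs"] = {"alice": "read"}
    broker.publish(ChangeNotice("policy:/Certs", "updated"))
    after_publish = server_a.is_consistent() and server_b.is_consistent()

    # 2. The next change's notice is dropped: caches go stale, data is intact.
    db.records["policy:/Certs"] = {"alice": "read", "bob": "write"}
    broker.publish(ChangeNotice("policy:/Certs", "updated"), drop=True)
    stale_after_drop = not server_a.is_consistent()

    # 3. A resync against the database restores consistency.
    server_a.resync()
    server_b.resync()
    after_resync = server_a.is_consistent() and server_b.is_consistent()
    return after_publish, stale_after_drop, after_resync, broker.dropped


if __name__ == "__main__":
    print(demo())
```

Because the notice carries no value, a subscriber cannot be fed stale or forged data through the bus itself; the worst a lost or delayed message can do is delay when a server notices a change, which a periodic or reconnect-time resync bounds.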

Message Bus is an integral part of the VPlatform service, and a core technology of Venafi Platform. It runs on Venafi servers when the VPlatform service is running. (This service is also known as Venafi Encryption Driver (VED) service.)

Message Bus provides several benefits. For example:

  • Servers in the cluster always stay in sync. Configuration changes that previously required users to log out and log back in are now propagated to all servers immediately.

  • Permissions are kept in sync. For example, if a user is given rights to a policy folder, those rights are updated across all servers almost instantly.

  • Identities and access are constantly updated. When you remove a user from the system, they will lose access right away on all servers, without waiting for their session to refresh. Thus rights and permissions are always kept synchronized.

Configuration Types

Message Bus operates in one of two ways to accommodate all deployment scenarios:

  • Self-Hosted (mesh style). In this default configuration, each server in the cluster communicates with all other servers in the cluster directly by subscribing to every other server's broker. Every message published from the remote brokers will be passed to the local brokers. This configuration is supported natively by Venafi Platform, and requires no additional configuration as long as the bus port is open to allow communication with all other servers in the cluster. Most customers use this configuration method.

  • Central MQTT Broker (hub-and-spoke style). In this configuration, all servers in the cluster publish and subscribe to an external MQTTv5 broker, and the broker distributes the messages to all servers in the cluster. This deployment option is provided for customers already using an external MQTTv5 broker and who are required to use that service, or who don't want another broker working on their network. Another reason you might use hub-and-spoke configuration is if your cluster cannot communicate between all servers using the configured port, but the servers can all reach the same external broker. You will need connection information to your central MQTT broker to use this configuration type.

Message Bus is not optional. It is an integral part of Venafi Platform. For new installations of Venafi Platform, Message Bus is configured during the installation steps. For upgrades, the first server in the cluster that is upgraded to version 23.3 (or higher) will require you to configure it. Subsequent servers will not require Message Bus configuration on upgrade or installation.

Network Requirements for Message Bus

Message Bus requires correct network configuration. The requirements depend on whether you are using mesh mode or hub-and-spoke mode:

  • Self-Hosted (mesh style). All servers must be able to communicate with each other over the configured port (default is 8883 for TLS, or port 1883 if you are using an unencrypted bus). Almost all configuration issues are due to incorrect port configuration.

  • Central MQTT Broker (hub-and-spoke style). Each server must be able to communicate with the central MQTTv5 server over the configured port (default is 8883 for TLS, or port 1883 if you are using an unencrypted bus).

We suggest you get the network configured correctly before upgrading. Once a server has been upgraded to 23.3 (or higher), you can see if there are any communication issues by looking at the Message Bus node in Venafi Configuration Console where there is a graphical representation of your network which makes it easy to see where any communication issues are detected.
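A pre-upgrade reachability check covering both deployment modes above, as an added example that is not Venafi code: in mesh mode every server must reach every other server on the bus port, so the required links are all ordered pairs; in hub-and-spoke mode every server only needs to reach the central broker. A TCP probe can only test connections that originate on the host running it, so the script is meant to be run on each server in turn with that server's own name as `local`. Function names, the `probe` hook and the sample host names are assumptions; the port defaults (8883 for TLS, 1883 unencrypted) come from the page.

```python
"""Bus-port reachability check for mesh and hub-and-spoke Message Bus layouts.

Added illustration, not Venafi Platform code. Run it on every server in the
cluster; each run verifies only the links that start on the local host.
"""
import socket
import sys
from typing import Callable, Dict, List, Tuple

# Default bus ports as stated in the network requirements.
DEFAULT_PORTS = {"tls": 8883, "plain": 1883}


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def required_links(servers: List[str], mode: str,
                   broker: str = None) -> List[Tuple[str, str]]:
    """List the (source, destination) pairs that must be reachable.

    mesh: every server to every other server (N * (N - 1) directed links).
    hub:  every server to the single central broker.
    """
    if mode == "mesh":
        return [(a, b) for a in servers for b in servers if a != b]
    if mode == "hub":
        if not broker:
            raise ValueError("hub mode requires the central broker address")
        return [(s, broker) for s in servers]
    raise ValueError(f"unknown mode: {mode}")


def check_from(local: str, links: List[Tuple[str, str]], port: int,
               probe: Callable[[str, int], bool] = tcp_probe) -> Dict[str, bool]:
    """Probe only the links that originate on `local`; returns dest -> reachable."""
    return {dst: probe(dst, port) for src, dst in links if src == local}


def unreachable(results: Dict[str, bool]) -> List[str]:
    """Destinations that failed the probe, sorted for stable reporting."""
    return sorted(dst for dst, ok in results.items() if not ok)


def main(argv: List[str]) -> int:
    # usage: script.py <local-name> <mesh|hub> <tls|plain> <server...> [--broker HOST]
    if len(argv) < 4:
        print(__doc__)
        return 2
    local, mode, transport, *rest = argv
    broker = None
    if "--broker" in rest:
        i = rest.index("--broker")
        broker = rest[i + 1]
        rest = rest[:i] + rest[i + 2:]
    port = DEFAULT_PORTS[transport]
    results = check_from(local, required_links(rest, mode, broker), port)
    for dst, ok in results.items():
        print(f"{local} -> {dst}:{port} {'ok' if ok else 'UNREACHABLE'}")
    return 1 if unreachable(results) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A successful TCP connect only proves the port is open end to end; it does not validate the TLS handshake or broker credentials, so treat a clean run as clearing the firewall and routing layer and rely on the Message Bus node in Venafi Configuration Console for the broker-level view once the server is upgraded.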

What's Next?

If you are just getting started with Message Bus, see Modifying Message Bus configuration settings.

For details about your Message Bus health and status, see Working with Message Bus.