Modifying Message Bus configuration settings
The information on this page will help you configure Message Bus for your server environment. In its simplest default configuration, Message Bus just works as long as the IANA-assigned port for MQTT (port 1883 for unencrypted, or port 8883 for TLS-encrypted) is open on all Venafi servers. That means you don't necessarily need to configure Message Bus after installation or upgrade.
This topic covers the additional Message Bus configuration options you can set in Venafi Configuration Console after installation or upgrade.
Before modifying the default Message Bus configuration, you need to know the answers to the following questions:

- Do you want to use encrypted MQTT traffic or unencrypted MQTT traffic? (The default is TLS encrypted.)
  While the bus itself doesn't exchange security-sensitive information, the credentials used to authenticate to MQTT might get passed over the wire, which is why we recommend using encrypted communication.
- Do you want to use the default ports? The default port for encrypted MQTT traffic is 8883. The suggested port for unencrypted MQTT traffic is 1883. These are the IANA-assigned ports for MQTT, set by the ISO standard ISO/IEC 20922:2016.
  You'd only want to modify this setting if you have previously assigned the default port for another purpose, or if your network security team asks you to use a different port.
- Do you want to use a self-hosted (mesh) configuration, or do you want to use a central MQTT broker service (hub and spoke) configuration? (The default is self-hosted.)
  Self-hosted (mesh mode) is entirely provided by Venafi Platform. The only reason to use a central MQTT broker is if you are already using one in your organization, and you want to integrate that MQTT broker with Venafi Platform.
- If you are using a central MQTT broker, are you authenticating with a user name and password, or are you using a certificate? If a certificate, do you have the PFX certificate file?
To modify Message Bus configuration settings

1. On one of the Venafi servers in your cluster, open Venafi Configuration Console.
2. While on the root node, click the Configure Message Bus action in the Actions panel.
3. Verify the port number.
   Venafi Platform automatically assigns the default MQTT port for encrypted or unencrypted traffic, depending on your TLS setting. You likely won't need to modify this setting.
4. [Optional] If you require unencrypted communication between servers, select Disable TLS.
5. For Self-Hosted (Mesh) connections between servers:
   a. Click the Self-Hosted (Mesh) option, if not already selected.
   b. If you need to change the hostname, click Override Hostname.
      What is Override Hostname? A hostname is one way a computer is uniquely identified on a network. In mesh mode, servers need to be able to communicate with each other, and they identify each server by its hostname.
      The default hostname that Venafi Configuration Console detects for a server might not resolve to the correct address for all servers. An example of this is when using a load balancer, where multiple servers self-identify with the hostname of the load balancer, not the server itself.
      To address this, you can use the Override Hostname option, which allows you to enter a fully-qualified domain name (FQDN) that resolves to this server. If you are using TLS, you cannot use an IP address in this field.
      i. Review the Detected name. This is the name that Venafi Configuration Console detected for this host. You can't edit this field.
      ii. In the Override with field, enter a fully-qualified domain name to use to connect to this server.
      iii. Click Save.
   c. Click Save.
   d. Ensure all servers in the cluster can communicate with each other using the selected port. In mesh mode all servers need to be able to reach all other servers in the cluster over the specified port. The Message Bus node in VCC will help you identify any communication issues between servers in the cluster.
   That is all that is needed to configure Message Bus in mesh mode. You can skip the next step.
6. For Central MQTT Broker (Hub & Spoke) connections between servers:
   a. In the Central MQTT Broker field, enter the URL of the central MQTT broker.
   b. If multiple clusters of Venafi servers are sharing the same central MQTT broker, select a unique ID for this cluster. This ensures the bus correctly interprets which bus messages are intended for this particular server cluster. Other clusters must use a different ID.
      For example, if you have a cluster in your development environment and a different cluster in your production environment sharing the same broker, you would assign different ID values to these clusters so the subscribers can differentiate between clusters.
   c. Make sure the servers can reach the central MQTT broker over the specified port by ensuring the firewall is configured to allow traffic over that port.
      It's easy to see if there are communication issues if you look at the bus overview. If you see all green check marks, your ports are configured correctly. If you see red X marks, there is additional information to help you diagnose the issue. See Working with Message Bus for details on viewing communication status and diagnosing potential issues.
   d. If your broker requires authentication, select an MQTT Authentication type.
      To use a user name and password:
      i. Click the Username option.
      ii. Add your Username and Password.
      To use a certificate:
      i. Click the Certificate option.
      ii. Click the Load PFX button.
      iii. Browse to the location of your PFX file and select it.
      iv. Enter the Password for your PFX file.
          The certificate loads, and you can see its data.
      v. If this is the correct certificate, click Ok.
   e. Click Validate to verify communication with the central broker.
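As an added example (not Venafi's own code or tooling) covering the reachability checks in the mesh step and the central-broker step above, the following PowerShell pre-flight script applies this page's port and hostname rules from the server it runs on: it picks the IANA default port for the chosen TLS setting, rejects an IP literal when TLS is enabled, confirms each name resolves, and tests a TCP connection on the MQTT port. The server names, TLS setting and port are placeholder parameters; in mesh mode run it on every server in the cluster, and for hub and spoke pass the central broker's hostname instead.

```powershell
# Added example, not part of Venafi Platform: pre-flight check for Message Bus reachability.
param(
    # Constructed placeholder names; replace with your servers' override/detected hostnames.
    [string[]]$Hosts = @('venafi01.example.com', 'venafi02.example.com'),
    [bool]$TlsEnabled = $true,
    # 0 = use the IANA default for the chosen TLS setting (8883 TLS, 1883 plaintext).
    [int]$Port = 0
)

if ($Port -eq 0) { $Port = if ($TlsEnabled) { 8883 } else { 1883 } }
Write-Host "Checking MQTT reachability on port $Port (TLS enabled: $TlsEnabled)"

# IPv4 addresses bound on this server, used to spot the entry that refers to ourselves.
$localAddrs = (Get-NetIPAddress -AddressFamily IPv4).IPAddress

foreach ($h in $Hosts) {
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($h, [ref]$ip)) {
        if ($TlsEnabled) {
            # Page rule: with TLS enabled, Override Hostname must be an FQDN, not an IP address.
            Write-Warning "$h is an IP literal; with TLS enabled use a fully-qualified domain name."
            continue
        }
        $addrs = @($h)
    } else {
        if ($h -notmatch '\.') { Write-Warning "$h is not fully qualified; other servers may fail to resolve it." }
        try {
            $addrs = @(Resolve-DnsName -Name $h -Type A -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        } catch {
            Write-Warning "$h does not resolve: $($_.Exception.Message)"
            continue
        }
    }

    if ($addrs | Where-Object { $localAddrs -contains $_ }) {
        Write-Host "$h -> $($addrs -join ', ') is this server; nothing to test."
        continue
    }

    # TCP connect test only: it proves the firewall path, not the TLS handshake or credentials.
    $ok = Test-NetConnection -ComputerName $h -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
    if ($ok) { Write-Host "OK   $h ($($addrs -join ', ')) port $Port reachable" }
    else     { Write-Warning "FAIL $h ($($addrs -join ', ')) port $Port not reachable from $env:COMPUTERNAME" }
}
```

A passing TCP test on every server is a necessary condition for the green check marks in the VCC bus overview, not a sufficient one; TLS trust and broker credentials are still verified by the Validate action.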