Secure communication between clients and your messaging broker is critical in modern distributed systems. Transport Layer Security (TLS) protects data in transit from eavesdropping and tampering by encrypting the connection between clients and the broker. In this guide, you’ll learn how to generate certificates, configure TLS on a Solace PubSub+ broker, and validate secure connections.
1. Overview
PubSub+ supports TLS encryption (e.g., TLSv1.1 and TLSv1.2) for secure client connections. This guide covers server-side authentication only: the broker proves its identity to clients, and clients are not authenticated with certificates.
2. Certificate and Key Generation
Before enabling TLS, you must create the cryptographic materials:
2.1 Generate a Private Key (RSA 2048 bit)
Use OpenSSL to create a password-protected RSA private key in PEM format:
openssl genpkey -algorithm RSA \
-aes-256-cbc \
-out private_key.pem \
-pkeyopt rsa_keygen_bits:2048
You will be prompted for a passphrase — make sure to record it.
2.2 Extract Public Key
From the private key, export the matching public key in PEM format and keep it with the other material:
openssl pkey -in private_key.pem -pubout -out public_key.pem
You will be prompted again for the passphrase you set earlier.
2.3 Create a Certificate Signing Request (CSR)
Generate a CSR to issue a certificate:
openssl req -new -key private_key.pem -out certificate.csr
You will be asked to complete the Distinguished Name (DN) attributes (e.g., Common Name, Organization). Use your broker’s real hostname as the Common Name (CN) so that hostname verification works during the TLS handshake. Note that most current TLS clients match the hostname against the Subject Alternative Name (SAN) extension rather than the CN, so also include the hostname as a DNS SAN where your CSR tooling allows it.
2.4 Generate the TLS Certificate
You can use the CSR to create a self-signed certificate (for testing), or send the CSR to a CA (recommended for production).
For a self-signed certificate:
openssl x509 -req -in certificate.csr \
-signkey private_key.pem \
-days 365 \
-out server_certificate.pem
This results in a PEM-encoded TLS certificate valid for one year.
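The steps in section 2 can be run end to end as one script. The following is an added example, not part of the original guide: it generates the key, a CSR that carries the hostname as a SAN as well as the CN, and a one-year self-signed certificate, then checks that the certificate really belongs to the key, is currently valid and names the expected host. It assumes the openssl CLI is installed; BROKER_HOST is a placeholder. The key is written unencrypted (the broker has to load it without an interactive passphrase) and the output directory is locked down instead. Bundling the key and certificate into one PEM file is an assumption about how the broker expects them (section 3 only says both must be present); check your broker’s documentation.

```shell
#!/bin/sh
# Added example, not from the original guide: generate the broker's TLS material
# in one pass (with a Subject Alternative Name) and sanity-check the result.
# Assumes the openssl CLI is on PATH. BROKER_HOST is a placeholder hostname.
BROKER_HOST="${BROKER_HOST:-broker.example.com}"

# Write private key, CSR and a one-year self-signed certificate into $1 for host $2.
# The hostname goes into both CN and SAN because modern clients verify the SAN.
# The key is left unencrypted so the broker can load it non-interactively;
# the directory and key file permissions are restricted instead.
make_broker_material() {
    dir="$1"; host="$2"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # OpenSSL request config (portable alternative to the newer -addext option)
    cat > "$dir/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $host
O = Example Org
[v3_req]
subjectAltName = DNS:$host
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/private_key.pem" 2>/dev/null || return 1
    chmod 600 "$dir/private_key.pem"
    openssl req -new -key "$dir/private_key.pem" -config "$dir/san.cnf" \
        -out "$dir/certificate.csr" 2>/dev/null || return 1
    # Self-signed for testing; for production send certificate.csr to a CA instead.
    openssl x509 -req -in "$dir/certificate.csr" -signkey "$dir/private_key.pem" \
        -days 365 -extfile "$dir/san.cnf" -extensions v3_req \
        -out "$dir/server_certificate.pem" 2>/dev/null || return 1
    # Assumption: the broker reads the private key from the same PEM file as the
    # certificate (section 3 requires both to be present), so bundle them.
    cat "$dir/private_key.pem" "$dir/server_certificate.pem" \
        > "$dir/server_certificate_with_key.pem" \
        && chmod 600 "$dir/server_certificate_with_key.pem"
}

# Check that the certificate in $1 belongs to the private key, is not expired,
# verifies against itself as a self-signed root, and lists hostname $2 in its SAN.
# Returns 0 only when every check passes.
check_broker_material() {
    dir="$1"; host="$2"
    key_fp=$(openssl pkey -in "$dir/private_key.pem" -pubout 2>/dev/null | openssl sha256)
    cert_fp=$(openssl x509 -in "$dir/server_certificate.pem" -pubkey -noout | openssl sha256)
    [ -n "$key_fp" ] && [ "$key_fp" = "$cert_fp" ] \
        || { echo "public key in certificate does not match private key"; return 1; }
    openssl x509 -in "$dir/server_certificate.pem" -noout -checkend 0 >/dev/null \
        || { echo "certificate is expired"; return 1; }
    openssl verify -CAfile "$dir/server_certificate.pem" "$dir/server_certificate.pem" >/dev/null 2>&1 \
        || { echo "certificate does not verify as a self-signed root"; return 1; }
    openssl x509 -in "$dir/server_certificate.pem" -noout -text | grep -qE "DNS:$host(,|\$)" \
        || { echo "SAN does not list $host"; return 1; }
}

# Usage: sh make_broker_tls.sh <output-dir>   (no argument: only defines the functions)
if [ -n "${1:-}" ]; then
    make_broker_material "$1" "$BROKER_HOST" && check_broker_material "$1" "$BROKER_HOST" \
        && echo "TLS material in $1 passed all checks"
fi
```

The key/certificate match is checked by comparing the SubjectPublicKeyInfo exported from each side, which catches the common mistake of regenerating the key after the CSR was issued.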
3. Prepare the PubSub+ Broker
TLS on PubSub+ requires both the certificate and its private key to be available in the broker’s certificate directory (/usr/sw/jail/certs).
4. Configure TLS on Solace PubSub+
4.1 Load the Certificate File
Transfer the certificate file to the broker’s /certs directory, for example using SFTP:
solace# copy sftp://admin@<host-ip>/server_certificate.pem /certs/server_certificate.pem
Replace <host-ip> and credentials as appropriate.
4.2 Set the Server Certificate
In the broker CLI:
solace(configure)# ssl
solace(configure/ssl)# server-certificate server_certificate.pem
This tells the broker to use that certificate for all TLS connections.
⚠️ Only one TLS certificate can be active at a time.
4.3 Cipher Suite (Optional, Recommended)
Solace supports selecting specific cipher suites. For example:
solace(configure/ssl)# cipher-suite msg-backbone name AES256-SHA
This restricts the broker to that cipher suite for session encryption. Note that AES256-SHA is an RSA-key-exchange CBC suite without forward secrecy; where the broker and your clients support them, ECDHE-based suites are the stronger choice.
5. Client-Side Requirements
5.1 Trust Store
Clients must trust the CA that signed the server’s certificate. For a self-signed certificate there is no separate CA, so distribute the server certificate itself to every client’s trust store. If a public CA is used, clients whose default trust store already contains that CA will trust the certificate without extra configuration.
5.2 Secure Connection URI
Instead of using plaintext connections like:
tcp://broker.example.com:55555
Clients must connect over TLS, e.g.:
tcps://broker.example.com:55443
The tcps:// scheme selects the TLS transport.
6. Verify the Setup
Once TLS is enabled, attempt a secure connection from a client using TLS-enabled APIs (e.g., Solace Messaging APIs or MQTT with TLS support):
- Confirm that the TLS handshake completes
- Ensure the client validates the server certificate and hostname
- Observe that plaintext connections are rejected
Tools like openssl s_client can also be used for validation:
openssl s_client -connect broker.example.com:55443 \
-CAfile rootCA.pem
If the certificate is trusted and the connection succeeds, the output shows the handshake details, the certificate chain and a final "Verify return code: 0 (ok)" line; any other return code means the client would not trust this broker.
Regards
Osama