add: docker-compose.yml for create a Solace docker instance with tls …

…enabled

examples/tls/README.md

@@ -0,0 +1,152 @@
+# Solace PS+ with TLS
+
+## Reference
+
+[Secrets Configuration](https://docs.solace.com/Configuring-and-Managing/SW-Broker-Specific-Config/Docker-Tasks/Config-Secrets.htm)
+
+## Setup a PS+ broker with TLS enable
+
+### Create a self signed certificate
+
+```bash
+# Generate a Private Key
+$ openssl genrsa -out localhost.key 2048
+Generating RSA private key, 2048 bit long modulus
+......................+++
+.....................................................................+++
+e is 65537 (0x10001)
+
+# Generate a CSR (Certificate Signing Request) with subjectAltName
+$ openssl req -new -sha256 \
+-out localhost.csr \
+-key localhost.key \
+-config openssl.cnf \
+-subj "/C=CN/ST=GuangDong/L=ShenZhen/O=Acme, Inc./CN=localhost/"
+
+# Generating a Self-Signed Certificate
+$ openssl x509 -req \
+ -sha256 \
+ -days 365 \
+ -in localhost.csr \
+ -signkey localhost.key \
+ -out localhost.crt \
+ -extensions req_ext \
+ -extfile openssl.cnf
+
+Signature ok
+subject=/C=CN/ST=GuangDong/L=ShenZhen/O=Acme, Inc./CN=localhost
+Getting Private key
+
+# Generate a PEM file for Solace PS+ broker
+$ cat localhost.crt localhost.key > localhost.pem
+
+# Check the CSR and Certificate, you should see "Subject Alternative Name"
+$ openssl req -text -noout -in localhost.csr
+$ openssl x509 -text -noout -in localhost.crt
+```
+
+### Create a PS+ docker instance with TLS enabled
+
+Update the "volumes" section of `./docker-compose.yml` with the full path of the folder contains above certificate.
+
+## Start the PS+ broker
+
+```bash
+docker-compose up -d
+Creating network "tls_default" with the default driver
+Creating tlsbroker ... done
+```
+
+## Verify the TLS service is enable
+
+You will find that ports like `1943` (Access to PubSub+ Manager over HTTPS, SEMP over TLS), 55443 (SMF TLS / SSL) all open now.
+
+```bash
+docker exec -it tlsbroker /usr/sw/loads/currentload/bin/cli -A
+
+Solace PubSub+ Standard Version 9.5.0.25
+
+The Solace PubSub+ Standard is proprietary software of
+Solace Corporation. By accessing the Solace PubSub+ Standard
+you are agreeing to the license terms and conditions located at
+http://www.solace.com/license-software
+
+Copyright 2004-2020 Solace Corporation. All rights reserved.
+
+To purchase product support, please contact Solace at:
+https://solace.com/contact-us/
+
+Operating Mode: Message Routing Node
+
+3dd5cd886d54> show service
+
+Msg-Backbone: Enabled
+ VRF: management
+ SMF: Enabled
+ Web-Transport: Enabled
+ REST Incoming: Enabled
+ REST Outgoing: Enabled
+ MQTT: Enabled
+ AMQP: Enabled
+ Health-check: Enabled
+ Mate-link: Enabled
+ Redundancy: Enabled
+
+Max Incoming Connections: 100
+ Service SMF: 100
+ Service Web-Transport: 100
+ Service REST: 100
+ Service MQTT: 100
+ Service AMQP: 100
+Max Outgoing Connections:
+ Service REST: 100
+Max SSL Connections: 100
+
+Event Threshold Set Value Clear Value
+---------------------------------- ---------------- ----------------
+Incoming Connections 80%(80) 60%(60)
+ Service SMF 80%(80) 60%(60)
+Outgoing Connections
+ Service REST 80%(80) 60%(60)
+SSL Connections 80%(80) 60%(60)
+
+
+Flags Legend:
+TP - Transport
+T+U - TCP and UDP
+S - SSL (Y=Yes, N=No, -=not-applicable)
+C - Compressed (Y=Yes, N=No, -=not-applicable)
+R - Routing Ctrl (Y=Yes, N=No, -=not-applicable)
+VRF - VRF (Mgmt=management, MsgBB=msg-backbone)
+A - Admin State (U=Up, D=Down, -=not-applicable)
+O - Oper State (U=Up, D=Down, -=not-applicable)
+
+ Status
+Service TP S C R VRF MsgVpn Port A O Failed Reason
+---------- --- ----- ----- --------------- ----- --- --------------------------
+SEMP TCP N - - Mgmt 8080 U U
+SEMP TCP Y - - Mgmt 1943 U U
+SMF TCP N N N Mgmt 55555 U U
+---Press any key to continue, or `q' to quit---
+SMF TCP N Y N Mgmt 55003 U U
+SMF TCP N N Y Mgmt 55556 U D
+SMF TCP Y N N Mgmt 55443 U U
+SMF WEB N - - Mgmt 8008 U U
+SMF WEB Y - - Mgmt 1443 U U
+MQTT TCP N - - Mgmt default 1883 U U
+MQTT TCP Y - - Mgmt default 8883 U U
+MQTT WEB N - - Mgmt default 8000 U U
+MQTT WEB Y - - Mgmt default 8443 U U
+AMQP TCP N - - MsgBB default 5672 U U
+AMQP TCP Y - - MsgBB default 5671 U U
+REST WEB N - - Mgmt default 9000 U U
+REST WEB Y - - Mgmt default 9443 U U
+MATELINK TCP N N N Mgmt 8741 U D Missing Mate Address
+HEALTHCHK TCP N N N Mgmt 5550 U U
+REDUNDANCY TCP Y N N Mgmt 8300 U D
+REDUNDANCY T+U Y N N Mgmt 8301 U D
+REDUNDANCY T+U Y N N Mgmt 8302 U D
+
+3dd5cd886d54>
+
+```

examples/tls/docker-compose.yml

@@ -0,0 +1,56 @@
+# docker-compose --compatibility up -d
+# docker exec -it tlsbroker /usr/sw/loads/currentload/bin/cli -A
+version: '3.9'
+
+services:
+ tlsbroker:
+ container_name: tlsbroker
+ image: solace/solace-pubsub-standard:latest
+ shm_size: 2g
+ ulimits:
+ nofile:
+ soft: 2448
+ hard: 38048
+ ports:
+ #Port Mappings: Ports are mapped straight through from host to
+ #container. This may result in port collisions on commonly used
+ #ports that will cause failure of the container to start.
+ # Solace CLI SSH/SFTP
+ - 2222:2222
+ #Web transport
+ #- '80:80'
+ #Web transport over TLS
+ #- '443:443'
+ #MQTT Default VPN
+ - '1883:1883'
+ #AMQP Default VPN over TLS
+ #- '5671:5671'
+ #AMQP Default VPN
+ #- '5672:5672'
+ #MQTT Default VPN over WebSockets
+ #- '8000:8000'
+ #MQTT Default VPN over WebSockets / TLS
+ #- '8443:8443'
+ #MQTT Default VPN over TLS
+ - '8883:8883'
+ #SEMP / PubSub+ Manager
+ - '8080:8080'
+ #SEMP / PubSub+ Manager over TLS
+ - '1943:1943'
+ #REST Default VPN
+ - '9000:9000'
+ #REST Default VPN over TLS
+ - '9443:9443'
+ #SMF
+ - '44444:55555'
+ #SMF Compressed
+ - '55003:55003'
+ #SMF over TLS
+ - '55443:55443' 
+ volumes:
+ - "./:/run/secrets"
+ environment:
+ - username_admin_globalaccesslevel=admin
+ - username_admin_password=admin
+ - system_scaling_maxconnectioncount=1000
+ - tls_servercertificate_filepath=/run/secrets/localhost.pem 

examples/tls/localhost.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDVTCCAj2gAwIBAgIJAJawWnFv0vT9MA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
+BAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxETAPBgNVBAcMCFNoZW5aaGVuMRMw
+EQYDVQQKDApBY21lLCBJbmMuMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjAwNjE2
+MDgzOTA3WhcNMjEwNjE2MDgzOTA3WjBdMQswCQYDVQQGEwJDTjESMBAGA1UECAwJ
+R3VhbmdEb25nMREwDwYDVQQHDAhTaGVuWmhlbjETMBEGA1UECgwKQWNtZSwgSW5j
+LjESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAzDBLQKokCWnLrp4r/CzSWQ3asG70d2eo9mNMCUfZkpBPXsWK9czsRNSK
+6CYu6AiHhdPxo+Kgla1UH31FLwLQvTQhpc5LKtynf+vYtQxRa4Y3Sq+h9o8VaIho
+0WBellk4t22ge1awEAAE8JVmsBa+RmF/EmYaeg/n6F6lul5w/TRszWUA4FVq8Qji
+rjMDWvTy/n57M9a9btjYUa/cVLYf1q3g9RX6JCeEsdsUWJZ9V5Em3Twb1W/rLEb6
+/Qsl8MutVkYY4llq/ppWST++ksTnHp+XM5lD/76UC9Q3361zgV+IoTVNAGTtfMg6
+OgN+utNpXlQYx7ICqFc1pa9+hfBYiwIDAQABoxgwFjAUBgNVHREEDTALgglsb2Nh
+bGhvc3QwDQYJKoZIhvcNAQELBQADggEBAFbut9NmYgy+HWXrBffXTz0PC999e7FC
+pXvjdBNAMSyL6hvZypo7L9J8MtomoAYUqyT+0vNA+beCfpRyYIF3jw3EnuHVp9/h
+4D+lpvQpkSabCTHqs1BBPtTzVis6IbK8QX9KuFM6v7q5HGuRSssvIS0QJPZ4mq/A
+M1hoTz/mwLwmq/l2pvcYX0mV7M2T6Wq0sOjWDgNBtuX79+F+wZ6JlodGccJYKt/3
+bPZOr8nfl+Mm2qHGk59Bo3Jr3iEveJTfMDWUJ9civg0PbiWDeuI3MingVNkMqC1w
+dqjA8zbP0ZIUCZAgjHgp/y9DfbLOQ5/jOTZUHGwjZ62rILgPCYPNylo=
+-----END CERTIFICATE-----

examples/tls/localhost.csr

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICyTCCAbECAQAwXTELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUd1YW5nRG9uZzER
+MA8GA1UEBwwIU2hlblpoZW4xEzARBgNVBAoMCkFjbWUsIEluYy4xEjAQBgNVBAMM
+CWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwwS0Cq
+JAlpy66eK/ws0lkN2rBu9HdnqPZjTAlH2ZKQT17FivXM7ETUiugmLugIh4XT8aPi
+oJWtVB99RS8C0L00IaXOSyrcp3/r2LUMUWuGN0qvofaPFWiIaNFgXpZZOLdtoHtW
+sBAABPCVZrAWvkZhfxJmGnoP5+hepbpecP00bM1lAOBVavEI4q4zA1r08v5+ezPW
+vW7Y2FGv3FS2H9at4PUV+iQnhLHbFFiWfVeRJt08G9Vv6yxG+v0LJfDLrVZGGOJZ
+av6aVkk/vpLE5x6flzOZQ/++lAvUN9+tc4FfiKE1TQBk7XzIOjoDfrrTaV5UGMey
+AqhXNaWvfoXwWIsCAwEAAaAnMCUGCSqGSIb3DQEJDjEYMBYwFAYDVR0RBA0wC4IJ
+bG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQBKecNl6n3JqlubC4fRK6RQiZGn
+yHYl5BCXDfFobOyIbTZsC1NymA71gwE2lXZpbTdGA2V9tIY/wVSYrRRSa1rVhwu8
+wtfg70UucUvbSI679LPVmbN7W+bICPVf3KKYy3xbCXAhmllUSwWSNWvQNF3ya1XP
+/FLM7JTv5UiYAZJpvd9vCzEB0R4pKfBHGt3+qfZ8iitFQB3JtsJRo+gBbWfALtNd
+Fc3e6+zpn8hCYE2HlU3RrmsGNaZxZEkuHMu3YW7uZ+sh7m8eytnzZq2LaLXmUubx
+E831wg5z987o/gWpUBoyzKsJ+vZpG5/oVu+jnxWXsknu+hGM+WLYUufAzKlh
+-----END CERTIFICATE REQUEST-----

examples/tls/localhost.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAzDBLQKokCWnLrp4r/CzSWQ3asG70d2eo9mNMCUfZkpBPXsWK
+9czsRNSK6CYu6AiHhdPxo+Kgla1UH31FLwLQvTQhpc5LKtynf+vYtQxRa4Y3Sq+h
+9o8VaIho0WBellk4t22ge1awEAAE8JVmsBa+RmF/EmYaeg/n6F6lul5w/TRszWUA
+4FVq8QjirjMDWvTy/n57M9a9btjYUa/cVLYf1q3g9RX6JCeEsdsUWJZ9V5Em3Twb
+1W/rLEb6/Qsl8MutVkYY4llq/ppWST++ksTnHp+XM5lD/76UC9Q3361zgV+IoTVN
+AGTtfMg6OgN+utNpXlQYx7ICqFc1pa9+hfBYiwIDAQABAoIBAEWXMA6Z7i5HIGQj
+BFqt7ALt9dqr9iW77poKvZ9sHXsWM/bY3MNpVB0hUzZLzTDHt2ilE3YHhzN8H2+c
+AjhDfWD+o3kfFf9FtNCkUPdje1xqIe4SbeDaYzF9TDwP3Czhu7LIaimfIeJSH1zf
+jl/1YGQcVnKu2ddAFInduB4MkfW5jIFP6zHGNThHwJcxlxmd5EE1tGm5GE8Me1YS
+bkAkT8DUBqYPHDVRTfwzROvgncGfpctoLvsnc/ZVA+YWNF4c4zDxfZtZ06/Nvu4a
+3KOHXVIINrvFiVlxkPwtGkMvYRufzlJtZE1IW93Zjz00ZQo+FD0pkc5Aalf2ojeb
+YpGmVAECgYEA5upV1D8ReSKWFlil5s5pF/E2ElLHTVOaBrs5TZ+MIhU0POLaJJ7W
+c84+ZQlxJP853PqOhTw8ozIFAMh8LDITHMmA4lNwxKXAIoHmLoe2GTLYD9N/mir5
+HaYejSEDAG7uX61hoeYzXiwuPHA759gH31zEYoXcHQqBhc3Pbpq7i/MCgYEA4l6y
++UOKpkVQZ3yWHeM6dXgUcsnMqfYlwoVvLDPZ2tq9ChlR0FXZdrG3z/X1jjvDZf/b
+3Vhknuzzjm7w9vHesWZj2rhzevVxgZRw6Y02Z6uIWGJX9EupGi63nEEfZb4ThYjI
+Ccm6Qdtb28kBJTSMG0xn7hlIaV8bcDrtsvqCHwkCgYAiWn6GYxOgZ+rYTDvySIcO
+Ds6yjyojcOqbUcNGrxPUBj+NR1qY1CCnfel+cpcon+fl3kjRvZJv3QMtiKYglRqO
+z9Oi2DMQrnAVMioihgIrYYsPX7G+J+KD7LDi4iRmLhq8lTjPM0Y1HnGKgFAJP/R7
+4Hs/BRcoIuX+GA5iMBbyzQKBgQDJeRF/qq6HR9/FC2ysUyYfkO1aMONYTfzTgWEu
+DUQTdmWTzG81poLzEj+P9tBDdEt3x94OxfJgRHKNTY5nq2PRrlinPU2CnVsVwmEw
+bP+EC3ZBe93eT0zFQdknWAqyyhaj3dZ0Z7e/j5XVKrQ7QeaFEV7a2mPJbN2F6NzQ
+VAdlyQKBgDE4+VS0F+HmdfkQljNaGQacN0pd+IdcHeiSyhwkly6e6BQjOL167qy8
+x02y3iBSo2LgHhr3xfJ2Ang8meUui41O/D+UOrGWsni8T95Vg9EpXNmR3pV29gC4
+dfyyi0TubTv+Z1s3PkAZ5OqUkYv+hqY5ebWmuS/3LQdWaADvn9cv
+-----END RSA PRIVATE KEY-----

examples/tls/localhost.pem

@@ -0,0 +1,47 @@
+-----BEGIN CERTIFICATE-----
+MIIDVTCCAj2gAwIBAgIJAJawWnFv0vT9MA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
+BAYTAkNOMRIwEAYDVQQIDAlHdWFuZ0RvbmcxETAPBgNVBAcMCFNoZW5aaGVuMRMw
+EQYDVQQKDApBY21lLCBJbmMuMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjAwNjE2
+MDgzOTA3WhcNMjEwNjE2MDgzOTA3WjBdMQswCQYDVQQGEwJDTjESMBAGA1UECAwJ
+R3VhbmdEb25nMREwDwYDVQQHDAhTaGVuWmhlbjETMBEGA1UECgwKQWNtZSwgSW5j
+LjESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAzDBLQKokCWnLrp4r/CzSWQ3asG70d2eo9mNMCUfZkpBPXsWK9czsRNSK
+6CYu6AiHhdPxo+Kgla1UH31FLwLQvTQhpc5LKtynf+vYtQxRa4Y3Sq+h9o8VaIho
+0WBellk4t22ge1awEAAE8JVmsBa+RmF/EmYaeg/n6F6lul5w/TRszWUA4FVq8Qji
+rjMDWvTy/n57M9a9btjYUa/cVLYf1q3g9RX6JCeEsdsUWJZ9V5Em3Twb1W/rLEb6
+/Qsl8MutVkYY4llq/ppWST++ksTnHp+XM5lD/76UC9Q3361zgV+IoTVNAGTtfMg6
+OgN+utNpXlQYx7ICqFc1pa9+hfBYiwIDAQABoxgwFjAUBgNVHREEDTALgglsb2Nh
+bGhvc3QwDQYJKoZIhvcNAQELBQADggEBAFbut9NmYgy+HWXrBffXTz0PC999e7FC
+pXvjdBNAMSyL6hvZypo7L9J8MtomoAYUqyT+0vNA+beCfpRyYIF3jw3EnuHVp9/h
+4D+lpvQpkSabCTHqs1BBPtTzVis6IbK8QX9KuFM6v7q5HGuRSssvIS0QJPZ4mq/A
+M1hoTz/mwLwmq/l2pvcYX0mV7M2T6Wq0sOjWDgNBtuX79+F+wZ6JlodGccJYKt/3
+bPZOr8nfl+Mm2qHGk59Bo3Jr3iEveJTfMDWUJ9civg0PbiWDeuI3MingVNkMqC1w
+dqjA8zbP0ZIUCZAgjHgp/y9DfbLOQ5/jOTZUHGwjZ62rILgPCYPNylo=
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAzDBLQKokCWnLrp4r/CzSWQ3asG70d2eo9mNMCUfZkpBPXsWK
+9czsRNSK6CYu6AiHhdPxo+Kgla1UH31FLwLQvTQhpc5LKtynf+vYtQxRa4Y3Sq+h
+9o8VaIho0WBellk4t22ge1awEAAE8JVmsBa+RmF/EmYaeg/n6F6lul5w/TRszWUA
+4FVq8QjirjMDWvTy/n57M9a9btjYUa/cVLYf1q3g9RX6JCeEsdsUWJZ9V5Em3Twb
+1W/rLEb6/Qsl8MutVkYY4llq/ppWST++ksTnHp+XM5lD/76UC9Q3361zgV+IoTVN
+AGTtfMg6OgN+utNpXlQYx7ICqFc1pa9+hfBYiwIDAQABAoIBAEWXMA6Z7i5HIGQj
+BFqt7ALt9dqr9iW77poKvZ9sHXsWM/bY3MNpVB0hUzZLzTDHt2ilE3YHhzN8H2+c
+AjhDfWD+o3kfFf9FtNCkUPdje1xqIe4SbeDaYzF9TDwP3Czhu7LIaimfIeJSH1zf
+jl/1YGQcVnKu2ddAFInduB4MkfW5jIFP6zHGNThHwJcxlxmd5EE1tGm5GE8Me1YS
+bkAkT8DUBqYPHDVRTfwzROvgncGfpctoLvsnc/ZVA+YWNF4c4zDxfZtZ06/Nvu4a
+3KOHXVIINrvFiVlxkPwtGkMvYRufzlJtZE1IW93Zjz00ZQo+FD0pkc5Aalf2ojeb
+YpGmVAECgYEA5upV1D8ReSKWFlil5s5pF/E2ElLHTVOaBrs5TZ+MIhU0POLaJJ7W
+c84+ZQlxJP853PqOhTw8ozIFAMh8LDITHMmA4lNwxKXAIoHmLoe2GTLYD9N/mir5
+HaYejSEDAG7uX61hoeYzXiwuPHA759gH31zEYoXcHQqBhc3Pbpq7i/MCgYEA4l6y
++UOKpkVQZ3yWHeM6dXgUcsnMqfYlwoVvLDPZ2tq9ChlR0FXZdrG3z/X1jjvDZf/b
+3Vhknuzzjm7w9vHesWZj2rhzevVxgZRw6Y02Z6uIWGJX9EupGi63nEEfZb4ThYjI
+Ccm6Qdtb28kBJTSMG0xn7hlIaV8bcDrtsvqCHwkCgYAiWn6GYxOgZ+rYTDvySIcO
+Ds6yjyojcOqbUcNGrxPUBj+NR1qY1CCnfel+cpcon+fl3kjRvZJv3QMtiKYglRqO
+z9Oi2DMQrnAVMioihgIrYYsPX7G+J+KD7LDi4iRmLhq8lTjPM0Y1HnGKgFAJP/R7
+4Hs/BRcoIuX+GA5iMBbyzQKBgQDJeRF/qq6HR9/FC2ysUyYfkO1aMONYTfzTgWEu
+DUQTdmWTzG81poLzEj+P9tBDdEt3x94OxfJgRHKNTY5nq2PRrlinPU2CnVsVwmEw
+bP+EC3ZBe93eT0zFQdknWAqyyhaj3dZ0Z7e/j5XVKrQ7QeaFEV7a2mPJbN2F6NzQ
+VAdlyQKBgDE4+VS0F+HmdfkQljNaGQacN0pd+IdcHeiSyhwkly6e6BQjOL167qy8
+x02y3iBSo2LgHhr3xfJ2Ang8meUui41O/D+UOrGWsni8T95Vg9EpXNmR3pV29gC4
+dfyyi0TubTv+Z1s3PkAZ5OqUkYv+hqY5ebWmuS/3LQdWaADvn9cv
+-----END RSA PRIVATE KEY-----

examples/tls/openssl.cnf

@@ -0,0 +1,23 @@
+# https://langui.sh/2009/02/27/creating-a-subjectaltname-sanucc-csr/
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = req_ext # The extentions to add to the self signed cert
+
+[req_distinguished_name]
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = CN
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = GuangDong
+localityName = Locality Name (eg, city)
+localityName_default = ShenZhen
+organizationName = Organization Name (eg, company)
+organizationName_default = Solace, Co.
+commonName = Common Name (eg, YOUR name)
+commonName_max = 64
+commonName_default = localhost
+[req_ext]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost