Applies To: Trust Protection Platform 23.3 and higher
Summary: With the release of 23.3, there are questions about the new message bus (MQTT) included in the product. This article centralizes those questions and answers.
Q: Where can I get additional documentation on Message Bus?
A: In our Product Documentation. See Venafi Message Bus.
Q: What is the Venafi Message Bus in Trust Protection Platform?
A: The Message Bus is a new foundational capability in the platform that allows information to be communicated between software processes, both on the same Venafi Engine and between Venafi Engines, in near real-time. The Message Bus is built on the ISO-standardized MQTT protocol, invented by IBM in 1999 and used across all areas of technology, from IoT devices to modern application design and as-a-service products.
Q: Why did Venafi choose to incorporate Message Bus into its technology stack? What problems does this solve?
A: Message Bus allows Venafi to simplify our designs, reduce resource utilization for certain features, improve user experience, improve product security, and allow Venafi to deliver future capabilities that previously would not have been possible.
Before Message Bus was introduced, a user's permissions at the time of authentication persisted throughout the user's session. Since some of these sessions can be long-lived, users had to log out and log back in before permission changes would take effect. Another challenge arose when systems integrating with our API tried to interact with new resource objects, such as workflow tickets: the system needed to manually refresh its permissions before the new resource objects were available to the integration.
Previously, in some cases, to work around these limitations, Venafi had code that performed periodic rights refreshes even if no rights had changed. This puts real load not only on the database but also on external identity providers like Active Directory and LDAP.
Now, with the Message Bus in 23.3 and higher, Trust Protection Platform communicates that a particular identity has had a rights change, and all Venafi processes on all Venafi Engines update themselves in near real-time. This includes scenarios where rights need to be revoked and take effect as soon as possible.
Reduced Database Load
In a normal production cluster of Trust Protection Platform, there are many "instances" of the software running concurrently. Each web service in IIS (Web UI, WebSDK, SCEP, ACME, etc.) as well as Windows Services like VPlatform and LogServer each represent an instance of Trust Protection Platform running in its own memory space on each Engine.
Before Message Bus, each running "instance" of Trust Protection Platform had watcher threads that woke up every 5 minutes and scanned registered parts of the database for changes. With Message Bus, not only are these registered changes applied immediately, but these watcher threads are eliminated entirely, along with the load they placed on the database.
Up-To-Date System Status
The System Status Dashboard and the GET SystemStatus API endpoint are popular methods to see what is happening on production deployments of Trust Protection Platform. Previously it could take several minutes to recognize that critical services were offline or unavailable. This was due to the original design, in which each instance periodically wrote to the database to signal that it was still up and running. With Message Bus these mechanisms are offloaded from the database to the Message Bus framework, so service statuses are updated in near real-time.
Future Use Cases
In the future we plan to refactor more foundational components to use the message bus so that the UI can automatically refresh or push notifications of changes to customers. We also want to eliminate changes that require service restarts, making High Availability targets even easier to achieve. In short, Message Bus, as a core foundational element of the platform, will help with the performance, scalability, usability, and uptime of Venafi Trust Protection Platform.
Q: What are the new requirements for the Message Bus to operate?
A: The biggest change is that most customers will use the default Self-Hosted (mesh style) mode of the Message Bus. This uses the native MQTT broker built into each Venafi Platform Engine and, due to the mesh design, implicitly provides High Availability (HA) for the bus. It requires that each Venafi Engine be able to communicate with every other Engine in order to subscribe to each engine's broker.
By default this communication uses TLS on port 8883, but the port is configurable.
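The mesh-mode prerequisite above is pairwise: every engine must reach every other engine's broker port. The following Python script is an added example for checking that before an upgrade; it is not Venafi's code or tooling. The engine names are hypothetical placeholders, the port defaults to the 8883 the article gives, and the probe is TCP-level only (it does not complete the TLS handshake, so it does not validate the Venafi Operational Certificate the peer presents).

```python
import socket
import sys
from itertools import permutations
from typing import Callable, Dict, Iterable, List, Tuple

# Default TLS port for the bus, as stated in the article; it is configurable in the product.
DEFAULT_MQTT_TLS_PORT = 8883

# A probe answers: can a TCP connection to (host, port) be opened from this machine?
Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Default probe. Reachability only: it does not complete the TLS handshake, so it
    says nothing about whether the peer presents a valid Venafi Operational Certificate."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def required_mesh_pairs(engines: Iterable[str]) -> List[Tuple[str, str]]:
    """In mesh mode every engine subscribes to every other engine's broker, so the
    prerequisite is reachability for every ordered (source, target) pair: N*(N-1) checks."""
    return list(permutations(sorted(set(engines)), 2))


def unreachable_peers(local_engine: str, engines: Iterable[str],
                      port: int = DEFAULT_MQTT_TLS_PORT, probe: Probe = tcp_probe) -> List[str]:
    """Peers whose broker port cannot be reached from local_engine (run this on each engine)."""
    peers = [e for e in sorted(set(engines)) if e != local_engine]
    return [peer for peer in peers if not probe(peer, port)]


def connectivity_report(local_engine: str, engines: Iterable[str],
                        port: int = DEFAULT_MQTT_TLS_PORT, probe: Probe = tcp_probe) -> Dict[str, object]:
    """Summary suitable for logging from a pre-upgrade or troubleshooting script."""
    missing = unreachable_peers(local_engine, engines, port, probe)
    return {"engine": local_engine, "port": port, "unreachable": missing, "mesh_ok": not missing}


if __name__ == "__main__":
    # Hypothetical engine names; replace with the engines in your own cluster.
    cluster = ["tpp-engine-1.example.internal",
               "tpp-engine-2.example.internal",
               "tpp-engine-3.example.internal"]
    local = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    report = connectivity_report(local, cluster)
    print(report)
    sys.exit(0 if report["mesh_ok"] else 1)
```

Run it on each engine in turn (passing that engine's own name as the first argument if its FQDN differs from the cluster list); a non-zero exit on any engine means the mesh prerequisite is not met from that host. The probe is injectable so the logic can be exercised without live hosts.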
Q: What certificate is used when using TLS for MQTT traffic in Self-Hosted (mesh style) mode?
A: Venafi Trust Protection Platform will use the Venafi Operational Certificate (VOC) for mesh style encrypted communication between Venafi Engines when TLS is enabled (by default).
Q: What information is exchanged on the Message Bus?
A: Because the purpose of the Message Bus is to keep instances of Trust Protection Platform in sync, there is no need to exchange sensitive information between instances. Instead, the typical message on the bus states the type of object that was updated and the ID of that object, and triggers recipients to refresh the object's information from the database.
Q: Can I use my own Message Bus/Broker/MQTT?
A: Yes! Some customers with larger and/or more segmented deployments of Trust Protection Platform will find that using their own broker is a better fit for their architectural needs. When you use your own Message Bus, Venafi Trust Protection Platform operates in a hub-and-spoke network model, and we only require each Venafi Engine to have network access to your Message Bus; Venafi Engines do not need network access to each other.
Q: Which Message Bus/MQTT brokers is Venafi compatible with?
A: MQTT is a protocol standardized by ISO and OASIS. There are many MQTT broker products to choose from. In our internal testing, we worked with the very popular RabbitMQ and EMQX. We saw no problems with either, nor do we expect problems with any MQTT broker that honors the Version 5 standard.
Q: What version of MQTT does Venafi Trust Protection Platform use?
A: We are using MQTT Version 5, available since 2019. We standardized on version 5 due to the performance benefits of Version 5 over older versions of the standard.
Q: What Authentication Methods does Venafi Support for connecting to my own Message Bus?
A: We currently support Username/Password and Certificate-based Authentication. Version 5 allows MQTT vendors to implement additional mechanisms. We are open to supporting additional mechanisms in the future, based on customer demand. Let us know in Customer Community if you need us to support additional authentication mechanisms.
Q: If the Message Bus goes down, will there be an immediate outage of services?
A: If running in mesh mode, high availability is designed into the system and there is no impact at all, since a downed node implies that the Venafi Engine itself is also not running.
In Central Broker mode, there will be no immediate impact either if the broker goes down. The bus is not a datastore, nor is it a primary source of information. If the central broker remains unavailable, each instance of Trust Protection Platform will gradually become stale, which will lead to undesirable behaviors. Since the Venafi Message Bus retains any unsent bus messages (up to 2,000) while the broker is down and publishes them once the broker becomes available again, a short broker downtime will not cause any negative impact.
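The two behaviours described above, the object-type-plus-ID message that carries no sensitive data (the "What information is exchanged" answer) and the bounded retention of unsent messages during a central-broker outage, are modelled together in the following Python example. It is added here and is not Venafi's code: the broker is an in-memory stand-in rather than an MQTT client, the topic name, the "local:alice" identity and its rights are constructed sample values, and the overflow policy when more than the retained maximum accumulates is an assumption of this example (the article gives only the 2,000 figure).

```python
import json
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Tuple

MAX_RETAINED = 2000  # the article: up to 2,000 unsent messages are held while the broker is down
Key = Tuple[str, str]


@dataclass(frozen=True)
class ChangeNotice:
    """Shape of a bus message as the article describes it: object type and ID only.
    Attribute values, credentials or rights never travel on the bus."""
    object_type: str
    object_id: str

    def to_payload(self) -> bytes:
        return json.dumps({"type": self.object_type, "id": self.object_id}).encode()

    @staticmethod
    def from_payload(raw: bytes) -> "ChangeNotice":
        d = json.loads(raw.decode())
        return ChangeNotice(d["type"], d["id"])


class FakeBroker:
    """In-memory stand-in for an MQTT broker (constructed for this example, not a real client)."""
    def __init__(self) -> None:
        self.available = True
        self.subscribers: Dict[str, List[Callable[[str, bytes], None]]] = {}

    def subscribe(self, topic: str, callback: Callable[[str, bytes], None]) -> None:
        self.subscribers.setdefault(topic, []).append(callback)

    def publish(self, topic: str, payload: bytes) -> None:
        if not self.available:
            raise ConnectionError("broker unavailable")
        for callback in self.subscribers.get(topic, []):
            callback(topic, payload)


class Publisher:
    """Publishes change notices and holds unsent ones (bounded) while the broker is down."""
    def __init__(self, broker: FakeBroker, topic: str = "tpp/changes", max_retained: int = MAX_RETAINED) -> None:
        self.broker, self.topic, self.max_retained = broker, topic, max_retained
        self.outbox: Deque[ChangeNotice] = deque()
        self.dropped = 0

    def notify(self, notice: ChangeNotice) -> None:
        try:
            self.broker.publish(self.topic, notice.to_payload())
        except ConnectionError:
            if len(self.outbox) >= self.max_retained:
                # Overflow policy is an assumption of this example (the article does not
                # state one): discard the oldest notice so the newest change survives.
                self.outbox.popleft()
                self.dropped += 1
            self.outbox.append(notice)

    def flush(self) -> int:
        """Replay retained notices in order once the broker is back; returns how many were sent."""
        sent = 0
        while self.outbox:
            try:
                self.broker.publish(self.topic, self.outbox[0].to_payload())
            except ConnectionError:
                break
            self.outbox.popleft()
            sent += 1
        return sent


class Instance:
    """One process (e.g. Web UI or VPlatform) caching object data it read from the database.
    A notice only names an object; the instance re-reads that object from the database."""
    def __init__(self, database: Dict[Key, dict], broker: FakeBroker, topic: str = "tpp/changes") -> None:
        self.database, self.cache, self.refreshes = database, {}, 0
        broker.subscribe(topic, self.on_message)

    def get(self, object_type: str, object_id: str) -> dict:
        key = (object_type, object_id)
        if key not in self.cache:
            self.cache[key] = dict(self.database[key])
        return self.cache[key]

    def on_message(self, topic: str, payload: bytes) -> None:
        notice = ChangeNotice.from_payload(payload)
        key = (notice.object_type, notice.object_id)
        if key in self.cache:  # only objects this process actually holds need refreshing
            self.cache[key] = dict(self.database[key])
            self.refreshes += 1


def run_scenario(changes_during_outage: int, max_retained: int = MAX_RETAINED) -> dict:
    """Constructed walk-through: one rights change with the broker up, several while it is
    down, then recovery. Returns what the publisher and the subscribing instances observed."""
    key = ("Identity", "local:alice")                    # constructed sample identity
    database = {key: {"rights": ["Read"]}}
    broker = FakeBroker()
    publisher = Publisher(broker, max_retained=max_retained)
    web_ui, vplatform = Instance(database, broker), Instance(database, broker)
    web_ui.get(*key)
    vplatform.get(*key)                                  # both processes now cache alice's rights

    database[key] = {"rights": ["Read", "Write"]}        # change 1: broker available
    publisher.notify(ChangeNotice(*key))
    after_live = vplatform.get(*key)["rights"]

    broker.available = False                             # central broker outage begins
    for n in range(changes_during_outage):
        database[key] = {"rights": ["Read", "Write", f"Extra{n}"]}
        publisher.notify(ChangeNotice(*key))
    stale_during_outage = web_ui.get(*key)["rights"]     # cache still shows the pre-outage value

    broker.available = True                              # recovery: retained notices are replayed
    replayed = publisher.flush()
    return {
        "after_live": after_live,
        "stale_during_outage": stale_during_outage,
        "retained_before_flush": min(changes_during_outage, max_retained),
        "replayed": replayed,
        "dropped": publisher.dropped,
        "after_recovery": web_ui.get(*key)["rights"],
        "refreshes_per_instance": web_ui.refreshes,
        "payload_keys": sorted(json.loads(ChangeNotice(*key).to_payload())),
    }
```

The payload carries exactly two keys, the object type and its ID, which is why a captured or replayed bus message discloses nothing about the rights themselves; the subscriber always goes back to the database for the current value. During the outage the caches keep serving the last value they fetched, which is the "gradually stale" state the answer describes, and the replay on recovery brings every instance current again without any instance having trusted data from the bus.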
Q: Is Message Bus Optional? Can I turn it off if I don't want it?
A: The Message Bus is a new and powerful capability that we are excited to introduce into Venafi Trust Protection Platform in 23.3. It is required for normal operations. All customers must plan and prepare for their upgrade to either use Self-hosted (mesh style) mode or Central MQTT Broker (hub-and-spoke style) mode and the corresponding requirements for each.
Q: How do I configure Message Bus?
A: Detailed steps on configuring the message bus can be found in the product documentation. See Modifying Message Bus configuration settings.
Q: How do I know if Message Bus is operating properly for my deployment?
A: Venafi Configuration Console and the Venafi MMC Remote Snap-ins include a new Message Bus node for configuring, monitoring, and troubleshooting the Venafi Message Bus. See Working with Message Bus in our product documentation.
In addition, local master admins with email addresses configured will automatically receive notifications if problems are detected with the health of the message bus. These notifications can be customized to be sent to any email address.