Appendix B. Configuration Reference
The AMQ Interconnect component behavior is totally configurable using a configuration file which can be passed as parameter (with the --conf
option) on the command line when running it. After installation, a default configuration file is placed at the following path :
[install-prefix]/etc/qpid-dispatch/qdrouterd.conf
This file is used when the router is started without specify configuration file path on the command line and when it is started as a service. In case of starting router on the command line the configuration file can be placed anywhere on the file system.
B.1. Configuration File
The configuration file is made up of sections with following syntax :
sectionName { attributeName: attributeValue attributeName: attributeValue ... }
A section could be referenced by another section using its name
attribute. An example is the sslProfile section which describes attributes for setting SSL/TLS configuration and can be applied to one or more listener and connector sections.
sslProfile { name: ssl-profile-one certDb: ca-certificate-1.pem certFile: server-certificate-1.pem keyFile: server-private-key.pem } listener { sslProfile: ssl-profile-one host: 0.0.0.0 port: amqp saslMechanisms: ANONYMOUS }
In the above example, the sslProfile section named ssl-profile-one is used to define the sslProfile attribute for the listener section.
B.1.1. Configuration Sections
B.1.1.1. sslProfile
Attributes for setting SSL/TLS configuration for connections.
- certDb (path) : The absolute path to the database that contains the public certificates of trusted certificate authorities (CA).
- certFile (path) : The absolute path to the file containing the PEM-formatted public certificate to be used on the local end of any connections using this profile.
- keyFile (path) : The absolute path to the file containing the PEM-formatted private key for the above certificate.
- passwordFile (path) : If the above private key is password protected, this is the absolute path to a file containing the password that unlocks the certificate key.
- password (string) : An alternative to storing the password in a file referenced by passwordFile is to supply the password right here in the configuration file. This option can be used by supplying the password in the ‘password’ option. Don’t use both password and passwordFile in the same profile.
- uidFormat (string) : A list of x509 client certificate fields that will be used to build a string that will uniquely identify the client certificate owner. For example, a value of ‘cou’ indicates that the uid will consist of c - common name concatenated with o - organization-company name concatenated with u - organization unit; or a value of ‘oF’ indicates that the uid will consist of o (organization name) concatenated with F (the sha256 fingerprint of the entire certificate) . Allowed values can be any combination of comma separated ‘c’( ISO3166 two character country code), ‘s’(state or province), ‘l’(Locality; generally - city), ‘o’(Organization - Company Name), ‘u’(Organization Unit - typically certificate type or brand), ‘n’(CommonName - typically a username for client certificates) and ‘1’(sha1 certificate fingerprint, as displayed in the fingerprints section when looking at a certificate with say a web browser is the hash of the entire certificate) and 2 (sha256 certificate fingerprint) and 5 (sha512 certificate fingerprint).
- displayNameFile (string) : The absolute path to the file containing the unique id to display name mapping.
- name (string) : The name of the profile used for referencing it from listener and connector sections.
Used by : listener, connector.
B.1.1.2. router
Describe main information about the router related to identity, internal processes and inter routers communication.
- id (string) : Router’s unique identity. It is required and the router will fail to start without it.
-
mode (One of [
standalone
,interior
], default=standalone
) : In standalone mode, the router operates as a single component. It does not participate in the routing protocol and therefore will not cooperate with other routers. In interior mode, the router operates in cooperation with other interior routers in an interconnected network. -
helloInterval (integer, default=
1
) : Interval in seconds between HELLO messages sent to neighbor routers in order to announce its presence (as a keep alive). -
helloMaxAge (integer, default=
3
) : Time in seconds after which a neighbor router is declared lost if no HELLO is received. -
raInterval (integer, default=
30
) : Interval in seconds between Router-Advertisements sent to all routers in a stable network. -
raIntervalFlux (integer, default=
4
) : Interval in seconds between Router-Advertisements sent to all routers during topology fluctuations. -
remoteLsMaxAge (integer, default=
60
) : Time in seconds after which link state is declared stale if no RA is received. -
workerThreads (integer, default=
4
) : The number of threads that will be created to process message traffic and other application work (timers, non-amqp file descriptors, and so on). - debugDump (path) : The absolute path for a file to dump debugging information that can’t be logged normally.
- saslConfigPath (path) : The absolute path to the SASL configuration file.
-
saslConfigName (string, default=
qdrouterd
) : Name of the SASL configuration. This string + ‘.conf’ is the name of the configuration file.
B.1.1.3. listener
Listens for incoming connections to the router.
-
host (string, default=
127.0.0.1
) : IP address: ipv4 or ipv6 literal or a hostname. -
port (string, default=
amqp
) : Port number or symbolic service name. -
protocolFamily (One of [
IPv4
,IPv6
]) : IPv4: Internet Protocol version 4; IPv6: Internet Protocol version 6. If not specified, the protocol family will be automatically determined from the address. -
role (One of [
normal
,inter-router
,route-container
], default=normal
) : The role of an established connection. In the normal role, the connection is assumed to be used for AMQP clients that are doing normal message delivery over the connection. In the inter-router role, the connection is assumed to be to another router in the network. Inter-router discovery and routing protocols can only be used over inter-router connections. The route-container role can be used for router-container connections, for example, a router-broker connection. -
cost (integer, default=
1
) : For theinter-route
role only. This value assigns a cost metric to the inter-router connection. The default (and minimum) value is one. Higher values represent higher costs. The cost is used to influence the routing algorithm as it attempts to use the path with the lowest total cost from ingress to egress. - saslMechanisms (string) : Space separated list of accepted SASL authentication mechanisms.
- authenticatePeer (boolean) : yes: Require the peer’s identity to be authenticated; no: Do not require any authentication.
- requireEncryption (boolean) : yes: Require the connection to the peer to be encrypted; no: Permit non-encrypted communication with the peer. It is related to SASL mechanisms which support encryption.
- requireSsl (boolean) : yes: Require the use of SSL/TLS on the connection; no: Allow clients to connect without SSL/TLS.
- trustedCerts (path) : This optional setting can be used to reduce the set of available CAs for client authentication. If used, this setting must provide an absolute path to a PEM file that contains the trusted certificates.
-
maxFrameSize (integer, default=
16384
) : Defaults to 16384. If specified, it is the maximum frame size in octets that will be used in the connection-open negotiation with a connected peer. The frame size is the largest contiguous set of uninterrupted data that can be sent for a message delivery over the connection. Interleaving of messages on different links is done at frame granularity. -
idleTimeoutSeconds : (integer, default=
16
) : The idle timeout, in seconds, for connections through this listener. If no frames are received on the connection for this time interval, the connection shall be closed. -
stripAnnotations (One of [
in
,out
,both
,no
], default=both
) : in: Strip the dispatch router specific annotations only on ingress; out: Strip the dispatch router specific annotations only on egress; both: Strip the dispatch router specific annotations on both ingress and egress; no - do not strip dispatch router specific annotations. - linkCapacity (integer) : The capacity of links within this connection, in terms of message deliveries. The capacity is the number of messages that can be in-flight concurrently for each link.
- sslProfile (string) : The name of the sslProfile entity to use in order to have SSL/TLS configuration.
-
http (boolean): If set to
yes
, the listener will accept HTTP connections using AMQP over WebSockets.
B.1.1.4. connector
Establishes an outgoing connection from the router.
- name (string) : Name using to reference the connector in the configuration file for example for a link routing to queue on a broker.
-
host (string, default=
127.0.0.1
) : IP address: ipv4 or ipv6 literal or a hostname. -
port (string, default=
amqp
) : Port number or symbolic service name. -
protocolFamily (One of [
IPv4
,IPv6
]) : IPv4: Internet Protocol version 4; IPv6: Internet Protocol version 6. If not specified, the protocol family will be automatically determined from the address. -
role (One of [
normal
,inter-router
,route-container
], default=normal
) : The role of an established connection. In the normal role, the connection is assumed to be used for AMQP clients that are doing normal message delivery over the connection. In the inter-router role, the connection is assumed to be to another router in the network. Inter-router discovery and routing protocols can only be used over inter-router connections. route-container role can be used for router-container connections, for example, a router-broker connection. -
cost (integer, default=
1
) : For the ‘inter-router’ role only. This value assigns a cost metric to the inter-router connection. The default (and minimum) value is one. Higher values represent higher costs. The cost is used to influence the routing algorithm as it attempts to use the path with the lowest total cost from ingress to egress. - saslMechanisms (string) : Space separated list of accepted SASL authentication mechanisms.
- allowRedirect (boolean, default=True) : Allow the peer to redirect this connection to another address.
-
maxFrameSize (integer, default=
65536
) : Maximum frame size in octets that will be used in the connection-open negotiation with a connected peer. The frame size is the largest contiguous set of uninterrupted data that can be sent for a message delivery over the connection. Interleaving of messages on different links is done at frame granularity. -
idleTimeoutSeconds (integer, default=
16
) : The idle timeout, in seconds, for connections through this connector. If no frames are received on the connection for this time interval, the connection shall be closed. -
stripAnnotations (One of [
in
,out
,both
,no
], default=both
) : in: Strip the dispatch router specific annotations only on ingress; out: Strip the dispatch router specific annotations only on egress; both: Strip the dispatch router specific annotations on both ingress and egress; no - do not strip dispatch router specific annotations. - linkCapacity (integer) : The capacity of links within this connection, in terms of message deliveries. The capacity is the number of messages that can be in-flight concurrently for each link.
- verifyHostName (boolean, default=True) : yes: Ensures that when initiating a connection (as a client) the hostname in the URL to which this connector connects to matches the hostname in the digital certificate that the peer sends back as part of the SSL/TLS connection; no: Does not perform hostname verification
- saslUsername (string) : The username that the connector is using to connect to a peer.
- saslPassword (string) : The password that the connector is using to connect to a peer.
- sslProfile (string) : The name of the sslProfile entity to use in order to have SSL/TLS configuration.
B.1.1.5. log
Configure logging for a particular module which is part of the router. You can use the UPDATE operation to change log settings while the router is running.
-
module (One of [
ROUTER
,ROUTER_CORE
,ROUTER_HELLO
,ROUTER_LS
,ROUTER_MA
,MESSAGE
,SERVER
,AGENT
,CONTAINER
,ERROR
,POLICY
,DEFAULT
], required) : Module to configure. The special moduleDEFAULT
specifies defaults for all modules. -
enable (string, default=
default
, required) Levels are:trace
,debug
,info
,notice
,warning
,error
,critical
. The enable string is a comma-separated list of levels. A level may have a trailing+
to enable that level and above. For exampletrace,debug,warning+
means enable trace, debug, warning, error and critical. The value ‘none’ means disable logging for the module. The valuedefault
means use the value from theDEFAULT
module. - timestamp (boolean) : Include timestamp in log messages.
- source (boolean) : Include source file and line number in log messages.
-
output (string) : Where to send log messages. Can be
stderr
,syslog
or a file name.
B.1.1.6. address
Entity type for address configuration. This is used to configure the treatment of message-routed deliveries within a particular address-space. The configuration controls distribution and address phasing.
- prefix (string, required) : The address prefix for the configured settings.
-
distribution (One of [
multicast
,closest
,balanced
], default=balanced
) : Treatment of traffic associated with the address. - waypoint (boolean) : Designates this address space as being used for waypoints. This will cause the proper address-phasing to be used.
- ingressPhase (integer) : Advanced - Override the ingress phase for this address.
- egressPhase (integer) : Advanced - Override the egress phase for this address.
B.1.1.7. linkRoute
Entity type for link-route configuration. This is used to identify remote containers that shall be destinations for routed link-attaches. The link-routing configuration applies to an addressing space defined by a prefix.
- prefix (string, required) : The address prefix for the configured settings.
- containerId (string) : it specifies that the link route will be activated if a remote container will provide a container-id matching with this value.
- connection (string) : The name from a connector or listener.
-
distribution (One of [
linkBalanced
], default=linkBalanced
) : Treatment of traffic associated with the address. -
dir (One of [
in
,out
], required) : The permitted direction of links. It is defined from a router point of view so ‘in’ means client senders (router ingress) and ‘out’ means client receivers (router egress).
B.1.1.8. autoLink
Entity type for configuring auto-links. Auto-links are links whose lifecycle is managed by the router. These are typically used to attach to waypoints on remote containers (brokers, and so on.).
- addr (string, required) : The address of the provisioned object.
-
dir (One of [
in
,out
], required) : The direction of the link to be created. In means into the router, out means out of the router. -
phase (integer) : The address phase for this link. Defaults to
0
forout
links and1
forin
links. - containerId (string) : ContainerID for the target container.
- connection (string) : The name from a connector or listener.
B.1.1.9. console
Start a websocket/tcp proxy and http file server to serve the web console.
- listener (string) : The name of the listener to send the proxied tcp traffic to.
-
wsport (integer, default=
5673
) : The port on which to listen for websocket traffic. - proxy (string) : The full path to the proxy program to run.
- home (string) : The full path to the html/css/js files for the console.
- args (string) : Optional args to pass to the proxy program for logging, authentication, and so on.
B.1.1.10. policy
Defines global connection limit
- maximumConnections (integer) : Global maximum number of concurrent client connections allowed. Zero implies no limit. This limit is always enforced even if no other policy settings have been defined.
- enableAccessRules (boolean) : Enable user rule set processing and connection denial.
- policyFolder (path) : The absolute path to a folder that holds policyRuleset definition .json files. For a small system the rulesets may all be defined in this file. At a larger scale it is better to have the policy files in their own folder and to have none of the rulesets defined here. All rulesets in all .json files in this folder are processed.
- defaultApplication (string) : Application policyRuleset to use for connections with no open.hostname or a hostname that does not match any existing policy. For users that don’t wish to use open.hostname or any multi-tennancy feature, this default policy can be the only policy in effect for the network.
- defaultApplicationEnabled (boolean) : Enable defaultApplication policy fallback logic.
B.1.1.11. policyRuleset
Per application definition of the locations from which users may connect and the groups to which users belong.
- maxConnections (integer) : Maximum number of concurrent client connections allowed. Zero implies no limit.
- maxConnPerUser (integer) : Maximum number of concurrent client connections allowed for any single user. Zero implies no limit.
- maxConnPerHost (integer) : Maximum number of concurrent client connections allowed for any remote host. Zero implies no limit.
- userGroups (map) : A map where each key is a user group name and the corresponding value is a CSV string naming the users in that group. Users who are assigned to one or more groups are deemed ‘restricted’. Restricted users are subject to connection ingress policy and are assigned policy settings based on the assigned user groups. Unrestricted users may be allowed or denied. If unrestricted users are allowed to connect then they are assigned to user group default.
- ingressHostGroups (map) : A map where each key is an ingress host group name and the corresponding value is a CSV string naming the IP addresses or address ranges in that group. IP addresses may be FQDN strings or numeric IPv4 or IPv6 host addresses. A host range is two host addresses of the same address family separated with a hyphen. The wildcard host address ‘*’ represents any host address.
- ingressPolicies (map) : A map where each key is a user group name and the corresponding value is a CSV string naming the ingress host group names that restrict the ingress host for the user group. Users who are members of the user group are allowed to connect only from a host in one of the named ingress host groups.
- connectionAllowDefault (boolean) : Unrestricted users, those who are not members of a defined user group, are allowed to connect to this application. Unrestricted users are assigned to the ‘default’ user group and receive ‘default’ settings.
- settings (map) : A map where each key is a user group name and the value is a map of the corresponding settings for that group.