qdrouterd.conf (5) - Linux Manuals

NAME

qdrouterd.conf - dispatch router configuration

SYNOPSIS

qdrouterd.conf is the configuration file for the dispatch router.

DESCRIPTION

The configuration file is made up of sections with this syntax:

SECTION-NAME {
    ATTRIBUTE-NAME: ATTRIBUTE-VALUE
    ATTRIBUTE-NAME: ATTRIBUTE-VALUE
    ...
}

There are two types of sections:

Configuration sections correspond to configuration entities. They can be queried and configured via management tools as well as via the configuration file.

Annotation sections define a group of attribute values that can be included in one or more entity sections.

For example, you can define an "ssl-profile" annotation section with SSL credentials that can be included in multiple "listener" entities. Here's an example; note how the 'ssl-profile' attribute of 'listener' sections references the 'name' attribute of 'ssl-profile' sections.

ssl-profile {
    name: ssl-profile-one
    cert-db: ca-certificate-1.pem
    cert-file: server-certificate-1.pem
    key-file: server-private-key.pem
}

listener {
    ssl-profile: ssl-profile-one
    host: 0.0.0.0
    port: 20102
    sasl-mechanisms: ANONYMOUS
}

ANNOTATION SECTIONS

addrPort

Attributes for internet address and port.

Used by: listener, connector.

addr (string, default='127.0.0.1')
(DEPRECATED) IP address: ipv4 or ipv6 literal or a host name. This attribute has been deprecated. Use host instead.
host (string, default='127.0.0.1')
IP address: ipv4 or ipv6 literal or a host name
port (string, default='amqp')
Port number or symbolic service name.
protocolFamily (One of ['IPv4', 'IPv6'])
IPv4: Internet Protocol version 4; IPv6: Internet Protocol version 6. If not specified, the protocol family will be automatically determined from the address.

connectionRole

Attribute for the role of a connection.

Used by: listener, connector.

role (One of ['normal', 'inter-router', 'route-container', 'on-demand'], default='normal')
The role of an established connection. In the normal role, the connection is assumed to be used for AMQP clients that are doing normal message delivery over the connection. In the inter-router role, the connection is assumed to be to another router in the network. Inter-router discovery and routing protocols can only be used over inter-router connections. The route-container role can be used for router-container connections, for example, a router-broker connection. The on-demand role has been deprecated.
cost (integer, default='1')
For the 'inter-router' role only. This value assigns a cost metric to the inter-router connection. The default (and minimum) value is one. Higher values represent higher costs. The cost is used to influence the routing algorithm as it attempts to use the path with the lowest total cost from ingress to egress.

sslProfile

Attributes for setting TLS/SSL configuration for connections.

Used by: listener, connector.

certDb (path)
The path to the database that contains the public certificates of trusted certificate authorities (CA).
certFile (path)
The path to the file containing the PEM-formatted public certificate to be used on the local end of any connections using this profile.
keyFile (path)
The path to the file containing the PEM-formatted private key for the above certificate.
passwordFile (path)
If the above private key is password protected, this is the path to a file containing the password that unlocks the certificate key.
password (string)
An alternative to storing the password in a file referenced by passwordFile is to supply the password directly in the configuration file using this 'password' attribute. Don't use both password and passwordFile in the same profile.
uidFormat (string)
A list of x509 client certificate fields that will be used to build a string that uniquely identifies the client certificate owner. For example, a value of 'cou' indicates that the uid will consist of c (country code) concatenated with o (organization, i.e. company name) concatenated with u (organization unit); a value of 'o2' indicates that the uid will consist of o (organization name) concatenated with 2 (the sha256 fingerprint of the entire certificate). Allowed values can be any combination of comma separated 'c' (ISO3166 two character country code), 's' (state or province), 'l' (locality; generally the city), 'o' (organization; company name), 'u' (organization unit; typically certificate type or brand), 'n' (CommonName; typically a user name for client certificates), '1' (sha1 certificate fingerprint: the hash of the entire certificate, as displayed in the fingerprints section when viewing a certificate in, say, a web browser), '2' (sha256 certificate fingerprint) and '5' (sha512 certificate fingerprint).
displayNameFile (string)
The path to the file containing the unique id to display name mapping

CONFIGURATION SECTIONS

container

(DEPRECATED) Attributes related to the AMQP container. This entity has been deprecated. Use the router entity instead.

containerName (string)
The name of the AMQP container. If not specified, the container name will be set to a value of the container's choosing. The automatically assigned container name is not guaranteed to be persistent across restarts of the container.
workerThreads (integer, default=4)
The number of threads that will be created to process message traffic and other application work (timers, non-amqp file descriptors, etc.).
debugDump (path)
A file to dump debugging information that can't be logged normally.
saslConfigPath (path)
Absolute path to the SASL configuration file.
saslConfigName (string)
Name of the SASL configuration. This string + '.conf' is the name of the configuration file.

router

Tracks peer routers and computes routes to destinations.

routerId (string)
(DEPRECATED) Router's unique identity. This attribute has been deprecated. Use id instead.
id (string)
Router's unique identity. One of id or routerId is required. The router will fail to start without id or routerId.
mode (One of ['standalone', 'interior'], default='standalone')
In standalone mode, the router operates as a single component. It does not participate in the routing protocol and therefore will not cooperate with other routers. In interior mode, the router operates in cooperation with other interior routers in an interconnected network.
helloInterval (integer, default=1)
Interval in seconds between HELLO messages sent to neighbor routers.
helloMaxAge (integer, default=3)
Time in seconds after which a neighbor is declared lost if no HELLO is received.
raInterval (integer, default=30)
Interval in seconds between Router-Advertisements sent to all routers in a stable network.
raIntervalFlux (integer, default=4)
Interval in seconds between Router-Advertisements sent to all routers during topology fluctuations.
remoteLsMaxAge (integer, default=60)
Time in seconds after which link state is declared stale if no RA is received.
mobileAddrMaxAge (integer, default=60)
(DEPRECATED) This value is no longer used in the router.
workerThreads (integer, default=4)
The number of threads that will be created to process message traffic and other application work (timers, non-amqp file descriptors, etc.).
debugDump (path)
A file to dump debugging information that can't be logged normally.
saslConfigPath (path)
Absolute path to the SASL configuration file.
saslConfigName (string, default='qdrouterd')
Name of the SASL configuration. This string + '.conf' is the name of the configuration file.

listener

Listens for incoming connections to the router.

Annotations: addrPort, connectionRole, sslProfile.

addr (string, default='127.0.0.1')
(DEPRECATED) IP address: ipv4 or ipv6 literal or a host name. This attribute has been deprecated. Use host instead.
host (string, default='127.0.0.1')
IP address: ipv4 or ipv6 literal or a host name
port (string, default='amqp')
Port number or symbolic service name.
protocolFamily (One of ['IPv4', 'IPv6'])
IPv4: Internet Protocol version 4; IPv6: Internet Protocol version 6. If not specified, the protocol family will be automatically determined from the address.
role (One of ['normal', 'inter-router', 'route-container', 'on-demand'], default='normal')
The role of an established connection. In the normal role, the connection is assumed to be used for AMQP clients that are doing normal message delivery over the connection. In the inter-router role, the connection is assumed to be to another router in the network. Inter-router discovery and routing protocols can only be used over inter-router connections. The route-container role can be used for router-container connections, for example, a router-broker connection. The on-demand role has been deprecated.
cost (integer, default='1')
For the 'inter-router' role only. This value assigns a cost metric to the inter-router connection. The default (and minimum) value is one. Higher values represent higher costs. The cost is used to influence the routing algorithm as it attempts to use the path with the lowest total cost from ingress to egress.
certDb (path)
The path to the database that contains the public certificates of trusted certificate authorities (CA).
certFile (path)
The path to the file containing the PEM-formatted public certificate to be used on the local end of any connections using this profile.
keyFile (path)
The path to the file containing the PEM-formatted private key for the above certificate.
passwordFile (path)
If the above private key is password protected, this is the path to a file containing the password that unlocks the certificate key.
password (string)
An alternative to storing the password in a file referenced by passwordFile is to supply the password directly in the configuration file using this 'password' attribute. Don't use both password and passwordFile in the same profile.
uidFormat (string)
A list of x509 client certificate fields that will be used to build a string that uniquely identifies the client certificate owner. For example, a value of 'cou' indicates that the uid will consist of c (country code) concatenated with o (organization, i.e. company name) concatenated with u (organization unit); a value of 'o2' indicates that the uid will consist of o (organization name) concatenated with 2 (the sha256 fingerprint of the entire certificate). Allowed values can be any combination of comma separated 'c' (ISO3166 two character country code), 's' (state or province), 'l' (locality; generally the city), 'o' (organization; company name), 'u' (organization unit; typically certificate type or brand), 'n' (CommonName; typically a user name for client certificates), '1' (sha1 certificate fingerprint: the hash of the entire certificate, as displayed in the fingerprints section when viewing a certificate in, say, a web browser), '2' (sha256 certificate fingerprint) and '5' (sha512 certificate fingerprint).
displayNameFile (string)
The path to the file containing the unique id to display name mapping
saslMechanisms (string)
Comma separated list of accepted SASL authentication mechanisms.
authenticatePeer (boolean)
yes: Require the peer's identity to be authenticated; no: Do not require any authentication.
requireEncryption (boolean)
yes: Require the connection to the peer to be encrypted; no: Permit non-encrypted communication with the peer
requireSsl (boolean)
yes: Require the use of SSL or TLS on the connection; no: Allow clients to connect without SSL or TLS.
trustedCerts (path)
This optional setting can be used to reduce the set of available CAs for client authentication. If used, this setting must provide a path to a PEM file that contains the trusted certificates.
maxFrameSize (integer, default=16384)
Defaults to 16384. If specified, it is the maximum frame size in octets that will be used in the connection-open negotiation with a connected peer. The frame size is the largest contiguous set of uninterrupted data that can be sent for a message delivery over the connection. Interleaving of messages on different links is done at frame granularity.
idleTimeoutSeconds (integer, default=16)
The idle timeout, in seconds, for connections through this listener. If no frames are received on the connection for this time interval, the connection shall be closed.
requirePeerAuth (boolean)
(DEPRECATED) This attribute is now controlled by the authenticatePeer attribute.
allowUnsecured (boolean)
(DEPRECATED) This attribute is now controlled by the requireEncryption attribute.
allowNoSasl (boolean)
(DEPRECATED) This attribute is now controlled by the authenticatePeer attribute.
stripAnnotations (One of ['in', 'out', 'both', 'no'], default='both')
in: Strip the dispatch router specific annotations only on ingress; out: Strip the dispatch router specific annotations only on egress; both: Strip the dispatch router specific annotations on both ingress and egress; no: Do not strip dispatch router specific annotations.
linkCapacity (integer)
The capacity of links within this connection, in terms of message deliveries. The capacity is the number of messages that can be in-flight concurrently for each link.
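
Added example (not part of the original manual page or of the Qpid Dispatch project): a Python sketch that parses the section syntax described above and flags listeners that accept ANONYMOUS on a non-loopback host, do not set authenticatePeer, set neither requireSsl nor requireEncryption, or inherit an inline key password from their ssl-profile. The finding names, the equivalence of hyphenated and camelCase attribute names, full-line '#' comments and treating an unset boolean as 'no' are assumptions of the sketch; all sample values are constructed.

```python
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
def camel(name):
    # 'ssl-profile' -> 'sslProfile'; treating both spellings as equal is assumed.
    head, *rest = name.split("-")
    return head + "".join(part.capitalize() for part in rest)

def parse_conf(text):
    """Parse 'SECTION-NAME { ATTR: VALUE ... }' into [(section, {attr: value})]."""
    sections, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # full-line '#' comments: assumed
            continue
        if current is None:
            if not line.endswith("{"):
                raise ValueError(f"line {lineno}: expected a section header")
            current = (camel(line[:-1].strip()), {})
        elif line == "}":
            sections.append(current)
            current = None
        else:
            key, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"line {lineno}: expected ATTRIBUTE: VALUE")
            current[1][camel(key.strip())] = value.strip()
    if current is not None:
        raise ValueError("unterminated section")
    return sections

def is_yes(value):
    return str(value).strip().lower() in {"yes", "true"}

def audit_listeners(text):
    """Return (port, finding) pairs for listeners with weak settings."""
    sections = parse_conf(text)
    profiles = {a.get("name"): a for s, a in sections if s == "sslProfile"}
    findings = []
    for section, attrs in sections:
        if section != "listener":
            continue
        # Attributes of the referenced ssl-profile annotation apply to the listener.
        merged = {**profiles.get(attrs.get("sslProfile"), {}), **attrs}
        port = merged.get("port", "amqp")
        mechs = {m.strip().upper() for m in merged.get("saslMechanisms", "").split(",")}
        if merged.get("host", "127.0.0.1") not in LOOPBACK:
            if "ANONYMOUS" in mechs:
                findings.append((port, "anonymous-on-exposed-host"))
            if not is_yes(merged.get("authenticatePeer")):  # unset counted as 'no'
                findings.append((port, "peer-auth-not-required"))
            if not any(is_yes(merged.get(k)) for k in ("requireSsl", "requireEncryption")):
                findings.append((port, "encryption-not-required"))
        if "password" in merged:
            findings.append((port, "inline-key-password"))
    return findings

# Constructed sample: the page's weak listener next to a hardened one.
SAMPLE = """
ssl-profile {
    name: ssl-profile-one
    key-file: server-private-key.pem
    password: example-only
}
ssl-profile {
    name: ssl-profile-two
    password-file: key-password.txt
}
listener {
    ssl-profile: ssl-profile-one
    host: 0.0.0.0
    port: 20102
    sasl-mechanisms: ANONYMOUS
}
listener {
    sslProfile: ssl-profile-two
    host: 0.0.0.0
    port: 5671
    saslMechanisms: EXTERNAL
    authenticatePeer: yes
    requireSsl: yes
}
"""

if __name__ == "__main__":
    print(audit_listeners(SAMPLE))
```

Only the listener on port 20102 is reported; the listener on port 5671 sets authenticatePeer and requireSsl and references a profile that uses passwordFile.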

connector

Establishes an outgoing connection from the router.

Annotations: addrPort, connectionRole, sslProfile.

addr (string, default='127.0.0.1')
(DEPRECATED) IP address: ipv4 or ipv6 literal or a host name. This attribute has been deprecated. Use host instead.
host (string, default='127.0.0.1')
IP address: ipv4 or ipv6 literal or a host name
port (string, default='amqp')
Port number or symbolic service name.
protocolFamily (One of ['IPv4', 'IPv6'])
IPv4: Internet Protocol version 4; IPv6: Internet Protocol version 6. If not specified, the protocol family will be automatically determined from the address.
role (One of ['normal', 'inter-router', 'route-container', 'on-demand'], default='normal')
The role of an established connection. In the normal role, the connection is assumed to be used for AMQP clients that are doing normal message delivery over the connection. In the inter-router role, the connection is assumed to be to another router in the network. Inter-router discovery and routing protocols can only be used over inter-router connections. The route-container role can be used for router-container connections, for example, a router-broker connection. The on-demand role has been deprecated.
cost (integer, default='1')
For the 'inter-router' role only. This value assigns a cost metric to the inter-router connection. The default (and minimum) value is one. Higher values represent higher costs. The cost is used to influence the routing algorithm as it attempts to use the path with the lowest total cost from ingress to egress.
certDb (path)
The path to the database that contains the public certificates of trusted certificate authorities (CA).
certFile (path)
The path to the file containing the PEM-formatted public certificate to be used on the local end of any connections using this profile.
keyFile (path)
The path to the file containing the PEM-formatted private key for the above certificate.
passwordFile (path)
If the above private key is password protected, this is the path to a file containing the password that unlocks the certificate key.
password (string)
An alternative to storing the password in a file referenced by passwordFile is to supply the password directly in the configuration file using this 'password' attribute. Don't use both password and passwordFile in the same profile.
uidFormat (string)
A list of x509 client certificate fields that will be used to build a string that uniquely identifies the client certificate owner. For example, a value of 'cou' indicates that the uid will consist of c (country code) concatenated with o (organization, i.e. company name) concatenated with u (organization unit); a value of 'o2' indicates that the uid will consist of o (organization name) concatenated with 2 (the sha256 fingerprint of the entire certificate). Allowed values can be any combination of comma separated 'c' (ISO3166 two character country code), 's' (state or province), 'l' (locality; generally the city), 'o' (organization; company name), 'u' (organization unit; typically certificate type or brand), 'n' (CommonName; typically a user name for client certificates), '1' (sha1 certificate fingerprint: the hash of the entire certificate, as displayed in the fingerprints section when viewing a certificate in, say, a web browser), '2' (sha256 certificate fingerprint) and '5' (sha512 certificate fingerprint).
displayNameFile (string)
The path to the file containing the unique id to display name mapping
saslMechanisms (string)
Comma separated list of accepted SASL authentication mechanisms.
allowRedirect (boolean, default=True)
Allow the peer to redirect this connection to another address.
maxFrameSize (integer, default=65536)
Maximum frame size in octets that will be used in the connection-open negotiation with a connected peer. The frame size is the largest contiguous set of uninterrupted data that can be sent for a message delivery over the connection. Interleaving of messages on different links is done at frame granularity.
idleTimeoutSeconds (integer, default=16)
The idle timeout, in seconds, for connections through this connector. If no frames are received on the connection for this time interval, the connection shall be closed.
stripAnnotations (One of ['in', 'out', 'both', 'no'], default='both')
in: Strip the dispatch router specific annotations only on ingress; out: Strip the dispatch router specific annotations only on egress; both: Strip the dispatch router specific annotations on both ingress and egress; no: Do not strip dispatch router specific annotations.
linkCapacity (integer)
The capacity of links within this connection, in terms of message deliveries. The capacity is the number of messages that can be in-flight concurrently for each link.
verifyHostName (boolean, default=True)
yes: Ensures that when initiating a connection (as a client) the host name in the URL to which this connector connects matches the host name in the digital certificate that the peer sends back as part of the SSL connection; no: Does not perform host name verification.
saslUsername (string)
The user name that the connector is using to connect to a peer.
saslPassword (string)
The password that the connector is using to connect to a peer.

log

Configure logging for a particular module. You can use the UPDATE operation to change log settings while the router is running.

module (One of ['ROUTER', 'ROUTER_CORE', 'ROUTER_HELLO', 'ROUTER_LS', 'ROUTER_MA', 'MESSAGE', 'SERVER', 'AGENT', 'CONTAINER', 'CONFIG', 'ERROR', 'DISPATCH', 'POLICY', 'DEFAULT'], required)
Module to configure. The special module 'DEFAULT' specifies defaults for all modules.
enable (string, default='default', required)
Levels are: trace, debug, info, notice, warning, error, critical. The enable string is a comma-separated list of levels. A level may have a trailing '+' to enable that level and above. For example 'trace,debug,warning+' means enable trace, debug, warning, error and critical. The value 'none' means disable logging for the module. The value 'default' means use the value from the DEFAULT module.
timestamp (boolean)
Include timestamp in log messages.
source (boolean)
Include source file and line number in log messages.
output (string)
Where to send log messages. Can be 'stderr', 'syslog' or a file name.
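
Added example (not part of the original manual page or of the router's code): a Python sketch that expands the 'enable' string described above, resolves 'default' through the DEFAULT module, and reports which of a set of required levels a module would drop. The function names, the required-level set and the 'info+' fallback used when no DEFAULT section is configured are assumptions; the sample log sections are constructed.

```python
LEVELS = ["trace", "debug", "info", "notice", "warning", "error", "critical"]

def parse_enable(enable):
    """Expand an 'enable' string into a set of levels.

    Returns None for 'default', meaning the DEFAULT module must be consulted.
    """
    text = enable.strip().lower()
    if text == "default":
        return None
    if text == "none":
        return set()
    enabled = set()
    for item in text.split(","):
        item = item.strip()
        name = item.rstrip("+")
        if name not in LEVELS or item.count("+") > 1:
            raise ValueError(f"unknown log level: {item!r}")
        start = LEVELS.index(name)
        # A trailing '+' enables that level and everything above it.
        enabled.update(LEVELS[start:] if item.endswith("+") else [name])
    return enabled

def effective_levels(log_sections, module, fallback="info+"):
    """Resolve a module's enabled levels from a list of log-section dicts.

    'fallback' stands in for the router's built-in DEFAULT setting, which the
    page does not state; the value used here is an assumption.
    """
    by_module = {s["module"].upper(): s.get("enable", "default") for s in log_sections}
    levels = parse_enable(by_module.get(module.upper(), "default"))
    if levels is None:
        levels = parse_enable(by_module.get("DEFAULT", fallback))
    if levels is None:  # the DEFAULT section itself says 'default'
        levels = parse_enable(fallback)
    return sorted(levels, key=LEVELS.index)

def audit_gaps(log_sections, module, required=("warning", "error", "critical")):
    """List the required levels that the module's configuration would drop."""
    have = effective_levels(log_sections, module)
    return [level for level in required if level not in have]

# Constructed log sections, as they would appear after parsing qdrouterd.conf.
LOGS = [
    {"module": "DEFAULT", "enable": "trace,debug,warning+"},
    {"module": "POLICY", "enable": "none"},
    {"module": "SERVER", "enable": "default"},
]

if __name__ == "__main__":
    for module in ("SERVER", "POLICY", "ROUTER"):
        print(module, effective_levels(LOGS, module), audit_gaps(LOGS, module))
```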

fixedAddress

(DEPRECATED) Establishes treatment for addresses starting with a prefix. This entity has been deprecated. Use address instead

prefix (string, required)
The address prefix (always starting with '/').
phase (integer)
The phase of a multi-hop address passing through one or more waypoints.
fanout (One of ['multiple', 'single'], default='multiple')
One of 'multiple' or 'single'. Multiple fanout is a non-competing pattern. If there are multiple consumers using the same address, each consumer will receive its own copy of every message sent to the address. Single fanout is a competing pattern where each message is sent to only one consumer.
bias (One of ['closest', 'spread'], default='closest')
Only if fanout is single. One of 'closest' or 'spread'. Closest bias means that messages to an address will always be delivered to the closest (lowest cost) subscribed consumer. Spread bias will distribute the messages across subscribers in an approximately even manner.

waypoint

(DEPRECATED) A remote node that messages for an address pass through. This entity has been deprecated. Use autoLink instead

address (string, required)
The AMQP address of the waypoint.
connector (string, required)
The name of the on-demand connector used to reach the waypoint's container.
inPhase (integer, default=-1)
The phase of the address as it is routed _to_ the waypoint.
outPhase (integer, default=-1)
The phase of the address as it is routed _from_ the waypoint.

linkRoutePattern

(DEPRECATED) An address pattern to match against link sources and targets to cause the router to link-route the attach across the network to a remote node. This entity has been deprecated. Use linkRoute instead

prefix (string, required)
An address prefix to match against target and source addresses. This pattern must be of the form '<text>.<text1>.<textN>' or '<text>' or '<text>.' and matches any address that contains that prefix. For example, if the prefix is set to org.apache (or org.apache.), any address that has the prefix 'org.apache' (like org.apache.dev) will match. Note that a prefix must not start with a (.), can end in a (.) and can contain zero or more dots (.). Any characters between the dots are simply treated as part of the address
dir (One of ['in', 'out', 'both'], default='both')
Link direction for match: 'in' matches only links inbound to the client; 'out' matches only links outbound from the client; 'both' matches any link.
connector (string)
The name of the on-demand connector used to reach the target node's container. If this value is not provided, it means that the target container is expected to be connected to a different router in the network. This prevents links to a link-routable address from being misinterpreted as message-routing links when there is no route to a valid destination available.

address

Entity type for address configuration. This is used to configure the treatment of message-routed deliveries within a particular address-space. The configuration controls distribution and address phasing.

prefix (string, required)
The address prefix for the configured settings
distribution (One of ['multicast', 'closest', 'balanced'], default='balanced')
Treatment of traffic associated with the address
waypoint (boolean)
Designates this address space as being used for waypoints. This will cause the proper address-phasing to be used.
ingressPhase (integer)
Advanced - Override the ingress phase for this address
egressPhase (integer)
Advanced - Override the egress phase for this address

linkRoute

Entity type for link-route configuration. This is used to identify remote containers that shall be destinations for routed link-attaches. The link-routing configuration applies to an addressing space defined by a prefix.

prefix (string, required)
The address prefix for the configured settings
containerId (string)
ContainerID for the target container
connection (string)
The name from a connector or listener
distribution (One of ['linkBalanced'], default='linkBalanced')
Treatment of traffic associated with the address
dir (One of ['in', 'out'], required)
The permitted direction of links: 'in' means client senders; 'out' means client receivers

autoLink

Entity type for configuring auto-links. Auto-links are links whose lifecycle is managed by the router. These are typically used to attach to waypoints on remote containers (brokers, etc.).

addr (string, required)
The address of the provisioned object
dir (One of ['in', 'out'], required)
The direction of the link to be created. In means into the router, out means out of the router.
phase (integer)
The address phase for this link. Defaults to '0' for 'out' links and '1' for 'in' links.
containerId (string)
ContainerID for the target container
connection (string)
The name from a connector or listener

console

Start a websocket/tcp proxy and http file server to serve the web console

policy

Defines global connection limit

maximumConnections (integer)
Global maximum number of concurrent client connections allowed. Zero implies no limit. This limit is always enforced even if no other policy settings have been defined.
enableAccessRules (boolean)
Enable user rule set processing and connection denial.
policyFolder (path)
The path to a folder that holds policyRuleset definition .json files. For a small system the rulesets may all be defined in this file. At a larger scale it is better to have the policy files in their own folder and to have none of the rulesets defined here. All rulesets in all .json files in this folder are processed.
defaultApplication (string)
Application policyRuleset to use for connections with no open.hostname or a hostname that does not match any existing policy. For users that don't wish to use open.hostname or any multi-tenancy feature, this default policy can be the only policy in effect for the network.
defaultApplicationEnabled (boolean)
Enable defaultApplication policy fallback logic.

policyRuleset

Per application definition of the locations from which users may connect and the groups to which users belong.

maxConnections (integer)
Maximum number of concurrent client connections allowed. Zero implies no limit.
maxConnPerUser (integer)
Maximum number of concurrent client connections allowed for any single user. Zero implies no limit.
maxConnPerHost (integer)
Maximum number of concurrent client connections allowed for any remote host. Zero implies no limit.
userGroups (map)
A map where each key is a user group name and the corresponding value is a CSV string naming the users in that group. Users who are assigned to one or more groups are deemed 'restricted'. Restricted users are subject to connection ingress policy and are assigned policy settings based on the assigned user groups. Unrestricted users may be allowed or denied. If unrestricted users are allowed to connect then they are assigned to user group default.
ingressHostGroups (map)
A map where each key is an ingress host group name and the corresponding value is a CSV string naming the IP addresses or address ranges in that group. IP addresses may be FQDN strings or numeric IPv4 or IPv6 host addresses. A host range is two host addresses of the same address family separated with a hyphen. The wildcard host address '*' represents any host address.
ingressPolicies (map)
A map where each key is a user group name and the corresponding value is a CSV string naming the ingress host group names that restrict the ingress host for the user group. Users who are members of the user group are allowed to connect only from a host in one of the named ingress host groups.
connectionAllowDefault (boolean)
Unrestricted users, those who are not members of a defined user group, are allowed to connect to this application. Unrestricted users are assigned to the 'default' user group and receive 'default' settings.
settings (map)
A map where each key is a user group name and the value is a map of the corresponding settings for that group.
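
Added example (not part of the original manual page and not the router's policy engine): a Python sketch of how the userGroups, ingressHostGroups, ingressPolicies and connectionAllowDefault maps described above combine into an allow or deny decision for one connection. Assumptions: a user in several groups is admitted by the first group whose ingress policy matches, a group with no ingressPolicies entry admits no host, FQDN entries are compared literally without DNS resolution, and the ruleset values are constructed.

```python
import ipaddress

def _split(csv):
    return [item.strip() for item in csv.split(",") if item.strip()]

def host_matches(spec, remote):
    """Match one ingressHostGroups entry: '*', a single host, or 'low-high'."""
    if spec == "*":
        return True
    try:
        addr = ipaddress.ip_address(remote)
    except ValueError:
        return spec.lower() == remote.lower()  # remote is a name: literal compare
    low, sep, high = spec.partition("-")
    try:
        lo = ipaddress.ip_address(low.strip())
        hi = ipaddress.ip_address(high.strip()) if sep else lo
    except ValueError:
        return False  # FQDN entry: not resolved in this sketch
    # A range is two addresses of the same family; the peer must share it.
    if not (lo.version == hi.version == addr.version):
        return False
    return lo <= addr <= hi

def connection_allowed(ruleset, user, remote_host):
    """Return (allowed, user_group) for a user connecting from remote_host."""
    groups = [g for g, users in ruleset.get("userGroups", {}).items()
              if user in _split(users)]
    if not groups:  # unrestricted user
        if ruleset.get("connectionAllowDefault", False):
            return True, "default"
        return False, None
    for group in groups:  # restricted user: ingress policy applies
        for host_group in _split(ruleset.get("ingressPolicies", {}).get(group, "")):
            specs = _split(ruleset.get("ingressHostGroups", {}).get(host_group, ""))
            if any(host_matches(spec, remote_host) for spec in specs):
                return True, group
    return False, None

# Constructed ruleset using the attribute names from this section.
RULESET = {
    "userGroups": {"admins": "alice, bob", "apps": "svc-orders"},
    "ingressHostGroups": {
        "ops-lan": "10.0.5.1-10.0.5.254, 2001:db8::10",
        "anywhere": "*",
    },
    "ingressPolicies": {"admins": "ops-lan", "apps": "anywhere"},
    "connectionAllowDefault": False,
}

if __name__ == "__main__":
    for user, host in [("alice", "10.0.5.20"), ("alice", "192.0.2.7"),
                       ("svc-orders", "192.0.2.7"), ("mallory", "10.0.5.20")]:
        print(user, host, connection_allowed(RULESET, user, host))
```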

COPYRIGHT

2013, Apache Qpid <http://qpid.apache.org/>