/**
 * Attribute set of a Message VPN object. Every attribute is optional.
 *
 * The defaults and allowed values quoted in the comments below are taken from
 * the per-attribute descriptions on this page. Attributes whose description is
 * not in view carry no comment, or a hedged review note.
 */
MsgVpn: {
    // Name of another Message VPN this one is an alias for. While this VPN is
    // disabled, clients logging in here are logged in to the aliased VPN and are
    // authenticated and authorized in that VPN's context. Default "".
    alias?: string;

    // --- Basic (username/password) authentication ---
    // Default true.
    authenticationBasicEnabled?: boolean;
    // RADIUS or LDAP profile used for basic authentication. Default "default".
    authenticationBasicProfileName?: string;
    authenticationBasicRadiusDomain?: string;
    // "internal" | "ldap" | "radius" | "none"; default "radius".
    // "none" means no authentication: anonymous login is allowed.
    authenticationBasicType?: MsgVpn.authenticationBasicType;

    // --- Client certificate authentication ---
    // Default false. When disabled, the certificate CN is always used as the
    // Client Username; when enabled, the client may name one via the API.
    authenticationClientCertAllowApiProvidedUsernameEnabled?: boolean;
    // Default false. When disabled, any valid certificate is accepted.
    authenticationClientCertCertificateMatchingRulesEnabled?: boolean;
    // Default false.
    authenticationClientCertEnabled?: boolean;
    // Number of signing CA certificates allowed back to the trusted root. Default 3.
    authenticationClientCertMaxChainDepth?: number;
    // Default "allow-valid" (explicit positive revocation response required).
    // "allow-unknown" admits clients whose revocation status cannot be determined;
    // "allow-all" ignores the revocation check result.
    authenticationClientCertRevocationCheckMode?: authenticationClientCertRevocationCheckMode;
    // Certificate field used as the client username. Default "common-name".
    // "certificate-thumbprint" is the SHA-1 hash over the DER-encoded certificate.
    authenticationClientCertUsernameSource?: authenticationClientCertUsernameSource;
    // Validates "Not Before" / "Not After". Default true.
    authenticationClientCertValidateDateEnabled?: boolean;

    // --- Kerberos authentication ---
    // Default false. When disabled, the Kerberos Principal name is always used.
    authenticationKerberosAllowApiProvidedUsernameEnabled?: boolean;
    // Default false.
    authenticationKerberosEnabled?: boolean;

    // --- OAuth authentication ---
    // Profile used when the client supplies no profile name. Default "".
    authenticationOauthDefaultProfileName?: string;
    // Deprecated since 2.25; replaced by authenticationOauthDefaultProfileName.
    authenticationOauthDefaultProviderName?: string;
    // Default false.
    authenticationOauthEnabled?: boolean;

    // --- Authorization ---
    // LDAP attribute retrieved during the authorization search. Default "memberOf".
    authorizationLdapGroupMembershipAttributeName?: string;
    // Default false. When enabled, $CLIENT_USERNAME used for searching is
    // truncated at the first "@".
    authorizationLdapTrimClientUsernameDomainEnabled?: boolean;
    // LDAP Profile used for client authorization. Default "".
    authorizationProfileName?: string;
    // "ldap" | "internal"; default "internal".
    authorizationType?: authorizationType;

    // --- TLS validation of the remote broker's server certificate (Bridges) ---
    // Deprecated since 2.18. Default false. Not performed when server
    // certificate name validation is enabled.
    bridgingTlsServerCertEnforceTrustedCommonNameEnabled?: boolean;
    // Default 3.
    bridgingTlsServerCertMaxChainDepth?: number;
    // Default true. When disabled, a certificate is accepted even if it is not
    // valid according to its "Not Before" / "Not After" dates.
    bridgingTlsServerCertValidateDateEnabled?: boolean;
    // Default true. Checks the name used to connect against the names in the
    // certificate returned by the remote router.
    bridgingTlsServerCertValidateNameEnabled?: boolean;

    // Deprecated since 2.28. Default true.
    distributedCacheManagementEnabled?: boolean;
    // Dynamic Message Routing. Default false.
    dmrEnabled?: boolean;
    // Enables the Message VPN itself. Default false.
    enabled?: boolean;

    // --- Event thresholds and event publishing ---
    // EventThreshold / EventThresholdByValue are declared elsewhere; the page
    // lists these attributes without a description.
    eventConnectionCountThreshold?: EventThreshold;
    eventEgressFlowCountThreshold?: EventThreshold;
    eventEgressMsgRateThreshold?: EventThresholdByValue;
    eventEndpointCountThreshold?: EventThreshold;
    eventIngressFlowCountThreshold?: EventThreshold;
    eventIngressMsgRateThreshold?: EventThresholdByValue;
    // Size in kilobytes above which a message counts as large. Default 1024.
    eventLargeMsgThreshold?: number;
    // Prefix applied to all published Events in the Message VPN. Default "".
    eventLogTag?: string;
    eventMsgSpoolUsageThreshold?: EventThreshold;
    // Default false.
    eventPublishClientEnabled?: boolean;
    // Default false.
    eventPublishMsgVpnEnabled?: boolean;
    // Default "off".
    eventPublishSubscriptionMode?: eventPublishSubscriptionMode;
    // Default false.
    eventPublishTopicFormatMqttEnabled?: boolean;
    // Default true.
    eventPublishTopicFormatSmfEnabled?: boolean;
    eventServiceAmqpConnectionCountThreshold?: EventThreshold;
    eventServiceMqttConnectionCountThreshold?: EventThreshold;
    eventServiceRestIncomingConnectionCountThreshold?: EventThreshold;
    eventServiceSmfConnectionCountThreshold?: EventThreshold;
    eventServiceWebConnectionCountThreshold?: EventThreshold;
    eventSubscriptionCountThreshold?: EventThreshold;
    eventTransactedSessionCountThreshold?: EventThreshold;
    eventTransactionCountThreshold?: EventThreshold;

    // Export of subscriptions to other routers over Neighbor links. Default false.
    exportSubscriptionsEnabled?: boolean;
    // JNDI access for clients. Default false.
    jndiEnabled?: boolean;

    // --- Resource limits ---
    // Default is the maximum value supported by the platform.
    maxConnectionCount?: number;
    // Default 1000.
    maxEgressFlowCount?: number;
    // Queues plus Topic Endpoints. Default 1000.
    maxEndpointCount?: number;
    // Default 1000.
    maxIngressFlowCount?: number;
    // Megabytes. Default 0.
    maxMsgSpoolUsage?: number;
    // Not enforced when a subscription is added through a management interface
    // such as CLI or SEMP. Default varies by platform.
    maxSubscriptionCount?: number;
    // Default varies by platform.
    maxTransactedSessionCount?: number;
    // Default varies by platform.
    maxTransactionCount?: number;
    // MB. -1 (default) = bounded only by the global limit; 0 keeps MQTT Retain
    // from becoming operational.
    mqttRetainMaxMemory?: number;
    // The name of the Message VPN.
    msgVpnName?: string;

    // --- Replication ---
    // ACK propagation interval, in replicated messages. Default 20.
    replicationAckPropagationIntervalMsgCount?: number;
    // Client Username the replication Bridge logs in to the remote VPN with.
    replicationBridgeAuthenticationBasicClientUsername?: string;
    // Secret: absent from a GET, and not updated when absent in a PUT (subject to
    // the exceptions the page calls "note 4").
    replicationBridgeAuthenticationBasicPassword?: string;
    // Secret: PEM content holding a private key plus one to three certificates.
    // Absent from a GET; changing it requires an HTTPS connection.
    replicationBridgeAuthenticationClientCertContent?: string;
    // Secret: password for the client certificate. Absent from a GET; changing it
    // requires an HTTPS connection.
    replicationBridgeAuthenticationClientCertPassword?: string;
    // "basic" | "client-certificate"; default "basic".
    replicationBridgeAuthenticationScheme?: replicationBridgeAuthenticationScheme;
    // Default false.
    replicationBridgeCompressedDataEnabled?: boolean;
    // Window size in messages. Default 255.
    replicationBridgeEgressFlowWindowSize?: number;
    // Seconds before the Bridge connection is retried. Default 3.
    replicationBridgeRetryDelay?: number;
    // TLS encryption of the replication Bridge connection. Default false.
    replicationBridgeTlsEnabled?: boolean;
    // Used only for the TCP parameters. Default "#client-profile".
    replicationBridgeUnidirectionalClientProfileName?: string;
    // Default false.
    replicationEnabled?: boolean;
    // Default "fail-on-existing-queue". Absent from a GET.
    // "force-use-existing-queue" forwards messages already on the queue;
    // "force-recreate-queue" discards them.
    replicationEnabledQueueBehavior?: replicationEnabledQueueBehavior;
    // Megabytes. Default 60000.
    replicationQueueMaxMsgSpoolUsage?: number;
    // Default true.
    replicationQueueRejectMsgToSenderOnDiscardEnabled?: boolean;
    // Default false.
    replicationRejectMsgWhenSyncIneligibleEnabled?: boolean;
    // "active" | "standby"; default "standby".
    replicationRole?: replicationRole;
    // "sync" | "async"; default "async". Applied only when a transaction starts.
    replicationTransactionMode?: replicationTransactionMode;

    // --- TLS validation of the remote REST Consumer's server certificate ---
    // Deprecated since 2.17. Default false. Not performed when server
    // certificate name validation is enabled.
    restTlsServerCertEnforceTrustedCommonNameEnabled?: boolean;
    // Default 3.
    restTlsServerCertMaxChainDepth?: number;
    // Default true.
    restTlsServerCertValidateDateEnabled?: boolean;
    // Default true.
    restTlsServerCertValidateNameEnabled?: boolean;

    // --- SEMP over the message bus ---
    // "admin client" commands. Default false.
    sempOverMsgBusAdminClientEnabled?: boolean;
    // "admin distributed-cache" commands. Default false.
    sempOverMsgBusAdminDistributedCacheEnabled?: boolean;
    // "admin" commands. Default false.
    sempOverMsgBusAdminEnabled?: boolean;
    // NOTE(review): the descriptions of the attributes from here to the end of
    // the type are not in view; confirm their defaults before relying on them.
    sempOverMsgBusEnabled?: boolean;
    sempOverMsgBusShowEnabled?: boolean;

    // --- Per-protocol services (AMQP, MQTT, REST, SMF, Web) ---
    // NOTE(review): each protocol has separate PlainText and Tls switches and
    // listen ports; presumably a PlainText listener carries unencrypted client
    // traffic — verify against the attribute descriptions.
    serviceAmqpMaxConnectionCount?: number;
    serviceAmqpPlainTextEnabled?: boolean;
    serviceAmqpPlainTextListenPort?: number;
    serviceAmqpTlsEnabled?: boolean;
    serviceAmqpTlsListenPort?: number;
    serviceMqttAuthenticationClientCertRequest?: serviceMqttAuthenticationClientCertRequest;
    serviceMqttMaxConnectionCount?: number;
    serviceMqttPlainTextEnabled?: boolean;
    serviceMqttPlainTextListenPort?: number;
    serviceMqttTlsEnabled?: boolean;
    serviceMqttTlsListenPort?: number;
    serviceMqttTlsWebSocketEnabled?: boolean;
    serviceMqttTlsWebSocketListenPort?: number;
    serviceMqttWebSocketEnabled?: boolean;
    serviceMqttWebSocketListenPort?: number;
    serviceRestIncomingAuthenticationClientCertRequest?: serviceRestIncomingAuthenticationClientCertRequest;
    serviceRestIncomingAuthorizationHeaderHandling?: serviceRestIncomingAuthorizationHeaderHandling;
    serviceRestIncomingMaxConnectionCount?: number;
    serviceRestIncomingPlainTextEnabled?: boolean;
    serviceRestIncomingPlainTextListenPort?: number;
    serviceRestIncomingTlsEnabled?: boolean;
    serviceRestIncomingTlsListenPort?: number;
    serviceRestMode?: serviceRestMode;
    serviceRestOutgoingMaxConnectionCount?: number;
    serviceSmfMaxConnectionCount?: number;
    serviceSmfPlainTextEnabled?: boolean;
    serviceSmfTlsEnabled?: boolean;
    serviceWebAuthenticationClientCertRequest?: serviceWebAuthenticationClientCertRequest;
    serviceWebMaxConnectionCount?: number;
    serviceWebPlainTextEnabled?: boolean;
    serviceWebTlsEnabled?: boolean;
    // NOTE(review): the name suggests this permits a TLS session to fall back to
    // plain text; its description and default are not in view — confirm.
    tlsAllowDowngradeToPlainTextEnabled?: boolean;
}

Type declaration

  • Optional alias?: string

    The name of another Message VPN which this Message VPN is an alias for. When this Message VPN is enabled, the alias has no effect. When this Message VPN is disabled, Clients (but not Bridges and routing Links) logging into this Message VPN are automatically logged in to the other Message VPN, and authentication and authorization take place in the context of the other Message VPN.

    Aliases may form a non-circular chain, cascading one to the next. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is "". Available since 2.14.

  • Optional authenticationBasicEnabled?: boolean

    Enable or disable basic authentication for clients connecting to the Message VPN. Basic authentication is authentication that involves the use of a username and password to prove identity. If a user provides credentials for a different authentication scheme, this setting is not applicable. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is true.

  • Optional authenticationBasicProfileName?: string

    The name of the RADIUS or LDAP Profile to use for basic authentication. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is "default".

  • Optional authenticationBasicRadiusDomain?: string

    The RADIUS domain to use for basic authentication. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is "".

  • Optional authenticationBasicType?: MsgVpn.authenticationBasicType

    The type of basic authentication to use for clients connecting to the Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is "radius". The allowed values and their meaning are:

    "internal" - Internal database. Authentication is against Client Usernames.
    "ldap" - LDAP authentication. An LDAP profile name must be provided.
    "radius" - RADIUS authentication. A RADIUS profile name must be provided.
    "none" - No authentication. Anonymous login allowed.
    
  • Optional authenticationClientCertAllowApiProvidedUsernameEnabled?: boolean

    Enable or disable allowing a client to specify a Client Username via the API connect method. When disabled, the certificate CN (Common Name) is always used. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false.

  • Optional authenticationClientCertCertificateMatchingRulesEnabled?: boolean

    Enable or disable certificate matching rules. When disabled, any valid certificate is accepted. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false. Available since 2.27.

  • Optional authenticationClientCertEnabled?: boolean

    Enable or disable client certificate authentication in the Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false.

  • Optional authenticationClientCertMaxChainDepth?: number

    The maximum depth for a client certificate chain. The depth of a chain is defined as the number of signing CA certificates that are present in the chain back to a trusted self-signed root CA certificate. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is 3.

  • Optional authenticationClientCertRevocationCheckMode?: authenticationClientCertRevocationCheckMode

    The desired behavior for client certificate revocation checking. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is "allow-valid". The allowed values and their meaning are:

    "allow-all" - Allow the client to authenticate; the result of the client certificate revocation check is ignored.
    "allow-unknown" - Allow the client to authenticate even if the revocation status of its certificate cannot be determined.
    "allow-valid" - Allow the client to authenticate only when the revocation check returned an explicit positive response.
    

    Available since 2.6.

  • Optional authenticationClientCertUsernameSource?: authenticationClientCertUsernameSource

    The field from the client certificate to use as the client username. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is "common-name". The allowed values and their meaning are:

    "certificate-thumbprint" - The username is computed as the SHA-1 hash over the entire DER-encoded contents of the client certificate.
    "common-name" - The username is extracted from the certificate's first instance of the Common Name attribute in the Subject DN.
    "common-name-last" - The username is extracted from the certificate's last instance of the Common Name attribute in the Subject DN.
    "subject-alternate-name-msupn" - The username is extracted from the certificate's Other Name type of the Subject Alternative Name and must have the msUPN signature.
    "uid" - The username is extracted from the certificate's first instance of the User Identifier attribute in the Subject DN.
    "uid-last" - The username is extracted from the certificate's last instance of the User Identifier attribute in the Subject DN.
    

    Available since 2.6.

  • Optional authenticationClientCertValidateDateEnabled?: boolean

    Enable or disable validation of the "Not Before" and "Not After" validity dates in the client certificate. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is true.

  • Optional authenticationKerberosAllowApiProvidedUsernameEnabled?: boolean

    Enable or disable allowing a client to specify a Client Username via the API connect method. When disabled, the Kerberos Principal name is always used. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false.

  • Optional authenticationKerberosEnabled?: boolean

    Enable or disable Kerberos authentication in the Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false.

  • Optional authenticationOauthDefaultProfileName?: string

    The name of the profile to use when the client does not supply a profile name. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is "". Available since 2.25.

  • Optional authenticationOauthDefaultProviderName?: string

    The name of the provider to use when the client does not supply a provider name. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is "". Deprecated since 2.25. authenticationOauthDefaultProviderName and authenticationOauthProviders replaced by authenticationOauthDefaultProfileName and authenticationOauthProfiles.

  • Optional authenticationOauthEnabled?: boolean

    Enable or disable OAuth authentication. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false. Available since 2.13.

  • Optional authorizationLdapGroupMembershipAttributeName?: string

    The name of the attribute that is retrieved from the LDAP server as part of the LDAP search when authorizing a client connecting to the Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is "memberOf".

  • Optional authorizationLdapTrimClientUsernameDomainEnabled?: boolean

    Enable or disable client-username domain trimming for LDAP lookups of client connections. When enabled, the value of $CLIENT_USERNAME (when used for searching) will be truncated at the first occurrence of the @ character. For example, if the client-username is in the form of an email address, then the domain portion will be removed. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false. Available since 2.13.

  • Optional authorizationProfileName?: string

    The name of the LDAP Profile to use for client authorization. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is "".

  • Optional authorizationType?: authorizationType

    The type of authorization to use for clients connecting to the Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is "internal". The allowed values and their meaning are:

    "ldap" - LDAP authorization.
    "internal" - Internal authorization.
    
  • Optional bridgingTlsServerCertEnforceTrustedCommonNameEnabled?: boolean

    Enable or disable validation of the Common Name (CN) in the server certificate from the remote broker. If enabled, the Common Name is checked against the list of Trusted Common Names configured for the Bridge. Common Name validation is not performed if Server Certificate Name Validation is enabled, even if Common Name validation is enabled. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false. Deprecated since 2.18. Common Name validation has been replaced by Server Certificate Name validation.

  • Optional bridgingTlsServerCertMaxChainDepth?: number

    The maximum depth for a server certificate chain. The depth of a chain is defined as the number of signing CA certificates that are present in the chain back to a trusted self-signed root CA certificate. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is 3.

  • Optional bridgingTlsServerCertValidateDateEnabled?: boolean

    Enable or disable validation of the "Not Before" and "Not After" validity dates in the server certificate. When disabled, a certificate will be accepted even if the certificate is not valid based on these dates. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is true.

  • Optional bridgingTlsServerCertValidateNameEnabled?: boolean

    Enable or disable the standard TLS authentication mechanism of verifying the name used to connect to the bridge. If enabled, the name used to connect to the bridge is checked against the names specified in the certificate returned by the remote router. Legacy Common Name validation is not performed if Server Certificate Name Validation is enabled, even if Common Name validation is also enabled. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is true. Available since 2.18.

  • Optional distributedCacheManagementEnabled?: boolean

    Enable or disable managing of cache instances over the message bus. The default value is true. Deprecated since 2.28. Distributed cache management is now redundancy aware and thus no longer requires administrative intervention for operational state.

  • Optional dmrEnabled?: boolean

    Enable or disable Dynamic Message Routing (DMR) for the Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false. Available since 2.11.

  • Optional enabled?: boolean

    Enable or disable the Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false.

  • Optional eventConnectionCountThreshold?: EventThreshold
  • Optional eventEgressFlowCountThreshold?: EventThreshold
  • Optional eventEgressMsgRateThreshold?: EventThresholdByValue
  • Optional eventEndpointCountThreshold?: EventThreshold
  • Optional eventIngressFlowCountThreshold?: EventThreshold
  • Optional eventIngressMsgRateThreshold?: EventThresholdByValue
  • Optional eventLargeMsgThreshold?: number

    The threshold, in kilobytes, after which a message is considered to be large for the Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is 1024.

  • Optional eventLogTag?: string

    A prefix applied to all published Events in the Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is "".

  • Optional eventMsgSpoolUsageThreshold?: EventThreshold
  • Optional eventPublishClientEnabled?: boolean

    Enable or disable Client level Event message publishing. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false.

  • Optional eventPublishMsgVpnEnabled?: boolean

    Enable or disable Message VPN level Event message publishing. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false.

  • Optional eventPublishSubscriptionMode?: eventPublishSubscriptionMode

    Subscription level Event message publishing mode. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is "off". The allowed values and their meaning are:

    "off" - Disable client level event message publishing.
    "on-with-format-v1" - Enable client level event message publishing with format v1.
    "on-with-no-unsubscribe-events-on-disconnect-format-v1" - As "on-with-format-v1", but unsubscribe events are not generated when a client disconnects. Unsubscribe events are still raised when a client explicitly unsubscribes from its subscriptions.
    "on-with-format-v2" - Enable client level event message publishing with format v2.
    "on-with-no-unsubscribe-events-on-disconnect-format-v2" - As "on-with-format-v2", but unsubscribe events are not generated when a client disconnects. Unsubscribe events are still raised when a client explicitly unsubscribes from its subscriptions.
    
  • Optional eventPublishTopicFormatMqttEnabled?: boolean

    Enable or disable Event publish topics in MQTT format. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false.

  • Optional eventPublishTopicFormatSmfEnabled?: boolean

    Enable or disable Event publish topics in SMF format. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is true.

  • Optional eventServiceAmqpConnectionCountThreshold?: EventThreshold
  • Optional eventServiceMqttConnectionCountThreshold?: EventThreshold
  • Optional eventServiceRestIncomingConnectionCountThreshold?: EventThreshold
  • Optional eventServiceSmfConnectionCountThreshold?: EventThreshold
  • Optional eventServiceWebConnectionCountThreshold?: EventThreshold
  • Optional eventSubscriptionCountThreshold?: EventThreshold
  • Optional eventTransactedSessionCountThreshold?: EventThreshold
  • Optional eventTransactionCountThreshold?: EventThreshold
  • Optional exportSubscriptionsEnabled?: boolean

    Enable or disable the export of subscriptions in the Message VPN to other routers in the network over Neighbor links. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false.

  • Optional jndiEnabled?: boolean

    Enable or disable JNDI access for clients in the Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false. Available since 2.2.

  • Optional maxConnectionCount?: number

    The maximum number of client connections to the Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default is the maximum value supported by the platform.

  • Optional maxEgressFlowCount?: number

    The maximum number of transmit flows that can be created in the Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is 1000.

  • Optional maxEndpointCount?: number

    The maximum number of Queues and Topic Endpoints that can be created in the Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is 1000.

  • Optional maxIngressFlowCount?: number

    The maximum number of receive flows that can be created in the Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is 1000.

  • Optional maxMsgSpoolUsage?: number

    The maximum message spool usage by the Message VPN, in megabytes. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is 0.

  • Optional maxSubscriptionCount?: number

    The maximum number of local client subscriptions that can be added to the Message VPN. This limit is not enforced when a subscription is added using a management interface, such as CLI or SEMP. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default varies by platform.

  • Optional maxTransactedSessionCount?: number

    The maximum number of transacted sessions that can be created in the Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default varies by platform.

  • Optional maxTransactionCount?: number

    The maximum number of transactions that can be created in the Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default varies by platform.

  • Optional mqttRetainMaxMemory?: number

    The maximum total memory usage of the MQTT Retain feature for this Message VPN, in MB. If the maximum memory is reached, any arriving retain messages that require more memory are discarded. A value of -1 indicates that the memory is bounded only by the global max memory limit. A value of 0 prevents MQTT Retain from becoming operational. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is -1. Available since 2.11.

  • Optional msgVpnName?: string

    The name of the Message VPN.

  • Optional replicationAckPropagationIntervalMsgCount?: number

    The acknowledgement (ACK) propagation interval for the replication Bridge, in number of replicated messages. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is 20.

  • Optional replicationBridgeAuthenticationBasicClientUsername?: string

    The Client Username the replication Bridge uses to login to the remote Message VPN. Changes to this attribute are synchronized to HA mates via config-sync. The default value is "".

  • Optional replicationBridgeAuthenticationBasicPassword?: string

    The password for the Client Username. This attribute is absent from a GET and not updated when absent in a PUT, subject to the exceptions in note 4. Changes to this attribute are synchronized to HA mates via config-sync. The default value is "".

  • Optional replicationBridgeAuthenticationClientCertContent?: string

    The PEM formatted content for the client certificate used by this bridge to login to the Remote Message VPN. It must consist of a private key and between one and three certificates comprising the certificate trust chain. This attribute is absent from a GET and not updated when absent in a PUT, subject to the exceptions in note 4. Changing this attribute requires an HTTPS connection. The default value is "". Available since 2.9.

  • Optional replicationBridgeAuthenticationClientCertPassword?: string

    The password for the client certificate. This attribute is absent from a GET and not updated when absent in a PUT, subject to the exceptions in note 4. Changing this attribute requires an HTTPS connection. The default value is "". Available since 2.9.

  • Optional replicationBridgeAuthenticationScheme?: replicationBridgeAuthenticationScheme

    The authentication scheme for the replication Bridge in the Message VPN. Changes to this attribute are synchronized to HA mates via config-sync. The default value is "basic". The allowed values and their meaning are:

    "basic" - Basic Authentication Scheme (via username and password).
    "client-certificate" - Client Certificate Authentication Scheme (via certificate file or content).
    
  • Optional replicationBridgeCompressedDataEnabled?: boolean

    Enable or disable use of compression for the replication Bridge. Changes to this attribute are synchronized to HA mates via config-sync. The default value is false.

  • Optional replicationBridgeEgressFlowWindowSize?: number

    The size of the window used for guaranteed messages published to the replication Bridge, in messages. Changes to this attribute are synchronized to HA mates via config-sync. The default value is 255.

  • Optional replicationBridgeRetryDelay?: number

    The number of seconds that must pass before retrying the replication Bridge connection. Changes to this attribute are synchronized to HA mates via config-sync. The default value is 3.

  • Optional replicationBridgeTlsEnabled?: boolean

    Enable or disable use of encryption (TLS) for the replication Bridge connection. Changes to this attribute are synchronized to HA mates via config-sync. The default value is false.

  • Optional replicationBridgeUnidirectionalClientProfileName?: string

    The Client Profile for the unidirectional replication Bridge in the Message VPN. It is used only for the TCP parameters. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is "#client-profile".

  • Optional replicationEnabled?: boolean

    Enable or disable replication for the Message VPN. Changes to this attribute are synchronized to HA mates via config-sync. The default value is false.

  • Optional replicationEnabledQueueBehavior?: replicationEnabledQueueBehavior

    The behavior to take when enabling replication for the Message VPN, depending on the existence of the replication Queue. This attribute is absent from a GET and not updated when absent in a PUT, subject to the exceptions in note 4. Changes to this attribute are synchronized to HA mates via config-sync. The default value is "fail-on-existing-queue". The allowed values and their meaning are:

    "fail-on-existing-queue" - The data replication queue must not already exist.
    "force-use-existing-queue" - The data replication queue must already exist. Any data messages on the Queue will be forwarded to interested applications. IMPORTANT: Before using this mode, be certain that the messages are not stale or otherwise unsuitable to be forwarded. This mode can only be specified when the existing queue is configured the same as is currently specified under replication configuration; otherwise, enabling replication will fail.
    "force-recreate-queue" - The data replication queue must already exist. Any data messages on the Queue will be discarded. IMPORTANT: Before using this mode be certain that the messages on the existing data replication queue are not needed by interested applications.
    
  • Optional replicationQueueMaxMsgSpoolUsage?: number

    The maximum message spool usage by the replication Bridge local Queue (quota), in megabytes. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is 60000.

  • Optional replicationQueueRejectMsgToSenderOnDiscardEnabled?: boolean

    Enable or disable whether messages discarded on the replication Bridge local Queue are rejected back to the sender. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is true.

  • Optional replicationRejectMsgWhenSyncIneligibleEnabled?: boolean

    Enable or disable whether guaranteed messages published to synchronously replicated Topics are rejected back to the sender when synchronous replication becomes ineligible. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false.

  • Optional replicationRole?: replicationRole

    The replication role for the Message VPN. Changes to this attribute are synchronized to HA mates via config-sync. The default value is "standby". The allowed values and their meaning are:

    "active" - Assume the Active role in replication for the Message VPN.
    "standby" - Assume the Standby role in replication for the Message VPN.
    
  • Optional replicationTransactionMode?: replicationTransactionMode

    The transaction replication mode for all transactions within the Message VPN. Changing this value during operation will not affect existing transactions; it is only used upon starting a transaction. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is "async". The allowed values and their meaning are:

    "sync" - Messages are acknowledged when replicated (spooled remotely).
    "async" - Messages are acknowledged when pending replication (spooled locally).
    
  • Optional restTlsServerCertEnforceTrustedCommonNameEnabled?: boolean

    Enable or disable validation of the Common Name (CN) in the server certificate from the remote REST Consumer. If enabled, the Common Name is checked against the list of Trusted Common Names configured for the REST Consumer. Common Name validation is not performed if Server Certificate Name Validation is enabled, even if Common Name validation is enabled. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false. Deprecated since 2.17. Common Name validation has been replaced by Server Certificate Name validation.

  • Optional restTlsServerCertMaxChainDepth?: number

    The maximum depth for a REST Consumer server certificate chain. The depth of a chain is defined as the number of signing CA certificates that are present in the chain back to a trusted self-signed root CA certificate. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is 3.

  • Optional restTlsServerCertValidateDateEnabled?: boolean

    Enable or disable validation of the "Not Before" and "Not After" validity dates in the REST Consumer server certificate. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is true.

  • Optional restTlsServerCertValidateNameEnabled?: boolean

    Enable or disable the standard TLS authentication mechanism of verifying the name used to connect to the remote REST Consumer. If enabled, the name used to connect to the remote REST Consumer is checked against the names specified in the certificate returned by the remote REST Consumer. Legacy Common Name validation is not performed if Server Certificate Name Validation is enabled, even if Common Name validation is also enabled. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is true. Available since 2.17.

  • Optional sempOverMsgBusAdminClientEnabled?: boolean

    Enable or disable "admin client" SEMP over the message bus commands for the current Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false.

  • Optional sempOverMsgBusAdminDistributedCacheEnabled?: boolean

    Enable or disable "admin distributed-cache" SEMP over the message bus commands for the current Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false.

  • Optional sempOverMsgBusAdminEnabled?: boolean

    Enable or disable "admin" SEMP over the message bus commands for the current Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false.

  • Optional sempOverMsgBusEnabled?: boolean

    Enable or disable SEMP over the message bus for the current Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is true.

  • Optional sempOverMsgBusShowEnabled?: boolean

    Enable or disable "show" SEMP over the message bus commands for the current Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false.

  • Optional serviceAmqpMaxConnectionCount?: number

    The maximum number of AMQP client connections that can be simultaneously connected to the Message VPN. This value may be higher than supported by the platform. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default is the maximum value supported by the platform. Available since 2.7.

  • Optional serviceAmqpPlainTextEnabled?: boolean

    Enable or disable the plain-text AMQP service in the Message VPN. Disabling causes clients connected to the corresponding listen-port to be disconnected. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false. Available since 2.7.

  • Optional serviceAmqpPlainTextListenPort?: number

    The port number for plain-text AMQP clients that connect to the Message VPN. The port must be unique across the message backbone. A value of 0 means that the listen-port is unassigned and cannot be enabled. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is 0. Available since 2.7.

  • Optional serviceAmqpTlsEnabled?: boolean

    Enable or disable the use of encryption (TLS) for the AMQP service in the Message VPN. Disabling causes clients currently connected over TLS to be disconnected. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false. Available since 2.7.

  • Optional serviceAmqpTlsListenPort?: number

    The port number for AMQP clients that connect to the Message VPN over TLS. The port must be unique across the message backbone. A value of 0 means that the listen-port is unassigned and cannot be enabled. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is 0. Available since 2.7.

  • Optional serviceMqttAuthenticationClientCertRequest?: serviceMqttAuthenticationClientCertRequest

    Determines when to request a client certificate from an incoming MQTT client connecting via a TLS port. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is "when-enabled-in-message-vpn". The allowed values and their meaning are:

    "always" - Always ask for a client certificate regardless of the "message-vpn > authentication > client-certificate > shutdown" configuration.
    "never" - Never ask for a client certificate regardless of the "message-vpn > authentication > client-certificate > shutdown" configuration.
    "when-enabled-in-message-vpn" - Only ask for a client certificate if client certificate authentication is enabled under "message-vpn > authentication > client-certificate > shutdown".
    

    Available since 2.21.

  • Optional serviceMqttMaxConnectionCount?: number

    The maximum number of MQTT client connections that can be simultaneously connected to the Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default is the maximum value supported by the platform. Available since 2.1.

  • Optional serviceMqttPlainTextEnabled?: boolean

    Enable or disable the plain-text MQTT service in the Message VPN. Disabling causes clients currently connected to be disconnected. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false. Available since 2.1.

  • Optional serviceMqttPlainTextListenPort?: number

    The port number for plain-text MQTT clients that connect to the Message VPN. The port must be unique across the message backbone. A value of 0 means that the listen-port is unassigned and cannot be enabled. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is 0. Available since 2.1.

  • Optional serviceMqttTlsEnabled?: boolean

    Enable or disable the use of encryption (TLS) for the MQTT service in the Message VPN. Disabling causes clients currently connected over TLS to be disconnected. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false. Available since 2.1.

  • Optional serviceMqttTlsListenPort?: number

    The port number for MQTT clients that connect to the Message VPN over TLS. The port must be unique across the message backbone. A value of 0 means that the listen-port is unassigned and cannot be enabled. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is 0. Available since 2.1.

  • Optional serviceMqttTlsWebSocketEnabled?: boolean

    Enable or disable the use of encrypted WebSocket (WebSocket over TLS) for the MQTT service in the Message VPN. Disabling causes clients currently connected by encrypted WebSocket to be disconnected. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false. Available since 2.1.

  • Optional serviceMqttTlsWebSocketListenPort?: number

    The port number for MQTT clients that connect to the Message VPN using WebSocket over TLS. The port must be unique across the message backbone. A value of 0 means that the listen-port is unassigned and cannot be enabled. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is 0. Available since 2.1.

  • Optional serviceMqttWebSocketEnabled?: boolean

    Enable or disable the use of WebSocket for the MQTT service in the Message VPN. Disabling causes clients currently connected by WebSocket to be disconnected. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false. Available since 2.1.

  • Optional serviceMqttWebSocketListenPort?: number

    The port number for plain-text MQTT clients that connect to the Message VPN using WebSocket. The port must be unique across the message backbone. A value of 0 means that the listen-port is unassigned and cannot be enabled. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is 0. Available since 2.1.

  • Optional serviceRestIncomingAuthenticationClientCertRequest?: serviceRestIncomingAuthenticationClientCertRequest

    Determines when to request a client certificate from an incoming REST Producer connecting via a TLS port. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is "when-enabled-in-message-vpn". The allowed values and their meaning are:

    "always" - Always ask for a client certificate regardless of the "message-vpn > authentication > client-certificate > shutdown" configuration.
    "never" - Never ask for a client certificate regardless of the "message-vpn > authentication > client-certificate > shutdown" configuration.
    "when-enabled-in-message-vpn" - Only ask for a client certificate if client certificate authentication is enabled under "message-vpn > authentication > client-certificate > shutdown".
    

    Available since 2.21.

  • Optional serviceRestIncomingAuthorizationHeaderHandling?: serviceRestIncomingAuthorizationHeaderHandling

    The handling of Authorization headers for incoming REST connections. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is "drop". The allowed values and their meaning are:

    "drop" - Do not attach the Authorization header to the message as a user property. This is the most secure configuration.
    "forward" - Forward the Authorization header, attaching it to the message as a user property in the same way as other headers. For best security, use the drop setting.
    "legacy" - If the Authorization header was used for authentication to the broker, do not attach it to the message. If the Authorization header was not used for authentication to the broker, attach it to the message as a user property in the same way as other headers. For best security, use the drop setting.
    

    Available since 2.19.

  • Optional serviceRestIncomingMaxConnectionCount?: number

    The maximum number of REST incoming client connections that can be simultaneously connected to the Message VPN. This value may be higher than supported by the platform. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default is the maximum value supported by the platform.

  • Optional serviceRestIncomingPlainTextEnabled?: boolean

    Enable or disable the plain-text REST service for incoming clients in the Message VPN. Disabling causes clients currently connected to be disconnected. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false.

  • Optional serviceRestIncomingPlainTextListenPort?: number

    The port number for incoming plain-text REST clients that connect to the Message VPN. The port must be unique across the message backbone. A value of 0 means that the listen-port is unassigned and cannot be enabled. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is 0.

  • Optional serviceRestIncomingTlsEnabled?: boolean

    Enable or disable the use of encryption (TLS) for the REST service for incoming clients in the Message VPN. Disabling causes clients currently connected over TLS to be disconnected. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false.

  • Optional serviceRestIncomingTlsListenPort?: number

    The port number for incoming REST clients that connect to the Message VPN over TLS. The port must be unique across the message backbone. A value of 0 means that the listen-port is unassigned and cannot be enabled. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is 0.

  • Optional serviceRestMode?: serviceRestMode

    The REST service mode for incoming REST clients that connect to the Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is "messaging". The allowed values and their meaning are:

    "gateway" - Act as a message gateway through which REST messages are propagated.
    "messaging" - Act as a message broker on which REST messages are queued.
    

    Available since 2.6.

  • Optional serviceRestOutgoingMaxConnectionCount?: number

    The maximum number of REST Consumer (outgoing) client connections that can be simultaneously connected to the Message VPN. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default varies by platform.

  • Optional serviceSmfMaxConnectionCount?: number

    The maximum number of SMF client connections that can be simultaneously connected to the Message VPN. This value may be higher than supported by the platform. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default varies by platform.

  • Optional serviceSmfPlainTextEnabled?: boolean

    Enable or disable the plain-text SMF service in the Message VPN. Disabling causes clients currently connected to be disconnected. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is true.

  • Optional serviceSmfTlsEnabled?: boolean

    Enable or disable the use of encryption (TLS) for the SMF service in the Message VPN. Disabling causes clients currently connected over TLS to be disconnected. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is true.

  • Optional serviceWebAuthenticationClientCertRequest?: serviceWebAuthenticationClientCertRequest

    Determines when to request a client certificate from a Web Transport client connecting via a TLS port. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is "when-enabled-in-message-vpn". The allowed values and their meaning are:

    "always" - Always ask for a client certificate regardless of the "message-vpn > authentication > client-certificate > shutdown" configuration.
    "never" - Never ask for a client certificate regardless of the "message-vpn > authentication > client-certificate > shutdown" configuration.
    "when-enabled-in-message-vpn" - Only ask for a client certificate if client certificate authentication is enabled under "message-vpn > authentication > client-certificate > shutdown".
    

    Available since 2.21.

  • Optional serviceWebMaxConnectionCount?: number

    The maximum number of Web Transport client connections that can be simultaneously connected to the Message VPN. This value may be higher than supported by the platform. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default is the maximum value supported by the platform.

  • Optional serviceWebPlainTextEnabled?: boolean

    Enable or disable the plain-text Web Transport service in the Message VPN. Disabling causes clients currently connected to be disconnected. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is true.

  • Optional serviceWebTlsEnabled?: boolean

    Enable or disable the use of TLS for the Web Transport service in the Message VPN. Disabling causes clients currently connected over TLS to be disconnected. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is true.

  • Optional tlsAllowDowngradeToPlainTextEnabled?: boolean

    Enable or disable allowing TLS SMF clients to downgrade their connections to plain-text connections. Traffic on a downgraded connection is no longer encrypted. Changing this will not affect existing connections. Changes to this attribute are synchronized to HA mates and replication sites via config-sync. The default value is false.