qdrouterd.conf man page

qdrouterd.conf — configuration file for the dispatch router.

Synopsis

Provides the initial configuration when qdrouterd(8) starts. The configuration of a running router can be modified using qdmanage(8).

Description

The configuration file is made up of sections with this syntax:

sectionName {
    attributeName: attributeValue
    attributeName: attributeValue
    ...
}

For example, you can define a router using the router section:

router {
    mode: standalone
    id: Router.A
    ...
}

or define a listener using the listener section:

listener {
    host: 0.0.0.0
    port: 20102
    saslMechanisms: ANONYMOUS
    ...
}

or define a connector using the connector section:

connector {
    role: inter-router
    host: 0.0.0.0
    port: 20003
    saslMechanisms: ANONYMOUS
    ...
}

An sslProfile section with SSL credentials can be included in multiple listener or connector entities. In the following example, note how the sslProfile attribute of the listener section references the name attribute of the sslProfile section.

sslProfile {
    name: my-ssl
    certDb: ca-certificate-1.pem
    certFile: server-certificate-1.pem
    keyFile: server-private-key.pem
}

listener {
    sslProfile: my-ssl
    host: 0.0.0.0
    port: 20102
    saslMechanisms: ANONYMOUS
}
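The section syntax and the sslProfile name reference shown above can be checked mechanically before a router is started. The following Python sketch is an added example, not part of qdrouterd or its tooling: it parses the section syntax and flags settings documented in the sslProfile, listener and connector sections of this page. The function names, the handling of # comment lines, the acceptance of true alongside yes, and treating unset booleans as no are assumptions; the sample configuration is constructed.

```python
import re

# Constructed sample configuration (not taken from a real deployment).
SAMPLE_CONF = """
sslProfile {
    name: my-ssl
    password: example-only
}
listener {
    sslProfile: my-ssl
    port: 20102
    saslMechanisms: ANONYMOUS
}
listener {
    sslProfile: my-ssl
    port: 5671
    saslMechanisms: EXTERNAL
    authenticatePeer: yes
    requireSsl: yes
}
connector {
    port: 20003
    sslProfile: missing-profile
    verifyHostName: no
}
"""

def parse_conf(text):
    """Return a list of (sectionName, {attributeName: attributeValue}) pairs."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # '#' comment lines are an assumption
            continue
        opened = re.fullmatch(r"([\w.-]+)\s*\{", line)
        if opened:
            current = (opened.group(1), {})
        elif line == "}" and current:
            sections.append(current)
            current = None
        elif current and ":" in line:
            name, value = line.split(":", 1)  # values may contain ':' (e.g. ciphers)
            current[1][name.strip()] = value.strip()
    return sections

def enabled(attrs, name, default="no"):
    """Booleans appear as yes/no on this page; 'true' is also accepted (assumption)."""
    return attrs.get(name, default).lower() in ("yes", "true")

def audit(sections):
    """Return (sectionName, port-or-name, finding) tuples for risky settings."""
    profiles = {a.get("name") for s, a in sections if s == "sslProfile"}
    findings = []
    for section, attrs in sections:
        ident = attrs.get("port") or attrs.get("name")
        listener = section == "listener"
        ref = attrs.get("sslProfile") if section in ("listener", "connector") else None
        tls = enabled(attrs, "requireSsl") or enabled(attrs, "requireEncryption")
        checks = [
            (section == "sslProfile" and "password" in attrs, "password stored inline"),
            (ref is not None and ref not in profiles, "sslProfile not defined"),
            (listener and "ANONYMOUS" in attrs.get("saslMechanisms", "").split(), "ANONYMOUS accepted"),
            (listener and not enabled(attrs, "authenticatePeer"), "peer authentication not required"),
            (listener and not tls, "encryption not required"),
            (section == "connector" and not enabled(attrs, "verifyHostName", "yes"),
             "verifyHostName disabled"),
        ]
        findings += [(section, ident, msg) for bad, msg in checks if bad]
    return findings
```

Calling audit(parse_conf(SAMPLE_CONF)) returns six findings: one for the sslProfile, three for the listener on port 20102, two for the connector, and none for the listener on port 5671.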

Configuration Sections

router

Tracks peer routers and computes routes to destinations. This entity is mandatory. The router will not start without this entity.

id (string)

Router’s unique identity. The router will fail to start without id.

mode (One of [standalone, interior], default=standalone)

In standalone mode, the router operates as a single component. It does not participate in the routing protocol and therefore will not cooperate with other routers. In interior mode, the router operates in cooperation with other interior routers in an interconnected network.

helloInterval (integer, default=1)

Interval in seconds between HELLO messages sent to neighbor routers.

helloMaxAge (integer, default=3)

Time in seconds after which a neighbor is declared lost if no HELLO is received.

raInterval (integer, default=30)

Interval in seconds between Router-Advertisements sent to all routers in a stable network.

raIntervalFlux (integer, default=4)

Interval in seconds between Router-Advertisements sent to all routers during topology fluctuations.

remoteLsMaxAge (integer, default=60)

Time in seconds after which link state is declared stale if no RA is received.

workerThreads (integer, default=4)

The number of threads that will be created to process message traffic and other application work (timers, non-amqp file descriptors, etc.).

debugDump (path)

A file to dump debugging information that can’t be logged normally.

saslConfigPath (path)

Absolute path to the SASL configuration file.

saslConfigName (string, default=qdrouterd)

Name of the SASL configuration. This string + .conf is the name of the configuration file.

allowUnsettledMulticast (boolean)

If true, allow senders to send unsettled deliveries to multicast addresses. These deliveries shall be settled by the ingress router. If false, unsettled deliveries to multicast addresses shall be rejected.

defaultDistribution (One of [multicast, closest, balanced, unavailable], default=balanced)

Default forwarding treatment for any address without a specified treatment. multicast - one copy of each message delivered to all subscribers; closest - messages delivered to only the closest subscriber; balanced - messages delivered to one subscriber with load balanced across subscribers; unavailable - this address is unavailable, and link attaches to an address of unavailable distribution will be rejected.

sslProfile

Attributes for setting TLS/SSL configuration for connections.

ciphers (string)

Specifies the enabled ciphers so that the SSL ciphers can be hardened. In other words, use this field to disable weak ciphers. The ciphers are specified in the format understood by the OpenSSL library. For example, ciphers can be set to ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP. In that string the + prefix only moves the matching ciphers to the end of the list; only the ! entries remove ciphers. The full list of allowed ciphers can be viewed using the openssl ciphers command.

certDb (path)

The absolute path to the database that contains the public certificates of trusted certificate authorities (CA).

certFile (path)

The absolute path to the file containing the PEM-formatted public certificate to be used on the local end of any connections using this profile.

keyFile (path)

The absolute path to the file containing the PEM-formatted private key for the above certificate.

passwordFile (path)

If the above private key is password protected, this is the absolute path to a file containing the password that unlocks the certificate key.

password (string)

An alternative to storing the password in a file referenced by passwordFile is to supply the password right here in the configuration file. This takes precedence over the passwordFile if both are specified.

uidFormat (string)

A list of x509 client certificate fields that will be used to build a string that will uniquely identify the client certificate owner. For example, a value of cou indicates that the uid will consist of c - common name concatenated with o - organization-company name concatenated with u - organization unit; a value of o2 indicates that the uid will consist of o (organization name) concatenated with 2 (the sha256 fingerprint of the entire certificate). Allowed values can be any combination of c (ISO3166 two character country code), s (state or province), l (Locality; generally the city), o (Organization - Company Name), u (Organization Unit - typically certificate type or brand), n (CommonName - typically a user name for client certificates), 1 (sha1 certificate fingerprint; the fingerprint, as displayed in the fingerprints section when looking at a certificate with, say, a web browser, is the hash of the entire certificate), 2 (sha256 certificate fingerprint) and 5 (sha512 certificate fingerprint). The user identifier (uid) that is generated based on the uidFormat is a string which has a semicolon as a separator between the components.

displayNameFile (string)

The absolute path to the file containing the unique id to display name mapping.

authServicePlugin

EXPERIMENTAL. Attributes for setting SASL plugin.

authService (string, required)

Address of a service to delegate authentication to.

saslInitHostname (string)

Value to set for hostname field on sasl-init

authSslProfile (string)

Name of the sslProfile to use for the authentication service.

listener

Listens for incoming connections to the router.

host (string)

A host name, IPV4 or IPV6 literal, or the empty string. The empty string listens on all local addresses. A host name listens on all addresses associated with the name. An IPV6 literal address (or wildcard [::]) listens only for IPV6. An IPV4 literal address (or wildcard 0.0.0.0) listens only for IPV4.

port (string, default=amqp)

Port number or symbolic service name.

protocolFamily (One of [IPv4, IPv6])

IPv4: Internet Protocol version 4; IPv6: Internet Protocol version 6. If not specified, the protocol family will be automatically determined from the address.

role (One of [normal, inter-router, route-container], default=normal)

The role of an established connection. In the normal role, the connection is assumed to be used for AMQP clients that are doing normal message delivery over the connection. In the inter-router role, the connection is assumed to be to another router in the network. Inter-router discovery and routing protocols can only be used over inter-router connections. route-container role can be used for router-container connections, for example, a router-broker connection.

cost (integer, default=1)

For the inter-router role only. This value assigns a cost metric to the inter-router connection. The default (and minimum) value is one. Higher values represent higher costs. The cost is used to influence the routing algorithm as it attempts to use the path with the lowest total cost from ingress to egress.

sslProfile (string)

Name of the sslProfile.

saslMechanisms (string)

Space separated list of accepted SASL authentication mechanisms.

authenticatePeer (boolean)

yes: Require the peer’s identity to be authenticated; no: Do not require any authentication.

saslPlugin (string)

EXPERIMENTAL. Name of a sasl plugin configuration section to use for this listener (e.g. authServicePlugin).

requireEncryption (boolean)

yes: Require the connection to the peer to be encrypted; no: Permit non-encrypted communication with the peer

requireSsl (boolean)

yes: Require the use of SSL or TLS on the connection; no: Allow clients to connect without SSL or TLS.

trustedCerts (path)

This optional setting can be used to reduce the set of available CAs for client authentication. If used, this setting must provide the absolute path to a PEM file that contains the trusted certificates.

maxFrameSize (integer, default=16384)

The maximum frame size in octets that will be used in the connection-open negotiation with a connected peer. The frame size is the largest contiguous set of uninterrupted data that can be sent for a message delivery over the connection. Interleaving of messages on different links is done at frame granularity. Policy settings, if specified, will overwrite this value. Defaults to 16384.

maxSessions (integer, default=32768)

The maximum number of sessions that can be simultaneously active on the connection. Setting this value to zero selects the default number of sessions. Policy settings, if specified, will overwrite this value. Defaults to 32768.

maxSessionFrames (integer)

Session incoming window measured in transfer frames for sessions created on this connection. This is the number of transfer frames that may simultaneously be in flight for all links in the session. Setting this value to zero selects the default session window size. Policy settings, if specified, will overwrite this value. The numerical product of maxFrameSize and maxSessionFrames may not exceed 2^31-1. If (maxFrameSize x maxSessionFrames) exceeds 2^31-1 then maxSessionFrames is reduced to ((2^31-1) / maxFrameSize). maxSessionFrames has a minimum value of 1. Defaults to 0 (unlimited window).

idleTimeoutSeconds (integer, default=16)

The idle timeout, in seconds, for connections through this listener. If no frames are received on the connection for this time interval, the connection shall be closed.

initialHandshakeTimeoutSeconds (integer)

The timeout, in seconds, for the initial handshake for connections coming in through listeners. If the time interval expires before the peer sends the AMQP OPEN frame, the connection shall be closed. A value of zero (the default) disables this timeout.

stripAnnotations (One of [in, out, both, no], default=both)

in: Strip the dispatch router specific annotations only on ingress; out: Strip the dispatch router specific annotations only on egress; both: Strip the dispatch router specific annotations on both ingress and egress; no: Do not strip dispatch router specific annotations.

linkCapacity (integer)

The capacity of links within this connection, in terms of message deliveries. The capacity is the number of messages that can be in-flight concurrently for each link.

multiTenant (boolean)

If true, apply multi-tenancy to endpoints connected at this listener. The address space is defined by the virtual host (hostname field in the Open).

failoverList (string)

A comma-separated list of failover urls to be supplied to connected clients. Form: [(amqp|amqps|ws|wss)://]host_or_ip[:port]

http (boolean)

Accept HTTP connections that can upgrade to AMQP over WebSocket. Plain AMQP connections are not accepted on this listener.

httpRoot (path)

Serve HTTP files from this directory, defaults to the installed stand-alone console directory

logMessage (string, default=none)

A comma separated list that indicates which components of the message should be logged. Defaults to none (log nothing). If you want all properties and application properties of the message logged use all. Specific components of the message can be logged by indicating the components via a comma separated list. The components are message-id, user-id, to, subject, reply-to, correlation-id, content-type, content-encoding, absolute-expiry-time, creation-time, group-id, group-sequence, reply-to-group-id, app-properties. The application-data part of the bare message will not be logged. No spaces are allowed.

connector

Establishes an outgoing connection from the router.

host (string, default=127.0.0.1)

IP address: ipv4 or ipv6 literal or a host name

port (string, default=amqp)

Port number or symbolic service name.

protocolFamily (One of [IPv4, IPv6])

IPv4: Internet Protocol version 4; IPv6: Internet Protocol version 6. If not specified, the protocol family will be automatically determined from the address.

role (One of [normal, inter-router, route-container], default=normal)

The role of an established connection. In the normal role, the connection is assumed to be used for AMQP clients that are doing normal message delivery over the connection. In the inter-router role, the connection is assumed to be to another router in the network. Inter-router discovery and routing protocols can only be used over inter-router connections. route-container role can be used for router-container connections, for example, a router-broker connection.

cost (integer, default=1)

For the inter-router role only. This value assigns a cost metric to the inter-router connection. The default (and minimum) value is one. Higher values represent higher costs. The cost is used to influence the routing algorithm as it attempts to use the path with the lowest total cost from ingress to egress.

sslProfile (string)

Name of the sslProfile.

saslMechanisms (string)

Space separated list of accepted SASL authentication mechanisms.

allowRedirect (boolean, default=True)

Allow the peer to redirect this connection to another address.

maxFrameSize (integer, default=16384)

The maximum frame size in octets that will be used in the connection-open negotiation with a connected peer. The frame size is the largest contiguous set of uninterrupted data that can be sent for a message delivery over the connection. Interleaving of messages on different links is done at frame granularity. Policy settings will not overwrite this value. Defaults to 16384.

maxSessions (integer, default=32768)

The maximum number of sessions that can be simultaneously active on the connection. Setting this value to zero selects the default number of sessions. Policy settings will not overwrite this value. Defaults to 32768.

maxSessionFrames (integer)

Session incoming window measured in transfer frames for sessions created on this connection. This is the number of transfer frames that may simultaneously be in flight for all links in the session. Setting this value to zero selects the default session window size. Policy settings will not overwrite this value. The numerical product of maxFrameSize and maxSessionFrames may not exceed 2^31-1. If (maxFrameSize x maxSessionFrames) exceeds 2^31-1 then maxSessionFrames is reduced to ((2^31-1) / maxFrameSize). maxSessionFrames has a minimum value of 1. Defaults to 0 (unlimited window).

idleTimeoutSeconds (integer, default=16)

The idle timeout, in seconds, for connections through this connector. If no frames are received on the connection for this time interval, the connection shall be closed.

stripAnnotations (One of [in, out, both, no], default=both)

in: Strip the dispatch router specific annotations only on ingress; out: Strip the dispatch router specific annotations only on egress; both: Strip the dispatch router specific annotations on both ingress and egress; no: Do not strip dispatch router specific annotations.

linkCapacity (integer)

The capacity of links within this connection, in terms of message deliveries. The capacity is the number of messages that can be in-flight concurrently for each link.

verifyHostName (boolean, default=True)

yes: Ensures that when initiating a connection (as a client) the host name in the URL to which this connector connects matches the host name in the digital certificate that the peer sends back as part of the SSL connection; no: Does not perform host name verification.

saslUsername (string)

The user name that the connector is using to connect to a peer.

saslPassword (string)

The password that the connector is using to connect to a peer.

logMessage (string, default=none)

A comma separated list that indicates which components of the message should be logged (no spaces allowed between list components). Defaults to none (log nothing). If you want all properties and application properties of the message logged use all. Specific components of the message can be logged by indicating the components via a comma separated list. The components are message-id, user-id, to, subject, reply-to, correlation-id, content-type, content-encoding, absolute-expiry-time, creation-time, group-id, group-sequence, reply-to-group-id, app-properties. The application-data part of the bare message will not be logged. This log message is written to the MESSAGE logging module. In the log entity, set module property to MESSAGE or DEFAULT and enable to trace+ to see this log message.

log

Configure logging for a particular module. You can use the UPDATE operation to change log settings while the router is running.

module (One of [ROUTER, ROUTER_CORE, ROUTER_HELLO, ROUTER_LS, ROUTER_MA, MESSAGE, SERVER, AGENT, CONTAINER, ERROR, POLICY, HTTP, CONN_MGR, PYTHON, DEFAULT], required)

Module to configure. The special module DEFAULT specifies defaults for all modules.

enable (string)

Levels are: trace, debug, info, notice, warning, error, critical. The enable string is a comma-separated list of levels. A level may have a trailing + to enable that level and above. For example trace,debug,warning+ means enable trace, debug, warning, error and critical. The value none means disable logging for the module.

timestamp (boolean)

Include timestamp in log messages.

source (boolean)

Include source file and line number in log messages.

output (string)

Where to send log messages. Can be stderr, stdout, syslog or a file name.

address

Entity type for address configuration. This is used to configure the treatment of message-routed deliveries within a particular address-space. The configuration controls distribution and address phasing.

prefix (string)

The address prefix for the configured settings. Cannot be used with a pattern attribute.

pattern (string)

A wildcarded pattern for address matching. Incoming addresses are matched against this pattern. Matching addresses use the configured settings. The pattern consists of one or more tokens separated by a forward slash /. A token can be one of the following: a * character, a # character, or a sequence of characters that do not include /, *, or #. The * token matches any single token. The # token matches zero or more tokens. * has higher precedence than #, and exact match has the highest precedence. Cannot be used with a prefix attribute.

distribution (One of [multicast, closest, balanced, unavailable], default=balanced)

Treatment of traffic associated with the address

waypoint (boolean)

Designates this address space as being used for waypoints. This will cause the proper address-phasing to be used.

ingressPhase (integer)

Advanced - Override the ingress phase for this address

egressPhase (integer)

Advanced - Override the egress phase for this address

linkRoute

Entity type for link-route configuration. This is used to identify remote containers that shall be destinations for routed link-attaches. The link-routing configuration applies to an addressing space defined by a prefix or a pattern.

prefix (string)

The address prefix for the configured settings. Cannot be used with the pattern attribute.

pattern (string)

A wildcarded pattern for address matching. Link addresses are matched against this pattern. Matching addresses use the configured settings. The pattern consists of one or more tokens separated by a forward slash /. A token can be one of the following: a * character, a # character, or a sequence of characters that do not include /, *, or #. The * token matches any single token. The # token matches zero or more tokens. * has higher precedence than #, and exact match has the highest precedence. Cannot be used with the prefix attribute.
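The token rules given for the pattern attribute of both the address and linkRoute sections can be exercised offline to see which configured patterns cover a given address, for instance to spot an overly broad # entry. This Python sketch is an added example, not the router's own matcher: the function names and the sample patterns are constructed, and the precedence between several matching patterns is not modelled.

```python
from functools import lru_cache

def pattern_matches(pattern, address):
    """Apply the token rules above: '*' is exactly one token, '#' is zero or more."""
    p, a = pattern.split("/"), address.split("/")

    @lru_cache(maxsize=None)
    def match(i, j):
        if i == len(p):                  # pattern exhausted:
            return j == len(a)           # a match only if the address is too
        if p[i] == "#":
            # '#' matches nothing, or absorbs one token and stays in play
            return match(i + 1, j) or (j < len(a) and match(i, j + 1))
        if j == len(a):                  # tokens left in pattern, none in address
            return False
        return p[i] in ("*", a[j]) and match(i + 1, j + 1)

    return match(0, 0)

def covering(patterns, address):
    """List every configured pattern that would match the address."""
    return [pat for pat in patterns if pattern_matches(pat, address)]

# Constructed patterns for illustration.
PATTERNS = ["orders/*/eu", "orders/#", "#"]
```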

containerId (string)

ContainerID for the target container. Only one of containerId or connection should be specified for a linkRoute. Specifying both will result in the linkRoute not being created.

connection (string)

The name from a connector or listener. Only one of containerId or connection should be specified for a linkRoute. Specifying both will result in the linkRoute not being created.

distribution (One of [linkBalanced], default=linkBalanced)

Treatment of traffic associated with the address

dir (One of [in, out], required)

The permitted direction of links: in means client senders; out means client receivers

console

(DEPRECATED) Start a websocket/tcp proxy and http file server to serve the web console

listener (string)

The name of the listener to send the proxied tcp traffic to.

wsport (integer, default=5673)

Port on which to listen for websocket traffic.

proxy (string, required)

The full path to the proxy program to run.

home (string, required)

The full path to the html/css/js files for the console.

args (string)

Optional args to pass the proxy program for logging, authentication, etc.

policy

Defines global connection limit

maxConnections (integer, default=65535)

Global maximum number of concurrent client connections allowed. This limit is always enforced even if no other policy settings have been defined.

enableVhostPolicy (boolean)

Enable vhost policy user groups, connection denial, and resource limit enforcement

policyDir (path)

Absolute path to a directory that holds vhost definition .json files. All vhost definitions in all .json files in this directory are processed.

defaultVhost (string)

Vhost rule set name to use for connections with a vhost that is otherwise not defined. Default vhost processing may be disabled either by erasing the definition of defaultVhost or by not defining a vhost object named $default.

vhost

AMQP virtual host policy definition of users, user groups, allowed remote hosts, and AMQP restrictions.

id (string, required)

The vhost name.

maxConnections (integer, default=65535)

Maximum number of concurrent client connections allowed.

maxConnectionsPerUser (integer, default=65535)

Maximum number of concurrent client connections allowed for any single user.

maxConnectionsPerHost (integer, default=65535)

Maximum number of concurrent client connections allowed for any remote host.

allowUnknownUser (boolean)

Unrestricted users, those who are not members of a defined user group, are allowed to connect to this application. Unrestricted users are assigned to the default user group and receive default settings.

groups (map)

A map where each key is a user group name and the value is a map of the corresponding settings for that group.

See Also

qdrouterd(8), qdmanage(8)

http://qpid.apache.org/components/dispatch-router

Referenced By

qdmanage(8), qdrouterd(8), qdstat(8).

11/21/2017