Solace
Solace is Roche’s enterprise event bus, hosted on AWS Frankfurt as a managed cloud service. The roche-data pipeline publishes data product lifecycle events (created, updated, certified) to Solace topics, enabling downstream systems to react to data product changes in near-real-time. The pipeline also subscribes to MRHub change events for reference data cache invalidation.
Status
Access confirmed: 2026-05-07 — client certificate auth verified, test publish returned HTTP 200.
Connection Details
| Property | Value |
|---|---|
| SEAL API URL | https://global-seal.roche.com |
| SEAL frontend | https://seal.roche.com |
| Auth method (SEAL) | Bearer token |
| Auth method (Broker) | Client certificate (PEM — cert + key from Vault) |
| Broker user | RXPMODE0 |
| Network | Cloud (AWS Frankfurt) — TLS only, VPN required |
| Access task | A04 |
| ServiceNow request | RITM6309240 |
| GitHub issue | #24 (shared with MRHub) |
Broker Endpoints
| Environment | Message VPN | Secured REST (port 9443) | Secured SMF (port 55443) |
|---|---|---|---|
| DEV | sol-aws-de-dev-01 | https://sol-aws-de-dev-01.messaging.solace.cloud:9443 | tcps://sol-aws-de-dev-01.messaging.solace.cloud:55443 |
| TST | sol-aws-de-tst-01 | https://sol-aws-de-tst-01.messaging.solace.cloud:9443 | tcps://sol-aws-de-tst-01.messaging.solace.cloud:55443 |
| UAT | sol-aws-de-uat-01 | https://sol-aws-de-uat-01.messaging.solace.cloud:9443 | tcps://sol-aws-de-uat-01.messaging.solace.cloud:55443 |
| PRD | sol-aws-de-prd-01 | https://sol-aws-de-prd-01.messaging.solace.cloud:9443 | tcps://sol-aws-de-prd-01.messaging.solace.cloud:55443 |
Environment Variables (from Vault)
All Solace credentials are stored in Vault at `secret/{target}/solace` and loaded via `scripts/vault-env.sh`.
| Variable | Description |
|---|---|
| SOLACE_BROKER_URL | Broker REST endpoint for the target environment |
| SOLACE_VPN_NAME | Message VPN name per environment |
| SOLACE_USER | Broker username (RXPMODE0) |
| SOLACE_CLIENT_CERT | PEM certificate (full chain: leaf + issuing CA + root CA) |
| SOLACE_CLIENT_KEY | PEM private key (RSA) |
| SOLACE_CLIENT_CERT_EXPIRE | Certificate expiry (2028-05-05) |
| SOLACE_SEAL_API_URL | SEAL provisioning API base URL |
| SOLACE_API_TOKEN | SEAL API bearer token (expires 2026-12-31) |
| SOLACE_API_KEY | API key (expires 2026-06-30) |
CLI Modules
| Module | Usage |
|---|---|
| rdt-model-event | Publishes data product lifecycle events to Solace topics via Secured REST |
| All rdt-model-* | Automatic execution event on every module run (via rdt-model-common/events.rs) |
Automatic Execution Events
Every CLI module publishes a lightweight execution event to Solace after completing its run. This is enforced at compile time — `ModuleResultBuilder::finish()` requires a `&PublishContext` parameter.
Payload:
```json
{
  "module": "rdt-model-pull",
  "run_id": "019600ab-cdef-7123-89ab-0123456789ab",
  "status": "ok",
  "entity_id": "waste-tracking",
  "duration_ms": 1247,
  "timestamp": "2026-05-07T14:23:01.123Z",
  "target": "dev"
}
```
Behavior:
- Dry-run or missing credentials → silently skipped
- Publish failure → warning logged, module succeeds normally
- Run ID (`--run-id` / `RDT_RUN_ID`) correlates all modules in one pipeline execution
- Implementation: `cli/common/src/events.rs` — spawns a dedicated thread with 5s timeout
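The non-blocking behaviour above (skip on dry-run or missing credentials, never fail the module, bounded by a timeout) as an added std-only example; this is not the project's `events.rs`, and the `send` closure stands in for the HTTPS POST to the broker:

```rust
use std::sync::mpsc;
use std::thread;
use std::time::Duration;

/// Outcome of one execution-event publish attempt (hypothetical type, not the project's).
#[derive(Debug, PartialEq)]
pub enum PublishOutcome {
    Skipped,        // dry-run, or no credentials loaded from Vault
    Published,
    Failed(String), // logged as a warning by the caller; the module still succeeds
}

/// Publish an execution event without holding up the CLI module for longer than `timeout`.
/// `send` is assumed to be the blocking HTTP call (e.g. a reqwest POST to the topic URL).
pub fn publish_execution_event<F>(
    dry_run: bool,
    has_credentials: bool,
    timeout: Duration,
    send: F,
) -> PublishOutcome
where
    F: FnOnce() -> Result<(), String> + Send + 'static,
{
    if dry_run || !has_credentials {
        return PublishOutcome::Skipped;
    }
    let (tx, rx) = mpsc::channel();
    // Dedicated thread so a slow or unreachable broker cannot stall the module.
    thread::spawn(move || {
        let _ = tx.send(send());
    });
    match rx.recv_timeout(timeout) {
        Ok(Ok(())) => PublishOutcome::Published,
        Ok(Err(e)) => PublishOutcome::Failed(e),
        // The worker thread is left detached; the process exits with the module anyway.
        Err(_) => PublishOutcome::Failed(format!("publish timed out after {:?}", timeout)),
    }
}
```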
The confirmed production topic for pipeline lifecycle events:
```
Pharma/Tech/Solace/InterLayer/PRC/1/RSVD/RSVD/Created/v1/SYS/CLI-EXECUTE
```
Topic Taxonomy Rules
- Second level must be `Data`, `Func`, or `Tech`
- No wildcards in published topics (wildcards are for subscriptions only)
- Alphanumeric, dashes, and forward slashes only
- Levels separated by `/`
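A pre-publish check for these rules, as an added example (not project code). It assumes Solace's usual wildcard characters (`*` for one level, `>` for the remainder) and, as an extra assumption, treats an empty level such as `a//b` as invalid; it also builds the Secured REST publish URL from the broker base URL and the topic.

```rust
/// Reasons a topic is rejected before publishing (hypothetical type, not the project's).
#[derive(Debug, PartialEq)]
pub enum TopicError {
    Wildcard(char),
    BadChar(char),
    EmptyLevel,
    BadSecondLevel(String),
}

/// Validate a topic against the taxonomy rules for published topics.
pub fn validate_publish_topic(topic: &str) -> Result<(), TopicError> {
    // Solace wildcard characters (convention): `*` matches one level, `>` the remaining levels.
    if let Some(c) = topic.chars().find(|c| *c == '*' || *c == '>') {
        return Err(TopicError::Wildcard(c));
    }
    // Alphanumeric, dashes and forward slashes only.
    if let Some(c) = topic
        .chars()
        .find(|c| !(c.is_ascii_alphanumeric() || *c == '-' || *c == '/'))
    {
        return Err(TopicError::BadChar(c));
    }
    let levels: Vec<&str> = topic.split('/').collect();
    // Assumption: an empty level ("a//b") is not a valid published topic.
    if levels.iter().any(|l| l.is_empty()) {
        return Err(TopicError::EmptyLevel);
    }
    // Second level must be Data, Func or Tech.
    match levels.get(1).copied() {
        Some("Data" | "Func" | "Tech") => Ok(()),
        other => Err(TopicError::BadSecondLevel(other.unwrap_or("").to_string())),
    }
}

/// Build the Secured REST publish URL (`<broker REST endpoint>/<topic>`), validating first.
pub fn publish_url(broker_url: &str, topic: &str) -> Result<String, TopicError> {
    validate_publish_topic(topic)?;
    Ok(format!("{}/{}", broker_url.trim_end_matches('/'), topic))
}
```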
Authentication
Broker REST — Client Certificate (confirmed working)
The pipeline authenticates to the Solace broker using a Roche-issued client certificate (PEM format). The certificate and private key are stored in Vault.
```bash
curl -s -X POST \
  --cert /tmp/solace-cert.pem --key /tmp/solace-key.pem \
  -H "Content-Type: application/json" \
  -d '{"entity_id":"waste-tracking","event_type":"entity.created"}' \
  "https://sol-aws-de-dev-01.messaging.solace.cloud:9443/Pharma/Tech/Solace/InterLayer/PRC/1/RSVD/RSVD/Created/v1/SYS/CLI-EXECUTE"
# → HTTP 200 (Guaranteed Messaging, spooled to queue)
```
In rdt-model-event, use `reqwest::Identity::from_pem()` with the concatenated cert + key:
```rust
// cert_and_key_pem holds SOLACE_CLIENT_CERT followed by SOLACE_CLIENT_KEY
let identity = reqwest::Identity::from_pem(cert_and_key_pem.as_bytes())?;
let client = reqwest::Client::builder()
    .identity(identity)
    .build()?;
```
SEAL API — Bearer Token
```bash
curl -s -H "Authorization: Bearer $SOLACE_API_TOKEN" \
  https://global-seal.roche.com/api/v1/request/some-uuid
```
Token is created from the SEAL frontend (https://seal.roche.com → API Tokens).
Access Verification
Script: `scripts/check-solace-access.sh`
Loads credentials from Vault and publishes a test message using client certificate auth:
```bash
./scripts/check-solace-access.sh        # dev (default)
./scripts/check-solace-access.sh test   # test env
```
SEAL Provisioning API
SEAL (Self-Service Event-Driven Automated Landpoint) manages Solace object provisioning:
| Method | Path | Purpose |
|---|---|---|
| GET | /ping | Connectivity test (public, no auth) |
| GET | /_health | Health check (browser session auth only) |
| GET | /api/v1/request/{id} | Check provisioning request status |
| POST | /api/v1/create-queue | Create a new queue |
| POST | /api/v1/add-topic | Add topic subscriptions to a queue |
| POST | /api/v1/create-user | Create a broker user |
| POST | /api/v1/promote | Promote objects between environments |
Promotion Path
Objects are created in DEV or TST, then promoted:
```
dev → tst → uat → prd
```
Direct creation in UAT/PRD is not supported — promotion is required.
Messaging Configuration
| Setting | Value | Rationale |
|---|---|---|
| Delivery mode | Guaranteed Messaging | No message loss tolerance |
| Protocol | REST (HTTPS) | No native SDK needed — plain reqwest |
| Max redelivery | 5 | Prevents poison message loops |
| TLS | Always | Required for all cloud broker access |
| Reconnection retries | 20 | Roche default |
Certificate Renewal
The client certificate expires 2028-05-05. To renew:
- Go to https://code.roche.com/roche-mulesoft-api-center-admin/certificate-manager-dicr/RXPMODE0
- Request a new certificate
- Update `SOLACE_CLIENT_CERT`, `SOLACE_CLIENT_KEY`, and `SOLACE_CLIENT_CERT_EXPIRE` in Vault
Contacts
| Role | Name |
|---|---|
| Solace Operations | gis_it.solace_operations@roche.com |
| Component Owner | Samuel Anandh |
| Tech Lead | Daniel Donovan |
| Integration Architect | Prasoon Paliwal |