<!DOCTYPE html>
<!--
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
-
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Using Qpid Dispatch - Apache Qpid&#8482;</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
<link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
<script type="text/javascript">var _deferredFunctions = [];</script>
<script type="text/javascript" src="/deferred.js" defer="defer"></script>
<!--[if lte IE 8]>
<link rel="stylesheet" href="/ie.css" type="text/css"/>
<script type="text/javascript" src="/html5shiv.js"></script>
<![endif]-->
<!-- Redirects for `go get` and godoc.org -->
<meta name="go-import"
content="qpid.apache.org git https://gitbox.apache.org/repos/asf/qpid-proton.git"/>
<meta name="go-source"
content="qpid.apache.org
https://github.com/apache/qpid-proton/blob/go1/README.md
https://github.com/apache/qpid-proton/tree/go1{/dir}
https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
</head>
<body>
<div id="-content">
<div id="-middle" class="panel">
<div id="-middle-content">
<h1>Using Qpid Dispatch</h1>
<div id="toc" class="toc">
<div id="toctitle">Table of Contents</div>
<ul class="sectlevel0">
<li><a href="#overview">Overview</a>
<ul class="sectlevel1">
<li><a href="#overview-router-qdr">1. Overview of Dispatch Router</a>
<ul class="sectlevel2">
<li><a href="#key-features-qdr">1.1. Key features</a></li>
<li><a href="#supported-standards-protocols-qdr">1.2. Supported standards and protocols</a></li>
<li><a href="#document-conventions-qdr">1.3. Document conventions</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#learn">Learn</a>
<ul class="sectlevel1">
<li><a href="#important-terms-concepts-qdr">2. Important terms and concepts</a>
<ul class="sectlevel2">
<li><a href="#overview-of-amqp-qdr">2.1. Overview of AMQP</a></li>
<li><a href="#what-routers-are-qdr">2.2. What routers are</a></li>
<li><a href="#how-routers-route-messages-qdr">2.3. How routers route messages</a></li>
<li><a href="#router-security-qdr">2.4. Router security</a></li>
<li><a href="#router-management-qdr">2.5. Router management</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#get_started">Get started</a>
<ul class="sectlevel1">
<li><a href="#getting-started-qdr">3. Getting started</a>
<ul class="sectlevel2">
<li><a href="#installing-router-linux-getting-started">3.1. Installing Dispatch Router on Linux</a></li>
<li><a href="#exploring-default-router-configuration-file-qdr">3.2. Exploring the default router configuration file</a></li>
<li><a href="#starting-router-getting-started-qdr">3.3. Starting the router</a></li>
<li><a href="#sending-test-messages-qdr">3.4. Sending test messages</a></li>
<li><a href="#next-steps-qdr">3.5. Next steps</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#install">Install</a>
<ul class="sectlevel1">
<li><a href="#router-deployment-guidelines-qdr">4. Dispatch Router deployment guidelines</a>
<ul class="sectlevel2">
<li><a href="#router-operating-modes-qdr">4.1. Router operating modes</a></li>
<li><a href="#security-guidelines-qdr">4.2. Security guidelines</a></li>
<li><a href="#router-connection-guidelines-qdr">4.3. Router connection guidelines</a></li>
</ul>
</li>
<li><a href="#installing-router-qdr">5. Installing Dispatch Router</a>
<ul class="sectlevel2">
<li><a href="#installing-router-linux-qdr">5.1. Installing Dispatch Router on Linux</a></li>
<li><a href="#preparing-router-configurations-qdr">5.2. Preparing router configurations</a></li>
<li><a href="#starting-router-qdr">5.3. Starting a router</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#configuration">Configure</a>
<ul class="sectlevel1">
<li><a href="#configuring-router-properties-qdr">6. Configuring router properties</a></li>
<li><a href="#configuring-network-connections-qdr">7. Configuring network connections</a>
<ul class="sectlevel2">
<li><a href="#connecting-routers-qdr">7.1. Connecting routers</a></li>
<li><a href="#listening-client-connections-qdr">7.2. Listening for client connections</a></li>
<li><a href="#connecting-to-external-amqp-containers-qdr">7.3. Connecting to external AMQP containers</a></li>
<li><a href="#adding-metadata-to-connections-qdr">7.4. Adding metadata to connections</a></li>
<li><a href="#understanding-connection-failover-qdr">7.5. Understanding connection failover</a></li>
</ul>
</li>
<li><a href="#securing-network-connections-qdr">8. Securing network connections</a>
<ul class="sectlevel2">
<li><a href="#securing-connections-between-routers-qdr">8.1. Securing connections between routers</a></li>
<li><a href="#securing-incoming-client-connections-qdr">8.2. Securing incoming client connections</a>
<ul class="sectlevel3">
<li><a href="#enabling-ssl-tls-encryption-qdr">8.2.1. Enabling SSL/TLS encryption</a></li>
<li><a href="#enabling-ssl-tls-client-authentication-qdr">8.2.2. Enabling SSL/TLS client authentication</a></li>
<li><a href="#enabling-username-password-authentication-qdr">8.2.3. Enabling user name and password authentication</a></li>
<li><a href="#integrating-with-kerberos-qdr">8.2.4. Integrating with Kerberos</a></li>
</ul>
</li>
<li><a href="#securing-outgoing-connections-qdr">8.3. Securing outgoing connections</a>
<ul class="sectlevel3">
<li><a href="#connecting-using-one-way-ssl-tls-authentication-qdr">8.3.1. Connecting using one-way SSL/TLS authentication</a></li>
<li><a href="#connecting-using-mutual-ssl-tls-authentication-qdr">8.3.2. Connecting using mutual SSL/TLS authentication</a></li>
<li><a href="#connecting-using-username-password-authentication-qdr">8.3.3. Connecting using user name and password authentication</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#configuring-authorization-qdr">9. Configuring authorization</a>
<ul class="sectlevel2">
<li><a href="#types-policies-qdr">9.1. Types of policies</a></li>
<li><a href="#how-policies-enforce-connection-resource-limits-qdr">9.2. How policies enforce connection and resource limits</a></li>
<li><a href="#setting-global-connection-limits-qdr">9.3. Setting global limits</a></li>
<li><a href="#setting-connection-resource-limits-messaging-endpoints-qdr">9.4. Setting connection and resource limits for messaging endpoints</a>
<ul class="sectlevel3">
<li><a href="#enabling-vhost-policies-qdr">9.4.1. Enabling vhost policies</a></li>
<li><a href="#creating-vhost-policies-qdr">9.4.2. Creating vhost policies</a></li>
<li><a href="#creating-vhost-policies-json-qdr">9.4.3. Creating vhost policies as JSON files</a></li>
<li><a href="#setting-resource-limits-outgoing-connections-qdr">9.4.4. Setting resource limits for outgoing connections</a></li>
<li><a href="#methods-specifying-vhost-policy-source-target-addresses-qdr">9.4.5. Methods for specifying vhost policy source and target addresses</a></li>
<li><a href="#vhost-policy-hostname-pattern-matching-rules-qdr">9.4.6. Vhost policy hostname pattern matching rules</a></li>
<li><a href="#vhost-policy-examples-qdr">9.4.7. Vhost policy examples</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#configuring-logging-qdr">10. Configuring logging</a>
<ul class="sectlevel2">
<li><a href="#logging-modules-qdr">10.1. Logging modules</a></li>
<li><a href="#configuring-default-logging-qdr">10.2. Configuring default logging</a></li>
</ul>
</li>
<li><a href="#configuring-routing-qdr">11. Configuring routing</a>
<ul class="sectlevel2">
<li><a href="#configuring-message-routing-qdr">11.1. Configuring message routing</a>
<ul class="sectlevel3">
<li><a href="#understanding-message-routing-qdr">11.1.1. Understanding message routing</a></li>
<li><a href="#configuring-address-semantics-qdr">11.1.2. Configuring address semantics</a></li>
<li><a href="#configuring-addresses-prioritized-message-delivery-qdr">11.1.3. Configuring addresses for prioritized message delivery</a></li>
<li><a href="#configuring-brokered-messaging-qdr">11.1.4. Configuring brokered messaging</a></li>
<li><a href="#address-pattern-matching-qdr">11.1.5. Address pattern matching</a></li>
</ul>
</li>
<li><a href="#creating-link-routes-qdr">11.2. Creating link routes</a>
<ul class="sectlevel3">
<li><a href="#understanding-link-routing-qdr">11.2.1. Understanding link routing</a></li>
<li><a href="#creating-link-route-qdr">11.2.2. Creating a link route</a></li>
<li><a href="#link-route-example-qdr">11.2.3. Link route example: Connecting clients and brokers on different networks</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
<li><a href="#management">Manage</a>
<ul class="sectlevel1">
<li><a href="#monitoring-using-web-console">12. Monitoring using Apache Qpid Dispatch Router Console</a>
<ul class="sectlevel2">
<li><a href="#setting-up-access-web-console">12.1. Setting up access to Apache Qpid Dispatch Router Console</a></li>
<li><a href="#accessing-web-console">12.2. Accessing Apache Qpid Dispatch Router Console</a></li>
<li><a href="#monitoring-router-network-web-console">12.3. Monitoring the router network using Apache Qpid Dispatch Router Console</a></li>
</ul>
</li>
<li><a href="#monitoring-using-qdstat-qdr">13. Monitoring using <code>qdstat</code></a>
<ul class="sectlevel2">
<li><a href="#syntax-using-qdstat-qdr">13.1. Syntax for using <code>qdstat</code></a></li>
<li><a href="#commands-monitoring-router-network-qdr">13.2. Commands for monitoring the router network</a></li>
</ul>
</li>
<li><a href="#managing-using-qdmanage-qdr">14. Managing using <code>qdmanage</code></a></li>
<li><a href="#troubleshooting-qdr">15. Troubleshooting Dispatch Router</a>
<ul class="sectlevel2">
<li><a href="#viewing-log-entries-qdr">15.1. Viewing log entries</a></li>
<li><a href="#troubleshooting-using-logs-qdr">15.2. Troubleshooting using logs</a></li>
</ul>
</li>
<li><a href="#amqp-mapping-qdr">Appendix A: AMQP mapping</a></li>
</ul>
</li>
</ul>
</div>
<h1 id="overview" class="sect0">Overview</h1>
<div class="sect1">
<h2 id="overview-router-qdr">1. Overview of Dispatch Router</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Dispatch Router is a lightweight AMQP message router for building scalable, available, and performant messaging networks.</p>
</div>
<div class="sect2">
<h3 id="key-features-qdr">1.1. Key features</h3>
<div class="paragraph">
<p>You can use Dispatch Router to flexibly route messages between any AMQP-enabled endpoints, including clients, servers, and message brokers. Dispatch Router provides the following benefits:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Connects clients and message brokers into an internet-scale messaging network with uniform addressing</p>
</li>
<li>
<p>Supports high-performance direct messaging</p>
</li>
<li>
<p>Uses redundant network paths to route around failures</p>
</li>
<li>
<p>Streamlines the management of large deployments</p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="supported-standards-protocols-qdr">1.2. Supported standards and protocols</h3>
<div class="paragraph">
<p>Dispatch Router supports the following industry-recognized standards and network protocols:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Version 1.0 of the Advanced Message Queueing Protocol (AMQP)</p>
</li>
<li>
<p>Modern TCP with IPv6</p>
</li>
<li>
<p>Client compatibility</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Dispatch Router should, in theory, work with any client that is compatible with AMQP 1.0. The following clients have been tested:</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">qpid::messaging</dt>
<dd>
<p>The Qpid messaging clients work with Dispatch Router as long as they are configured to use the 1.0 version of the protocol. To enable AMQP 1.0 in the C++ client, use the <code>{protocol:amqp1.0}</code> connection option.</p>
</dd>
<dt class="hdlist1">Proton Reactor</dt>
<dd>
<p>The Proton Reactor API is compatible with Dispatch Router.</p>
</dd>
<dt class="hdlist1">Proton Messenger</dt>
<dd>
<p>Messenger works with Dispatch Router.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
</ul>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>The details of distributed transactions (XA) within AMQP are not provided in the 1.0 version of the specification. AMQ Interconnect does not support XA transactions.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="ulist">
<div class="title">Additional resources</div>
<ul>
<li>
<p><a href="http://www.amqp.org/resources/download">OASIS AMQP 1.0 Specification</a>.</p>
</li>
<li>
<p>For more information about how Dispatch Router applies AMQP, see <a href="#amqp-mapping-qdr">AMQP mapping</a>.</p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="document-conventions-qdr">1.3. Document conventions</h3>
<div class="paragraph">
<p>In this document, <code>sudo</code> is used for any command that requires root privileges. You should always exercise caution when using <code>sudo</code>, as any changes can affect the entire system.</p>
</div>
</div>
</div>
</div>
<h1 id="learn" class="sect0">Learn</h1>
<div class="sect1">
<h2 id="important-terms-concepts-qdr">2. Important terms and concepts</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Before using Dispatch Router, you should be familiar with AMQP and understand some key concepts about Dispatch Router.</p>
</div>
<div class="sect2">
<h3 id="overview-of-amqp-qdr">2.1. Overview of AMQP</h3>
<div class="paragraph">
<p>Dispatch Router implements version 1.0 of the Advanced Message Queueing Protocol (AMQP) specification. Therefore, you should understand several key AMQP terms and concepts before deploying or configuring Dispatch Router.</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">Containers</dt>
<dd>
<p>AMQP is a wire-level messaging protocol for transferring messages between applications called <em>containers</em>. In AMQP, a container is any application that sends or receives messages, such as a client application or message broker.</p>
<div class="paragraph">
<p>Containers connect to each other over <em>connections</em>, which are channels for communication.</p>
</div>
</dd>
<dt class="hdlist1">Nodes</dt>
<dd>
<p>Containers contain addressable entities called <em>nodes</em> that are responsible for storing or delivering messages. For example, a queue on a message broker is a node.</p>
</dd>
<dt class="hdlist1">Links</dt>
<dd>
<p>Messages are transferred between connected containers over <em>links</em>. A link is a unidirectional route between nodes. Essentially, a link is a channel for sending or receiving messages.</p>
<div class="paragraph">
<p>Links are established over <em>sessions</em>, which are contexts for sending and receiving messages. Sessions are established over connections.</p>
</div>
</dd>
</dl>
</div>
<div class="ulist">
<div class="title">Additional resources</div>
<ul>
<li>
<p><a href="http://www.amqp.org/resources/download">OASIS AMQP 1.0 Specification</a></p>
</li>
<li>
<p><a href="https://dzone.com/refcardz/amqp-essentials?chapter=1">AMQP Essentials Refcard</a></p>
</li>
<li>
<p><a href="https://channel9.msdn.com/Blogs/Subscribe/The-AMQP-10-Protocol-16-Overview">Video series introducing AMQP 1.0</a></p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="what-routers-are-qdr">2.2. What routers are</h3>
<div class="paragraph">
<p>Dispatch Router is an application layer program running as a normal user program or as a daemon. A running instance of Dispatch Router is called a <em>router</em>.</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">Routers do not take responsibility for messages</dt>
<dd>
<p>Routers transfer messages between producers and consumers, but unlike message brokers, they do not take responsibility for messages. Instead, routers propagate message settlement and disposition across a network such that delivery guarantees are met. That is, the router network will deliver the message &ndash; possibly through several intermediate routers &ndash; and then route the consumer&#8217;s acknowledgement of that message back across the same path. The responsibility for the message is transferred from the producer to the consumer as if they were directly connected.</p>
</dd>
<dt class="hdlist1">Routers are combined to form router networks</dt>
<dd>
<p>Routers are often deployed in topologies of multiple routers called a router network. Routers use link-state routing protocols and algorithms similar to the Open Shortest Path First (OSPF) and Intermediate System to Intermediate System (IS-IS) protocols to calculate the best path from every message source to every message destination, and to recover quickly from failures. A router network relies on redundant network paths to provide continued connectivity in case of system or network failure.</p>
</dd>
<dt class="hdlist1">Routers enhance both direct and indirect messaging patterns</dt>
<dd>
<p>A messaging client can make a single AMQP connection into a router network and, over that connection, exchange messages with one or more message brokers connected to any router in the network. At the same time, the client can exchange messages directly with other endpoints without involving a broker at all.</p>
<div class="exampleblock">
<div class="title">Example 1. Enhancing the use of message brokers</div>
<div class="content">
<div class="paragraph">
<p>Routers can enhance a cluster of message brokers that provide a scalable, distributed work queue.</p>
</div>
<div class="paragraph">
<p>The router network makes the broker cluster appear as a single queue, with producers publishing to a single address, and consumers subscribing to a single address. The router network can distribute work to any broker in the cluster, and collect work from any broker for any consumer.</p>
</div>
<div class="paragraph">
<p>The routers improve the scalability of the broker cluster, because brokers can be added or removed from the cluster without affecting the clients.</p>
</div>
<div class="paragraph">
<p>The routers also solve the common difficulty of "stuck messages". Without the router network, if a consumer is connected to a broker that does not have any messages (but other brokers in the cluster do have messages), you must either transfer the messages or leave them "stuck". The routers solve this issue, however, because all of the consumers are connected to all of the brokers through the router network. A message on any broker can be delivered to any of the consumers.</p>
</div>
</div>
</div>
</dd>
</dl>
</div>
</div>
<div class="sect2">
<h3 id="how-routers-route-messages-qdr">2.3. How routers route messages</h3>
<div class="paragraph">
<p>In a router network, <em>routing</em> is the process by which messages are delivered to their destinations. To accomplish this, Dispatch Router offers two different routing mechanisms:</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">Message routing</dt>
<dd>
<p>Message routing enables you to distribute messages in anycast and multicast patterns. These patterns can be used for both direct routing, in which the router distributes messages between clients without a message broker, and indirect routing, in which the router enables clients to exchange messages through a message broker.</p>
<div class="paragraph">
<p>Message routing is useful for the following types of requirements:</p>
</div>
<div class="openblock">
<div class="content">
<div class="ulist">
<ul>
<li>
<p>Default, basic message routing</p>
<div class="paragraph">
<p>Dispatch Router automatically routes messages by default, so manual configuration is only required if you want routing behavior that is different than the default.</p>
</div>
</li>
<li>
<p>Message-based routing patterns</p>
<div class="paragraph">
<p>Message routing supports both anycast and multicast routing patterns. You can load-balance individual messages across multiple consumers, and multicast (or fan-out) messages to multiple subscribers.</p>
</div>
</li>
<li>
<p>Sharding messages across multiple message brokers when message delivery order is not important</p>
<div class="paragraph">
<p>Sharding messages from one producer might cause that producer&#8217;s messages to be received in a different order than the order in which they were sent.</p>
</div>
</li>
</ul>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">Link routing</dt>
<dd>
<p>Link routing enables you to establish a dedicated, virtual "path" between a sender and receiver that travels through the router network. Link routes are typically used to connect clients to message brokers in scenarios in which a direct connection is unfeasible. Therefore, link routes enable messaging capabilities that are not possible with message routing, such as:</p>
<div class="openblock">
<div class="content">
<div class="ulist">
<ul>
<li>
<p>Transactional messaging</p>
<div class="paragraph">
<p>Link routing supports local transactions to a single broker. Distributed transactions are not supported.</p>
</div>
</li>
<li>
<p>Guaranteed message delivery order</p>
<div class="paragraph">
<p>Link routing to a sharded queue preserves the delivery order of the producer&#8217;s messages by causing all messages on that link to go to the same broker instance.</p>
</div>
</li>
<li>
<p>End-to-end flow control</p>
<div class="paragraph">
<p>Flow control is "real" in that credits flow across the link route from the receiver to the sender.</p>
</div>
</li>
<li>
<p>Server-side selectors</p>
<div class="paragraph">
<p>With a link route, consumers can provide server-side selectors for broker subscriptions.</p>
</div>
</li>
</ul>
</div>
</div>
</div>
</dd>
</dl>
</div>
<div class="ulist">
<div class="title">Additional resources</div>
<ul>
<li>
<p><a href="#configuring-message-routing-qdr">Configuring message routing</a></p>
</li>
<li>
<p><a href="#creating-link-routes-qdr">Creating link routes</a></p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="router-security-qdr">2.4. Router security</h3>
<div class="paragraph">
<p>Dispatch Router provides authentication and authorization mechanisms so that you can control who can access the router network, and what they can do with the messaging resources.</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">Authentication</dt>
<dd>
<p>Dispatch Router supports both SSL/TLS and SASL for encrypting and authenticating remote peers. Using these mechanisms, you can secure the router network in the following ways:</p>
<div class="ulist">
<ul>
<li>
<p>Authenticate incoming connections from remote peers (such as clients and message brokers)</p>
</li>
<li>
<p>Provide authentication credentials for outgoing connections to remote peers (such as clients and message brokers)</p>
</li>
<li>
<p>Secure the inter-router connections between the routers in the router network</p>
</li>
</ul>
</div>
</dd>
<dt class="hdlist1">Authorization</dt>
<dd>
<p>Dispatch Router provides a <code>policy</code> mechanism that you can use to enforce user connection restrictions and AMQP resource access control.</p>
</dd>
</dl>
</div>
<div class="ulist">
<div class="title">Additional resources</div>
<ul>
<li>
<p><a href="#securing-network-connections-qdr">Securing network connections</a></p>
</li>
<li>
<p><a href="#configuring-authorization-qdr">Configuring authorization</a></p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="router-management-qdr">2.5. Router management</h3>
<div class="paragraph">
<p>Dispatch Router provides both graphical and CLI tools for monitoring and managing a router network.</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">Apache Qpid Dispatch Router Console</dt>
<dd>
<p>A web console for monitoring the layout and health of the router network.</p>
</dd>
<dt class="hdlist1">qdstat</dt>
<dd>
<p>A command-line tool for monitoring the status of a router in the router network. Using this tool, you can view the following information about a router:</p>
<div class="ulist">
<ul>
<li>
<p>Incoming and outgoing connections</p>
</li>
<li>
<p>Incoming and outgoing links</p>
</li>
<li>
<p>Router network topology from the perspective of this router</p>
</li>
<li>
<p>Addresses known to this router</p>
</li>
<li>
<p>Link routes and autolinks</p>
</li>
<li>
<p>Memory consumption information</p>
</li>
</ul>
</div>
</dd>
<dt class="hdlist1">qdmanage</dt>
<dd>
<p>A command-line tool for viewing and updating the configuration of a router at runtime.</p>
</dd>
</dl>
</div>
<div class="ulist">
<div class="title">Additional resources</div>
<ul>
<li>
<p><a href="#management">Management</a></p>
</li>
</ul>
</div>
</div>
</div>
</div>
<h1 id="get_started" class="sect0">Get started</h1>
<div class="sect1">
<h2 id="getting-started-qdr">3. Getting started</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This section provides a quick introduction to Dispatch Router by showing you how to install Dispatch Router, start the router with the default configuration settings, and distribute messages between two clients.</p>
</div>
<div class="sect2">
<h3 id="installing-router-linux-getting-started">3.1. Installing Dispatch Router on Linux</h3>
<div class="paragraph">
<p>Dispatch Router is distributed as a set of RPM packages, which are available for <code>yum</code>/<code>dnf</code>-based Linux distributions. Alternatively, you can build the Dispatch Router from source.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>Dispatch Router will not build on Windows.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="ulist">
<div class="title">Procedure</div>
<ul>
<li>
<p>Do one of the following:</p>
<div class="ulist">
<ul>
<li>
<p>Download and build the Dispatch Router source.</p>
<div class="paragraph">
<p>To download the source, see the <a href="https://qpid.apache.org/download.html" target="_blank" rel="noopener">Download page</a>. For instructions on building the source, see the <a href="https://gitbox.apache.org/repos/asf?p=qpid-dispatch.git;a=blob_plain;f=README;hb=1.14.0" target="_blank" rel="noopener">Qpid Dispatch README</a>.</p>
</div>
</li>
<li>
<p>Install the Dispatch Router packages.</p>
<div class="paragraph">
<p>Packages are available for <code>yum</code>/<code>dnf</code>-based Linux distributions. For more information, see the <a href="https://qpid.apache.org/packages.html" target="_blank" rel="noopener">Packages page</a>.</p>
</div>
</li>
</ul>
</div>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="exploring-default-router-configuration-file-qdr">3.2. Exploring the default router configuration file</h3>
<div class="paragraph">
<p>The router&#8217;s configuration file (<code>qdrouterd.conf</code>) controls the way in which the router functions. The default configuration file contains the minimum number of settings required for the router to run. As you become more familiar with the router, you can add to or change these settings, or create your own configuration files.</p>
</div>
<div class="paragraph">
<p>By default, the router configuration file defines the following settings for the router:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Operating mode</p>
</li>
<li>
<p>How it listens for incoming connections</p>
</li>
<li>
<p>Routing patterns for the message routing mechanism</p>
</li>
</ul>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>Open the following file: <code>/etc/qpid-dispatch/qdrouterd.conf</code>.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>When Dispatch Router is installed, <code>qdrouterd.conf</code> is installed in this directory. When the router is started, it runs with the settings defined in this file.</p>
</div>
</div>
</div>
</li>
<li>
<p>Review the default settings in <code>qdrouterd.conf</code>.</p>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="title">Default configuration file</div>
<div class="content">
<pre class="nowrap">router {
    mode: standalone // <b class="conum">(1)</b>
    id: Router.A // <b class="conum">(2)</b>
}
listener { // <b class="conum">(3)</b>
    host: 0.0.0.0
    port: amqp
    authenticatePeer: no
}
address { // <b class="conum">(4)</b>
    prefix: closest
    distribution: closest
}
address {
    prefix: multicast
    distribution: multicast
}
address {
    prefix: unicast
    distribution: closest
}
address {
    prefix: exclusive
    distribution: closest
}
address {
    prefix: broadcast
    distribution: multicast
}</pre>
</div>
</div>
<div class="colist arabic">
<ol>
<li>
<p>By default, the router operates in <em>standalone</em> mode. This means that it can only communicate with endpoints that are directly connected to it. It cannot connect to other routers, or participate in a router network.</p>
</li>
<li>
<p>The unique identifier of the router. This ID is used as the <code>container-id</code> (container name) at the AMQP protocol level. If it is not specified, the router shall generate a random identifier at startup.</p>
</li>
<li>
<p>The <code>listener</code> entity handles incoming connections from client endpoints. By default, the router listens on all network interfaces on the default AMQP port (5672).</p>
</li>
<li>
<p>By default, the router is configured to use the message routing mechanism. Each <code>address</code> entity defines how messages that are received with a particular address <code>prefix</code> should be distributed. For example, all messages with addresses that start with <code>closest</code> will be distributed using the <code>closest</code> distribution pattern.</p>
</li>
</ol>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>If a client requests a message with an address that is not defined in the router&#8217;s configuration file, the <code>balanced</code> distribution pattern will be used automatically.</p>
</div>
</td>
</tr>
</table>
</div>
</div>
</div>
</li>
</ol>
</div>
<div class="ulist">
<div class="title">Additional resources</div>
<ul>
<li>
<p>For more information about the router configuration file (including available entities and attributes), see the <a href="https://qpid.apache.org/releases/qpid-dispatch-1.14.0/man/qdrouterd.html" target="_blank" rel="noopener">qdrouterd man page</a>.</p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="starting-router-getting-started-qdr">3.3. Starting the router</h3>
<div class="paragraph">
<p>After installing Dispatch Router, you start the router by using the <code>qdrouterd</code> command.</p>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>Start the router:</p>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight nowrap"><code data-lang="bash" class="language-bash hljs">$ qdrouterd</code></pre>
</div>
</div>
<div class="paragraph">
<p>The router starts, using the default configuration file stored at <code>/etc/qpid-dispatch/qdrouterd.conf</code>.</p>
</div>
</div>
</div>
</li>
<li>
<p>Review the <code>qdrouterd</code> command output to verify the router status.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This example shows that the router was correctly installed, is running, and is ready to route traffic between clients:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdrouterd
Fri May 20 09:38:03 2017 SERVER (info) Container Name: Router.A
Fri May 20 09:38:03 2017 ROUTER (info) Router started in Standalone mode
Fri May 20 09:38:03 2017 ROUTER (info) Router Core thread running. 0/Router.A
Fri May 20 09:38:03 2017 ROUTER (info) In-process subscription M/$management
Fri May 20 09:38:03 2017 AGENT (info) Activating management agent on $_management_internal
Fri May 20 09:38:03 2017 ROUTER (info) In-process subscription L/$management
Fri May 20 09:38:03 2017 ROUTER (info) In-process subscription L/$_management_internal
Fri May 20 09:38:03 2017 DISPLAYNAME (info) Activating DisplayNameService on $displayname
Fri May 20 09:38:03 2017 ROUTER (info) In-process subscription L/$displayname
Fri May 20 09:38:03 2017 CONN_MGR (info) Configured Listener: 0.0.0.0:amqp proto=any role=normal
Fri May 20 09:38:03 2017 POLICY (info) Policy configured maximumConnections: 0, policyFolder: '', access rules enabled: 'false'
Fri May 20 09:38:03 2017 POLICY (info) Policy fallback defaultApplication is disabled
Fri May 20 09:38:03 2017 SERVER (info) Operational, 4 Threads Running</pre>
</div>
</div>
</div>
</div>
</li>
</ol>
</div>
<div class="ulist">
<div class="title">Additional resources</div>
<ul>
<li>
<p>The <a href="https://qpid.apache.org/releases/qpid-dispatch-1.14.0/man/qdrouterd.html" target="_blank" rel="noopener">qdrouterd man page</a>.</p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="sending-test-messages-qdr">3.4. Sending test messages</h3>
<div class="paragraph">
<p>After starting the router, send some test messages to see how the router can connect two endpoints by distributing messages between them.</p>
</div>
<div class="paragraph">
<p>This procedure demonstrates a simple configuration consisting of a single router with two clients connected to it: a sender and a receiver. The receiver wants to receive messages on a specific address, and the sender sends
messages to that address.</p>
</div>
<div class="paragraph">
<p>A broker is not used in this procedure, so there is no <em>"store and forward"</em> mechanism in the middle. Instead, the messages flow from the sender, through the router, to the receiver only if the receiver is online, and the sender can confirm that the messages have arrived at their destination.</p>
</div>
<div class="paragraph">
<div class="title">Prerequisites</div>
<p>Apache Qpid Proton Python must be installed. For more information, see <a href="https://qpid.apache.org/proton/" class="bare">https://qpid.apache.org/proton/</a>.</p>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>Navigate to the Apache Qpid Proton Python examples directory.</p>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight nowrap"><code data-lang="bash" class="language-bash hljs">$ cd <em>&lt;install-dir&gt;</em>/examples/python/</code></pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">&lt;install-dir&gt;</dt>
<dd>
<p>The directory where you installed Apache Qpid Proton Python.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
<li>
<p>Start the <code>simple_recv.py</code> receiver client.</p>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight nowrap"><code data-lang="bash" class="language-bash hljs">$ python simple_recv.py -a 127.0.0.1:5672/examples -m 5</code></pre>
</div>
</div>
<div class="paragraph">
<p>This command starts the receiver, which listens on the <code>examples</code> address (<code>127.0.0.1:5672/examples</code>). The receiver is also set to receive a maximum of five messages.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>In practice, the order in which you start senders and receivers does not matter. In both cases, messages will be sent as soon as the receiver comes online.</p>
</div>
</td>
</tr>
</table>
</div>
</div>
</div>
</li>
<li>
<p>In a new terminal window, navigate to the Python examples directory and run the <code>simple_send.py</code> example:</p>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight nowrap"><code data-lang="bash" class="language-bash hljs">$ cd <em>&lt;install-dir&gt;</em>/examples/python/
$ python simple_send.py -a 127.0.0.1:5672/examples -m 5</code></pre>
</div>
</div>
<div class="paragraph">
<p>This command sends five auto-generated messages to the <code>examples</code> address (<code>127.0.0.1:5672/examples</code>) and then confirms that they were delivered and acknowledged by the receiver:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight nowrap"><code data-lang="bash" class="language-bash hljs">all messages confirmed</code></pre>
</div>
</div>
</div>
</div>
</li>
<li>
<p>Verify that the receiver client received the messages.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The receiver client should display the contents of the five messages:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight nowrap"><code data-lang="bash" class="language-bash hljs">{u'sequence': 1L}
{u'sequence': 2L}
{u'sequence': 3L}
{u'sequence': 4L}
{u'sequence': 5L}</code></pre>
</div>
</div>
</div>
</div>
</li>
</ol>
</div>
</div>
<div class="sect2">
<h3 id="next-steps-qdr">3.5. Next steps</h3>
<div class="paragraph">
<p>After using Dispatch Router to distribute messages between two clients, you can use the following sections to learn more about Dispatch Router configuration, deployment, and management.</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><a href="#configuration">Change the router&#8217;s configuration</a></dt>
<dd>
<p>Dispatch Router ships with default settings that are suitable for many basic use cases. You can further experiment with the standalone router that you used in the <em>Getting started</em> example by changing the router&#8217;s essential properties, network connections, security settings, logging, and routing mechanisms.</p>
</dd>
<dt class="hdlist1"><a href="#installing-router-qdr">Install and configure Dispatch Router</a></dt>
<dd>
<p>Dispatch Router is typically deployed in router networks. You can design a router network of any arbitrary topology to interconnect the endpoints in your messaging network.</p>
</dd>
<dt class="hdlist1"><a href="#management">Monitor and manage Dispatch Router</a></dt>
<dd>
<p>You can use the web console and command-line management tools to monitor the status and performance of the routers in your router network.</p>
</dd>
</dl>
</div>
</div>
</div>
</div>
<h1 id="install" class="sect0">Install</h1>
<div class="sect1">
<h2 id="router-deployment-guidelines-qdr">4. Dispatch Router deployment guidelines</h2>
<div class="sectionbody">
<div class="paragraph">
<p>To plan your router network and design the network topology, you must first understand the different router modes and how you can use them to create different types of networks.</p>
</div>
<div class="sect2">
<h3 id="router-operating-modes-qdr">4.1. Router operating modes</h3>
<div class="paragraph">
<p>In Dispatch Router, each router can operate in <em>standalone</em>, <em>interior</em>, or <em>edge</em> mode. In a router network, you deploy multiple interior routers or a combination of interior and edge routers to create the desired network topology.</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">Standalone</dt>
<dd>
<p>The router operates as a single, standalone network node. A standalone router cannot be used in a router network - it does not establish connections with other routers, and only routes messages between directly-connected endpoints.</p>
</dd>
<dt class="hdlist1">Interior</dt>
<dd>
<p>The router is part of the interior of the router network. Interior routers establish connections with each other and automatically compute the lowest cost paths across the network. You can have up to 128 interior routers in the router network.</p>
</dd>
<dt class="hdlist1">Edge</dt>
<dd>
<p>The router maintains a single uplink connection to one or more interior routers. Edge routers do not participate in the routing protocol or route computation, but they enable you to efficiently scale the routing network. There are no limits to the number of edge routers you can deploy in a router network.</p>
</dd>
</dl>
</div>
</div>
<div class="sect2">
<h3 id="security-guidelines-qdr">4.2. Security guidelines</h3>
<div class="paragraph">
<p>In the router network, the interior routers should be secured with a strong authentication mechanism in which they identify themselves to each other. You should choose and plan this authentication mechanism before creating the router network.</p>
</div>
<div class="admonitionblock warning">
<table>
<tr>
<td class="icon">
<div class="title">Warning</div>
</td>
<td class="content">
<div class="paragraph">
<p>If the interior routers are not properly secured, unauthorized routers (or endpoints pretending to be routers) could join the router network, compromising its integrity and availability.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>You can choose a security mechanism that best fits your requirements. However, you should consider the following recommendations:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Create an X.509 Certificate Authority (CA) to oversee the interior portion of the router network.</p>
</li>
<li>
<p>Generate an individual certificate for each interior router.</p>
<div class="paragraph">
<p>Each interior router can be configured to use the CA to authenticate connections from any other interior routers.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>Connections from edge routers and clients can use different levels of security, depending on your requirements.</p>
</div>
</td>
</tr>
</table>
</div>
</li>
</ul>
</div>
<div class="paragraph">
<p>By using these recommendations, a new interior router cannot join the network until the owner of the CA issues a new certificate for the new router. In addition, an intruder wishing to spoof an interior router cannot do so because it would not have a valid X.509 certificate issued by the network&#8217;s CA.</p>
</div>
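<div class="paragraph">
<p>The following check is an added example, not part of the Dispatch Router documentation or code. It parses <code>qdrouterd.conf</code>-style text and flags listeners that accept unauthenticated peers on all interfaces (as the default listener in <em>Getting started</em> does) and inter-router listeners that do not require X.509 client certificates as recommended above. Assumptions: the attribute names <code>sslProfile</code>, <code>requireSsl</code>, and <code>saslMechanisms</code> come from the <code>qdrouterd.conf</code> man page rather than this section; an absent <code>authenticatePeer</code> is treated as <code>no</code> and an absent <code>host</code> as a wildcard; function names, finding labels, and file paths are hypothetical.</p>
</div>

```python
"""Audit listener entities in a qdrouterd.conf-style file (added example)."""
import re

# Constructed sample. The first listener is the default one shown on this page,
# the second is the page's inter-router listener without its elided attributes,
# the third adds TLS client-certificate authentication. Paths are placeholders.
SAMPLE_CONF = """
router {
    mode: interior
    id: Router.A
}
listener {
    host: 0.0.0.0
    port: amqp
    authenticatePeer: no
}
listener {
    host: 0.0.0.0
    port: 5001
    role: inter-router
}
sslProfile {
    name: inter-router-tls
    caCertFile: /path/to/ca-cert.pem          # placeholder
    certFile: /path/to/router-a-cert.pem      # placeholder
    privateKeyFile: /path/to/router-a-key.pem # placeholder
}
listener {
    host: 0.0.0.0
    port: 5002
    role: inter-router
    sslProfile: inter-router-tls
    requireSsl: yes
    authenticatePeer: yes
    saslMechanisms: EXTERNAL
}
"""

# Assumption: a listener with no host attribute is treated as a wildcard bind.
WILDCARD_HOSTS = {"", "0.0.0.0", "::"}
ENTITY_RE = re.compile(r"(\w+)\s*\{([^{}]*)\}")


def parse_conf(text):
    """Return [(entity_type, {attribute: value})] for flat 'name { k: v }' blocks."""
    # Drop '#' comments and the ' // (n)' callout markers printed in the listing.
    lines = [re.split(r"#|\s//", line, maxsplit=1)[0] for line in text.splitlines()]
    entities = []
    for kind, body in ENTITY_RE.findall("\n".join(lines)):
        attrs = {}
        for line in body.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # skips blank lines and elisions such as '...'
                attrs[key.strip()] = value.strip()
        entities.append((kind, attrs))
    return entities


def is_yes(value):
    return value.strip().lower() in {"yes", "true"}


def audit_listeners(entities):
    """Return [(host:port, finding)] for listeners that need attention."""
    profiles = {a.get("name") for kind, a in entities if kind == "sslProfile"}
    findings = []
    for kind, a in entities:
        if kind != "listener":
            continue
        where = f"{a.get('host', '')}:{a.get('port', '?')}"
        # Assumption: an absent authenticatePeer means peers are not authenticated.
        authenticated = is_yes(a.get("authenticatePeer", "no"))
        if a.get("host", "") in WILDCARD_HOSTS and not authenticated:
            findings.append((where, "open-listener"))
        # The startup log on this page reports role=normal when no role is set.
        if a.get("role", "normal") == "inter-router":
            profile = a.get("sslProfile")
            tls = bool(profile) and profile in profiles and is_yes(a.get("requireSsl", "no"))
            external = "EXTERNAL" in a.get("saslMechanisms", "").split()
            if not (tls and authenticated and external):
                findings.append((where, "inter-router-no-cert-auth"))
    return findings


if __name__ == "__main__":
    for where, finding in audit_listeners(parse_conf(SAMPLE_CONF)):
        print(f"{where}: {finding}")
```

<div class="paragraph">
<p>The parser handles only flat entities; nested blocks (such as policy definitions) and the JSON form of the configuration file are outside its scope.</p>
</div>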
</div>
<div class="sect2">
<h3 id="router-connection-guidelines-qdr">4.3. Router connection guidelines</h3>
<div class="paragraph">
<p>Before creating a router network, you should understand how routers connect to each other, and the factors that affect the direction in which an inter-router connection should be established.</p>
</div>
<h4 id="inter_router_connections_are_bidirectional" class="discrete">Inter-router connections are bidirectional</h4>
<div class="paragraph">
<p>When a connection is established between routers, message traffic flows in both directions across that connection. Each connection has a client side (a <em>connector</em>) and a server side (a <em>listener</em>) for the purposes of connection establishment. Once the connection is established, the two sides become equal participants in a bidirectional connection. For the purposes of routing AMQP traffic across the network, the direction of connection establishment is not relevant.</p>
</div>
<h4 id="factors_that_affect_the_direction_of_connection_establishment" class="discrete">Factors that affect the direction of connection establishment</h4>
<div class="paragraph">
<p>When establishing inter-router connections, you must choose which router will be the "listener" and which will be the "connector". There should be only one connection between any pair of routers.</p>
</div>
<div class="paragraph">
<p>When determining the direction of inter-router connections in the network topology, consider the following factors:</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">IP network boundaries and firewalls</dt>
<dd>
<p>Generally, inter-router connections should always be established from more private to more public. For example, to connect a router in a private IP network to another router in a public location (such as a public cloud provider), the router in the private network must have the connector and the router in the public location must have the listener. This is because the public location cannot reach the private location by TCP/IP without the use of VPNs or other firewall features designed to allow public-to-private access.</p>
</dd>
<dt class="hdlist1">Network topology</dt>
<dd>
<p>The topology of the router network may affect the direction in which connections should be established between the routers. For example, a star-topology that has a series of routers connected to one or two central "hub" routers should have listeners on the hub and connectors on the spokes. That way, new spoke routers may be added without changing the configuration of the hub.</p>
</dd>
</dl>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="installing-router-qdr">5. Installing Dispatch Router</h2>
<div class="sectionbody">
<div class="paragraph">
<p>You can deploy Dispatch Router as a single standalone router, or as multiple routers connected together in a router network. Router networks may represent any arbitrary topology, enabling you to design the network to best fit your requirements.</p>
</div>
<div class="paragraph">
<p>With Dispatch Router, the router network topology is independent from the message routing. This means that messaging clients always experience the same message routing behavior regardless of the underlying network topology. Even in a multi-site or hybrid cloud router network, the connected endpoints behave as if they were connected to a single, logical router.</p>
</div>
<div class="paragraph">
<p>To create the router network topology, complete the following:</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p><a href="#router-deployment-guidelines-qdr">Review the deployment guidelines</a>.</p>
<div class="paragraph">
<p>You should understand the different router operating modes you can deploy in your topology, and be aware of security requirements for the interior portion of the router network.</p>
</div>
</li>
<li>
<p><a href="#installing-router-linux-qdr">Install Dispatch Router on the host</a>.</p>
<div class="paragraph">
<p>If you are creating a router network with multiple routers, repeat this step on each host.</p>
</div>
</li>
<li>
<p><a href="#preparing-router-configurations-qdr">Prepare the router configurations</a>.</p>
<div class="paragraph">
<p>After installing Dispatch Router, configure it to define how it should connect to other routers and endpoints, and how it should operate.</p>
</div>
</li>
<li>
<p><a href="#starting-router-qdr">Start the routers</a>.</p>
<div class="paragraph">
<p>After the routers are configured, start them so that they can connect to each other and begin routing messages.</p>
</div>
</li>
</ol>
</div>
<div class="sect2">
<h3 id="installing-router-linux-qdr">5.1. Installing Dispatch Router on Linux</h3>
<div class="paragraph">
<p>Dispatch Router is distributed as a set of RPM packages, which are available for <code>yum</code>/<code>dnf</code>-based Linux distributions. Alternatively, you can build the Dispatch Router from source.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>Dispatch Router will not build on Windows.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="ulist">
<div class="title">Procedure</div>
<ul>
<li>
<p>Do one of the following:</p>
<div class="ulist">
<ul>
<li>
<p>Download and build the Dispatch Router source.</p>
<div class="paragraph">
<p>To download the source, see the <a href="https://qpid.apache.org/download.html" target="_blank" rel="noopener">Download page</a>. For instructions on building the source, see the <a href="https://gitbox.apache.org/repos/asf?p=qpid-dispatch.git;a=blob_plain;f=README;hb=1.14.0" target="_blank" rel="noopener">Qpid Dispatch README</a>.</p>
</div>
</li>
<li>
<p>Install the Dispatch Router packages.</p>
<div class="paragraph">
<p>Packages are available for <code>yum</code>/<code>dnf</code>-based Linux distributions. For more information, see the <a href="https://qpid.apache.org/packages.html" target="_blank" rel="noopener">Packages page</a>.</p>
</div>
</li>
</ul>
</div>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="preparing-router-configurations-qdr">5.2. Preparing router configurations</h3>
<div class="paragraph">
<p>After installing Dispatch Router, configure it to define how it should connect to other routers and endpoints, and how it should operate. If you are creating a router network, complete this workflow for each router in the network.</p>
</div>
<div class="ulist">
<div class="title">Prerequisites</div>
<ul>
<li>
<p>Dispatch Router is installed on the host.</p>
</li>
</ul>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p><a href="#configuring-router-properties-qdr">Configure essential router properties</a>.</p>
<div class="paragraph">
<p>To participate in a router network, a router must be configured with a unique ID and an operating mode.</p>
</div>
</li>
<li>
<p><a href="#configuring-network-connections-qdr">Configure network connections</a>.</p>
<div class="olist loweralpha">
<ol class="loweralpha" type="a">
<li>
<p>Connect the router to any other routers in the router network.</p>
<div class="paragraph">
<p>Repeat this step for each additional router to which you want to connect this router.</p>
</div>
</li>
<li>
<p>If the router should connect with an AMQP client, configure a client connection.</p>
</li>
<li>
<p>If the router should connect to an external AMQP container (such as a message broker), configure the connection.</p>
</li>
</ol>
</div>
</li>
<li>
<p><a href="#securing-network-connections-qdr">Secure each of the connections that you configured in the previous step</a>.</p>
</li>
<li>
<p>(Optional) Configure any additional properties.</p>
<div class="paragraph">
<p>These properties should be configured the same way on each router. Therefore, you should only configure each one once, and then copy the configuration to each additional router in the router network.</p>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="#configuring-authorization-qdr">Authorization</a></p>
<div class="paragraph">
<p>If necessary, configure policies to control which messaging resources clients are able to access on the router network.</p>
</div>
</li>
<li>
<p><a href="#configuring-routing-qdr">Routing</a></p>
<div class="paragraph">
<p>Dispatch Router automatically routes messages without any configuration: clients can send messages to the router network, and the router automatically routes them to their destinations. However, you can configure the routing to meet your exact requirements. You can configure the routing patterns to be used for certain addresses, create waypoints and autolinks to route messages through broker queues, and create link routes to connect clients to brokers.</p>
</div>
</li>
<li>
<p><a href="#configuring-logging-qdr">Logging</a></p>
<div class="paragraph">
<p>You can set the default logging configuration to ensure that events are logged at the correct level for your environment.</p>
</div>
</li>
</ul>
</div>
</li>
<li>
<p>Repeat this workflow for each additional router that you want to add to the router network.</p>
</li>
</ol>
</div>
</div>
<div class="sect2">
<h3 id="starting-router-qdr">5.3. Starting a router</h3>
<div class="paragraph">
<p>You use the <code>qdrouterd</code> command to start a router. You can start a router in the foreground, the background, or as a service.</p>
</div>
<div class="ulist">
<div class="title">Procedure</div>
<ul>
<li>
<p>Do one of the following:</p>
<div class="openblock">
<div class="content">
<table class="tableblock frame-all grid-all stretch">
<colgroup>
<col style="width: 30%;">
<col style="width: 70%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">To&#8230;&#8203;</th>
<th class="tableblock halign-left valign-top">Enter this command&#8230;&#8203;</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Start the router in the foreground</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="listingblock">
<div class="content">
<pre class="highlightjs highlight nowrap"><code data-lang="bash" class="language-bash hljs">$ qdrouterd</code></pre>
</div>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Start the router in the background as a daemon</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="listingblock">
<div class="content">
<pre class="highlightjs highlight nowrap"><code data-lang="bash" class="language-bash hljs">$ qdrouterd -d</code></pre>
</div>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Start the router as a service</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="listingblock">
<div class="content">
<pre class="highlightjs highlight nowrap"><code data-lang="bash" class="language-bash hljs">$ systemctl start qdrouterd.service</code></pre>
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>If you start the router as a service, the <code>systemd</code> <code>LimitNOFILE</code> limit affects the number of connections that can be open for the router. If you reach the limit, the router is not able to accept any more connections, and an error message is logged indicating "Too many open files". To avoid reaching this limit, increase the <code>LimitNOFILE</code> value for the <code>systemd</code> process.</p>
</div>
<div class="paragraph">
<p>For more information, see the <code>systemd.exec(5)</code> man page.</p>
</div>
</td>
</tr>
</table>
</div></div></td>
</tr>
</tbody>
</table>
</div>
</div>
</li>
</ul>
</div>
</div>
</div>
</div>
<h1 id="configuration" class="sect0">Configure</h1>
<div class="sect1">
<h2 id="configuring-router-properties-qdr">6. Configuring router properties</h2>
<div class="sectionbody">
<div class="paragraph">
<p>By default, Dispatch Router operates in <code>standalone</code> mode with a randomly-generated ID. If you want to use this router in a router network, you must change these properties.</p>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>Open the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file.</p>
</li>
<li>
<p>In the <code>router</code> section, specify the mode and ID.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This example shows a router configured to operate in <code>interior</code> mode:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">router {
mode: interior
id: Router.A
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>mode</code></dt>
<dd>
<p>Specify one of the following modes:</p>
<div class="ulist">
<ul>
<li>
<p><code>standalone</code> - Use this mode if the router does not communicate with
other routers and is not part of a router network. When operating in
this mode, the router only routes messages between directly connected
endpoints.</p>
</li>
<li>
<p><code>interior</code> - Use this mode if the router is part of a router network
and needs to collaborate with other routers.</p>
</li>
<li>
<p><code>edge</code> - Use this mode if the router is an edge router that will
connect to a network of interior routers.</p>
</li>
</ul>
</div>
</dd>
<dt class="hdlist1"><code>id</code></dt>
<dd>
<p>The unique
identifier for the router. This ID will also be the container name at
the AMQP protocol level.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
<li>
<p>If necessary, configure any additional properties for the router.</p>
<div class="paragraph">
<p>For information about additional attributes, see <a href="https://qpid.apache.org/releases/qpid-dispatch-1.14.0/man/qdrouterd.conf.html#_router">router</a> in the <code>qdrouterd.conf</code> man page.</p>
</div>
</li>
</ol>
</div>
</div>
</div>
<div class="sect1">
<h2 id="configuring-network-connections-qdr">7. Configuring network connections</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Dispatch Router connects clients, servers, AMQP services, and other routers through network connections. To connect the router to other messaging endpoints, you configure <em>listeners</em> to accept connections, and <em>connectors</em> to make outbound connections. However, connections are bidirectional - once the connection is established, message traffic flows in both directions.</p>
</div>
<div class="paragraph">
<p>You can do the following:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="#connecting-routers-qdr">Connect a router to another router</a></p>
</li>
<li>
<p><a href="#listening-client-connections-qdr">Listen for client connections</a></p>
</li>
<li>
<p><a href="#connecting-to-external-amqp-containers-qdr">Connect a router to an external AMQP container</a></p>
</li>
<li>
<p><a href="#adding-metadata-to-connections-qdr">Add metadata to connections</a></p>
</li>
<li>
<p><a href="#understanding-connection-failover-qdr">Understand connection failover</a></p>
</li>
</ul>
</div>
<div class="sect2">
<h3 id="connecting-routers-qdr">7.1. Connecting routers</h3>
<div class="paragraph">
<p>To connect a router to another router in the router network, you configure a <code>connector</code> on one router to create the outbound connection, and a <code>listener</code> on the other router to accept the connection.</p>
</div>
<div class="paragraph">
<p>Because connections are bidirectional, there should only be one connection between any pair of routers. Once the connection is established, message traffic flows in both directions.</p>
</div>
<div class="paragraph">
<p>This procedure describes how to connect a router to another router in the router network.</p>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>Determine the direction of the connection.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Decide which router should be the "connector", and which should be the "listener". The direction of the connection establishment is sometimes arbitrary, but consider the following factors:</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">IP network boundaries and firewalls</dt>
<dd>
<p>Generally, inter-router connections should always be established from more private to more public. For example, to connect a router in a private IP network to another router in a public location (such as a public cloud provider), the router in the private network must be the "connector" and the router in the public location must be the "listener". This is because the public location cannot reach the private location by TCP/IP without the use of VPNs or other firewall features designed to allow public-to-private access.</p>
</dd>
<dt class="hdlist1">Network topology</dt>
<dd>
<p>The topology of the router network may affect the direction in which connections should be established between the routers. For example, a star-topology that has a series of routers connected to one or two central "hub" routers should have "listeners" on the hub and "connectors" on the spokes. That way, new spoke routers may be added without changing the configuration of the hub.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
<li>
<p>On the router that should create the connection, open the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file and add a <code>connector</code>.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This example creates a <code>connector</code> for an inter-router connection between two interior routers:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">connector {
host: 192.0.2.1
port: 5001
role: inter-router
...
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>host</code></dt>
<dd>
<p>The IP address (IPv4 or IPv6) or hostname to which the router will connect.</p>
</dd>
<dt class="hdlist1"><code>port</code></dt>
<dd>
<p>The port number or symbolic service name to which the router will connect.</p>
</dd>
<dt class="hdlist1"><code>role</code></dt>
<dd>
<p>The role of the connection. If the connection is between two interior routers, specify <code>inter-router</code>. If the connection is between an interior router and an edge router, specify <code>edge</code>.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
<li>
<p>On the router that should accept the connection, open the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file and verify that an inter-router <code>listener</code> is configured.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This example creates a <code>listener</code> to accept the connection configured in the previous step:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">listener {
host: 0.0.0.0
port: 5001
role: inter-router
...
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>host</code></dt>
<dd>
<p>The IP address (IPv4 or IPv6) or hostname on which the router will listen.</p>
</dd>
<dt class="hdlist1"><code>port</code></dt>
<dd>
<p>The port number or symbolic service name on which the router will listen.</p>
</dd>
<dt class="hdlist1"><code>role</code></dt>
<dd>
<p>The role of the connection. If the connection is between two interior routers, specify <code>inter-router</code>. If the connection is between an interior router and an edge router, specify <code>edge</code>.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
<li>
<p>If the router should connect to any other routers, repeat this procedure.</p>
<div class="paragraph">
<p>Edge routers can only connect to interior routers. They cannot connect to other edge routers.</p>
</div>
</li>
</ol>
</div>
<div class="ulist">
<div class="title">Additional resources</div>
<ul>
<li>
<p>After connecting a router to another router, secure the connection.</p>
<div class="paragraph">
<p>For more information, see <a href="#securing-connections-between-routers-qdr">Securing connections between routers</a>.</p>
</div>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="listening-client-connections-qdr">7.2. Listening for client connections</h3>
<div class="paragraph">
<p>To enable a router to listen for and accept connections from AMQP clients, you configure a <code>listener</code>.</p>
</div>
<div class="paragraph">
<p>Once the connection is enabled on the router, clients can connect to it using the same methods they use to connect to a broker. From the client&#8217;s perspective, the router connection and link establishment are identical to a broker connection and link establishment.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>Instead of configuring a <code>listener</code> to listen for connections from the client, you can configure a <code>connector</code> to initiate connections to the client. In this case, the router will use the <code>connector</code> to initiate the connection, but it will not create any links. Links are only created by the peer that accepts the connection.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>Open the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file.</p>
</li>
<li>
<p>Configure a <code>listener</code> with the <code>normal</code> role.</p>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="nowrap">listener {
host: primary.example.com
port: 5672
role: normal
failoverUrls: secondary.example.com:20000, tertiary.example.com
...
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>host</code></dt>
<dd>
<p>The IP address (IPv4 or IPv6) or hostname on which the router will listen.</p>
</dd>
<dt class="hdlist1"><code>port</code></dt>
<dd>
<p>The port number or symbolic service name on which the router will listen.</p>
</dd>
<dt class="hdlist1"><code>role</code></dt>
<dd>
<p>The role of the connection. Specify <code>normal</code> to indicate that this connection is used for message delivery for AMQP clients.</p>
</dd>
<dt class="hdlist1"><code>failoverUrls</code> (optional)</dt>
<dd>
<p>A comma-separated list of backup URLs the client can use to reconnect if the established connection is lost. Each URL must use the following form:</p>
<div class="paragraph">
<p><code>[(amqp|amqps|ws|wss)://](<em>HOST</em>|<em>IP ADDRESS</em>)[:port]</code></p>
</div>
<div class="paragraph">
<p>For more information, see <a href="#understanding-connection-failover-qdr">Understanding connection failover</a>.</p>
</div>
</dd>
</dl>
</div>
</div>
</div>
</li>
</ol>
</div>
<div class="ulist">
<div class="title">Additional resources</div>
<ul>
<li>
<p>After enabling a router to listen for client connections, secure the connection.</p>
<div class="paragraph">
<p>For more information, see <a href="#securing-incoming-client-connections-qdr">Securing incoming client connections</a>.</p>
</div>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="connecting-to-external-amqp-containers-qdr">7.3. Connecting to external AMQP containers</h3>
<div class="paragraph">
<p>To enable a router to establish a connection to an external AMQP container (such as a message broker), you configure a <code>connector</code>.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>Instead of configuring a <code>connector</code> to initiate connections to the AMQP container, you can configure a <code>listener</code> to listen for connections from the AMQP container. However, in this case, the addresses on the AMQP container are available for routing only after the AMQP container has created a connection.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>Open the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file.</p>
</li>
<li>
<p>Configure a <code>connector</code> with the <code>route-container</code> role.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This example creates a <code>connector</code> that initiates connections to a broker. The addresses on the broker will be available for routing once the router creates the connection and it is accepted by the broker.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">connector {
name: my-broker
host: 192.0.2.10
port: 5672
role: route-container
...
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>name</code></dt>
<dd>
<p>The name of the <code>connector</code>. Specify a name that describes the entity to which the router will connect.</p>
</dd>
<dt class="hdlist1"><code>host</code></dt>
<dd>
<p>The IP address (IPv4 or IPv6) or hostname to which the router will connect.</p>
</dd>
<dt class="hdlist1"><code>port</code></dt>
<dd>
<p>The port number or symbolic service name to which the router will connect.</p>
</dd>
<dt class="hdlist1"><code>role</code></dt>
<dd>
<p>The role of the connection. Specify <code>route-container</code> to indicate that this connection is for an AMQP container that holds known addresses.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
</ol>
</div>
<div class="ulist">
<div class="title">Additional resources</div>
<ul>
<li>
<p>After enabling a router to connect to an external AMQP container, configure any necessary security credentials.</p>
<div class="paragraph">
<p>For more information, see <a href="#securing-outgoing-connections-qdr">Securing outgoing connections</a>.</p>
</div>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="adding-metadata-to-connections-qdr">7.4. Adding metadata to connections</h3>
<div class="paragraph">
<p>In a complex topology, it can be useful to add metadata to connections so that messages can be handled programmatically.</p>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>Open the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file.</p>
</li>
<li>
<p>Add arbitrary JSON to the <code>connector</code> configuration using the <code>openProperties</code> attribute.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This example adds the property <code>label</code> with the value <code>green</code>.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">connector {
    name: broker
    role: route-container
    host: 127.0.0.1
    port: 22180
    saslMechanisms: ANONYMOUS
    openProperties: {
        "label": "green"
    }
}</pre>
</div>
</div>
<div class="paragraph">
<p>Note the following restrictions on the JSON entries:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>ASCII characters only for keys</p>
</li>
<li>
<p>The following keys are not allowed:</p>
<div class="ulist">
<ul>
<li>
<p>product</p>
</li>
<li>
<p>version</p>
</li>
<li>
<p>failover-server-list</p>
</li>
<li>
<p>network-host</p>
</li>
<li>
<p>port</p>
</li>
<li>
<p>scheme</p>
</li>
<li>
<p>hostname</p>
</li>
<li>
<p>any key starting with <code>qd.</code></p>
</li>
<li>
<p>any key starting with <code>x-opt-qd.</code></p>
</li>
</ul>
</div>
</li>
</ul>
</div>
<div class="paragraph">
<p>The <code>openProperties</code> attribute can only be set for a connector with a <code>normal</code> or <code>route-container</code> role.
You cannot set the attribute for connectors that have the following settings:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>role: inter-router</code></p>
</li>
<li>
<p><code>role: edge</code></p>
</li>
<li>
<p><code>http: true</code></p>
</li>
</ul>
</div>
<div class="paragraph">
<p>The JSON format supports lists, maps and multiple entries, for example:</p>
</div>
<div class="listingblock">
<div class="content">
<pre>connector {
    name: broker
    role: route-container
    host: 127.0.0.1
    port: 22180
    saslMechanisms: ANONYMOUS
    openProperties: {
        "foo": "bar",
        "integer": 7,
        "list": ["a", 1, "b", -9, true],
        "map": {"key1": null, "key2": [1, 2, 3]}
    }
    cost: 10
}</pre>
</div>
</div>
</div>
</div>
</li>
</ol>
</div>
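<div class="paragraph">
<p>The restrictions above can be checked before a configuration is deployed. The following is an added example, not part of Dispatch Router: <code>check_open_properties</code> and the sample connectors are hypothetical, the connector is passed in as a dictionary with <code>openProperties</code> as a JSON string, and it assumes that an unset <code>role</code> means <code>normal</code>, that the value must be a JSON map, and that the key rules apply to top-level keys.</p>
</div>

```python
import json

# Top-level keys the page lists as not allowed in openProperties.
RESERVED_KEYS = {"product", "version", "failover-server-list",
                 "network-host", "port", "scheme", "hostname"}
RESERVED_PREFIXES = ("qd.", "x-opt-qd.")
# Roles for which the page says openProperties may be set.
ALLOWED_ROLES = {"normal", "route-container"}


def check_open_properties(connector):
    """Return a list of problems for one connector.

    `connector` maps attribute names to values; openProperties is the
    JSON text exactly as it would appear in qdrouterd.conf.
    """
    problems = []
    raw = connector.get("openProperties")
    if raw is None:
        return problems

    # Assumption: a connector without an explicit role is a normal one.
    role = connector.get("role", "normal")
    if role not in ALLOWED_ROLES:
        problems.append("role %s cannot carry openProperties" % role)
    if str(connector.get("http", "no")).lower() in ("yes", "true"):
        problems.append("http connectors cannot carry openProperties")

    # Strict JSON parsing: this also rejects trailing commas.
    try:
        props = json.loads(raw)
    except ValueError as exc:
        return problems + ["openProperties is not valid JSON: %s" % exc]
    # Assumption: the value has to be a map of property names to values.
    if not isinstance(props, dict):
        return problems + ["openProperties must be a JSON map"]

    for key in props:
        if not key.isascii():
            problems.append("key %r contains non-ASCII characters" % key)
        if key in RESERVED_KEYS or key.startswith(RESERVED_PREFIXES):
            problems.append("key %r is reserved" % key)
    return problems


# Constructed sample: the multi-entry map from this section.
GOOD = {
    "name": "broker",
    "role": "route-container",
    "openProperties": '{"foo": "bar", "integer": 7, '
                      '"list": ["a", 1, "b", -9, true], '
                      '"map": {"key1": null, "key2": [1, 2, 3]}}',
}

# Constructed sample: wrong role, two reserved keys, one non-ASCII key.
BAD = {
    "name": "hub",
    "role": "inter-router",
    "openProperties": '{"label": "green", "qd.note": 1, '
                      '"hostname": "x", "caf\\u00e9": true}',
}

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(sample["name"], check_open_properties(sample))
```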
</div>
<div class="sect2">
<h3 id="understanding-connection-failover-qdr">7.5. Understanding connection failover</h3>
<div class="paragraph">
<p>If a connection between a router and a remote host fails, connection failover enables the connection to be reestablished automatically on an alternate URL.</p>
</div>
<div class="paragraph">
<p>A router can use connection failover for both incoming and outgoing connections.</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">Connection failover for outgoing connections</dt>
<dd>
<p>By default, when you configure a <code>connector</code> on a router, the router attempts to maintain an open network transport connection to the configured remote host and port. If the connection cannot be established, the router continually retries until the connection is established. If the connection is established and then fails, the router immediately attempts to reestablish the connection.</p>
<div class="paragraph">
<p>When the router establishes a connection to a remote host, the client may provide the router with alternate connection information (sometimes called failover lists) that it can use if the connection is lost. In these cases, the router does not only attempt to reestablish the connection on the same host; it also tries the alternate hosts.</p>
</div>
<div class="paragraph">
<p>Connection failover is particularly useful when the router establishes outgoing connections to a cluster of servers providing the same service.</p>
</div>
</dd>
<dt class="hdlist1">Connection failover for incoming connections</dt>
<dd>
<p>You can configure a <code>listener</code> on a router to provide a list of failover URLs to be used as backups. If the connection is lost, the client can use these failover URLs to reestablish the connection to the router.</p>
</dd>
</dl>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="securing-network-connections-qdr">8. Securing network connections</h2>
<div class="sectionbody">
<div class="paragraph">
<p>You can configure Dispatch Router to communicate with clients, routers, and brokers in a secure way by authenticating and encrypting the router&#8217;s connections. Dispatch Router supports the following security protocols:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>SSL/TLS for certificate-based encryption and mutual authentication</p>
</li>
<li>
<p>SASL for authentication with mechanisms</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>You can configure SSL/TLS, SASL, or a combination of both to secure any of the following:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="#securing-connections-between-routers-qdr">Secure connections between routers</a></p>
</li>
<li>
<p><a href="#securing-incoming-client-connections-qdr">Secure incoming client connections</a></p>
</li>
<li>
<p><a href="#securing-outgoing-connections-qdr">Secure outgoing connections</a></p>
</li>
</ul>
</div>
<div class="sect2">
<h3 id="securing-connections-between-routers-qdr">8.1. Securing connections between routers</h3>
<div class="paragraph">
<p>Connections between interior routers should be secured with SSL/TLS encryption and authentication (also called mutual authentication) to prevent unauthorized routers (or endpoints pretending to be routers) from joining the network.</p>
</div>
<div class="paragraph">
<p>SSL/TLS mutual authentication requires an X.509 Certificate Authority (CA) with individual certificates generated for each interior router. Connections between the interior routers are encrypted, and the CA authenticates each incoming inter-router connection.</p>
</div>
<div class="paragraph">
<p>This procedure describes how to secure a connection between two interior routers using SSL/TLS mutual authentication.</p>
</div>
<div class="ulist">
<div class="title">Prerequisites</div>
<ul>
<li>
<p>An X.509 Certificate Authority must exist for the interior routers.</p>
</li>
<li>
<p>A security certificate must be generated for each router and be signed by the CA.</p>
</li>
<li>
<p>An inter-router connection must exist between the routers.</p>
<div class="paragraph">
<p>For more information, see <a href="#connecting-routers-qdr">Connecting routers</a>.</p>
</div>
</li>
</ul>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>On the router that establishes the connection, do the following:</p>
<div class="olist loweralpha">
<ol class="loweralpha" type="a">
<li>
<p>Open the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file.</p>
</li>
<li>
<p>If the router does not contain an <code>sslProfile</code> that defines the private keys and certificates for the inter-router network, then add one.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This <code>sslProfile</code> contains the locations of the private key and certificates that the router uses to authenticate with its peer.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">sslProfile {
name: inter-router-tls
certFile: /etc/pki/tls/certs/tls.crt
caCertFile: /etc/pki/tls/certs/ca.crt
privateKeyFile: /etc/pki/tls/private/tls.key
password: file:/etc/pki/tls/private/password.txt
...
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>name</code></dt>
<dd>
<p>A unique name that you can use to refer to this <code>sslProfile</code>.</p>
</dd>
<dt class="hdlist1"><code>certFile</code></dt>
<dd>
<p>The absolute path to the file containing the public certificate for this router.</p>
</dd>
<dt class="hdlist1"><code>caCertFile</code></dt>
<dd>
<p>The absolute path to the CA certificate that was used to sign the router&#8217;s certificate.</p>
</dd>
<dt class="hdlist1"><code>privateKeyFile</code></dt>
<dd>
<p>The absolute path to the file containing the private key for this router&#8217;s public certificate.</p>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>Ensure that the <code>qdrouterd</code> or root user can access the private key. For example:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">chmod 0600 /etc/pki/tls/private/tls.key
chown qdrouterd /etc/pki/tls/private/tls.key</pre>
</div>
</div>
</td>
</tr>
</table>
</div>
</dd>
</dl>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>password</code></dt>
<dd>
<p>The password to unlock the private key. You do not need to specify this if the private key does not have a password. By using different prefixes, you can specify the password several different ways depending on your security requirements:</p>
<div class="ulist">
<ul>
<li>
<p>Specify the absolute path to a file that contains the password. This is the most secure option, because you can set permissions on the file that contains the password. For example:</p>
<div class="listingblock">
<div class="content">
<pre class="nowrap">password: file:/etc/pki/tls/private/password.txt</pre>
</div>
</div>
</li>
<li>
<p>Specify an environment variable that stores the password. Use this option with caution, because the environment of other processes is visible on certain platforms. For example:</p>
<div class="listingblock">
<div class="content">
<pre class="nowrap">password: env:CERT_PASSWORD</pre>
</div>
</div>
</li>
<li>
<p>Specify the password in clear text. This option is insecure, so it should only be used if security is not a concern. For example:</p>
<div class="listingblock">
<div class="content">
<pre class="nowrap">password: pass:mycertpassword</pre>
</div>
</div>
</li>
</ul>
</div>
</dd>
</dl>
</div>
</div>
</div>
</li>
<li>
<p>Configure the inter-router <code>connector</code> for this connection to use the <code>sslProfile</code> that you created.</p>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="nowrap">connector {
host: 192.0.2.1
port: 5001
role: inter-router
sslProfile: inter-router-tls
...
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>sslProfile</code></dt>
<dd>
<p>The name of the <code>sslProfile</code> that defines the SSL/TLS private keys and certificates for the inter-router network.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
</ol>
</div>
</li>
<li>
<p>On the router that listens for the connection, do the following:</p>
<div class="olist loweralpha">
<ol class="loweralpha" type="a">
<li>
<p>Open the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file.</p>
</li>
<li>
<p>If the router does not contain an <code>sslProfile</code> that defines the private keys and certificates for the inter-router network, then add one.</p>
</li>
<li>
<p>Configure the inter-router <code>listener</code> for this connection to use SSL/TLS to secure the connection.</p>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="nowrap">listener {
host: 0.0.0.0
port: 5001
role: inter-router
sslProfile: inter-router-tls
authenticatePeer: yes
requireSsl: yes
saslMechanisms: EXTERNAL
...
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>sslProfile</code></dt>
<dd>
<p>The name of the <code>sslProfile</code> that defines the SSL/TLS private keys and certificates for the inter-router network.</p>
</dd>
<dt class="hdlist1"><code>authenticatePeer</code></dt>
<dd>
<p>Specify <code>yes</code> to authenticate the peer interior router&#8217;s identity.</p>
</dd>
<dt class="hdlist1"><code>requireSsl</code></dt>
<dd>
<p>Specify <code>yes</code> to encrypt the connection with SSL/TLS.</p>
</dd>
<dt class="hdlist1"><code>saslMechanisms</code></dt>
<dd>
<p>Specify <code>EXTERNAL</code> to enable X.509 client certificate authentication.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
</ol>
</div>
</li>
</ol>
</div>
</div>
<div class="sect2">
<h3 id="securing-incoming-client-connections-qdr">8.2. Securing incoming client connections</h3>
<div class="paragraph">
<p>You can use SSL/TLS and SASL to provide the appropriate level of security for client traffic into the router network. You can use the following methods to secure incoming connections to a router from AMQP clients, external containers, or edge routers:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="#enabling-ssl-tls-encryption-qdr">Enable SSL/TLS encryption</a></p>
</li>
<li>
<p><a href="#enabling-ssl-tls-client-authentication-qdr">Enable SSL/TLS client authentication</a></p>
</li>
<li>
<p><a href="#enabling-username-password-authentication-qdr">Enable user name and password authentication</a></p>
</li>
<li>
<p><a href="#integrating-with-kerberos-qdr">Integrate with Kerberos</a></p>
</li>
</ul>
</div>
<div class="sect3">
<h4 id="enabling-ssl-tls-encryption-qdr">8.2.1. Enabling SSL/TLS encryption</h4>
<div class="paragraph">
<p>You can use SSL/TLS to encrypt an incoming connection from a client.</p>
</div>
<div class="ulist">
<div class="title">Prerequisites</div>
<ul>
<li>
<p>An X.509 Certificate Authority (CA) must exist for the client connections.</p>
</li>
<li>
<p>A security certificate must be generated and signed by the CA.</p>
</li>
</ul>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>Open the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file.</p>
</li>
<li>
<p>If the router does not contain an <code>sslProfile</code> that defines the private keys and certificates for client connections, then add one.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This <code>sslProfile</code> contains the locations of the private key and certificates that the router should use to encrypt connections from clients.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">sslProfile {
name: service-tls
certFile: /etc/pki/tls/certs/tls.crt
caCertFile: /etc/pki/tls/certs/ca.crt
privateKeyFile: /etc/pki/tls/private/tls.key
password: file:/etc/pki/tls/private/password.txt
...
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>name</code></dt>
<dd>
<p>A unique name that you can use to refer to this <code>sslProfile</code>.</p>
</dd>
<dt class="hdlist1"><code>certFile</code></dt>
<dd>
<p>The absolute path to the file containing the public certificate for this router.</p>
</dd>
<dt class="hdlist1"><code>caCertFile</code></dt>
<dd>
<p>The absolute path to the CA certificate that was used to sign the router&#8217;s certificate.</p>
</dd>
<dt class="hdlist1"><code>privateKeyFile</code></dt>
<dd>
<p>The absolute path to the file containing the private key for this router&#8217;s public certificate.</p>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>Ensure that the <code>qdrouterd</code> or root user can access the private key. For example:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">chmod 0600 /etc/pki/tls/private/tls.key
chown qdrouterd /etc/pki/tls/private/tls.key</pre>
</div>
</div>
</td>
</tr>
</table>
</div>
</dd>
</dl>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>password</code></dt>
<dd>
<p>The password to unlock the private key. You do not need to specify this if the private key does not have a password. By using different prefixes, you can specify the password several different ways depending on your security requirements:</p>
<div class="ulist">
<ul>
<li>
<p>Specify the absolute path to a file that contains the password. This is the most secure option, because you can set permissions on the file that contains the password. For example:</p>
<div class="listingblock">
<div class="content">
<pre class="nowrap">password: file:/etc/pki/tls/private/password.txt</pre>
</div>
</div>
</li>
<li>
<p>Specify an environment variable that stores the password. Use this option with caution, because the environment of other processes is visible on certain platforms. For example:</p>
<div class="listingblock">
<div class="content">
<pre class="nowrap">password: env:CERT_PASSWORD</pre>
</div>
</div>
</li>
<li>
<p>Specify the password in clear text. This option is insecure, so it should only be used if security is not a concern. For example:</p>
<div class="listingblock">
<div class="content">
<pre class="nowrap">password: pass:mycertpassword</pre>
</div>
</div>
</li>
</ul>
</div>
</dd>
</dl>
</div>
</div>
</div>
</li>
<li>
<p>Configure the <code>listener</code> for this connection to use SSL/TLS to encrypt the connection.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This example configures a <code>normal</code> listener to encrypt connections from clients.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">listener {
host: 0.0.0.0
port: 5672
role: normal
sslProfile: service-tls
requireSsl: yes
...
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>sslProfile</code></dt>
<dd>
<p>The name of the <code>sslProfile</code> that defines the SSL/TLS private keys and certificates for client connections.</p>
</dd>
<dt class="hdlist1"><code>requireSsl</code></dt>
<dd>
<p>Specify <code>yes</code> to encrypt the connection with SSL/TLS.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
</ol>
</div>
</div>
<div class="sect3">
<h4 id="enabling-ssl-tls-client-authentication-qdr">8.2.2. Enabling SSL/TLS client authentication</h4>
<div class="paragraph">
<p>In addition to SSL/TLS encryption, you can also use SSL/TLS to authenticate an incoming connection from a client. With this method, a client must present its own X.509 certificate to the router, which the router uses to verify the client&#8217;s identity.</p>
</div>
<div class="ulist">
<div class="title">Prerequisites</div>
<ul>
<li>
<p>SSL/TLS encryption must be configured.</p>
<div class="paragraph">
<p>For more information, see <a href="#enabling-ssl-tls-encryption-qdr">Enabling SSL/TLS encryption</a>.</p>
</div>
</li>
<li>
<p>The client must have an X.509 certificate that it can use to authenticate to the router.</p>
</li>
</ul>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>Open the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file.</p>
</li>
<li>
<p>Configure the <code>listener</code> for this connection to use SSL/TLS to authenticate the client.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This example adds SSL/TLS authentication to a <code>normal</code> listener to authenticate incoming connections from a client. The client will only be able to connect to the router by presenting its own X.509 certificate to the router, which the router will use to verify the client&#8217;s identity.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">listener {
host: 0.0.0.0
port: 5672
role: normal
sslProfile: service-tls
requireSsl: yes
authenticatePeer: yes
saslMechanisms: EXTERNAL
...
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>authenticatePeer</code></dt>
<dd>
<p>Specify <code>yes</code> to authenticate the client&#8217;s identity.</p>
</dd>
<dt class="hdlist1"><code>saslMechanisms</code></dt>
<dd>
<p>Specify <code>EXTERNAL</code> to enable X.509 client certificate authentication.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
</ol>
</div>
</div>
<div class="sect3">
<h4 id="enabling-username-password-authentication-qdr">8.2.3. Enabling user name and password authentication</h4>
<div class="paragraph">
<p>You can use the SASL PLAIN mechanism to authenticate incoming client connections against a set of user names and passwords. You can use this method by itself, or you can combine it with SSL/TLS encryption.</p>
</div>
<div class="ulist">
<div class="title">Prerequisites</div>
<ul>
<li>
<p>The <code>cyrus-sasl-plain</code> plugin is installed.</p>
<div class="paragraph">
<p>Cyrus SASL uses plugins to support specific SASL mechanisms. Before you can use a particular SASL mechanism, the relevant plugin must be installed.</p>
</div>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>To see a list of Cyrus SASL plugins in a <code>dnf</code>-based Linux system, use the <code>dnf search cyrus-sasl</code> command. To install a Cyrus SASL plugin, use the <code>dnf install <em>&lt;plugin&gt;</em></code> command.</p>
</div>
</div>
</div>
</li>
</ul>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>If necessary, add the user names and passwords to the SASL database.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This example adds a new user (user1@example.com) to the SASL database (qdrouterd.sasldb):</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">$ sudo saslpasswd2 -c -f qdrouterd.sasldb -u example.com user1</pre>
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>The full user name is the user name you entered plus the domain name (<code><em>&lt;user-name&gt;</em></code>@<code><em>&lt;domain-name&gt;</em></code>). Providing a domain name is not required when you add a user to the database, but if you do not provide one, a default domain will be added automatically (the hostname of the machine on which the tool is running).</p>
</div>
</td>
</tr>
</table>
</div>
</div>
</div>
</li>
<li>
<p>Ensure that the <code>qdrouterd</code> process can read the SASL database.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>If the <code>qdrouterd</code> process runs as an unprivileged user, you might need to adjust the permissions or ownership of the SASL database so that the router can read it.</p>
</div>
<div class="paragraph">
<p>This example makes the qdrouterd user the owner of the SASL database:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">$ sudo chown qdrouterd /var/lib/qdrouterd/qdrouterd.sasldb</pre>
</div>
</div>
</div>
</div>
</li>
<li>
<p>Open the <code>/etc/sasl2/qdrouterd.conf</code> configuration file.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This example shows a <code>/etc/sasl2/qdrouterd.conf</code> configuration file:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: qdrouterd.sasldb
mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN GSSAPI</pre>
</div>
</div>
</div>
</div>
</li>
<li>
<p>Verify that the <code>mech_list</code> attribute contains the <code>PLAIN</code> mechanism.</p>
</li>
<li>
<p>Open the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file.</p>
</li>
<li>
<p>In the <code>router</code> section, specify the path to the SASL configuration file.</p>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="nowrap">router {
mode: interior
id: Router.A
saslConfigDir: /etc/sasl2/
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>saslConfigDir</code></dt>
<dd>
<p>The absolute path to the SASL configuration file that contains the path to the SASL database that stores the user names and passwords.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
<li>
<p>Configure the <code>listener</code> for this connection to authenticate clients using SASL PLAIN.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This example configures basic user name and password authentication for a <code>listener</code>. In this case, no SSL/TLS encryption is being used.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">listener {
host: 0.0.0.0
port: 5672
authenticatePeer: yes
saslMechanisms: PLAIN
}</pre>
</div>
</div>
</div>
</div>
</li>
</ol>
</div>
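<div class="paragraph">
<p>The listener and <code>sslProfile</code> settings from sections 8.1 and 8.2 can be checked mechanically before a router is started. The following is an added example, not part of Dispatch Router: <code>parse_sections</code>, <code>audit</code> and the sample configuration are hypothetical, and the parser assumes one attribute per line, <code>#</code> comments, and that an unset <code>role</code> means <code>normal</code>.</p>
</div>

```python
import re

SECTION = re.compile(r"^(\w+)\s*\{\s*$")
ATTR = re.compile(r"^(\w+)\s*:\s*(.*?)\s*$")


def parse_sections(text):
    """Parse 'type { key: value }' sections into (type, attrs) pairs.
    Nested maps such as openProperties are skipped, not interpreted."""
    sections, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        if current is None:
            m = SECTION.match(line)
            if m:
                current, depth = (m.group(1), {}), 1
            continue
        if line.startswith("}"):
            depth -= 1
            if depth == 0:
                sections.append(current)
                current = None
            continue
        m = ATTR.match(line)
        if depth == 1 and m:
            current[1][m.group(1)] = m.group(2)
        if line.endswith("{"):
            depth += 1
    return sections


def is_yes(value):
    return str(value).lower() in ("yes", "true")


def audit(text):
    """Return findings for the security settings described on this page."""
    sections = parse_sections(text)
    profiles = {a["name"]: a for t, a in sections
                if t == "sslProfile" and "name" in a}
    findings = []
    for name, attrs in profiles.items():
        pw = attrs.get("password", "")
        if pw.startswith("pass:"):
            findings.append("sslProfile %s: clear-text key password (pass:)" % name)
        elif pw.startswith("env:"):
            findings.append("sslProfile %s: key password in environment (env:)" % name)
    for kind, attrs in sections:
        if kind not in ("listener", "connector"):
            continue
        label = "%s %s:%s" % (kind, attrs.get("host", "?"), attrs.get("port", "?"))
        ref = attrs.get("sslProfile")
        # A mistyped profile name means no certificates are attached at all.
        if ref is not None and ref not in profiles:
            findings.append("%s: sslProfile '%s' is not defined" % (label, ref))
        if kind != "listener":
            continue
        mechs = attrs.get("saslMechanisms", "").split()
        tls = is_yes(attrs.get("requireSsl")) and ref in profiles
        # Section 8.1: TLS, peer authentication and EXTERNAL only.
        if attrs.get("role", "normal") == "inter-router":
            if not (tls and is_yes(attrs.get("authenticatePeer"))
                    and mechs == ["EXTERNAL"]):
                findings.append("%s: inter-router listener lacks SSL/TLS "
                                "mutual authentication" % label)
        # SASL PLAIN sends the password unencrypted unless TLS wraps it.
        if "PLAIN" in mechs and not tls:
            findings.append("%s: SASL PLAIN offered without SSL/TLS" % label)
    return findings


# Constructed sample: clear-text key password, a mistyped profile
# reference, and a PLAIN listener without encryption.
SAMPLE_CONF = """
sslProfile {
    name: inter-router-tls
    certFile: /etc/pki/tls/certs/tls.crt
    caCertFile: /etc/pki/tls/certs/ca.crt
    privateKeyFile: /etc/pki/tls/private/tls.key
    password: pass:mycertpassword
}
listener {
    host: 0.0.0.0
    port: 5001
    role: inter-router
    sslProfile: inter_router_tls   # does not match the profile name
    authenticatePeer: yes
    requireSsl: yes
    saslMechanisms: EXTERNAL
}
listener {
    host: 0.0.0.0
    port: 5672
    authenticatePeer: yes
    saslMechanisms: PLAIN
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```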
</div>
<div class="sect3">
<h4 id="integrating-with-kerberos-qdr">8.2.4. Integrating with Kerberos</h4>
<div class="paragraph">
<p>If you have implemented Kerberos in your environment, you can use it with the <code>GSSAPI</code> SASL mechanism to authenticate incoming connections.</p>
</div>
<div class="ulist">
<div class="title">Prerequisites</div>
<ul>
<li>
<p>A Kerberos infrastructure must be deployed in your environment.</p>
</li>
<li>
<p>In the Kerberos environment, a service principal of <code>amqp/&lt;hostname&gt;@&lt;realm&gt;</code> must be configured.</p>
<div class="paragraph">
<p>This is the service principal that Dispatch Router uses.</p>
</div>
</li>
<li>
<p>The <code>cyrus-sasl-gssapi</code> package must be installed on each client and the router host machine.</p>
</li>
</ul>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>On the router&#8217;s host machine, open the <code>/etc/sasl2/qdrouterd.conf</code> configuration file.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This example shows a <code>/etc/sasl2/qdrouterd.conf</code> configuration file:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: qdrouterd.sasldb
keytab: /etc/krb5.keytab
mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN GSSAPI</pre>
</div>
</div>
</div>
</div>
</li>
<li>
<p>Verify the following:</p>
<div class="openblock">
<div class="content">
<div class="ulist">
<ul>
<li>
<p>The <code>mech_list</code> attribute contains the <code>GSSAPI</code> mechanism.</p>
</li>
<li>
<p>The <code>keytab</code> attribute points to the location of the keytab file.</p>
</li>
</ul>
</div>
</div>
</div>
</li>
<li>
<p>Open the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file.</p>
</li>
<li>
<p>In the <code>router</code> section, specify the path to the SASL configuration file.</p>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="nowrap">router {
mode: interior
id: Router.A
saslConfigDir: /etc/sasl2/
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>saslConfigDir</code></dt>
<dd>
<p>The absolute path to the SASL configuration file that contains the path to the SASL database.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
<li>
<p>For each incoming connection using Kerberos for authentication, set the <code>listener</code> to use the <code>GSSAPI</code> mechanism.</p>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="content">
<pre>listener {
host: 0.0.0.0
port: 5672
authenticatePeer: yes
saslMechanisms: GSSAPI
}</pre>
</div>
</div>
</div>
</div>
</li>
</ol>
</div>
</div>
</div>
<div class="sect2">
<h3 id="securing-outgoing-connections-qdr">8.3. Securing outgoing connections</h3>
<div class="paragraph">
<p>If a router is configured to create connections to external AMQP containers (such as message brokers), you can use the following methods to secure the connection:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="#connecting-using-one-way-ssl-tls-authentication-qdr">Connect using SSL/TLS encryption (one-way authentication)</a></p>
</li>
<li>
<p><a href="#connecting-using-mutual-ssl-tls-authentication-qdr">Connect using SSL/TLS mutual authentication</a></p>
</li>
<li>
<p><a href="#connecting-using-username-password-authentication-qdr">Connect using user name and password authentication (with or without SSL/TLS encryption)</a></p>
</li>
</ul>
</div>
<div class="sect3">
<h4 id="connecting-using-one-way-ssl-tls-authentication-qdr">8.3.1. Connecting using one-way SSL/TLS authentication</h4>
<div class="paragraph">
<p>You can connect to an external AMQP container (such as a broker) using one-way SSL/TLS. With this method, the router validates the external AMQP container&#8217;s server certificate to verify its identity.</p>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>Open the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file.</p>
</li>
<li>
<p>If the router does not contain an <code>sslProfile</code> that defines a certificate that can be used to validate the external AMQP container&#8217;s identity, then add one.</p>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="nowrap">sslProfile {
name: broker-tls
caCertFile: /etc/qpid-dispatch-certs/ca.crt
...
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>name</code></dt>
<dd>
<p>A unique name that you can use to refer to this <code>sslProfile</code>.</p>
</dd>
<dt class="hdlist1"><code>caCertFile</code></dt>
<dd>
<p>The absolute path to the CA certificate used to verify the external AMQP container&#8217;s identity.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
<li>
<p>Configure the <code>connector</code> for this connection to use SSL/TLS to validate the server certificate received from the broker during the SSL handshake.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This example configures a <code>connector</code> to a broker. When the router connects to the broker, it will use the CA certificate defined in the <code>broker-tls</code> <code>sslProfile</code> to validate the server certificate received from the broker.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">connector {
host: 192.0.2.1
port: 5672
role: route-container
sslProfile: broker-tls
...
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>sslProfile</code></dt>
<dd>
<p>The name of the <code>sslProfile</code> that defines the certificate to use to validate the external AMQP container&#8217;s identity.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
</ol>
</div>
</div>
<div class="sect3">
<h4 id="connecting-using-mutual-ssl-tls-authentication-qdr">8.3.2. Connecting using mutual SSL/TLS authentication</h4>
<div class="paragraph">
<p>You can connect to an external AMQP container (such as a broker) using mutual SSL/TLS authentication. With this method, the router, acting as a client, provides a certificate to the external AMQP container so that it can verify the router&#8217;s identity.</p>
</div>
<div class="ulist">
<div class="title">Prerequisites</div>
<ul>
<li>
<p>An X.509 Certificate Authority (CA) must exist for the router.</p>
</li>
<li>
<p>A security certificate must be generated for the router and be signed by the CA.</p>
</li>
</ul>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>Open the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file.</p>
</li>
<li>
<p>If the router does not contain an <code>sslProfile</code> that defines the private keys and certificates to connect to the external AMQP container, then add one.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This <code>sslProfile</code> contains the locations of the private key and certificates that the router should use to authenticate with its peer.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">sslProfile {
name: broker-tls
certFile: /etc/pki/tls/certs/tls.crt
caCertFile: /etc/pki/tls/certs/ca.crt
privateKeyFile: /etc/pki/tls/private/tls.key
password: file:/etc/pki/tls/private/password.txt
...
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>name</code></dt>
<dd>
<p>A unique name that you can use to refer to this <code>sslProfile</code>.</p>
</dd>
<dt class="hdlist1"><code>certFile</code></dt>
<dd>
<p>The absolute path to the file containing the public certificate for this router.</p>
</dd>
<dt class="hdlist1"><code>caCertFile</code></dt>
<dd>
<p>The absolute path to the CA certificate that was used to sign the router&#8217;s certificate.</p>
</dd>
<dt class="hdlist1"><code>privateKeyFile</code></dt>
<dd>
<p>The absolute path to the file containing the private key for this router&#8217;s public certificate.</p>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>Ensure that the <code>qdrouterd</code> or root user can access the private key. For example:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">chmod 0600 /etc/pki/tls/private/tls.key
chown qdrouterd /etc/pki/tls/private/tls.key</pre>
</div>
</div>
</td>
</tr>
</table>
</div>
</dd>
</dl>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>password</code></dt>
<dd>
<p>The password to unlock the private key. You do not need to specify this if the private key does not have a password. By using different prefixes, you can specify the password several different ways depending on your security requirements:</p>
<div class="ulist">
<ul>
<li>
<p>Specify the absolute path to a file that contains the password. This is the most secure option, because you can set permissions on the file that contains the password. For example:</p>
<div class="listingblock">
<div class="content">
<pre class="nowrap">password: file:/etc/pki/tls/private/password.txt</pre>
</div>
</div>
</li>
<li>
<p>Specify an environment variable that stores the password. Use this option with caution, because the environment of other processes is visible on certain platforms. For example:</p>
<div class="listingblock">
<div class="content">
<pre class="nowrap">password: env:CERT_PASSWORD</pre>
</div>
</div>
</li>
<li>
<p>Specify the password in clear text. This option is insecure, so it should only be used if security is not a concern. For example:</p>
<div class="listingblock">
<div class="content">
<pre class="nowrap">password: pass:mycertpassword</pre>
</div>
</div>
</li>
</ul>
</div>
</dd>
</dl>
</div>
</div>
</div>
</li>
<li>
<p>Configure the <code>connector</code> for this connection to use the <code>sslProfile</code> that you created.</p>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="nowrap">connector {
host: 192.0.2.1
port: 5672
role: route-container
sslProfile: broker-tls
saslMechanisms: EXTERNAL
...
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>sslProfile</code></dt>
<dd>
<p>The name of the <code>sslProfile</code> that defines the SSL/TLS private keys and certificates for the inter-router network.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
</ol>
</div>
</div>
<div class="sect3">
<h4 id="connecting-using-username-password-authentication-qdr">8.3.3. Connecting using user name and password authentication</h4>
<div class="paragraph">
<p>You can use the SASL PLAIN mechanism to connect to an external AMQP container that requires a user name and password. You can use this method by itself, or you can combine it with SSL/TLS encryption.</p>
</div>
<div class="ulist">
<div class="title">Prerequisites</div>
<ul>
<li>
<p>The <code>cyrus-sasl-plain</code> plugin is installed.</p>
<div class="paragraph">
<p>Cyrus SASL uses plugins to support specific SASL mechanisms. Before you can use a particular SASL mechanism, the relevant plugin must be installed.</p>
</div>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>To see a list of Cyrus SASL plugins in a <code>dnf</code>-based Linux system, use the <code>dnf search cyrus-sasl</code> command. To install a Cyrus SASL plugin, use the <code>dnf install <em>&lt;plugin&gt;</em></code> command.</p>
</div>
</div>
</div>
</li>
</ul>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>Open the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file.</p>
</li>
<li>
<p>Configure the <code>connector</code> for this connection to provide user name and password credentials to the external AMQP container.</p>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="nowrap">connector {
host: 192.0.2.1
port: 5672
role: route-container
saslMechanisms: PLAIN
saslUsername: user
saslPassword: file:/path/to/file/password.txt
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>saslPassword</code></dt>
<dd>
<p>The password to connect to the peer. By using different prefixes, you can specify the password several different ways depending on your security requirements:</p>
<div class="ulist">
<ul>
<li>
<p>Specify the absolute path to a file that contains the password. This is the most secure option, because you can set permissions on the file that contains the password. For example:</p>
<div class="listingblock">
<div class="content">
<pre class="nowrap">saslPassword: file:/path/to/file/password.txt</pre>
</div>
</div>
</li>
<li>
<p>Specify an environment variable that stores the password. Use this option with caution, because the environment of other processes is visible on certain platforms. For example:</p>
<div class="listingblock">
<div class="content">
<pre class="nowrap">saslPassword: env:PASSWORD</pre>
</div>
</div>
</li>
<li>
<p>Specify the password in clear text. This option is insecure, so it should only be used if security is not a concern. For example:</p>
<div class="listingblock">
<div class="content">
<pre class="nowrap">saslPassword: pass:mypassword</pre>
</div>
</div>
</li>
</ul>
</div>
</dd>
</dl>
</div>
</div>
</div>
</li>
</ol>
</div>
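<div class="paragraph">
<p>The password prefixes and the SASL PLAIN settings described above can be checked mechanically. The following audit script is an added example, not part of the Qpid Dispatch project: it flags <code>pass:</code> and <code>env:</code> password values, <code>file:</code> password files that group or other users can access, and any <code>listener</code> or <code>connector</code> that offers PLAIN without an <code>sslProfile</code>. The function names, finding codes, and sample configuration are constructed for illustration.</p>
</div>

```python
import os
import stat

# Constructed sample: attribute names are the ones used on this page,
# the combination of values is made up for the demonstration.
SAMPLE_CONF = """\
sslProfile {
    name: broker-tls
    caCertFile: /etc/pki/tls/certs/ca.crt
    password: pass:mycertpassword
}
listener {
    host: 0.0.0.0
    port: 5672
    authenticatePeer: yes
    saslMechanisms: PLAIN
}
connector {
    host: 192.0.2.1
    port: 5672
    role: route-container
    sslProfile: broker-tls
    saslMechanisms: PLAIN
    saslUsername: user
    saslPassword: env:PASSWORD
}
"""

SECRET_ATTRS = ("password", "saslPassword")


def parse_sections(text):
    """Return [(section_type, {attribute: value})] for top-level sections.

    Nested maps (for example a vhost's `groups: { ... }`) are skipped.
    """
    sections, depth = [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            if depth == 0:
                sections.append((line[:-1].strip(), {}))
            depth += 1
        elif line.startswith("}"):
            depth -= 1
        elif depth == 1 and ":" in line:
            key, value = line.split(":", 1)
            sections[-1][1][key.strip()] = value.strip()
    return sections


def check_secret(value):
    """Classify one password value by its prefix; return a finding code or None."""
    if value.startswith("pass:"):
        return "cleartext-password"
    if value.startswith("env:"):
        return "env-password"
    if value.startswith("file:"):
        path = value[len("file:"):]
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except OSError:
            return "password-file-not-checked"
        # Any group/other permission bit defeats the point of the file: option.
        return "password-file-permissions" if mode & 0o077 else None
    return "unrecognised-prefix"


def audit(text):
    """Return a list of (finding_code, section_label, attribute) tuples."""
    findings = []
    for kind, attrs in parse_sections(text):
        label = "%s[%s]" % (kind, attrs.get("name") or attrs.get("host") or "?")
        for attr in SECRET_ATTRS:
            if attr in attrs:
                code = check_secret(attrs[attr])
                if code:
                    findings.append((code, label, attr))
        mechanisms = attrs.get("saslMechanisms", "").split()
        uses_plain = kind in ("listener", "connector") and "PLAIN" in mechanisms
        if uses_plain and "sslProfile" not in attrs:
            # PLAIN sends the user name and password unencrypted without TLS.
            findings.append(("plain-without-tls", label, "saslMechanisms"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(*finding)
```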
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="configuring-authorization-qdr">9. Configuring authorization</h2>
<div class="sectionbody">
<div class="paragraph">
<p>You can configure <em>policies</em> to secure messaging resources in your messaging environment. Policies ensure that only authorized users can access messaging endpoints through the router network, and that the resources on those endpoints are used in an authorized way.</p>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="#types-policies-qdr">Types of policies</a></p>
</li>
<li>
<p><a href="#how-policies-enforce-connection-resource-limits-qdr">How policies enforce connection and resource limits</a></p>
</li>
<li>
<p><a href="#setting-global-connection-limits-qdr">Setting global limits</a></p>
</li>
<li>
<p><a href="#setting-connection-resource-limits-messaging-endpoints-qdr">Setting connection and resource limits for messaging endpoints</a></p>
</li>
</ul>
</div>
<div class="sect2">
<h3 id="types-policies-qdr">9.1. Types of policies</h3>
<div class="paragraph">
<p>Dispatch Router provides the following types of policies to control connection and resource limits:</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">Global policies</dt>
<dd>
<p>Settings for the router. A global policy defines the maximum number of incoming user connections for the router (across all messaging endpoints), and defines how the router should use vhost policies.</p>
</dd>
<dt class="hdlist1">Vhost policies</dt>
<dd>
<p>Connection and AMQP resource limits for a router ingress port (called an AMQP virtual host, or vhost). A vhost policy defines what a client using a particular connection can access on any messaging endpoint in the router network.</p>
</dd>
</dl>
</div>
<div class="paragraph">
<p>The resource limits defined in global and vhost policies are applied to user connections only. The limits do not affect inter-router connections or router connections that are outbound to waypoints.</p>
</div>
<div class="paragraph">
<p>Access to an AMQP resource allowed by policy for a given user connection to a given vhost is granted across the entire router network. Access restrictions are applied only at the router port to which a client is connected and only to resource requests originated by the client.</p>
</div>
</div>
<div class="sect2">
<h3 id="how-policies-enforce-connection-resource-limits-qdr">9.2. How policies enforce connection and resource limits</h3>
<div class="paragraph">
<p>Dispatch Router uses policies to determine whether to permit a connection, and if it is permitted, to apply the appropriate resource limits.</p>
</div>
<div class="paragraph">
<p>When a client creates a connection to a router, the router first determines whether to allow or deny the connection. This decision is based on the following criteria:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Whether the connection will exceed the router&#8217;s global connection limit (defined in the global policy)</p>
</li>
<li>
<p>Whether the connection will exceed the vhost&#8217;s connection limits (defined in the vhost policy that matches the host to which the connection is directed)</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>If the connection is allowed, the router assigns the user (the authenticated user name from the connection) to a user group, and enforces the user group&#8217;s resource limits for the lifetime of the connection.</p>
</div>
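<div class="paragraph">
<p>The admission decision described above can be traced with a small model. This is an added example, not the router's own code: the class and function names are hypothetical, the limits are named after the <code>policy</code> and <code>vhost</code> attributes documented on this page, and the order of the checks, the denial when no vhost matches, and exact-string matching of <code>remoteHosts</code> are assumptions of the model.</p>
</div>

```python
from collections import Counter
from dataclasses import dataclass

DEFAULT_LIMIT = 65535  # default stated on this page for the connection limits


@dataclass
class Group:
    users: tuple = ()
    remote_hosts: tuple = ()              # empty denies all hosts, "*" allows any
    max_connections_per_user: int = None  # if set, overrides the vhost value


@dataclass
class Vhost:
    hostname: str
    groups: dict
    max_connections: int = DEFAULT_LIMIT
    max_connections_per_user: int = DEFAULT_LIMIT
    max_connections_per_host: int = DEFAULT_LIMIT
    allow_unknown_user: bool = False


class PolicyModel:
    def __init__(self, vhosts, max_connections=DEFAULT_LIMIT):
        self.max_connections = max_connections      # global policy limit
        self.vhosts = {v.hostname: v for v in vhosts}
        self.open = Counter()                       # open-connection counters

    def group_for(self, vhost, user):
        """Named group of the user, or $default when unknown users are allowed."""
        for name, group in vhost.groups.items():
            if user in group.users:
                return name
        if vhost.allow_unknown_user and "$default" in vhost.groups:
            return "$default"
        return None

    def connect(self, hostname, user, remote_host):
        """Return (allowed, detail); detail is the group name or the denial reason."""
        if self.open["total"] >= self.max_connections:
            return False, "policy maxConnections"
        vhost = self.vhosts.get(hostname)
        if vhost is None:
            return False, "no vhost policy"         # assumption of this model
        if self.open["vhost", hostname] >= vhost.max_connections:
            return False, "vhost maxConnections"
        name = self.group_for(vhost, user)
        if name is None:
            return False, "unknown user"
        group = vhost.groups[name]
        if "*" not in group.remote_hosts and remote_host not in group.remote_hosts:
            return False, "remoteHosts"
        per_user = group.max_connections_per_user
        if per_user is None:
            per_user = vhost.max_connections_per_user
        if self.open["user", hostname, user] >= per_user:
            return False, "maxConnectionsPerUser"
        if self.open["host", hostname, remote_host] >= vhost.max_connections_per_host:
            return False, "maxConnectionsPerHost"
        # Admitted: the group's limits now apply for the lifetime of the connection.
        for key in ("total", ("vhost", hostname),
                    ("user", hostname, user), ("host", hostname, remote_host)):
            self.open[key] += 1
        return True, name


def run_demo():
    """Constructed scenario with small limits so each denial path is reached."""
    vhost = Vhost(
        hostname="example.com",
        max_connections_per_user=2,
        allow_unknown_user=True,
        groups={
            "admin": Group(users=("admin1", "admin2"), remote_hosts=("127.0.0.1", "::1")),
            "developers": Group(users=("dev1", "dev2", "dev3"), remote_hosts=("*",)),
            "$default": Group(remote_hosts=("*",)),
        },
    )
    model = PolicyModel([vhost], max_connections=4)
    attempts = [
        ("admin1", "127.0.0.1"), ("admin1", "198.51.100.7"),
        ("dev1", "198.51.100.7"), ("dev1", "198.51.100.7"), ("dev1", "198.51.100.7"),
        ("guest", "203.0.113.9"), ("dev2", "198.51.100.7"),
    ]
    return [model.connect("example.com", user, host) for user, host in attempts]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```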
</div>
<div class="sect2">
<h3 id="setting-global-connection-limits-qdr">9.3. Setting global limits</h3>
<div class="paragraph">
<p>You can create a global policy to set the incoming connection and message size limits for a router.</p>
</div>
<div class="ulist">
<div class="title">Procedure</div>
<ul>
<li>
<p>In the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file, add a <code>policy</code> section and set the limits.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This example sets the incoming connection limit and message size:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">policy {
maxConnections: 10000
maxMessageSize: 2000000
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>maxConnections</code></dt>
<dd>
<p>The total number of concurrent client connections that can be open for this router. This limit is always enforced, even if no other policy settings have been defined. The limit is applied to all incoming connections regardless of remote host, authenticated user, or targeted vhost. The default (and the maximum) value is <code>65535</code>.</p>
</dd>
<dt class="hdlist1"><code>maxMessageSize</code></dt>
<dd>
<p>The maximum size in bytes of AMQP message transfers allowed for this router as messages enter the router network. This limit is applied to transfers over user connections and to transfers to interior routers from edge routers. This limit is not applied to interior-to-interior router connections. This limit may be overridden by vhost or by vhost user group settings. A value of <code>0</code> disables this limit. Administrators are advised not to set interior router maximum message sizes so low that edge router management requests or responses are blocked. Administrators are also advised to set edge router maximum message sizes lower than the attached interior router maximum message size.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="setting-connection-resource-limits-messaging-endpoints-qdr">9.4. Setting connection and resource limits for messaging endpoints</h3>
<div class="paragraph">
<p>You can define the connection limit and AMQP resource limits for a messaging endpoint by configuring a <em>vhost policy</em>. Vhost policies define what resources clients are permitted to access on a messaging endpoint over a particular connection.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>A vhost is typically the name of the host to which the client connection is directed. For example, if a client application opens a connection to the <code>amqp://mybroker.example.com:5672/queue01</code> URL, the vhost would be <code>mybroker.example.com</code>.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="#enabling-vhost-policies-qdr">Enabling vhost policies</a></p>
</li>
<li>
<p><a href="#creating-vhost-policies-qdr">Creating vhost policies</a></p>
</li>
<li>
<p><a href="#creating-vhost-policies-json-qdr">Creating vhost policies as JSON files</a></p>
</li>
<li>
<p><a href="#setting-resource-limits-outgoing-connections-qdr">Setting resource limits for outgoing connections</a></p>
</li>
<li>
<p><a href="#methods-specifying-vhost-policy-source-target-addresses-qdr">Methods for specifying vhost policy source and target addresses</a></p>
</li>
<li>
<p><a href="#vhost-policy-hostname-pattern-matching-rules-qdr">Vhost policy hostname pattern matching rules</a></p>
</li>
<li>
<p><a href="#vhost-policy-examples-qdr">Vhost policy examples</a></p>
</li>
</ul>
</div>
<div class="sect3">
<h4 id="enabling-vhost-policies-qdr">9.4.1. Enabling vhost policies</h4>
<div class="paragraph">
<p>You must enable the router to use vhost policies before you can create the policies.</p>
</div>
<div class="ulist">
<div class="title">Procedure</div>
<ul>
<li>
<p>In the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file, add a <code>policy</code> section if one does not exist, and enable vhost policies for the router.</p>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="nowrap">policy {
...
enableVhostPolicy: true
enableVhostNamePatterns: true
defaultVhost: $default
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>enableVhostPolicy</code></dt>
<dd>
<p>Enables the router to enforce the connection denials and resource limits defined in the configured vhost policies. The default is <code>false</code>, which means that the router will not enforce any vhost policies.</p>
</dd>
<dt class="hdlist1"><code>enableVhostNamePatterns</code></dt>
<dd>
<p>Enables pattern matching for vhost hostnames. If set to <code>true</code>, you can use wildcards to specify a range of hostnames for a vhost. If set to <code>false</code>, vhost hostnames are treated as literal strings. This means that you must specify the exact hostname for each vhost. The default is <code>false</code>.</p>
</dd>
<dt class="hdlist1"><code>defaultVhost</code></dt>
<dd>
<p>The name of the default vhost policy, which is applied to any connection for which a vhost policy has not been configured. The default is <code>$default</code>. If <code>defaultVhost</code> is not defined, then default vhost processing is disabled.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
</ul>
</div>
</div>
<div class="sect3">
<h4 id="creating-vhost-policies-qdr">9.4.2. Creating vhost policies</h4>
<div class="paragraph">
<p>A vhost policy defines the connection limits and resource limits for users connecting to the router from a remote host. You must create one vhost policy for each remote host.</p>
</div>
<div class="paragraph">
<div class="title">Prerequisites</div>
<p>Vhost policies must be enabled for the router. For more information, see <a href="#enabling-vhost-policies-qdr">Enabling vhost policies</a>.</p>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>Add a <code>vhost</code> section and define the connection and message size limits for the messaging endpoint.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The connection limits apply to all users that are connected to the vhost. These limits control the number of users that can be connected simultaneously to the vhost.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">vhost {
hostname: example.com
aliases: example.org, example.net
maxConnections: 10000
maxMessageSize: 500000
maxConnectionsPerUser: 100
maxConnectionsPerHost: 100
allowUnknownUser: true
...
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>hostname</code></dt>
<dd>
<p>The literal hostname of the vhost (the messaging endpoint) or a pattern that matches the vhost hostname. This vhost policy will be applied to any client connection that is directed to the hostname that you specify. This name must be unique; you can only have one vhost policy per hostname.</p>
<div class="paragraph">
<p>If <code>enableVhostNamePatterns</code> is set to <code>true</code>, you can use wildcards to specify a pattern that matches a range of hostnames. For more information, see <a href="#vhost-policy-hostname-pattern-matching-rules-qdr">Vhost policy hostname pattern matching rules</a>.</p>
</div>
</dd>
<dt class="hdlist1"><code>aliases</code></dt>
<dd>
<p>Alternative literal hostnames or patterns that direct the router to use the settings in this vhost.
Alias hostnames that match an incoming connection use the settings defined in the vhost section.
In a multi-tenant configuration, a connection to a vhost alias uses the base vhost hostname for the tenant namespace.
In this example, if a connection is directed to vhost <code>example.org</code>, then the settings from the base vhost hostname <code>example.com</code> apply and <code>example.com</code> becomes the tenant namespace.
Vhost <code>hostname</code> and <code>aliases</code> settings from all vhosts must be unique.</p>
<div class="paragraph">
<p>If <code>enableVhostNamePatterns</code> is set to <code>true</code>, you can use wildcards to specify a pattern that matches a range of hostname aliases. For more information, see <a href="#vhost-policy-hostname-pattern-matching-rules-qdr">Vhost policy hostname pattern matching rules</a>.</p>
</div>
</dd>
<dt class="hdlist1"><code>maxConnections</code></dt>
<dd>
<p>The global maximum number of concurrent client connections allowed for this vhost. The default is 65535.</p>
</dd>
<dt class="hdlist1"><code>maxMessageSize</code></dt>
<dd>
<p>The maximum size in bytes of AMQP message transfers allowed for connections to this vhost. This limit overrides the policy <code>maxMessageSize</code> value and may be overridden by vhost user group settings. A value of <code>0</code> disables this limit.</p>
</dd>
<dt class="hdlist1"><code>maxConnectionsPerUser</code></dt>
<dd>
<p>The maximum number of concurrent client connections allowed for any user. The default is 65535.</p>
</dd>
<dt class="hdlist1"><code>maxConnectionsPerHost</code></dt>
<dd>
<p>The maximum number of concurrent client connections allowed for any remote host (the host from which the client is connecting). The default is 65535.</p>
</dd>
<dt class="hdlist1"><code>allowUnknownUser</code></dt>
<dd>
<p>Whether unknown users (users who are not members of a defined user group) are allowed to connect to the vhost. Unknown users are assigned to the <code>$default</code> user group and receive <code>$default</code> settings. The default is <code>false</code>, which means that unknown users are not allowed.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
<li>
<p>In the <code>vhost</code> section, beneath the connection settings that you added, add a <code>groups</code> entity to define the resource limits.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>You define resource limits by user group. A user group specifies the messaging resources the members of the group are allowed to access.</p>
</div>
<div class="paragraph">
<p>This example shows three user groups: admin, developers, and $default:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">vhost {
...
groups: {
admin: {
users: admin1, admin2
remoteHosts: 127.0.0.1, ::1
sources: *
targets: *
}
developers: {
users: dev1, dev2, dev3
remoteHosts: *
sources: myqueue1, myqueue2
targets: myqueue1, myqueue2
}
$default: {
remoteHosts: *
allowDynamicSource: true
allowAdminStatusUpdate: true
sources: myqueue1, myqueue2
targets: myqueue1, myqueue2
}
}
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>users</code></dt>
<dd>
<p>A list of authenticated users for this user group. Use commas to separate multiple users. A user may belong to only one vhost user group.</p>
</dd>
<dt class="hdlist1"><code>remoteHosts</code></dt>
<dd>
<p>A list of remote hosts from which the users may connect. A host can be a hostname, IP address, or IP address range. Use commas to separate multiple hosts. To allow access from all remote hosts, specify a wildcard <code>*</code>. To deny access from all remote hosts, leave this attribute blank.</p>
</dd>
<dt class="hdlist1"><code>maxConnectionsPerUser</code></dt>
<dd>
<p>The maximum number of connections that may be created by users in this user group. This value, if specified, overrides the vhost <code>maxConnectionsPerUser</code> value.</p>
</dd>
<dt class="hdlist1"><code>maxConnectionsPerHost</code></dt>
<dd>
<p>The maximum number of concurrent connections that may be created by users in this user group from any of the permitted remote hosts. This value, if specified, overrides the vhost <code>maxConnectionsPerHost</code> value.</p>
</dd>
<dt class="hdlist1"><code>maxMessageSize</code></dt>
<dd>
<p>The maximum size in bytes of AMQP message transfers allowed for connections created by users in this group. This limit overrides the policy and vhost <code>maxMessageSize</code> values. A value of <code>0</code> disables this limit.</p>
</dd>
<dt class="hdlist1"><code>allowDynamicSource</code></dt>
<dd>
<p>If <code>true</code>, connections from users in this group are permitted to attach receivers to dynamic sources. This permits creation of listeners to temporary addresses or temporary queues. If <code>false</code>, use of dynamic sources is not permitted.</p>
</dd>
<dt class="hdlist1"><code>allowAdminStatusUpdate</code></dt>
<dd>
<p>If <code>true</code>, connections from users in this group are permitted to modify the <code>adminStatus</code> of connections. This permits termination of sender or receiver connections. If <code>false</code>, the users of this group are prohibited from terminating any connections. Inter-router connections can never be terminated by any user. The default is <code>true</code>, even if the policy is not configured.</p>
</dd>
<dt class="hdlist1"><code>allowWaypointLinks</code></dt>
<dd>
<p>If <code>true</code>, connections from users in this group are permitted to attach links using waypoint capabilities. This allows endpoints to act as waypoints (that is, brokers) without the need for configuring auto-links. If <code>false</code>, use of waypoint capabilities is not permitted.</p>
</dd>
<dt class="hdlist1"><code>allowDynamicLinkRoutes</code></dt>
<dd>
<p>If <code>true</code>, connections from users in this group may dynamically create connection-scoped link route destinations. This allows endpoints to act as link route destinations (that is, brokers) without the need for configuring link routes. If <code>false</code>, creation of dynamic link route destinations is not permitted.</p>
</dd>
<dt class="hdlist1"><code>allowFallbackLinks</code></dt>
<dd>
<p>If <code>true</code>, connections from users in this group are permitted to attach links using fallback-link capabilities. This allows endpoints to act as fallback destinations (and sources) for addresses that have fallback enabled. If <code>false</code>, use of fallback-link capabilities is not permitted.</p>
</dd>
<dt class="hdlist1"><code>sources</code> | <code>sourcePattern</code></dt>
<dd>
<p>A list of AMQP source addresses from which users in this group may receive messages.</p>
<div class="paragraph">
<p>Use <code>sources</code> to specify one or more literal addresses. To specify multiple addresses, use a comma-separated list. To prevent users in this group from receiving messages from any addresses, leave this attribute blank. To allow access to an address specific to a particular user, specify the <code>${user}</code> token. For more information, see <a href="#methods-specifying-vhost-policy-source-target-addresses-qdr">Methods for specifying vhost policy source and target addresses</a>.</p>
</div>
<div class="paragraph">
<p>Alternatively, you can use <code>sourcePattern</code> to match one or more addresses that correspond to a pattern. A pattern is a sequence of words delimited by either a <code>.</code> or <code>/</code> character. You can use wildcard characters to represent a word. The <code>*</code> character matches exactly one word, and the <code>#</code> character matches any sequence of zero or more words.</p>
</div>
<div class="paragraph">
<p>To specify multiple address ranges, use a comma-separated list of address patterns. For more information, see <a href="#address-pattern-matching-qdr">Address pattern matching</a>. To allow access to address ranges that are specific to a particular user, specify the <code>${user}</code> token. For more information, see <a href="#methods-specifying-vhost-policy-source-target-addresses-qdr">Methods for specifying vhost policy source and target addresses</a>.</p>
</div>
</dd>
<dt class="hdlist1"><code>targets</code> | <code>targetPattern</code></dt>
<dd>
<p>A list of AMQP target addresses to which users in this group may send messages. You can specify multiple AMQP addresses and use user name substitution and address patterns the same way as with source addresses.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
<li>
<p>If necessary, add any advanced user group settings to the vhost user groups.</p>
<div class="paragraph">
<p>The advanced user group settings enable you to define resource limits based on the AMQP connection open, session begin, and link attach phases of the connection. For more information, see <a href="https://qpid.apache.org/releases/qpid-dispatch-1.14.0/man/qdrouterd.conf.html#_vhost" target="_blank" rel="noopener">vhost</a> in the <code>qdrouterd.conf</code> man page.</p>
</div>
</li>
</ol>
</div>
</div>
<div class="sect3">
<h4 id="creating-vhost-policies-json-qdr">9.4.3. Creating vhost policies as JSON files</h4>
<div class="paragraph">
<p>As an alternative to using the router configuration file, you can configure vhost policies in JSON files. If you have multiple routers that need to share the same vhost configuration, you can put the vhost configuration JSON files in a location accessible to each router, and then configure the routers to apply the vhost policies defined in these JSON files.</p>
</div>
<div class="ulist">
<div class="title">Prerequisites</div>
<ul>
<li>
<p>Vhost policies must be enabled for the router. For more information, see <a href="#enabling-vhost-policies-qdr">Enabling vhost policies</a>.</p>
</li>
</ul>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>In the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file, specify the directory where you want to store the vhost policy definition JSON files.</p>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="nowrap">policy {
...
policyDir: /etc/qpid-dispatch-policies
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>policyDir</code></dt>
<dd>
<p>The absolute path to the directory that holds vhost policy definition files in JSON format. The router processes all of the vhost policies in each JSON file that is in this directory.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
<li>
<p>In the vhost policy definition directory, create a JSON file for each vhost policy.</p>
<div class="openblock">
<div class="content">
<div class="exampleblock">
<div class="title">Example 2. Vhost Policy Definition JSON File</div>
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight nowrap"><code data-lang="json" class="language-json hljs">[
["vhost", {
"hostname": "example.com",
"maxConnections": 10000,
"maxConnectionsPerUser": 100,
"maxConnectionsPerHost": 100,
"allowUnknownUser": true,
"groups": {
"admin": {
"users": ["admin1", "admin2"],
"remoteHosts": ["127.0.0.1", "::1"],
"sources": "*",
"targets": "*"
},
"developers": {
"users": ["dev1", "dev2", "dev3"],
"remoteHosts": "*",
"sources": ["myqueue1", "myqueue2"],
"targets": ["myqueue1", "myqueue2"]
},
"$default": {
"remoteHosts": "*",
"allowDynamicSource": true,
"sources": ["myqueue1", "myqueue2"],
"targets": ["myqueue1", "myqueue2"]
}
}
}]
]</code></pre>
</div>
</div>
<div class="paragraph">
<p>For more information about these attributes, see <a href="#creating-vhost-policies-qdr">Creating vhost policies</a>.</p>
</div>
</div>
</div>
</div>
</div>
</li>
</ol>
</div>
</div>
<div class="sect3">
<h4 id="setting-resource-limits-outgoing-connections-qdr">9.4.4. Setting resource limits for outgoing connections</h4>
<div class="paragraph">
<p>If a router establishes an outgoing connection to an external AMQP container (such as a client or broker), you can restrict the resources that the external container can access on the router by configuring a connector vhost policy.</p>
</div>
<div class="paragraph">
<p>The resource limits that are defined in a connector vhost policy are applied to links that are initiated by the external AMQP container. The connector vhost policy does not restrict links that the router creates.</p>
</div>
<div class="paragraph">
<p>A connector vhost policy can only be applied to a connector with a <code>normal</code> or <code>route-container</code> role. You cannot apply connector vhost policies to connectors that have <code>inter-router</code> or <code>edge</code> roles.</p>
</div>
<div class="ulist">
<div class="title">Prerequisites</div>
<ul>
<li>
<p>Vhost policies are enabled for the router. For more information, see <a href="#enabling-vhost-policies-qdr">Enabling vhost policies</a>.</p>
</li>
</ul>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>In the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file, add a <code>vhost</code> section with a <code>$connector</code> user group.</p>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="nowrap">vhost {
hostname: my-connector-policy
groups: {
$connector: {
sources: *
targets: *
maxSenders: 5
maxReceivers: 10
allowAnonymousSender: true
allowWaypointLinks: true
}
}
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>hostname</code></dt>
<dd>
<p>A unique name to identify the connector vhost policy. This name does not represent an actual hostname; therefore, choose a name that will not conflict with an actual vhost hostname.</p>
</dd>
<dt class="hdlist1"><code>$connector</code></dt>
<dd>
<p>Identifies this vhost policy as a connector vhost policy. For more information about the resource limits you can apply, see <a href="#creating-vhost-policies-qdr">Creating vhost policies</a>.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
<li>
<p>Apply the connector vhost policy to the connector that establishes the connection to the external AMQP container.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The following example applies the connector vhost policy that was configured in the previous step:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">connector {
host: 192.0.2.10
port: 5672
role: normal
policyVhost: my-connector-policy
}</pre>
</div>
</div>
</div>
</div>
</li>
</ol>
</div>
</div>
<div class="sect3">
<h4 id="methods-specifying-vhost-policy-source-target-addresses-qdr">9.4.5. Methods for specifying vhost policy source and target addresses</h4>
<div class="paragraph">
<p>If you want to allow or deny access to multiple addresses on a vhost, there are several methods you can use to match multiple addresses without having to specify each address individually.</p>
</div>
<div class="paragraph">
<p>The following table describes the methods a vhost policy can use to specify multiple source and target addresses:</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<colgroup>
<col style="width: 33%;">
<col style="width: 67%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">To&#8230;&#8203;</th>
<th class="tableblock halign-left valign-top">Do this&#8230;&#8203;</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Allow all users in the user group to access all source or target addresses</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p>Use a <code>*</code> wildcard character.</p>
</div>
<div class="exampleblock">
<div class="title">Example 3. Receive from any address</div>
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight nowrap"><code class="language-none hljs">sources: *</code></pre>
</div>
</div>
</div>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Prevent all users in the user group from accessing all source or target addresses</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p>Do not specify a value.</p>
</div>
<div class="exampleblock">
<div class="title">Example 4. Prohibit message transfers to all addresses</div>
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight nowrap"><code class="language-none hljs">targets:</code></pre>
</div>
</div>
</div>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Allow access to some resources specific to each user</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p>Use the <code>${user}</code> username substitution token. You can use this token with <code>sources</code>, <code>targets</code>, <code>sourcePattern</code>, and <code>targetPattern</code>.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>You can only specify the <code>${user}</code> token once in an AMQP address name or pattern. If there are multiple tokens in an address, only the leftmost token will be substituted.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="exampleblock">
<div class="title">Example 5. Receive from a user-specific address</div>
<div class="content">
<div class="paragraph">
<p>This definition allows the users in the user group to receive messages from any address that meets any of the following rules:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Starts with the prefix <code>tmp_</code> and ends with the user name</p>
</li>
<li>
<p>Starts with the prefix <code>temp</code> followed by any additional characters</p>
</li>
<li>
<p>Starts with the user name, is followed by <code>-home-</code>, and ends with any additional characters</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>sources: tmp_${user}, temp*, ${user}-home-*</pre>
</div>
</div>
</div>
</div>
<div class="exampleblock">
<div class="title">Example 6. User-specific address patterns</div>
<div class="content">
<div class="paragraph">
<p>This definition allows the users in the user group to receive messages from any address that meets any of the following rules:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Starts with the prefix <code>tmp</code> and ends with the user name</p>
</li>
<li>
<p>Starts with the prefix <code>temp</code> followed by zero or more additional characters</p>
</li>
<li>
<p>Starts with the user name, is followed by <code>home</code>, and ends with one or more additional characters</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre>sourcePattern: tmp.${user}, temp/#, ${user}.home/*</pre>
</div>
</div>
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>In an address pattern (<code>sourcePattern</code> or <code>targetPattern</code>), the username substitution token must be either the first or last token in the pattern. The token must also be alone within its delimited field, which means that it cannot be concatenated with literal text prefixes or suffixes.</p>
</div>
</td>
</tr>
</table>
</div></div></td>
</tr>
</tbody>
</table>
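<div class="paragraph">
<p>The <code>${user}</code> token rules in the two notes above can be checked before a policy file is deployed. The following Python sketch is an added example, not code from Dispatch Router: it lints the address attributes of a vhost policy JSON document against those rules and evaluates a literal <code>sources</code> list with leftmost-only substitution. The function names, the sample policy, and the treatment of a trailing <code>*</code> as a prefix match (as in Example 5) are assumptions of this example.</p>
</div>

```python
import json
import re

TOKEN = "${user}"
ADDRESS_ATTRS = ("sources", "targets", "sourcePattern", "targetPattern")


def entries(value):
    """Accept a JSON list or a comma-separated string, as both appear on the page."""
    if value is None:
        return []
    if isinstance(value, str):
        return [e.strip() for e in value.split(",") if e.strip()]
    return list(value)


def lint_entry(attr, entry):
    """Return the token rules that one address or pattern entry breaks."""
    problems = []
    if entry.count(TOKEN) > 1:
        problems.append("multiple tokens: only the leftmost is substituted")
    if attr.endswith("Pattern") and TOKEN in entry:
        words = re.split(r"[./]", entry)  # pattern words are delimited by . or /
        for i, word in enumerate(words):
            if TOKEN not in word:
                continue
            if word != TOKEN:
                problems.append("token is concatenated with literal text")
            elif i not in (0, len(words) - 1):
                problems.append("token is neither the first nor the last word")
    return problems


def lint_policy(policy_text):
    """Lint every group of every vhost in a policy definition JSON document."""
    findings = []
    for entity, attrs in json.loads(policy_text):
        if entity != "vhost":
            continue
        for group, settings in attrs.get("groups", {}).items():
            for attr in ADDRESS_ATTRS:
                for entry in entries(settings.get(attr)):
                    for problem in lint_entry(attr, entry):
                        findings.append((group, attr, entry, problem))
    return findings


def expand(entry, user):
    """Substitute the leftmost token only; any later token stays literal text."""
    return entry.replace(TOKEN, user, 1)


def may_receive(sources, user, address):
    """Evaluate a literal sources list for one user (assumed: trailing * = prefix)."""
    for entry in entries(sources):
        literal = expand(entry, user)
        if literal.endswith("*"):
            if address.startswith(literal[:-1]):
                return True
        elif address == literal:
            return True
    return False  # a blank list grants nothing


# Constructed sample policy: the first two groups reuse Examples 5 and 6,
# the last two break one rule per entry.
SAMPLE_POLICY = """
[
  ["vhost", {
    "hostname": "example.com",
    "groups": {
      "by-address": {"sources": "tmp_${user}, temp*, ${user}-home-*"},
      "by-pattern": {"sourcePattern": "tmp.${user}, temp/#, ${user}.home/*"},
      "bad-address": {"targets": ["${user}-to-${user}"]},
      "bad-pattern": {"targetPattern": ["logs.${user}.archive", "tmp_${user}.#"]}
    }
  }]
]
"""

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
    example5 = "tmp_${user}, temp*, ${user}-home-*"
    print(may_receive(example5, "alice", "alice-home-inbox"))
```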
</div>
<div class="sect3">
<h4 id="vhost-policy-hostname-pattern-matching-rules-qdr">9.4.6. Vhost policy hostname pattern matching rules</h4>
<div class="paragraph">
<p>In a vhost policy, vhost hostnames can be either literal hostnames or patterns that cover a range of hostnames.</p>
</div>
<div class="paragraph">
<p>A hostname pattern is a sequence of words with one or more of the following wildcard characters:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>*</code> represents exactly one word</p>
</li>
<li>
<p><code>#</code> represents zero or more words</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>The following table shows some examples of hostname patterns:</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<colgroup>
<col style="width: 33.3333%;">
<col style="width: 33.3333%;">
<col style="width: 33.3334%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">This pattern&#8230;&#8203;</th>
<th class="tableblock halign-left valign-top">Matches&#8230;&#8203;</th>
<th class="tableblock halign-left valign-top">But not&#8230;&#8203;</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>*.example.com</code></p>
</div></div></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>www.example.com</code></p>
</div></div></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>example.com</code>
<code>srv2.www.example.com</code></p>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>#.example.com</code></p>
</div></div></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>example.com</code>
<code>www.example.com</code>
<code>a.b.c.d.example.com</code></p>
</div></div></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>myhost.com</code></p>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>www.*.test.example.com</code></p>
</div></div></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>www.a.test.example.com</code></p>
</div></div></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>www.test.example.com</code>
<code>www.a.b.c.test.example.com</code></p>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>www.#.test.example.com</code></p>
</div></div></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>www.test.example.com</code>
<code>www.a.test.example.com</code>
<code>www.a.b.c.test.example.com</code></p>
</div></div></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>test.example.com</code></p>
</div></div></td>
</tr>
</tbody>
</table>
<div class="paragraph">
<p>Vhost hostname pattern matching applies the following precedence rules:</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Policy pattern</th>
<th class="tableblock halign-left valign-top">Precedence</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Exact match</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">High</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">*</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Medium</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">#</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Low</p></td>
</tr>
</tbody>
</table>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>Dispatch Router does not permit you to create vhost hostname patterns that conflict with existing patterns. This includes patterns that can be reduced to be the same as an existing pattern. For example, you would not be able to create the <code>#.#.#.#.com</code> pattern if <code>#.com</code> already exists.</p>
</div>
</td>
</tr>
</table>
</div>
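<div class="paragraph">
<p>To check which vhost policy a given hostname falls under, the matching and precedence rules above can be modelled in a few lines. The following Python sketch is an added example, not Dispatch Router's own implementation: it matches word by word, verifies itself against the hostname table on this page, selects among several matching patterns, and detects the <code>#.#.#.#.com</code> style of conflict. Ranking patterns word by word from the left is this example's reading of the precedence table, and all function names are assumptions; passing <code>"./"</code> as the delimiters applies the same matching to <code>sourcePattern</code> and <code>targetPattern</code> values.</p>
</div>

```python
import re


def split_words(text, delims="."):
    """Split a hostname or address into words on any of the delimiter characters."""
    return re.split("[" + re.escape(delims) + "]", text)


def matches(pattern, name, delims="."):
    """True if name matches pattern: * is exactly one word, # is zero or more words."""
    p, n = split_words(pattern, delims), split_words(name, delims)

    def walk(i, j):
        if i == len(p):
            return j == len(n)
        if p[i] == "#":
            # Try every possible number of words for '#', including none.
            return any(walk(i + 1, k) for k in range(j, len(n) + 1))
        if j == len(n):
            return False
        return (p[i] == "*" or p[i] == n[j]) and walk(i + 1, j + 1)

    return walk(0, 0)


def precedence(pattern):
    """Rank each word: literal (high) = 0, * (medium) = 1, # (low) = 2."""
    return [{"*": 1, "#": 2}.get(w, 0) for w in split_words(pattern)]


def select_vhost(patterns, hostname):
    """Return the matching pattern with the highest precedence, or None."""
    hits = [p for p in patterns if matches(p, hostname)]
    return min(hits, key=precedence) if hits else None


def reduce_pattern(pattern):
    """Collapse runs of adjacent # words, the reduction the note describes."""
    out = []
    for word in split_words(pattern):
        if word == "#" and out and out[-1] == "#":
            continue
        out.append(word)
    return ".".join(out)


def conflicting(new_pattern, existing):
    """Return the existing pattern that new_pattern reduces to, if any."""
    reduced = reduce_pattern(new_pattern)
    return next((e for e in existing if reduce_pattern(e) == reduced), None)


# The hostname table from this page: (pattern, matches, but not).
TABLE = [
    ("*.example.com", ["www.example.com"],
     ["example.com", "srv2.www.example.com"]),
    ("#.example.com", ["example.com", "www.example.com", "a.b.c.d.example.com"],
     ["myhost.com"]),
    ("www.*.test.example.com", ["www.a.test.example.com"],
     ["www.test.example.com", "www.a.b.c.test.example.com"]),
    ("www.#.test.example.com",
     ["www.test.example.com", "www.a.test.example.com",
      "www.a.b.c.test.example.com"],
     ["test.example.com"]),
]

# Constructed set of vhost hostnames, one per precedence level.
SAMPLE_PATTERNS = ["#.example.com", "*.example.com", "www.example.com"]


def check_table():
    """Return every table entry the matcher disagrees with (expected: none)."""
    wrong = []
    for pattern, yes, no in TABLE:
        wrong += [(pattern, h) for h in yes if not matches(pattern, h)]
        wrong += [(pattern, h) for h in no if matches(pattern, h)]
    return wrong


if __name__ == "__main__":
    print(check_table())
    for host in ("www.example.com", "mail.example.com", "a.b.example.com"):
        print(host, "->", select_vhost(SAMPLE_PATTERNS, host))
    print(conflicting("#.#.#.#.com", ["#.com"]))
```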
</div>
<div class="sect3">
<h4 id="vhost-policy-examples-qdr">9.4.7. Vhost policy examples</h4>
<div class="paragraph">
<p>These examples demonstrate how to use vhost policies to authorize access to messaging resources.</p>
</div>
<div class="exampleblock">
<div class="title">Example 7. Defining basic resource limits for a messaging endpoint</div>
<div class="content">
<div class="paragraph">
<p>In this example, a vhost policy defines resource limits for clients connecting to the <code>example.com</code> host.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight nowrap"><code data-lang="json" class="language-json hljs">[
["vhost", {
"hostname": "example.com", // <b class="conum">(1)</b>
"maxConnectionsPerUser": 10, // <b class="conum">(2)</b>
"allowUnknownUser": true, // <b class="conum">(3)</b>
"groups": {
"admin": {
"users": ["admin1", "admin2"], // <b class="conum">(4)</b>
"remoteHosts": ["127.0.0.1", "::1"], // <b class="conum">(5)</b>
"sources": "*", // <b class="conum">(6)</b>
"targets": "*" // <b class="conum">(7)</b>
},
"$default": {
"remoteHosts": "*", // <b class="conum">(8)</b>
"sources": ["news*", "sports*", "chat*"], // <b class="conum">(9)</b>
"targets": "chat*" // <b class="conum">(10)</b>
}
}
}]
]</code></pre>
</div>
</div>
<div class="colist arabic">
<ol>
<li>
<p>The rules defined in this vhost policy will be applied to any user connecting to <code>example.com</code>.</p>
</li>
<li>
<p>Each user can open up to 10 connections to the vhost.</p>
</li>
<li>
<p>Any user can connect to this vhost. Users that are not part of the <code>admin</code> group are assigned to the <code>$default</code> group.</p>
</li>
<li>
<p>If the <code>admin1</code> or <code>admin2</code> user connects to the vhost, they are assigned to the <code>admin</code> user group.</p>
</li>
<li>
<p>Users in the <code>admin</code> user group must connect from localhost. If the admin user attempts to connect from any other host, the connection will be denied.</p>
</li>
<li>
<p>Users in the admin user group can receive from any address.</p>
</li>
<li>
<p>Users in the admin user group can send to any address.</p>
</li>
<li>
<p>Any non-admin user is permitted to connect from any host.</p>
</li>
<li>
<p>Non-admin users are permitted to receive messages from any addresses that start with the <code>news</code>, <code>sports</code>, or <code>chat</code> prefixes.</p>
</li>
<li>
<p>Non-admin users are permitted to send messages to any addresses that start with the <code>chat</code> prefix.</p>
</li>
</ol>
</div>
</div>
</div>
<div class="exampleblock">
<div class="title">Example 8. Limiting memory consumption</div>
<div class="content">
<div class="paragraph">
<p>By using the advanced vhost policy attributes, you can control how much system buffer memory a user connection can potentially consume.</p>
</div>
<div class="paragraph">
<p>In this example, a stock trading site provides services for stock traders. However, the site must also accept high-capacity, automated data feeds from stock exchanges. To prevent trading activity from consuming memory needed for the feeds, a larger amount of system buffer memory is allotted to the feeds than to the traders.</p>
</div>
<div class="paragraph">
<p>This example uses the <code>maxSessions</code> and <code>maxSessionWindow</code> attributes to set the buffer memory consumption limits for each AMQP session. These settings are passed directly to the AMQP connection and session negotiations, and do not require any processing cycles on the router.</p>
</div>
<div class="paragraph">
<p>This example does not show the vhost policy settings that are unrelated to buffer allocation.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight nowrap"><code data-lang="json" class="language-json hljs">[
["vhost", {
"hostname": "traders.com", // <b class="conum">(1)</b>
"groups": {
"traders": {
"users": ["trader1", "trader2"], // <b class="conum">(2)</b>
"maxFrameSize": 10000,
"maxSessionWindow": 5000000, // <b class="conum">(3)</b>
"maxSessions": 1 // <b class="conum">(4)</b>
},
"feeds": {
"users": ["nyse-feed", "nasdaq-feed"], // <b class="conum">(5)</b>
"maxFrameSize": 60000,
"maxSessionWindow": 1200000000, // <b class="conum">(6)</b>
"maxSessions": 3 // <b class="conum">(7)</b>
}
}
}]
]</code></pre>
</div>
</div>
<div class="colist arabic">
<ol>
<li>
<p>The rules defined in this vhost policy will be applied to any user connecting to <code>traders.com</code>.</p>
</li>
<li>
<p>The <code>traders</code> group includes <code>trader1</code>, <code>trader2</code>, and any other user defined in the list.</p>
</li>
<li>
<p>At most, 5,000,000 bytes of data can be in flight on each session.</p>
</li>
<li>
<p>Only one session per connection is allowed.</p>
</li>
<li>
<p>The <code>feeds</code> group includes two users.</p>
</li>
<li>
<p>At most, 1,200,000,000 bytes of data can be in flight on each session.</p>
</li>
<li>
<p>Up to three sessions per connection are allowed.</p>
</li>
</ol>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="configuring-logging-qdr">10. Configuring logging</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Dispatch Router contains internal logging modules that provide important information about each router. For each module, you can configure the logging level, the format of the log file, and the location to which the logs should be written.</p>
</div>
<div class="sect2">
<h3 id="logging-modules-qdr">10.1. Logging modules</h3>
<div class="paragraph">
<p>Dispatch Router logs are broken into different categories called <em>logging modules</em>. Each module provides important information about a particular aspect of Dispatch Router.</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>DEFAULT</code></dt>
<dd>
<p>The default module. This module applies defaults to all of the other logging modules.</p>
</dd>
<dt class="hdlist1"><code>ROUTER</code></dt>
<dd>
<p>This module provides information and statistics about the local router. This includes how the router connects to other routers in the network, and information about the remote destinations that are directly reachable from the router (link routes, waypoints, autolinks, and so on).</p>
</dd>
<dt class="hdlist1"><code>ROUTER_HELLO</code></dt>
<dd>
<p>This module provides information about the <em>Hello</em> protocol used by interior routers to exchange Hello messages, which include information about the router&#8217;s ID and a list of its reachable neighbors (the other routers with which this router has bidirectional connectivity).</p>
</dd>
<dt class="hdlist1"><code>ROUTER_LS</code></dt>
<dd>
<p>This module provides information about link-state data between routers, including Router Advertisement (RA), Link State Request (LSR), and Link State Update (LSU) messages.</p>
<div class="paragraph">
<p>Periodically, each router sends an LSR to the other routers and receives an LSU with the requested information. Exchanging the above information, each router can compute the next hops in the topology, and the related costs.</p>
</div>
</dd>
<dt class="hdlist1"><code>ROUTER_MA</code></dt>
<dd>
<p>This module provides information about the exchange of mobile address information between routers, including Mobile Address Request (MAR) and Mobile Address Update (MAU) messages exchanged between routers. You can use this log to monitor the state of mobile addresses attached to each router.</p>
</dd>
<dt class="hdlist1"><code>MESSAGE</code></dt>
<dd>
<p>This module provides information about AMQP messages sent and received by the router, including information about the address, body, and link. You can use this log to find high-level information about messages on a particular router.</p>
</dd>
<dt class="hdlist1"><code>SERVER</code></dt>
<dd>
<p>This module provides information about how the router is listening for and connecting to other containers in the network (such as clients, routers, and brokers). This information includes the state of AMQP messages sent and received by the broker (open, begin, attach, transfer, flow, and so on), and the related content of those messages.</p>
</dd>
<dt class="hdlist1"><code>AGENT</code></dt>
<dd>
<p>This module provides information about configuration changes made to the router from either editing the router&#8217;s configuration file or using <code>qdmanage</code>.</p>
</dd>
<dt class="hdlist1"><code>CONTAINER</code></dt>
<dd>
<p>This module provides information about the nodes related to the router. This includes only the AMQP relay node.</p>
</dd>
<dt class="hdlist1"><code>ERROR</code></dt>
<dd>
<p>This module provides detailed information about error conditions encountered during execution.</p>
</dd>
<dt class="hdlist1"><code>POLICY</code></dt>
<dd>
<p>This module provides information about policies that have been configured for the router.</p>
</dd>
</dl>
</div>
<div class="ulist">
<div class="title">Additional resources</div>
<ul>
<li>
<p>For examples of these logging modules, see <a href="#troubleshooting-using-logs-qdr">Troubleshooting using logs</a>.</p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="configuring-default-logging-qdr">10.2. Configuring default logging</h3>
<div class="paragraph">
<p>You can specify the types of events that should be logged, the format of the log entries, and where those entries should be sent.</p>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>In the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file, add a <code>log</code> section to set the default logging properties:</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This example configures all logging modules to log events starting at the <code>info</code> level:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">log {
module: DEFAULT
enable: info+
includeTimestamp: yes
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>module</code></dt>
<dd>
<p>Specify <code>DEFAULT</code>.</p>
</dd>
<dt class="hdlist1"><code>enable</code></dt>
<dd>
<p>The logging level. You can specify any of the following levels (from lowest to highest):</p>
<div class="ulist">
<ul>
<li>
<p><code>trace</code> - provides the most information, but significantly affects system performance</p>
</li>
<li>
<p><code>debug</code> - useful for debugging, but affects system performance</p>
</li>
<li>
<p><code>info</code> - provides general information without affecting system performance</p>
</li>
<li>
<p><code>notice</code> - provides general information, but is less verbose than <code>info</code></p>
</li>
<li>
<p><code>warning</code> - provides information about issues you should be aware of, but which are not errors</p>
</li>
<li>
<p><code>error</code> - error conditions that you should address</p>
</li>
<li>
<p><code>critical</code> - critical system issues that you must address immediately</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>To specify multiple levels, use a comma-separated list. You can also use <code>+</code> to specify a level and all levels above it. For example, <code>trace,debug,warning+</code> enables trace, debug, warning, error, and critical levels. For default logging, you should typically use the <code>info+</code> or <code>notice+</code> level. These levels will provide general information, warnings, and errors for all modules without affecting the performance of Dispatch Router.</p>
</div>
</dd>
<dt class="hdlist1"><code>includeTimestamp</code></dt>
<dd>
<p>Set this to <code>yes</code> to include the timestamp in all logs.</p>
</dd>
</dl>
</div>
<div class="paragraph">
<p>For information about additional log attributes, see <a href="https://qpid.apache.org/releases/qpid-dispatch-1.14.0/man/qdrouterd.conf.html#_log">log</a> in the <code>qdrouterd.conf</code> man page.</p>
</div>
</div>
</div>
</li>
<li>
<p>If you want to configure non-default logging for any of the logging modules, add an additional <code>log</code> section for each module that should not follow the default.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This example configures the <code>ROUTER</code> logging module to log <code>debug</code> events:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">log {
module: ROUTER
enable: debug
includeTimestamp: yes
}</pre>
</div>
</div>
</div>
</div>
</li>
</ol>
</div>
<div class="ulist">
<div class="title">Additional resources</div>
<ul>
<li>
<p>For more information about viewing and using logs, see <a href="#troubleshooting-qdr">Troubleshooting Dispatch Router</a>.</p>
</li>
</ul>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="configuring-routing-qdr">11. Configuring routing</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Routing is the process by which messages are delivered to their destinations. To accomplish this, Dispatch Router provides two routing mechanisms: <em>message routing</em> and <em>link routing</em>.</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><a href="#configuring-message-routing-qdr">Message routing</a></dt>
<dd>
<p>Message routing is the default routing mechanism. You can use it to route messages on a per-message basis between clients directly (direct-routed messaging), or to and from broker queues (brokered messaging).</p>
</dd>
<dt class="hdlist1"><a href="#creating-link-routes-qdr">Link routing</a></dt>
<dd>
<p>A link route represents a private messaging path between a sender and a receiver in which the router passes the messages between end points. You can use it to connect a client to a service (such as a broker queue).</p>
</dd>
</dl>
</div>
<div class="sect2">
<h3 id="configuring-message-routing-qdr">11.1. Configuring message routing</h3>
<div class="paragraph">
<p>Message routing is the default routing mechanism. You can use it to route messages on a per-message basis between clients directly (direct-routed messaging), or to and from broker queues (brokered messaging).</p>
</div>
<div class="paragraph">
<p>With message routing, you can do the following:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="#understanding-message-routing-qdr">Understand message routing concepts</a></p>
</li>
<li>
<p><a href="#configuring-address-semantics-qdr">Configure address semantics (route messages between clients)</a></p>
</li>
<li>
<p><a href="#configuring-addresses-prioritized-message-delivery-qdr">Configure addresses for prioritized message delivery</a></p>
</li>
<li>
<p><a href="#configuring-brokered-messaging-qdr">Configure brokered messaging</a></p>
</li>
<li>
<p><a href="#address-pattern-matching-qdr">Understand address pattern matching</a></p>
</li>
</ul>
</div>
<div class="sect3">
<h4 id="understanding-message-routing-qdr">11.1.1. Understanding message routing</h4>
<div class="paragraph">
<p>With message routing, routing is performed on messages as producers send them to a router. When a message arrives on a router, the router routes the message and its <em>settlement</em> based on the message&#8217;s <em>address</em> and <em>routing pattern</em>.</p>
</div>
<div class="sect4">
<h5 id="message-routing-flow-control-qdr">Message routing flow control</h5>
<div class="paragraph">
<p>Dispatch Router uses a <em>credit-based</em> flow control mechanism to ensure that producers can only send messages to a router if at least one consumer is available to receive them. Because Dispatch Router does not store messages, this credit-based flow control prevents producers from sending messages when there are no consumers present.</p>
</div>
<div class="paragraph">
<p>A client wishing to send a message to the router must wait until the router has provided it with credit. Attempting to publish a message without credit available will cause the client to block. Once credit is made available, the client will unblock, and the message will be sent to the router.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
Most AMQP client libraries enable you to determine the amount of credit available to a producer. For more information, consult your client&#8217;s documentation.
</td>
</tr>
</table>
</div>
</div>
<div class="sect4">
<h5 id="addresses-message-routing-qdr">Addresses</h5>
<div class="paragraph">
<p>Addresses determine how messages flow through your router network. An address designates an endpoint in your messaging network, such as:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Endpoint processes that consume data or offer a service</p>
</li>
<li>
<p>Topics that match multiple consumers to multiple producers</p>
</li>
<li>
<p>Entities within a messaging broker:</p>
<div class="ulist">
<ul>
<li>
<p>Queues</p>
</li>
<li>
<p>Durable Topics</p>
</li>
<li>
<p>Exchanges</p>
</li>
</ul>
</div>
</li>
</ul>
</div>
<div class="paragraph">
<p>When a router receives a message, it uses the message&#8217;s address to determine where to send the message (either its destination or one step closer to its destination).</p>
</div>
<div class="paragraph">
<p>Dispatch Router considers addresses to be <em>mobile</em> in that any user of an address may be directly connected to any router in the router network and may even
move around the topology. In cases where messages are broadcast to or
balanced across multiple consumers, the users of the address may be connected to multiple routers in the network.</p>
</div>
<div class="paragraph">
<p>Mobile addresses may be discovered during normal router operation or
configured through management settings.</p>
</div>
</div>
<div class="sect4">
<h5 id="routing-patterns-message-routing-qdr">Routing patterns</h5>
<div class="paragraph">
<p>Routing patterns define the paths that a message with a mobile address
can take across a network. These routing patterns can be used for both
direct routing, in which the router distributes messages between
clients without a broker, and indirect routing, in which the router
enables clients to exchange messages through a broker.</p>
</div>
<div class="paragraph">
<p>Routing patterns fall into two categories: Anycast
(Balanced and Closest) and Multicast. There is no concept of
"unicast" in which there is only one consumer for an address.</p>
</div>
<div class="paragraph">
<p>Anycast distribution delivers each message to one consumer whereas
multicast distribution delivers each message to all consumers.</p>
</div>
<div class="paragraph">
<p>Each address has one of the following routing patterns, which define the path that a message with the address can take across the messaging network:</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">Balanced</dt>
<dd>
<p>An anycast method that allows multiple consumers to use the same address. Each message is delivered to a single consumer only, and Dispatch Router attempts to balance the traffic load across the router network.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>If multiple consumers are attached to the same address, each router determines which outbound path should receive a message by considering each path&#8217;s current number of unsettled deliveries. This means that more messages will be delivered along paths where deliveries are settled at higher rates.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>Dispatch Router neither measures nor uses message settlement time to determine which outbound path to use.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>In this scenario, the messages are spread across both receivers regardless of path length:</p>
</div>
<div class="imageblock text-center">
<div class="content">
<img src="images/balanced-routing.png" alt="Balanced Message Routing">
</div>
<div class="title">Figure 1. Balanced Message Routing</div>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">Closest</dt>
<dd>
<p>An anycast method in which every message is sent along the shortest path to reach the destination, even if there are other consumers for the same address.</p>
<div class="paragraph">
<p>Dispatch Router determines the shortest path based on the topology cost to reach each of the consumers. If there are multiple consumers with the same lowest cost, messages will be spread evenly among those consumers.</p>
</div>
<div class="paragraph">
<p>In this scenario, all messages sent by <code>Sender</code> will be delivered to <code>Receiver 1</code>:</p>
</div>
<div class="imageblock text-center">
<div class="content">
<img src="images/closest-routing.png" alt="Closest Message Routing">
</div>
<div class="title">Figure 2. Closest Message Routing</div>
</div>
</dd>
<dt class="hdlist1">Multicast</dt>
<dd>
<p>Messages are sent to all consumers attached to the address. Each consumer will receive one copy of the message.</p>
<div class="paragraph">
<p>In this scenario, all messages are sent to all receivers:</p>
</div>
<div class="imageblock text-center">
<div class="content">
<img src="images/multicast-routing.png" alt="Multicast Message Routing">
</div>
<div class="title">Figure 3. Multicast Message Routing</div>
</div>
</dd>
</dl>
</div>
</div>
<div class="sect4">
<h5 id="message-settlement-reliability-message-routing-qdr">Message settlement and reliability</h5>
<div class="paragraph">
<p>Dispatch Router can deliver messages with the following degrees of reliability:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>At most once</p>
</li>
<li>
<p>At least once</p>
</li>
<li>
<p>Exactly once</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>The level of reliability is negotiated between the producer and the router when the producer establishes a link to the router. To achieve the negotiated level of reliability, Dispatch Router treats all messages as either <em>pre-settled</em> or <em>unsettled</em>.</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">Pre-settled</dt>
<dd>
<p>Sometimes called <em>fire and forget</em>, the router settles the incoming and outgoing deliveries and propagates the settlement to the message&#8217;s destination. However, it does not guarantee delivery.</p>
</dd>
<dt class="hdlist1">Unsettled</dt>
<dd>
<p>Dispatch Router propagates the settlement between the producer and consumer. For an anycast address, the router associates the incoming delivery with the resulting outgoing delivery. Based on this association, the router propagates changes in delivery state from the consumer to the producer.</p>
<div class="paragraph">
<p>For a multicast address, the router associates the incoming delivery with all outbound deliveries. The router waits for each consumer to set their delivery&#8217;s final state. After all outgoing deliveries have reached their final state, the router sets a final delivery state for the original inbound delivery and passes it to the producer.</p>
</div>
<div class="paragraph">
<p>The following table describes the reliability guarantees for unsettled messages sent to an anycast or multicast address:</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<colgroup>
<col style="width: 20%;">
<col style="width: 40%;">
<col style="width: 40%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Final disposition</th>
<th class="tableblock halign-left valign-top">Anycast</th>
<th class="tableblock halign-left valign-top">Multicast</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>accepted</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The consumer accepted the message.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">At least one consumer accepted the message, but no consumers rejected it.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>released</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The message did not reach its destination.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The message did not reach any of the consumers.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>modified</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The message may or may not have reached its destination. The delivery is considered to be "in-doubt" and should be re-sent if "at least once" delivery is required.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The message may or may not have reached any of the consumers. However, no consumers rejected or accepted it.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>rejected</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The consumer rejected the message.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">At least one consumer rejected the message.</p></td>
</tr>
</tbody>
</table>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect3">
<h4 id="configuring-address-semantics-qdr">11.1.2. Configuring address semantics</h4>
<div class="paragraph">
<p>You can route messages between clients without using a broker. In a brokerless scenario (sometimes called <em>direct-routed messaging</em>), Dispatch Router routes messages between clients directly.</p>
</div>
<div class="paragraph">
<p>To route messages between clients, you configure an address with a routing distribution pattern. When a router receives a message with this address, the message is routed to its destination or destinations based on the address&#8217;s routing distribution pattern.</p>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>In the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file, add an <code>address</code> section.</p>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="nowrap">address {
    prefix: my_address
    distribution: multicast
    ...
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>prefix</code> | <code>pattern</code></dt>
<dd>
<p>The address or group of addresses to which the address settings should be applied. You can specify a prefix to match an exact address or beginning segment of an address. Alternatively, you can specify a pattern to match an address using wildcards.</p>
<div class="paragraph">
<p>A <em>prefix</em> matches either an exact address or the beginning segment within an address that is delimited by either a <code>.</code> or <code>/</code> character. For example, the prefix <code>my_address</code> would match the address <code>my_address</code> as well as <code>my_address.1</code> and <code>my_address/1</code>. However, it would not match <code>my_address1</code>.</p>
</div>
<div class="paragraph">
<p>A <em>pattern</em> matches an address that corresponds to a pattern. A pattern is a sequence of words delimited by either a <code>.</code> or <code>/</code> character. You can use wildcard characters to represent a word. The <code>*</code> character matches exactly one word, and the <code>#</code> character matches any sequence of zero or more words.</p>
</div>
<div class="paragraph">
<p>The <code>*</code> and <code>#</code> characters are reserved as wildcards. Therefore, you should not use them in the message address.</p>
</div>
<div class="paragraph">
<p>For more information about creating address patterns, see <a href="#address-pattern-matching-qdr">Address pattern matching</a>.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>You can convert a <code>prefix</code> value to a <code>pattern</code> by appending <code>/#</code> to it. For example, the prefix <code>a/b/c</code> is equivalent to the pattern <code>a/b/c/#</code>.</p>
</div>
</td>
</tr>
</table>
</div>
</dd>
<dt class="hdlist1"><code>distribution</code></dt>
<dd>
<p>The message distribution pattern. The default is <code>balanced</code>, but you can specify any of the following options:</p>
<div class="ulist">
<ul>
<li>
<p><code>balanced</code> - Messages sent to the address will be routed to one of the receivers, and the routing network will attempt to balance the traffic load based on the rate of settlement.</p>
</li>
<li>
<p><code>closest</code> - Messages sent to the address are sent on the shortest path to reach the destination. This means that if there are multiple receivers for the same address, only the closest one will receive the message.</p>
</li>
<li>
<p><code>multicast</code> - Messages are sent to all receivers that are attached to the address in a <em>publish/subscribe</em> model.</p>
<div class="paragraph">
<p>For more information about message distribution patterns, see <a href="#routing-patterns-message-routing-qdr">Routing patterns</a>.</p>
</div>
</li>
</ul>
</div>
</dd>
</dl>
</div>
<div class="paragraph">
<p>For information about additional attributes, see <a href="https://qpid.apache.org/releases/qpid-dispatch-1.14.0/man/qdrouterd.conf.html#_address">address</a> in the <code>qdrouterd.conf</code> man page.</p>
</div>
</div>
</div>
</li>
<li>
<p>Add the same <code>address</code> section to any other routers that need to use the address.</p>
<div class="paragraph">
<p>The <code>address</code> that you added to this router configuration file only controls how this router distributes messages sent to the address. If you have additional routers in your router network that should distribute messages for this address, then you must add the same <code>address</code> section to each of their configuration files.</p>
</div>
</li>
</ol>
</div>
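<div class="paragraph">
<p>The prefix and pattern rules described above, as an added example (not code from the Qpid Dispatch project) for reviewing which addresses an <code>address</code> section would capture. A prefix is evaluated as the pattern <code>prefix/#</code>, as the note above states; the function names, the sample rule list, and the choice to drop empty words produced by leading or doubled delimiters are assumptions of this example.</p>
</div>

```python
import re


def tokenize(address):
    """Split an address or pattern into words on the '.' and '/' delimiters.

    Assumption of this example: empty words (from a leading or doubled
    delimiter) are dropped.
    """
    return [word for word in re.split(r"[./]", address) if word]


def pattern_matches(pattern, address):
    """Return True if the address matches the pattern.

    '*' matches exactly one word, '#' matches zero or more words.
    reach[j] is True when the pattern words consumed so far can match
    the first j words of the address.
    """
    words = tokenize(address)
    reach = [True] + [False] * len(words)
    for token in tokenize(pattern):
        nxt = [False] * (len(words) + 1)
        if token == "#":
            # '#' may absorb any number of words, so every position at or
            # after a reachable position becomes reachable.
            seen = False
            for j in range(len(words) + 1):
                seen = seen or reach[j]
                nxt[j] = seen
        else:
            for j in range(1, len(words) + 1):
                nxt[j] = reach[j - 1] and token in ("*", words[j - 1])
        reach = nxt
    return reach[len(words)]


def prefix_matches(prefix, address):
    """A prefix is equivalent to the pattern '<prefix>/#'."""
    return pattern_matches(prefix + "/#", address)


def has_reserved_wildcards(address):
    """'*' and '#' are reserved as wildcards and should not appear in a message address."""
    return any(ch in address for ch in "*#")


# Constructed sample rules: (kind, value, distribution).
RULES = [
    ("prefix", "my_address", "multicast"),
    ("pattern", "my/*/address", "closest"),
    ("pattern", "news/#", "balanced"),
]


def matching_rules(address, rules=RULES):
    """Return every rule that captures the address.

    More than one result means the rules overlap; this example does not
    model which rule the router would prefer.
    """
    hits = []
    for kind, value, distribution in rules:
        matcher = prefix_matches if kind == "prefix" else pattern_matches
        if matcher(value, address):
            hits.append((kind, value, distribution))
    return hits


if __name__ == "__main__":
    for addr in ["my_address", "my_address.1", "my_address1",
                 "my/x/address", "news", "news/usa/sports"]:
        print(addr, "->", matching_rules(addr))
```
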
</div>
<div class="sect3">
<h4 id="configuring-addresses-prioritized-message-delivery-qdr">11.1.3. Configuring addresses for prioritized message delivery</h4>
<div class="paragraph">
<p>You can set the priority level of an address to control how Dispatch Router processes messages sent to that address. Within the scope of a connection, Dispatch Router attempts to process messages based on their priority. For a connection with a large volume of messages in flight, this lowers the latency for higher-priority messages.</p>
</div>
<div class="paragraph">
<p>Assigning a high priority level to an address does not guarantee that messages sent to the address will be delivered before messages sent to lower-priority addresses. However, higher-priority messages will travel more quickly through the router network than they otherwise would.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>You can also control the priority level of individual messages by setting the priority level in the message header. However, the address priority takes precedence: if you send a prioritized message to an address with a different priority level, the router will use the address priority level.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="ulist">
<div class="title">Procedure</div>
<ul>
<li>
<p>In the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file, add or edit an address and assign a priority level.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This example adds an address with the highest priority level. The router will attempt to deliver messages sent to this address before messages with lower priority levels.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">address {
    prefix: my-high-priority-address
    priority: 9
    ...
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>priority</code></dt>
<dd>
<p>The priority level to assign to all messages sent to this address. The range of valid priority levels is 0-9, in which the higher the number, the higher the priority. The default is 4.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
</ul>
</div>
<div class="ulist">
<div class="title">Additional resources</div>
<ul>
<li>
<p>For more information about setting the priority level in a message, see the <a href="http://docs.oasis-open.org/amqp/core/v1.0/os/amqp-core-overview-v1.0-os.html" target="_blank" rel="noopener">AMQP 1.0 specification</a>.</p>
</li>
</ul>
</div>
</div>
<div class="sect3">
<h4 id="configuring-brokered-messaging-qdr">11.1.4. Configuring brokered messaging</h4>
<div class="paragraph">
<p>If you require "store and forward" capabilities, you can configure Dispatch Router to use brokered messaging. In this scenario, clients connect to a router to send and receive messages, and the router routes the messages to or from queues on a message broker.</p>
</div>
<div class="paragraph">
<p>You can configure the following:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="#routing-messages-through-broker-queues-qdr">Route messages through broker queues</a></p>
<div class="paragraph">
<p>You can route messages to a queue hosted on a single broker, or route messages to a <em>sharded queue</em> distributed across multiple brokers.</p>
</div>
</li>
<li>
<p><a href="#handling-undeliverable-messages-qdr">Store and retrieve undeliverable messages on a broker queue</a></p>
</li>
</ul>
</div>
<div class="sect4">
<h5 id="how-router-enables-brokered-messaging-qdr">How Dispatch Router enables brokered messaging</h5>
<div class="paragraph">
<p>Brokered messaging enables Dispatch Router to store messages on a broker queue. This requires a connection to the broker, a <em>waypoint</em> address to represent the broker queue, and <em>autolinks</em> to attach to the waypoint address.</p>
</div>
<div class="paragraph">
<p>An autolink is a link that is automatically created by the router to attach to a waypoint address. With autolinks, client traffic is handled on the router, not the broker. Clients attach their links to the router, and then the router uses internal autolinks to connect to the queue on the broker. Therefore, the queue will always have a single producer and a single consumer regardless of how many clients are attached to the router.</p>
</div>
<div class="imageblock text-center">
<div class="content">
<img src="images/brokered-messaging.png" alt="Brokered Messaging">
</div>
<div class="title">Figure 4. Brokered messaging</div>
</div>
<div class="paragraph">
<p>In this diagram, the sender connects to the router and sends messages to <code>my_queue</code>. The router attaches an outgoing link to the broker, and then sends the messages to <code>my_queue</code>. Later, the receiver connects to the router and requests messages from <code>my_queue</code>. The router attaches an incoming link to the broker to receive the messages from <code>my_queue</code>, and then delivers them to the receiver.</p>
</div>
<div class="paragraph">
<p>You can also route messages to a <em>sharded queue</em>, which is a single, logical queue composed of multiple underlying physical queues. Using queue sharding, it is possible to distribute a single queue over multiple brokers. Clients can connect to any of the brokers that hold a shard to send and receive messages.</p>
</div>
<div class="imageblock text-center">
<div class="content">
<img src="images/sharded-queue-02.png" alt="Brokered Messaging with Sharded Queue">
</div>
<div class="title">Figure 5. Brokered messaging with sharded queue</div>
</div>
<div class="paragraph">
<p>In this diagram, a sharded queue (<code>my_queue</code>) is distributed across two brokers. The router is connected to the clients and to both brokers. The sender connects to the router and sends messages to <code>my_queue</code>. The router attaches an outgoing link to each broker, and then sends messages to each shard (by default, the routing distribution is <code>balanced</code>). Later, the receiver connects to the router and requests all of the messages from <code>my_queue</code>. The router attaches an incoming link to one of the brokers to receive the messages from <code>my_queue</code>, and then delivers them to the receiver.</p>
</div>
</div>
<div class="sect4">
<h5 id="routing-messages-through-broker-queues-qdr">Routing messages through broker queues</h5>
<div class="paragraph">
<p>You can route messages to and from a broker queue to provide clients with access to the queue through a router. In this scenario, clients connect to a router to send and receive messages, and the router routes the messages to or from the broker queue.</p>
</div>
<div class="paragraph">
<p>You can route messages to a queue hosted on a single broker, or route messages to a <em>sharded queue</em> distributed across multiple brokers.</p>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>In the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file, add a waypoint address for the broker queue.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>A waypoint address identifies a queue on a broker to which you want to route messages. This example adds a waypoint address for the <code>my_queue</code> queue:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">address {
    prefix: my_queue
    waypoint: yes
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>prefix</code> | <code>pattern</code></dt>
<dd>
<p>The address prefix or pattern that matches the broker queue to which you want to send messages. You can specify a prefix to match an exact address or beginning segment of an address. Alternatively, you can specify a pattern to match an address using wildcards.</p>
<div class="paragraph">
<p>A <em>prefix</em> matches either an exact address or the beginning segment within an address that is delimited by either a <code>.</code> or <code>/</code> character. For example, the prefix <code>my_address</code> would match the address <code>my_address</code> as well as <code>my_address.1</code> and <code>my_address/1</code>. However, it would not match <code>my_address1</code>.</p>
</div>
<div class="paragraph">
<p>A <em>pattern</em> matches an address that corresponds to a pattern. A pattern is a sequence of words delimited by either a <code>.</code> or <code>/</code> character. You can use wildcard characters to represent a word. The <code>*</code> character matches exactly one word, and the <code>#</code> character matches any sequence of zero or more words.</p>
</div>
<div class="paragraph">
<p>The <code>*</code> and <code>#</code> characters are reserved as wildcards. Therefore, you should not use them in the message address.</p>
</div>
<div class="paragraph">
<p>For more information about creating address patterns, see <a href="#address-pattern-matching-qdr">Address pattern matching</a>.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>You can convert a <code>prefix</code> value to a <code>pattern</code> by appending <code>/#</code> to it. For example, the prefix <code>a/b/c</code> is equivalent to the pattern <code>a/b/c/#</code>.</p>
</div>
</td>
</tr>
</table>
</div>
</dd>
<dt class="hdlist1"><code>waypoint</code></dt>
<dd>
<p>Set this attribute to <code>yes</code> so that the router handles messages sent to this address as a waypoint.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
<li>
<p>Connect the router to the broker.</p>
<div class="olist loweralpha">
<ol class="loweralpha" type="a">
<li>
<p>Add an outgoing connection to the broker if one does not exist.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>If the queue is sharded across multiple brokers, you must add a connection for each broker. For more information, see <a href="#connecting-to-external-amqp-containers-qdr">Connecting to external AMQP containers</a>.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>If the connection to the broker fails, Dispatch Router automatically attempts to reestablish the connection and reroute message deliveries to any available alternate destinations. However, some deliveries could be returned to the sender with a <code>RELEASED</code> or <code>MODIFIED</code> disposition. Therefore, you should ensure that your clients can handle these deliveries appropriately (generally by resending them).</p>
</div>
</td>
</tr>
</table>
</div>
</div>
</div>
</li>
<li>
<p>If you want to send messages to the broker queue, add an <em>outgoing</em> autolink to the broker queue.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>If the queue is sharded across multiple brokers, you must add an outgoing autolink for each broker.</p>
</div>
<div class="paragraph">
<p>This example configures an outgoing autolink to send messages to a broker queue:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">autoLink {
    address: my_queue
    connection: my_broker
    direction: out
    ...
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>address</code></dt>
<dd>
<p>The address of the broker queue. When the autolink is created, it will be attached to this address.</p>
</dd>
<dt class="hdlist1"><code>externalAddress</code></dt>
<dd>
<p>An optional alternate address for the broker queue. You use an external address if the broker queue should have a different address than that which the sender uses. In this scenario, senders send messages to the <code>address</code> address, and then the router routes them to the broker queue represented by the <code>externalAddress</code> address.</p>
</dd>
<dt class="hdlist1"><code>connection</code> | <code>containerID</code></dt>
<dd>
<p>How the router should connect to the broker. You can specify either an outgoing connection (<code>connection</code>) or the container ID of the broker (<code>containerID</code>).</p>
</dd>
<dt class="hdlist1"><code>direction</code></dt>
<dd>
<p>Set this attribute to <code>out</code> to specify that this autolink can send messages from the router to the broker.</p>
</dd>
</dl>
</div>
<div class="paragraph">
<p>For information about additional attributes, see <a href="https://qpid.apache.org/releases/qpid-dispatch-1.14.0/man/qdrouterd.conf.html#_autolink">autoLink</a> in the <code>qdrouterd.conf</code> man page.</p>
</div>
</div>
</div>
</li>
</ol>
</div>
</li>
<li>
<p>If you want to receive messages from the broker queue, add an <em>incoming</em> autolink from the broker queue:</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>If the queue is sharded across multiple brokers, you must add an outgoing autolink for each broker.</p>
</div>
<div class="paragraph">
<p>This example configures an incoming autolink to receive messages from a broker queue:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">autoLink {
    address: my_queue
    connection: my_broker
    direction: in
    ...
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>address</code></dt>
<dd>
<p>The address of the broker queue. When the autolink is created, it will be attached to this address.</p>
</dd>
<dt class="hdlist1"><code>externalAddress</code></dt>
<dd>
<p>An optional alternate address for the broker queue. You use an external address if the broker queue should have a different address than that which the receiver uses. In this scenario, receivers receive messages from the <code>address</code> address, and the router retrieves them from the broker queue represented by the <code>externalAddress</code> address.</p>
</dd>
<dt class="hdlist1"><code>connection</code> | <code>containerID</code></dt>
<dd>
<p>How the router should connect to the broker. You can specify either an outgoing connection (<code>connection</code>) or the container ID of the broker (<code>containerID</code>).</p>
</dd>
<dt class="hdlist1"><code>direction</code></dt>
<dd>
<p>Set this attribute to <code>in</code> to specify that this autolink can receive messages sent from the broker to the router.</p>
</dd>
</dl>
</div>
<div class="paragraph">
<p>For information about additional attributes, see <a href="https://qpid.apache.org/releases/qpid-dispatch-1.14.0/man/qdrouterd.conf.html#_autolink">autoLink</a> in the <code>qdrouterd.conf</code> man page.</p>
</div>
</div>
</div>
</li>
</ol>
</div>
</div>
<div class="sect4">
<h5 id="handling-undeliverable-messages-qdr">Handling undeliverable messages</h5>
<div class="paragraph">
<p>You handle undeliverable messages for an address by configuring autolinks that point to <em>fallback destinations</em>. A fallback destination (such as a queue on a broker) stores messages that are not directly routable to any consumers.</p>
</div>
<div class="paragraph">
<p>During normal message delivery, Dispatch Router delivers messages to the consumers that are attached to the router network. However, if no consumers are reachable, the messages are diverted to any fallback destinations that were configured for the address (if the autolinks that point to the fallback destinations are active). When a consumer reconnects and becomes reachable again, it receives the messages stored at the fallback destination.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>Dispatch Router preserves the original delivery order for messages stored at a fallback destination. However, when a consumer reconnects, any new messages produced while the queue is draining will be interleaved with the messages stored at the fallback destination.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="ulist">
<div class="title">Prerequisites</div>
<ul>
<li>
<p>The router is connected to a broker.</p>
<div class="paragraph">
<p>For more information, see <a href="#connecting-to-external-amqp-containers-qdr">Connecting to external AMQP containers</a>.</p>
</div>
</li>
</ul>
</div>
<div class="paragraph">
<div class="title">Procedure</div>
<p>This procedure enables fallback for an address and configures autolinks to connect to the broker queue that provides the fallback destination for the address.</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>In the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file, enable fallback destinations for the address.</p>
<div class="listingblock">
<div class="content">
<pre class="nowrap">address {
    prefix: my_address
    enableFallback: yes
}</pre>
</div>
</div>
</li>
<li>
<p>Add an <em>outgoing</em> autolink to a queue on the broker.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>For the address for which you enabled fallback, if messages are not routable to any consumers, the router will use this autolink to send the messages to a queue on the broker.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">autoLink {
    address: my_address.2
    direction: out
    connection: my_broker
    fallback: yes
}</pre>
</div>
</div>
</div>
</div>
</li>
<li>
<p>If you want the router to send queued messages to attached consumers as soon as they connect to the router network, add an <em>incoming</em> autolink.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>As soon as a consumer attaches to the router, it will receive the messages stored in the broker queue, along with any new messages sent by the producer. The original delivery order of the queued messages is preserved; however, the queued messages will be interleaved with the new messages.</p>
</div>
<div class="paragraph">
<p>If you do not add the incoming autolink, the messages will be stored on the broker, but will not be sent to consumers when they attach to the router.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">autoLink {
    address: my_address.2
    direction: in
    connection: my_broker
    fallback: yes
}</pre>
</div>
</div>
</div>
</div>
</li>
</ol>
</div>
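<div class="paragraph">
<p>A configuration check for the two brokered-messaging procedures above, as an added example that is not part of the Qpid Dispatch project. It reads <code>qdrouterd.conf</code>-style text and reports autolinks that lack a covering <code>waypoint</code> or <code>enableFallback</code> address, and fallback queues that are filled but never drained. The function names and the sample configuration are constructed for this example, and <code>address</code> sections that use <code>pattern</code> instead of <code>prefix</code> are not evaluated.</p>
</div>

```python
import re

# Constructed sample configuration (not from a real deployment).
SAMPLE_CONF = """\
# waypoint for a broker queue
address {
    prefix: my_queue
    waypoint: yes
}
address {
    prefix: my_address
    enableFallback: yes
}
autoLink {
    address: my_queue
    connection: my_broker
    direction: out
}
# fallback queue is written to, but no incoming autoLink drains it
autoLink {
    address: my_address.2
    connection: my_broker
    direction: out
    fallback: yes
}
# no waypoint address covers this one, and the direction is invalid
autoLink {
    address: orders
    connection: my_broker
    direction: sideways
}
"""


def parse_conf(text):
    """Return [(entity, {attribute: value})] for each 'entity { key: value }' section."""
    # Drop full-line comments only, so a '#' wildcard inside a value survives.
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    sections = []
    for match in re.finditer(r"(\w+)\s*\{([^{}]*)\}", text):
        attrs = {}
        for line in match.group(2).splitlines():
            key, sep, value = line.partition(":")
            if sep:  # lines without ':' (blank, '...') are ignored
                attrs[key.strip()] = value.strip()
        sections.append((match.group(1), attrs))
    return sections


def prefix_covers(prefix, address):
    """Exact match, or the prefix followed by a '.' or '/' delimiter."""
    return address == prefix or address.startswith((prefix + ".", prefix + "/"))


def is_yes(value):
    # The page writes booleans as 'yes'; accepting 'true' is an assumption.
    return str(value).lower() in ("yes", "true")


def lint(text):
    """Return a list of findings for the autoLink sections in the configuration."""
    sections = parse_conf(text)
    addresses = [a for kind, a in sections if kind == "address" and "prefix" in a]
    findings = []
    directions = {}  # (address, is_fallback) -> set of configured directions
    for kind, link in sections:
        if kind != "autoLink":
            continue
        addr = link.get("address", "")
        direction = link.get("direction")
        fallback = is_yes(link.get("fallback"))
        if direction not in ("in", "out"):
            findings.append(f"{addr}: direction must be 'in' or 'out', got {direction!r}")
        # A fallback autolink needs an address with enableFallback: yes;
        # any other autolink needs a waypoint address.
        needed = "enableFallback" if fallback else "waypoint"
        if not any(is_yes(a.get(needed)) and prefix_covers(a["prefix"], addr)
                   for a in addresses):
            findings.append(f"{addr}: no address section with {needed}: yes covers this autoLink")
        directions.setdefault((addr, fallback), set()).add(direction)
    for (addr, fallback), dirs in sorted(directions.items()):
        # Without the incoming autolink, stored messages are not sent to consumers.
        if fallback and "out" in dirs and "in" not in dirs:
            findings.append(f"{addr}: fallback messages are stored but no incoming autoLink returns them")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```
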
</div>
</div>
<div class="sect3">
<h4 id="address-pattern-matching-qdr">11.1.5. Address pattern matching</h4>
<div class="paragraph">
<p>In some router configuration scenarios, you might need to use pattern matching to match a range of addresses rather than a single, literal address. Address patterns match any address that corresponds to the pattern.</p>
</div>
<div class="paragraph">
<p>An address pattern is a sequence of tokens (typically words) that are delimited by either <code>.</code> or <code>/</code> characters. They also can contain special wildcard characters that represent words:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>*</code> represents exactly one word</p>
</li>
<li>
<p><code>#</code> represents zero or more words</p>
</li>
</ul>
</div>
<div class="exampleblock">
<div class="title">Example 9. Address pattern</div>
<div class="content">
<div class="paragraph">
<p>This address contains two tokens, separated by the <code>/</code> delimiter:</p>
</div>
<div class="paragraph">
<p><code>my/address</code></p>
</div>
</div>
</div>
<div class="exampleblock">
<div class="title">Example 10. Address pattern with wildcard</div>
<div class="content">
<div class="paragraph">
<p>This address contains three tokens. The <code>*</code> is a wildcard, representing any single word that might be between <code>my</code> and <code>address</code>:</p>
</div>
<div class="paragraph">
<p><code>my/*/address</code></p>
</div>
</div>
</div>
<div class="paragraph">
<p>The following table shows some address patterns and examples of the addresses that would match them:</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<colgroup>
<col style="width: 33.3333%;">
<col style="width: 33.3333%;">
<col style="width: 33.3334%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">This pattern&#8230;&#8203;</th>
<th class="tableblock halign-left valign-top">Matches&#8230;&#8203;</th>
<th class="tableblock halign-left valign-top">But not&#8230;&#8203;</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>news/*</code></p>
</div></div></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>news/europe</code></p>
</div>
<div class="paragraph">
<p><code>news/usa</code></p>
</div></div></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>news</code></p>
</div>
<div class="paragraph">
<p><code>news/usa/sports</code></p>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>news/#</code></p>
</div></div></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>news</code></p>
</div>
<div class="paragraph">
<p><code>news/europe</code></p>
</div>
<div class="paragraph">
<p><code>news/usa/sports</code></p>
</div></div></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>europe</code></p>
</div>
<div class="paragraph">
<p><code>usa</code></p>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>news/europe/#</code></p>
</div></div></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>news/europe</code></p>
</div>
<div class="paragraph">
<p><code>news/europe/sports</code></p>
</div>
<div class="paragraph">
<p><code>news/europe/politics/fr</code></p>
</div></div></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>news/usa</code></p>
</div>
<div class="paragraph">
<p><code>europe</code></p>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>news/*/sports</code></p>
</div></div></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>news/europe/sports</code></p>
</div>
<div class="paragraph">
<p><code>news/usa/sports</code></p>
</div></div></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><code>news</code></p>
</div>
<div class="paragraph">
<p><code>news/europe/fr/sports</code></p>
</div></div></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="sect2">
<h3 id="creating-link-routes-qdr">11.2. Creating link routes</h3>
<div class="paragraph">
<p>A link route represents a private messaging path between a sender and a receiver in which the router passes the messages between end points. You can use it to connect a client to a service (such as a broker queue).</p>
</div>
<div class="sect3">
<h4 id="understanding-link-routing-qdr">11.2.1. Understanding link routing</h4>
<div class="paragraph">
<p>Link routing provides an alternative strategy for brokered messaging. A link route represents a private messaging path between a sender and a receiver in which the router passes the messages between end points. You can think of a link route as a "virtual connection" or "tunnel" that travels from a sender, through the router network, to a receiver.</p>
</div>
<div class="paragraph">
<p>With link routing, routing is performed on link-attach frames, which are chained together to form a virtual messaging path that directly connects a sender and receiver. Once a link route is established, the transfer of message deliveries, flow frames, and dispositions is performed across the link route.</p>
</div>
<div class="sect4">
<h5 id="link-routing-flow-control-qdr">Link routing flow control</h5>
<div class="paragraph">
<p>Unlike message routing, with link routing, the sender and receiver handle flow control directly: the receiver grants link credits, which represent the number of messages it is able to receive. The router passes these credits directly to the sender, and the sender then sends messages based on the credits that the receiver granted.</p>
</div>
</div>
<div class="sect4">
<h5 id="link-route-addresses-qdr">Link route addresses</h5>
<div class="paragraph">
<p>A link route address represents a broker queue, topic, or other service. When a client attaches a link route address to a router, the router propagates a link attachment to the broker resource identified by the address.</p>
</div>
<div class="paragraph">
<p>Using link route addresses, the router network does not participate in
aggregated message distribution. The router simply passes message
delivery and settlement between the two end points.</p>
</div>
</div>
<div class="sect4">
<h5 id="routing-patterns-link-routing-qdr">Routing patterns for link routing</h5>
<div class="paragraph">
<p>Routing patterns are not used with link routing, because there is a direct link between the sender and receiver. The router only makes a routing decision when it receives the initial link-attach request frame. Once the link is established, the router passes the messages along the link in a balanced distribution.</p>
</div>
</div>
</div>
<div class="sect3">
<h4 id="creating-link-route-qdr">11.2.2. Creating a link route</h4>
<div class="paragraph">
<p>Link routes establish a link between a sender and a receiver that travels through a router. You can configure inward and outward link routes to enable the router to receive link-attaches from clients and to send them to a particular destination.</p>
</div>
<div class="paragraph">
<p>With link routing, client traffic is handled on the broker, not the router. Clients have a direct link through the router to a broker&#8217;s queue. Therefore, each client is a separate producer or consumer.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>If the connection to the broker fails, the routed links are detached, and the router will attempt to reconnect to the broker (or its backup). Once the connection is reestablished, the link route to the broker will become reachable again.</p>
</div>
<div class="paragraph">
<p>From the client&#8217;s perspective, the client will see the detached links (that is, the senders or receivers), but not the failed connection. Therefore, if you want the client to reattach dropped links in the event of a broker connection failure, you must configure this functionality on the client. Alternatively, you can use message routing with autolinks instead of link routing. For more information, see <a href="#routing-messages-through-broker-queues-qdr">Routing messages through broker queues</a>.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>Add an outgoing connection to the broker if one does not exist.</p>
<div class="paragraph">
<p>If the queue is sharded across multiple brokers, you must add a connection for each broker. For more information, see <a href="#connecting-to-external-amqp-containers-qdr">Connecting to external AMQP containers</a>.</p>
</div>
</li>
<li>
<p>If you want clients to send local transactions to the broker, create a link route for the transaction coordinator:</p>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="nowrap">linkRoute {
prefix: $coordinator <b class="conum">(1)</b>
connection: my_broker
direction: in
}</pre>
</div>
</div>
<div class="colist arabic">
<ol>
<li>
<p>The <code>$coordinator</code> prefix designates this link route as a transaction coordinator. When the client opens a transacted session, the requests to start and end the transaction are propagated along this link route to the broker.</p>
</li>
</ol>
</div>
<div class="paragraph">
<p>Dispatch Router does not support routing transactions to multiple brokers. If you have multiple brokers in your environment, choose a single broker and route all transactions to it.</p>
</div>
</div>
</div>
</li>
<li>
<p>If you want clients to send messages on this link route, create an incoming link route:</p>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="nowrap">linkRoute {
prefix: my_queue
connection: my_broker
direction: in
...
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>prefix</code> | <code>pattern</code></dt>
<dd>
<p>The address prefix or pattern that matches the broker queue that should be the destination for routed link-attaches. All messages that match this prefix or pattern will be distributed along the link route. You can specify a prefix to match an exact address or beginning segment of an address. Alternatively, you can specify a pattern to match an address using wildcards.</p>
<div class="paragraph">
<p>A <em>prefix</em> matches either an exact address or the beginning segment within an address that is delimited by either a <code>.</code> or <code>/</code> character. For example, the prefix <code>my_address</code> would match the address <code>my_address</code> as well as <code>my_address.1</code> and <code>my_address/1</code>. However, it would not match <code>my_address1</code>.</p>
</div>
<div class="paragraph">
<p>A <em>pattern</em> matches an address that corresponds to a pattern. A pattern is a sequence of words delimited by either a <code>.</code> or <code>/</code> character. You can use wildcard characters to represent a word. The <code>*</code> character matches exactly one word, and the <code>#</code> character matches any sequence of zero or more words.</p>
</div>
<div class="paragraph">
<p>The <code>*</code> and <code>#</code> characters are reserved as wildcards. Therefore, you should not use them in the message address.</p>
</div>
<div class="paragraph">
<p>For more information about creating address patterns, see <a href="#address-pattern-matching-qdr">Address pattern matching</a>.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>You can convert a <code>prefix</code> value to a <code>pattern</code> by appending <code>/#</code> to it. For example, the prefix <code>a/b/c</code> is equivalent to the pattern <code>a/b/c/#</code>.</p>
</div>
</td>
</tr>
</table>
</div>
</dd>
<dt class="hdlist1"><code>connection</code> | <code>containerID</code></dt>
<dd>
<p>How the router should connect to the broker. You can specify either an outgoing connection (<code>connection</code>) or the container ID of the broker (<code>containerID</code>).</p>
<div class="paragraph">
<p>If multiple brokers are connected to the router through this connection, requests for addresses matching the link route&#8217;s prefix or pattern are balanced across the brokers. Alternatively, if you want to specify a particular broker, use <code>containerID</code> and add the broker&#8217;s container ID.</p>
</div>
</dd>
<dt class="hdlist1"><code>direction</code></dt>
<dd>
<p>Set this attribute to <code>in</code> to specify that clients can send messages into the router network on this link route.</p>
</dd>
</dl>
</div>
<div class="paragraph">
<p>For information about additional attributes, see <a href="https://qpid.apache.org/releases/qpid-dispatch-1.14.0/man/qdrouterd.conf.html#_linkroute">linkRoute</a> in the <code>qdrouterd.conf</code> man page.</p>
</div>
</div>
</div>
</li>
<li>
<p>If you want clients to receive messages on this link route, create an outgoing link route:</p>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="nowrap">linkRoute {
prefix: my_queue
connection: my_broker
direction: out
...
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>prefix</code> | <code>pattern</code></dt>
<dd>
<p>The address prefix or pattern that matches the broker queue from which you want to receive routed link-attaches. All messages that match this prefix or pattern will be distributed along the link route. You can specify a prefix to match an exact address or beginning segment of an address. Alternatively, you can specify a pattern to match an address using wildcards.</p>
<div class="paragraph">
<p>A <em>prefix</em> matches either an exact address or the beginning segment within an address that is delimited by either a <code>.</code> or <code>/</code> character. For example, the prefix <code>my_address</code> would match the address <code>my_address</code> as well as <code>my_address.1</code> and <code>my_address/1</code>. However, it would not match <code>my_address1</code>.</p>
</div>
<div class="paragraph">
<p>A <em>pattern</em> matches an address that corresponds to a pattern. A pattern is a sequence of words delimited by either a <code>.</code> or <code>/</code> character. You can use wildcard characters to represent a word. The <code>*</code> character matches exactly one word, and the <code>#</code> character matches any sequence of zero or more words.</p>
</div>
<div class="paragraph">
<p>The <code>*</code> and <code>#</code> characters are reserved as wildcards. Therefore, you should not use them in the message address.</p>
</div>
<div class="paragraph">
<p>For more information about creating address patterns, see <a href="#address-pattern-matching-qdr">Address pattern matching</a>.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>You can convert a <code>prefix</code> value to a <code>pattern</code> by appending <code>/#</code> to it. For example, the prefix <code>a/b/c</code> is equivalent to the pattern <code>a/b/c/#</code>.</p>
</div>
</td>
</tr>
</table>
</div>
</dd>
<dt class="hdlist1"><code>connection</code> | <code>containerID</code></dt>
<dd>
<p>How the router should connect to the broker. You can specify either an outgoing connection (<code>connection</code>) or the container ID of the broker (<code>containerID</code>).</p>
<div class="paragraph">
<p>If multiple brokers are connected to the router through this connection, requests for addresses matching the link route&#8217;s prefix or pattern are balanced across the brokers. Alternatively, if you want to specify a particular broker, use <code>containerID</code> and add the broker&#8217;s container ID.</p>
</div>
</dd>
<dt class="hdlist1"><code>direction</code></dt>
<dd>
<p>Set this attribute to <code>out</code> to specify that this link route is for receivers.</p>
</dd>
</dl>
</div>
<div class="paragraph">
<p>For information about additional attributes, see <a href="https://qpid.apache.org/releases/qpid-dispatch-1.14.0/man/qdrouterd.conf.html#_linkroute">linkRoute</a> in the <code>qdrouterd.conf</code> man page.</p>
</div>
</div>
</div>
</li>
</ol>
</div>
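<div class="paragraph">
<p>The following Python sketch is an added example, not code from the Dispatch Router project. It implements the wildcard rules from Address pattern matching and the prefix rule described above (a prefix is the pattern with <code>/#</code> appended), checks them against the table in that section, and lists which broker addresses a given <code>linkRoute</code> prefix or pattern would make reachable. The function names and the broker address inventory are assumptions made for the example.</p>
</div>

```python
import re

_DELIMS = re.compile(r"[./]")  # words are delimited by '.' or '/'


def tokenize(text):
    """Split an address or pattern into its words."""
    return _DELIMS.split(text) if text else []


def pattern_matches(pattern, address):
    """True if address matches pattern ('*' = exactly one word, '#' = zero or more)."""
    words = tokenize(address)
    # reach[j] is True when the pattern words consumed so far can match words[:j].
    reach = [True] + [False] * len(words)
    for token in tokenize(pattern):
        nxt = [False] * (len(words) + 1)
        if token == "#":
            # '#' may absorb any number of words, so every position at or
            # after a reachable one becomes reachable.
            seen = False
            for j in range(len(words) + 1):
                seen = seen or reach[j]
                nxt[j] = seen
        else:
            for j in range(len(words)):
                if reach[j] and (token == "*" or token == words[j]):
                    nxt[j + 1] = True
        reach = nxt
    return reach[len(words)]


def prefix_matches(prefix, address):
    """Prefix semantics through the guide's rule: prefix P equals pattern P/#."""
    return pattern_matches(prefix + "/#", address)


def route_matches(route, address):
    """route is a dict holding either a 'pattern' or a 'prefix' key."""
    if "pattern" in route:
        return pattern_matches(route["pattern"], address)
    return prefix_matches(route["prefix"], address)


def reachable(route, broker_addresses):
    """Broker addresses a client could attach to through this link route."""
    return [a for a in broker_addresses if route_matches(route, a)]


# Rows of the table in "Address pattern matching": (pattern, matches, but not).
TABLE = [
    ("news/*", ["news/europe", "news/usa"], ["news", "news/usa/sports"]),
    ("news/#", ["news", "news/europe", "news/usa/sports"], ["europe", "usa"]),
    ("news/europe/#",
     ["news/europe", "news/europe/sports", "news/europe/politics/fr"],
     ["news/usa", "europe"]),
    ("news/*/sports", ["news/europe/sports", "news/usa/sports"],
     ["news", "news/europe/fr/sports"]),
]


def table_mismatches():
    """Return every (pattern, address) pair where the matcher disagrees with the table."""
    bad = []
    for pattern, should, should_not in TABLE:
        bad += [(pattern, a) for a in should if not pattern_matches(pattern, a)]
        bad += [(pattern, a) for a in should_not if pattern_matches(pattern, a)]
    return bad


# Constructed inventory of broker addresses (hypothetical queue names).
BROKER_ADDRESSES = [
    "b2.event-queue", "b2.admin.audit", "b2", "b20.billing", "b1.event-queue",
]

if __name__ == "__main__":
    print("table mismatches:", table_mismatches())
    print("prefix b2    ->", reachable({"prefix": "b2"}, BROKER_ADDRESSES))
    print("pattern b2.* ->", reachable({"pattern": "b2.*"}, BROKER_ADDRESSES))
```

<div class="paragraph">
<p>Running the check against a list of the broker's real queue names before deploying a <code>linkRoute</code> shows whether a short prefix reaches more queues than intended; a narrower pattern limits the route to the addresses clients actually need.</p>
</div>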
</div>
<div class="sect3">
<h4 id="link-route-example-qdr">11.2.3. Link route example: Connecting clients and brokers on different networks</h4>
<div class="paragraph">
<p>This example shows how a link route can connect a client to a message broker that is on a different private network.</p>
</div>
<div class="imageblock text-center">
<div class="content">
<img src="images/link-routing-02.png" alt="Network isolation with link routing">
</div>
<div class="title">Figure 6. Router network with isolated clients</div>
</div>
<div class="paragraph">
<p>The client is constrained by firewall policy to connect to the router in its own network (<code>R3</code>). However, it can use a link route to access queues, topics, and any other AMQP services that are provided on message brokers <code>B1</code> and <code>B2</code>&#8201;&#8212;&#8201;even though they are on different networks.</p>
</div>
<div class="paragraph">
<p>In this example, the client needs to receive messages from <code>b2.event-queue</code>, which is hosted on broker <code>B2</code> in <code>Private Network 1</code>. A link route connects the client and broker even though neither of them is aware that there is a router network between them.</p>
</div>
<h5 id="router_configuration" class="discrete">Router configuration</h5>
<div class="paragraph">
<p>To enable the client to receive messages from <code>b2.event-queue</code> on broker <code>B2</code>, router <code>R2</code> must be able to do the following:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Connect to broker <code>B2</code></p>
</li>
<li>
<p>Route links to and from broker <code>B2</code></p>
</li>
<li>
<p>Advertise itself to the router network as a valid destination for links that have a <code>b2.event-queue</code> address</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>The relevant part of the configuration file for router <code>R2</code> shows the following:</p>
</div>
<div class="openblock">
<div class="content">
<div class="listingblock">
<div class="content">
<pre class="nowrap">connector { // <b class="conum">(1)</b>
name: broker
role: route-container
host: 192.0.2.1
port: 61617
saslMechanisms: ANONYMOUS
}
linkRoute { // <b class="conum">(2)</b>
prefix: b2
direction: in
connection: broker
}
linkRoute { // <b class="conum">(3)</b>
prefix: b2
direction: out
connection: broker
}</pre>
</div>
</div>
<div class="colist arabic">
<ol>
<li>
<p>The outgoing connection from the router to broker <code>B2</code>. The <code>route-container</code> role enables the router to connect to an external AMQP container (in this case, a broker).</p>
</li>
<li>
<p>The incoming link route for receiving links from client senders. Any sender with a target whose address begins with <code>b2</code> will be routed to broker <code>B2</code> using the <code>broker</code> connector.</p>
</li>
<li>
<p>The outgoing link route for sending links to client receivers. Any receivers whose source address begins with <code>b2</code> will be routed to broker <code>B2</code> using the <code>broker</code> connector.</p>
</li>
</ol>
</div>
</div>
</div>
<div class="paragraph">
<p>This configuration enables router <code>R2</code> to advertise itself as a valid destination for targets and sources starting with <code>b2</code>. It also enables the router to connect to broker <code>B2</code>, and to route links to and from queues starting with the <code>b2</code> prefix.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>While not required, routers <code>R1</code> and <code>R3</code> should also have the same configuration.</p>
</div>
</td>
</tr>
</table>
</div>
<h5 id="how_the_client_receives_messages" class="discrete">How the client receives messages</h5>
<div class="paragraph">
<p>By using the configured link route, the client can receive messages from broker <code>B2</code> even though they are on different networks.</p>
</div>
<div class="paragraph">
<p>Router <code>R2</code> establishes a connection to broker <code>B2</code>. Once the connection is open, <code>R2</code> tells the other routers (<code>R1</code> and <code>R3</code>) that it is a valid destination for link routes to the <code>b2</code> prefix. This means that sender and receiver links attached to <code>R1</code> or <code>R3</code> will be routed along the shortest path to <code>R2</code>, which then routes them to broker <code>B2</code>.</p>
</div>
<div class="paragraph">
<p>To receive messages from the <code>b2.event-queue</code> on broker <code>B2</code>, the client attaches a receiver link with a source address of <code>b2.event-queue</code> to its local router, <code>R3</code>. Because the address matches the <code>b2</code> prefix, <code>R3</code> routes the link to <code>R1</code>, which is the next hop in the route to its destination. <code>R1</code> routes the link to <code>R2</code>, which routes it to broker <code>B2</code>. The client now has a receiver established, and it can begin receiving messages.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>If broker <code>B2</code> is unavailable for any reason, router <code>R2</code> will not advertise itself as a destination for <code>b2</code> addresses. In this case, routers <code>R1</code> and <code>R3</code> will reject link attaches that should be routed to broker <code>B2</code> with an error message indicating that there is no route available to the destination.</p>
</div>
</td>
</tr>
</table>
</div>
</div>
</div>
</div>
</div>
<h1 id="management" class="sect0">Manage</h1>
<div class="sect1">
<h2 id="monitoring-using-web-console">12. Monitoring using Apache Qpid Dispatch Router Console</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Apache Qpid Dispatch Router Console is a web console for monitoring the status and performance of Dispatch Router router networks.</p>
</div>
<div class="ulist">
<div class="title">Prerequisites</div>
<ul>
<li>
<p>Apache Qpid Dispatch Router Console requires the <code>qpid-dispatch-console</code> package.</p>
<div class="paragraph">
<p>For more information about installing packages, see the <a href="https://qpid.apache.org/packages.html" target="_blank" rel="noopener">Packages page</a>.</p>
</div>
</li>
</ul>
</div>
<div class="sect2">
<h3 id="setting-up-access-web-console">12.1. Setting up access to Apache Qpid Dispatch Router Console</h3>
<div class="paragraph">
<p>Before you can access the web console, you must configure a <code>listener</code> to accept HTTP connections for the web console and serve the console files.</p>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>On the router from which you want to access the web console, open the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file.</p>
</li>
<li>
<p>Add a <code>listener</code> to serve the console.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>This example creates a <code>listener</code> that clients can use to access the web console:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">listener {
host: 0.0.0.0
port: 8672
role: normal
http: true
httpRootDir: /usr/share/qpid-dispatch/console
}</pre>
</div>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>host</code></dt>
<dd>
<p>The IP address (IPv4 or IPv6) or hostname on which the router will listen.</p>
</dd>
<dt class="hdlist1"><code>port</code></dt>
<dd>
<p>The port number or symbolic service name on which the router will listen.</p>
</dd>
<dt class="hdlist1"><code>role</code></dt>
<dd>
<p>The role of the connection. Specify <code>normal</code> to indicate that this connection is used for client traffic.</p>
</dd>
<dt class="hdlist1"><code>http</code></dt>
<dd>
<p>Set this attribute to <code>true</code> to specify that this <code>listener</code> should accept HTTP connections instead of plain AMQP connections.</p>
</dd>
<dt class="hdlist1"><code>httpRootDir</code></dt>
<dd>
<p>Specify the absolute path to the directory that contains the web console HTML files. The default directory is the stand-alone console installation directory, usually <code>/usr/share/qpid-dispatch/console</code>.</p>
</dd>
</dl>
</div>
</div>
</div>
</li>
<li>
<p>If you want to secure access to the console, secure the <code>listener</code>.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>For more information, see <a href="#securing-incoming-client-connections-qdr">Securing incoming client connections</a>. This example adds basic user name and password authentication using SASL PLAIN:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">listener {
host: 0.0.0.0
port: 8672
role: normal
http: true
httpRootDir: /usr/share/qpid-dispatch/console
authenticatePeer: yes
saslMechanisms: PLAIN
}</pre>
</div>
</div>
</div>
</div>
</li>
<li>
<p>If you want to set up access to the web console from any other router in the router network, repeat this procedure for each router.</p>
</li>
</ol>
</div>
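<div class="paragraph">
<p>One way to review console listeners before deploying this configuration, as an added example that is not part of the Dispatch Router tooling: the Python script below parses <code>listener</code> and <code>sslProfile</code> blocks and reports console listeners that accept unauthenticated connections, offer SASL PLAIN without TLS, or listen on all interfaces. The third listener, the <code>console-tls</code> profile name, its file paths, the <code>192.0.2.10</code> address, and the finding labels are constructed for the example.</p>
</div>

```python
import re

# Constructed input: listeners 1 and 2 are the console listeners from the
# procedure above; listener 3 and the sslProfile are a hardened variant whose
# profile name, address and file paths are placeholders.
SAMPLE_CONF = """
listener {
    host: 0.0.0.0
    port: 8672
    role: normal
    http: true
    httpRootDir: /usr/share/qpid-dispatch/console
}
listener {
    host: 0.0.0.0
    port: 8672
    role: normal
    http: true
    httpRootDir: /usr/share/qpid-dispatch/console
    authenticatePeer: yes
    saslMechanisms: PLAIN
}
sslProfile {
    name: console-tls
    certFile: /path/to/console-cert.pem
    privateKeyFile: /path/to/console-key.pem
}
listener {
    host: 192.0.2.10
    port: 8672
    role: normal
    http: true
    httpRootDir: /usr/share/qpid-dispatch/console
    authenticatePeer: yes
    saslMechanisms: PLAIN
    sslProfile: console-tls
    requireSsl: yes
}
"""

BLOCK = re.compile(r"(\w+)\s*\{([^{}]*)\}")
ALL_INTERFACES = {"0.0.0.0", "::"}


def parse_conf(text):
    """Return [(entity_type, {attribute: value})] for each 'type { ... }' block."""
    entities = []
    for kind, body in BLOCK.findall(text):
        attrs = {}
        for line in body.splitlines():
            line = line.strip()
            if line.startswith("#") or ":" not in line:
                continue  # whole-line comment or blank line
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
        entities.append((kind, attrs))
    return entities


def _enabled(value):
    """qdrouterd.conf booleans are written as yes/no or true/false."""
    return (value or "").lower() in ("yes", "true")


def audit_console_listeners(text):
    """Return [(n, finding)], n being the position of the HTTP listener in the file."""
    entities = parse_conf(text)
    profiles = {a["name"] for kind, a in entities
                if kind == "sslProfile" and "name" in a}
    findings = []
    n = 0
    for kind, a in entities:
        if kind != "listener" or not _enabled(a.get("http")):
            continue  # only listeners that serve the console over HTTP
        n += 1
        profile = a.get("sslProfile")
        tls = profile in profiles
        if not _enabled(a.get("authenticatePeer")):
            findings.append((n, "unauthenticated"))
        if profile and not tls:
            findings.append((n, "undefined-sslProfile"))
        if not tls:
            findings.append((n, "no-tls"))
            # saslMechanisms is a space-separated list; PLAIN sends the
            # password unencrypted unless the transport is TLS.
            if "PLAIN" in a.get("saslMechanisms", "").upper().split():
                findings.append((n, "plain-in-cleartext"))
        elif not _enabled(a.get("requireSsl")):
            findings.append((n, "tls-optional"))
        if a.get("host") in ALL_INTERFACES:
            findings.append((n, "all-interfaces"))
    return findings


if __name__ == "__main__":
    for n, finding in audit_console_listeners(SAMPLE_CONF):
        print("http listener #%d: %s" % (n, finding))
```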
</div>
<div class="sect2">
<h3 id="accessing-web-console">12.2. Accessing Apache Qpid Dispatch Router Console</h3>
<div class="paragraph">
<p>You can access the web console from a web browser.</p>
</div>
<div class="olist arabic">
<div class="title">Procedure</div>
<ol class="arabic">
<li>
<p>In a web browser, navigate to the web console URL.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The web console URL is the <em>&lt;host&gt;</em>:<em>&lt;port&gt;</em> from the <code>listener</code> that you created to serve the web console. For example: <code>localhost:8672</code>.</p>
</div>
<div class="paragraph">
<p>The Apache Qpid Dispatch Router Console opens. If you set up user name and password authentication, the <strong>Connect</strong> tab is displayed.</p>
</div>
</div>
</div>
</li>
<li>
<p>If necessary, log in to the web console.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>If you set up user name and password authentication, enter your user name and password to access the web console.</p>
</div>
<div class="paragraph">
<p>The syntax for the user name is &lt;<em>user</em>&gt;@&lt;<em>domain</em>&gt;. For example: <code>admin@my-domain</code>.</p>
</div>
</div>
</div>
</li>
</ol>
</div>
</div>
<div class="sect2">
<h3 id="monitoring-router-network-web-console">12.3. Monitoring the router network using Apache Qpid Dispatch Router Console</h3>
<div class="paragraph">
<p>The web console provides several sections that you can use to monitor the router network.</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<colgroup>
<col style="width: 25%;">
<col style="width: 75%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">This section&#8230;&#8203;</th>
<th class="tableblock halign-left valign-top">Provides&#8230;&#8203;</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Overview</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p>Aggregated information about the router network. This information includes the following:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Dashboard (shows router network statistics)</p>
</li>
<li>
<p>Routers</p>
</li>
<li>
<p>Addresses</p>
</li>
<li>
<p>Links</p>
</li>
<li>
<p>Connections</p>
</li>
<li>
<p>Logs</p>
</li>
</ul>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Visualizations</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p>Graphical view of the router network. You can see the following types of visualizations:</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>Topology</code></dt>
<dd>
<p>Topology of the router network, including routers, clients, and brokers. This visualization also shows how messages are flowing through the network.</p>
</dd>
<dt class="hdlist1"><code>Message flow</code></dt>
<dd>
<p>A chord diagram showing the real-time message flow by address.</p>
</dd>
</dl>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Details</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Detailed configuration information about each AMQP management entity, for each router in the router network. You can view and change the configuration of any of the routers in the network.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="monitoring-using-qdstat-qdr">13. Monitoring using <code>qdstat</code></h2>
<div class="sectionbody">
<div class="paragraph">
<p>The <code>qdstat</code> tool is a command-line tool for monitoring the status and performance of Dispatch Router router networks.</p>
</div>
<div class="sect2">
<h3 id="syntax-using-qdstat-qdr">13.1. Syntax for using <code>qdstat</code></h3>
<div class="paragraph">
<p>You can use <code>qdstat</code> with the following syntax:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdstat <em>&lt;option&gt;</em> [<em>&lt;connection-options&gt;</em>] [<em>&lt;secure-connection-options&gt;</em>]</pre>
</div>
</div>
<div class="paragraph">
<p>This specifies:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>An <em>option</em> for the type of information to view.</p>
</li>
<li>
<p>One or more optional <em>connection options</em> to specify a router for which to view the information.</p>
<div class="paragraph">
<p>If you do not specify a connection option, <code>qdstat</code> connects to the router listening on localhost and the default AMQP port (5672).</p>
</div>
</li>
<li>
<p>The <em>secure connection options</em> if the router for which you want to view information only accepts secure connections.</p>
</li>
</ul>
</div>
<div class="ulist">
<div class="title">Additional resources</div>
<ul>
<li>
<p>For more information about <code>qdstat</code>, see the <a href="https://qpid.apache.org/releases/qpid-dispatch-1.14.0/man/qdstat.html" target="_blank" rel="noopener">qdstat man page</a>.</p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="commands-monitoring-router-network-qdr">13.2. Commands for monitoring the router network</h3>
<div class="paragraph">
<p>You can use <code>qdstat</code> to view the status of routers on your router network. For example, you can view information about the attached links and configured addresses, available connections, and nodes in the router network.</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">To&#8230;&#8203;</th>
<th class="tableblock halign-left valign-top">Use this command&#8230;&#8203;</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Create a state dump containing all statistics for all routers</p>
<p class="tableblock">A state dump shows the current operational state of the router network.</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdstat --all-routers --all-entities</pre>
</div>
</div>
<div class="paragraph">
<p>If you run this command on an interior router, it displays the statistics for all interior routers. If you run the command on an edge router, it displays the statistics for only that edge router.</p>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Create a state dump containing a single statistic for all routers</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdstat -l|-a|-c|--autolinks|--linkroutes|-g|-m --all-routers</pre>
</div>
</div>
<div class="paragraph">
<p>If you run this command on an interior router, it displays the statistic for all interior routers. If you run the command on an edge router, it displays the statistic for only that edge router.</p>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">Create a state dump containing all statistics for a single router</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdstat --all-entities</pre>
</div>
</div>
<div class="paragraph">
<p>This command shows the statistics for the local router only.</p>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">View general statistics for a router</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdstat -g [--all-routers|<em>&lt;connection-options&gt;</em>]</pre>
</div>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">View a list of connections to a router</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdstat -c [--all-routers|<em>&lt;connection-options&gt;</em>]</pre>
</div>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">View the AMQP links attached to a router</p>
<p class="tableblock">You can view a list of AMQP links attached to the router from clients (senders and receivers), to and from other routers in the network, to other containers (for example, brokers), and from the tool itself.</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdstat -l [--all-routers|<em>&lt;connection-options&gt;</em>]</pre>
</div>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">View known routers on the router network</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdstat -n [--all-routers|<em>&lt;connection-options&gt;</em>]</pre>
</div>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">View the addresses known to a router</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdstat -a [--all-routers|<em>&lt;connection-options&gt;</em>]</pre>
</div>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">View a router&#8217;s autolinks</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdstat --autolinks [--all-routers|<em>&lt;connection-options&gt;</em>]</pre>
</div>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">View the status of a router&#8217;s link routes</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdstat --linkroutes [--all-routers|<em>&lt;connection-options&gt;</em>]</pre>
</div>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">View a router&#8217;s policy global settings and statistics</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdstat --policy [--all-routers|<em>&lt;connection-options&gt;</em>]</pre>
</div>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">View a router&#8217;s policy vhost settings</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdstat --vhosts [--all-routers|<em>&lt;connection-options&gt;</em>]</pre>
</div>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">View a router&#8217;s policy vhost statistics</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdstat --vhoststats [--all-routers|<em>&lt;connection-options&gt;</em>]</pre>
</div>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">View a router&#8217;s vhostgroup settings</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdstat --vhostgroups [--all-routers|<em>&lt;connection-options&gt;</em>]</pre>
</div>
</div></div></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">View a router&#8217;s memory consumption</p></td>
<td class="tableblock halign-left valign-top"><div class="content"><div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdstat -m [--all-routers|<em>&lt;connection-options&gt;</em>]</pre>
</div>
</div></div></td>
</tr>
</tbody>
</table>
<div class="ulist">
<div class="title">Additional resources</div>
<ul>
<li>
<p>For more information about the fields displayed by each <code>qdstat</code> command, see the <a href="https://qpid.apache.org/releases/qpid-dispatch-1.14.0/man/qdstat.html" target="_blank" rel="noopener">qdstat man page</a>.</p>
</li>
</ul>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="managing-using-qdmanage-qdr">14. Managing using <code>qdmanage</code></h2>
<div class="sectionbody">
<div class="paragraph">
<p>The <code>qdmanage</code> tool is a command-line tool for viewing and modifying the configuration of a running router at runtime.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<div class="paragraph">
<p>If you make a change to a router using <code>qdmanage</code>, the change takes effect immediately, but is lost if the router is stopped. If you want to make a permanent change to a router&#8217;s configuration, you must edit the router&#8217;s <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>You can use <code>qdmanage</code> with the following syntax:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdmanage [<em>&lt;connection-options&gt;</em>] <em>&lt;operation&gt;</em> [<em>&lt;options&gt;</em>]</pre>
</div>
</div>
<div class="paragraph">
<p>This specifies:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>One or more optional <em>connection options</em> to specify the router on which to perform the operation, or to supply security credentials if the router only accepts secure connections.</p>
<div class="paragraph">
<p>If you do not specify any connection options, <code>qdmanage</code> connects to the router listening on localhost and the default AMQP port (5672).</p>
</div>
</li>
<li>
<p>The <em>operation</em> to perform on the router.</p>
</li>
<li>
<p>One or more optional <em>options</em> to specify a configuration entity on which to perform the operation or how to format the command output.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>When you enter a <code>qdmanage</code> command, it is executed as an AMQP management operation request, and then the response is returned as command output in JSON format.</p>
</div>
<div class="paragraph">
<p>For example, the following command executes a query operation on a router, and then returns the response in JSON format:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdmanage query --type listener
[
{
"stripAnnotations": "both",
"addr": "127.0.0.1",
"multiTenant": false,
"requireSsl": false,
"idleTimeoutSeconds": 16,
"saslMechanisms": "ANONYMOUS",
"maxFrameSize": 16384,
"requireEncryption": false,
"host": "0.0.0.0",
"cost": 1,
"role": "normal",
"http": false,
"maxSessions": 32768,
"authenticatePeer": false,
"type": "org.apache.qpid.dispatch.listener",
"port": "amqp",
"identity": "listener/0.0.0.0:amqp",
"name": "listener/0.0.0.0:amqp"
}
]</pre>
</div>
</div>
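<div class="paragraph">
<p>The listener in the output above accepts unauthenticated, unencrypted connections on every interface. The following script is an added example, not part of the Qpid tooling: it audits <code>qdmanage query --type listener</code> JSON for those settings. It uses only attribute names shown in the output above; the second listener in the sample and the severity labels are assumptions made for illustration.</p>
</div>

```python
import json
import sys

# Constructed input: the listener from the query output above, then a
# hypothetical hardened listener whose values are assumptions, for contrast.
SAMPLE = """
[
  {"name": "listener/0.0.0.0:amqp", "host": "0.0.0.0", "port": "amqp",
   "role": "normal", "saslMechanisms": "ANONYMOUS", "authenticatePeer": false,
   "requireSsl": false, "requireEncryption": false},
  {"name": "listener/127.0.0.1:amqps", "host": "127.0.0.1", "port": "amqps",
   "role": "normal", "saslMechanisms": "EXTERNAL", "authenticatePeer": true,
   "requireSsl": true, "requireEncryption": true}
]
"""

WILDCARD_HOSTS = {"", "0.0.0.0", "::"}


def audit_listener(listener):
    """Return (severity, message) findings for one listener entity."""
    mechs = str(listener.get("saslMechanisms") or "").replace(",", " ").upper().split()
    exposed = str(listener.get("host") or "") in WILDCARD_HOSTS
    findings = []
    if not listener.get("authenticatePeer"):
        # Unauthenticated and reachable on every interface is the worst case.
        findings.append(("high" if exposed else "medium",
                         "authenticatePeer is false: peers need not authenticate"))
    if "ANONYMOUS" in mechs:
        findings.append(("medium", "saslMechanisms offers ANONYMOUS"))
    if not (listener.get("requireSsl") or listener.get("requireEncryption")):
        findings.append(("medium",
                         "requireSsl and requireEncryption are both false: "
                         "plaintext AMQP is accepted"))
    if exposed and findings:
        findings.append(("info", "host %r binds every interface" % listener.get("host")))
    return findings


def audit(raw_json):
    """Map each listener name to its findings; clean listeners are omitted."""
    report = {}
    for listener in json.loads(raw_json):
        findings = audit_listener(listener)
        if findings:
            report[listener.get("name", "<unnamed>")] = findings
    return report


def has_high(report):
    """True if any listener carries a high-severity finding."""
    return any(sev == "high" for findings in report.values() for sev, _ in findings)


if __name__ == "__main__":
    # Pass a file holding saved qdmanage output, or run with no argument
    # to audit the constructed sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    result = audit(raw)
    for name, findings in result.items():
        for severity, message in findings:
            print("%-6s %s: %s" % (severity, name, message))
    sys.exit(1 if has_high(result) else 0)
```

Because <code>qdmanage</code> changes are lost when the router stops, any fix the audit prompts also has to be made in <code>/etc/qpid-dispatch/qdrouterd.conf</code>.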
<div class="ulist">
<div class="title">Additional resources</div>
<ul>
<li>
<p>For more information about <code>qdmanage</code>, see the <a href="https://qpid.apache.org/releases/qpid-dispatch-1.14.0/man/qdmanage.html" target="_blank" rel="noopener">qdmanage man page</a>.</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="troubleshooting-qdr">15. Troubleshooting Dispatch Router</h2>
<div class="sectionbody">
<div class="paragraph">
<p>You can use the Dispatch Router logs to diagnose and troubleshoot error and performance issues with the routers in your router network.</p>
</div>
<div class="sect2">
<h3 id="viewing-log-entries-qdr">15.1. Viewing log entries</h3>
<div class="paragraph">
<p>You may need to view log entries to diagnose errors, performance problems, and other important issues. A log entry consists of an optional timestamp, the logging module, the logging level, and the log message.</p>
</div>
<div class="ulist">
<div class="title">Procedure</div>
<ul>
<li>
<p>Do one of the following:</p>
<div class="ulist">
<ul>
<li>
<p>View log entries on the console.</p>
<div class="paragraph">
<p>By default, events are logged to the console, and you can view them there. However, if the <code>output</code> attribute is set for a particular logging module, then you can find those log entries in the specified location (<code>stderr</code>, <code>syslog</code>, or a file).</p>
</div>
</li>
<li>
<p>Use the <strong><code>qdstat --log</code></strong> command to view recent log entries.</p>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>You can use the <code>--limit</code> parameter to limit the number of log entries that are displayed. For more information about <code>qdstat</code>, see the <a href="https://qpid.apache.org/releases/qpid-dispatch-1.14.0/man/qdstat.html" target="_blank" rel="noopener">qdstat man page</a>.</p>
</div>
<div class="paragraph">
<p>This example displays the last three log entries for <code>Router.A</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdstat --log --limit=3 -r ROUTER.A
Wed Jun 7 17:49:32 2019 ROUTER (none) Core action 'link_deliver'
Wed Jun 7 17:49:32 2019 ROUTER (none) Core action 'send_to'
Wed Jun 7 17:49:32 2019 SERVER (none) [2]:0 -&gt; @flow(19) [next-incoming-id=1, incoming-window=61, next-outgoing-id=0, outgoing-window=2147483647, handle=0, delivery-count=1, link-credit=250, drain=false]</pre>
</div>
</div>
</div>
</div>
</li>
</ul>
</div>
</li>
</ul>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
<code>vhost</code> entries are only populated if <code>multiTenant</code> is set to <code>true</code> in the <code>/etc/qpid-dispatch/qdrouterd.conf</code> configuration file.
</td>
</tr>
</table>
</div>
<div class="ulist">
<div class="title">Additional resources</div>
<ul>
<li>
<p>For more information about configuring logging modules, see <a href="#configuring-default-logging-qdr">Configuring default logging</a>.</p>
</li>
</ul>
</div>
</div>
<div class="sect2">
<h3 id="troubleshooting-using-logs-qdr">15.2. Troubleshooting using logs</h3>
<div class="paragraph">
<p>You can use Dispatch Router log entries to help diagnose error and performance issues with the routers in your network.</p>
</div>
<div class="exampleblock">
<div class="title">Example 11. Troubleshooting connections and links</div>
<div class="content">
<div class="paragraph">
<p>In this example, <code>ROUTER</code> logs show the lifecycle of a connection and a link that is associated with it.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">2019-04-05 14:54:38.037248 -0400 ROUTER (info) [C1] Connection Opened: dir=in host=127.0.0.1:55440 vhost= encrypted=no auth=no user=anonymous container_id=95e55424-6c0a-4a5c-8848-65a3ea5cc25a props= // <b class="conum">(1)</b>
2019-04-05 14:54:38.038137 -0400 ROUTER (info) [C1][L6] Link attached: dir=in source={&lt;none&gt; expire:sess} target={$management expire:sess} // <b class="conum">(2)</b>
2019-04-05 14:54:38.041103 -0400 ROUTER (info) [C1][L6] Link lost: del=1 presett=0 psdrop=0 acc=1 rej=0 rel=0 mod=0 delay1=0 delay10=0 // <b class="conum">(3)</b>
2019-04-05 14:54:38.041154 -0400 ROUTER (info) [C1] Connection Closed // <b class="conum">(4)</b></pre>
</div>
</div>
<div class="colist arabic">
<ol>
<li>
<p>The connection is opened. Each connection has a unique ID (<code>C1</code>). The log also shows some information about the connection.</p>
</li>
<li>
<p>A link is attached over the connection. The link is identified with a unique ID (<code>L6</code>). The log also shows the direction of the link, and the source and target addresses.</p>
</li>
<li>
<p>The link is detached. The log shows the link&#8217;s terminal statistics.</p>
</li>
<li>
<p>The connection is closed.</p>
</li>
</ol>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
If necessary, you can use <code>qdmanage</code> to enable protocol-level trace logging for a particular connection. You can use this to trace the AMQP frames. For example:
</td>
</tr>
</table>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdmanage update --type=connection --id=C1 enableProtocolTrace=true</pre>
</div>
</div>
</div>
</div>
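<div class="paragraph">
<p>The connection and link lifecycle in Example 11 can be correlated by the <code>[C&lt;n&gt;]</code> and <code>[L&lt;n&gt;]</code> IDs. The following script is an added example, not part of the Qpid tooling: it rebuilds each connection from <code>ROUTER</code> log lines and reports connections logged with <code>auth=no</code> that attached a link to <code>$management</code>. Connections <code>C2</code> and <code>C3</code> in the sample are constructed, and the <code>encrypted=</code> and <code>auth=</code> values on <code>C2</code> are assumed; the code only distinguishes <code>no</code> from anything else.</p>
</div>

```python
import re

# Constructed input: the four ROUTER lines from Example 11 (callouts removed),
# followed by two hypothetical connections, C2 and C3.
LOG = """\
2019-04-05 14:54:38.037248 -0400 ROUTER (info) [C1] Connection Opened: dir=in host=127.0.0.1:55440 vhost= encrypted=no auth=no user=anonymous container_id=95e55424-6c0a-4a5c-8848-65a3ea5cc25a props=
2019-04-05 14:54:38.038137 -0400 ROUTER (info) [C1][L6] Link attached: dir=in source={<none> expire:sess} target={$management expire:sess}
2019-04-05 14:54:38.041103 -0400 ROUTER (info) [C1][L6] Link lost: del=1 presett=0 psdrop=0 acc=1 rej=0 rel=0 mod=0 delay1=0 delay10=0
2019-04-05 14:54:38.041154 -0400 ROUTER (info) [C1] Connection Closed
2019-04-05 14:55:02.100000 -0400 ROUTER (info) [C2] Connection Opened: dir=in host=192.0.2.10:41000 vhost= encrypted=TLSv1.3 auth=EXTERNAL user=ops container_id=constructed-ops props=
2019-04-05 14:55:02.101000 -0400 ROUTER (info) [C2][L7] Link attached: dir=in source={<none> expire:sess} target={$management expire:sess}
2019-04-05 14:55:03.200000 -0400 ROUTER (info) [C3] Connection Opened: dir=in host=192.0.2.20:41001 vhost= encrypted=no auth=no user=anonymous container_id=constructed-app props=
2019-04-05 14:55:03.201000 -0400 ROUTER (info) [C3][L8] Link attached: dir=in source={<none> expire:sess} target={my_queue expire:sess}
"""

MGMT = "$management"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) ROUTER \(\w+\) "
    r"\[(?P<conn>C\d+)\](?:\[(?P<link>L\d+)\])? (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")                 # vhost= and props= may be empty
TERMINUS_RE = re.compile(r"(source|target)=\{(\S+)")


def parse_router_log(text):
    """Rebuild per-connection state keyed by connection ID (C1, C2, ...)."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other logging modules or continuation lines
        conn = conns.setdefault(m["conn"], {"links": {}, "closed": False})
        msg = m["msg"]
        if msg.startswith("Connection Opened:"):
            conn.update(KV_RE.findall(msg), opened=m["ts"])
        elif msg.startswith("Connection Closed"):
            conn["closed"] = True
        elif m["link"] and msg.startswith("Link attached:"):
            link = conn["links"].setdefault(m["link"], {})
            link.update((k, v.rstrip("}")) for k, v in TERMINUS_RE.findall(msg))
        elif m["link"] and msg.startswith("Link lost:"):
            link = conn["links"].setdefault(m["link"], {})
            # Terminal statistics of the link (del, acc, rej, ...).
            link["stats"] = {k: int(v) for k, v in KV_RE.findall(msg) if v.isdigit()}
    return conns


def unauthenticated_management(conns):
    """Connections seen with auth=no that attached a link to $management."""
    hits = []
    for conn_id, conn in conns.items():
        if conn.get("auth") != "no":
            continue  # authenticated, or the open line was not in this log
        links = [
            link_id for link_id, link in conn["links"].items()
            if any(str(link.get(end, "")).endswith(MGMT) for end in ("source", "target"))
        ]
        if links:
            hits.append({"conn": conn_id, "host": conn.get("host"),
                         "user": conn.get("user"),
                         "encrypted": conn.get("encrypted"), "links": links})
    return hits


if __name__ == "__main__":
    for hit in unauthenticated_management(parse_router_log(LOG)):
        print("unauthenticated management access: %(conn)s from %(host)s "
              "user=%(user)s encrypted=%(encrypted)s links=%(links)s" % hit)
```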
<div class="exampleblock">
<div class="title">Example 12. Troubleshooting the network topology</div>
<div class="content">
<div class="paragraph">
<p>In this example, on <code>Router.A</code>, the <code>ROUTER_HELLO</code> logs show that it is connected to <code>Router.B</code>, and that <code>Router.B</code> is connected to <code>Router.A</code> and <code>Router.C</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">Tue Jun 7 13:50:21 2016 ROUTER_HELLO (trace) RCVD: HELLO(id=Router.B area=0 inst=1465307413 seen=['Router.A', 'Router.C']) // <b class="conum">(1)</b>
Tue Jun 7 13:50:21 2016 ROUTER_HELLO (trace) SENT: HELLO(id=Router.A area=0 inst=1465307416 seen=['Router.B']) // <b class="conum">(2)</b>
Tue Jun 7 13:50:22 2016 ROUTER_HELLO (trace) RCVD: HELLO(id=Router.B area=0 inst=1465307413 seen=['Router.A', 'Router.C'])
Tue Jun 7 13:50:22 2016 ROUTER_HELLO (trace) SENT: HELLO(id=Router.A area=0 inst=1465307416 seen=['Router.B'])</pre>
</div>
</div>
<div class="colist arabic">
<ol>
<li>
<p><code>Router.A</code> received a Hello message from <code>Router.B</code>, which can see <code>Router.A</code> and <code>Router.C</code>.</p>
</li>
<li>
<p><code>Router.A</code> sent a Hello message to <code>Router.B</code>, which is the only router it can see.</p>
</li>
</ol>
</div>
<div class="paragraph">
<p>On <code>Router.B</code>, the <code>ROUTER_HELLO</code> log shows the same router topology from a different perspective:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">Tue Jun 7 13:50:18 2016 ROUTER_HELLO (trace) SENT: HELLO(id=Router.B area=0 inst=1465307413 seen=['Router.A', 'Router.C']) // <b class="conum">(1)</b>
Tue Jun 7 13:50:18 2016 ROUTER_HELLO (trace) RCVD: HELLO(id=Router.A area=0 inst=1465307416 seen=['Router.B']) // <b class="conum">(2)</b>
Tue Jun 7 13:50:19 2016 ROUTER_HELLO (trace) RCVD: HELLO(id=Router.C area=0 inst=1465307411 seen=['Router.B']) // <b class="conum">(3)</b></pre>
</div>
</div>
<div class="colist arabic">
<ol>
<li>
<p><code>Router.B</code> sent a Hello message to <code>Router.A</code> and <code>Router.C</code>.</p>
</li>
<li>
<p><code>Router.B</code> received a Hello message from <code>Router.A</code>, which can only see <code>Router.B</code>.</p>
</li>
<li>
<p><code>Router.B</code> received a Hello message from <code>Router.C</code>, which can only see <code>Router.B</code>.</p>
</li>
</ol>
</div>
</div>
</div>
<div class="exampleblock">
<div class="title">Example 13. Tracing the link state between routers</div>
<div class="content">
<div class="paragraph">
<p>Periodically, each router sends a Link State Request (LSR) to the other routers and receives a Link State Update (LSU) with the requested information. By exchanging this information, each router can compute the next hops in the topology and the related costs.</p>
</div>
<div class="paragraph">
<p>In this example, the <code>ROUTER_LS</code> logs show the RA, LSR, and LSU messages sent between three routers:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">Tue Jun 7 14:10:02 2016 ROUTER_LS (trace) SENT: LSR(id=Router.A area=0) to: Router.C
Tue Jun 7 14:10:02 2016 ROUTER_LS (trace) SENT: LSR(id=Router.A area=0) to: Router.B
Tue Jun 7 14:10:02 2016 ROUTER_LS (trace) SENT: RA(id=Router.A area=0 inst=1465308600 ls_seq=1 mobile_seq=1) // <b class="conum">(1)</b>
Tue Jun 7 14:10:02 2016 ROUTER_LS (trace) RCVD: LSU(id=Router.B area=0 inst=1465308595 ls_seq=2 ls=LS(id=Router.B area=0 ls_seq=2 peers={'Router.A': 1L, 'Router.C': 1L})) // <b class="conum">(2)</b>
Tue Jun 7 14:10:02 2016 ROUTER_LS (trace) RCVD: LSR(id=Router.B area=0)
Tue Jun 7 14:10:02 2016 ROUTER_LS (trace) SENT: LSU(id=Router.A area=0 inst=1465308600 ls_seq=1 ls=LS(id=Router.A area=0 ls_seq=1 peers={'Router.B': 1}))
Tue Jun 7 14:10:02 2016 ROUTER_LS (trace) RCVD: RA(id=Router.C area=0 inst=1465308592 ls_seq=1 mobile_seq=0)
Tue Jun 7 14:10:02 2016 ROUTER_LS (trace) SENT: LSR(id=Router.A area=0) to: Router.C
Tue Jun 7 14:10:02 2016 ROUTER_LS (trace) RCVD: LSR(id=Router.C area=0) // <b class="conum">(3)</b>
Tue Jun 7 14:10:02 2016 ROUTER_LS (trace) SENT: LSU(id=Router.A area=0 inst=1465308600 ls_seq=1 ls=LS(id=Router.A area=0 ls_seq=1 peers={'Router.B': 1}))
Tue Jun 7 14:10:02 2016 ROUTER_LS (trace) RCVD: LSU(id=Router.C area=0 inst=1465308592 ls_seq=1 ls=LS(id=Router.C area=0 ls_seq=1 peers={'Router.B': 1L})) // <b class="conum">(4)</b>
Tue Jun 7 14:10:03 2016 ROUTER_LS (trace) Computed next hops: {'Router.C': 'Router.B', 'Router.B': 'Router.B'} // <b class="conum">(5)</b>
Tue Jun 7 14:10:03 2016 ROUTER_LS (trace) Computed costs: {'Router.C': 2L, 'Router.B': 1}
Tue Jun 7 14:10:03 2016 ROUTER_LS (trace) Computed valid origins: {'Router.C': [], 'Router.B': []}</pre>
</div>
</div>
<div class="colist arabic">
<ol>
<li>
<p><code>Router.A</code> sent LSR requests and an RA advertisement to the other routers on the network.</p>
</li>
<li>
<p><code>Router.A</code> received an LSU from <code>Router.B</code>, which has two peers: <code>Router.A</code>, and <code>Router.C</code> (with a cost of <code>1</code>).</p>
</li>
<li>
<p><code>Router.A</code> received an LSR from both <code>Router.B</code> and <code>Router.C</code>, and replied with an LSU.</p>
</li>
<li>
<p><code>Router.A</code> received an LSU from <code>Router.C</code>, which only has one peer: <code>Router.B</code> (with a cost of <code>1</code>).</p>
</li>
<li>
<p>After the LSR and LSU messages are exchanged, <code>Router.A</code> computed the router topology with the related costs.</p>
</li>
</ol>
</div>
</div>
</div>
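<div class="paragraph">
<p>The computation in Example 13 can be reproduced offline. The following script is an added example, not the router's own code: it builds a link-state database from the <code>peers</code> maps in the <code>LSU</code> lines, computes next hops and costs from <code>Router.A</code>, and compares them with the <code>Computed next hops</code> and <code>Computed costs</code> lines. Dijkstra's algorithm is used here as an assumption; the page does not name the router's algorithm.</p>
</div>

```python
import ast
import heapq
import re

# Constructed input: LSU and "Computed" lines taken from Example 13
# (callouts removed).
LOG = """\
Tue Jun 7 14:10:02 2016 ROUTER_LS (trace) RCVD: LSU(id=Router.B area=0 inst=1465308595 ls_seq=2 ls=LS(id=Router.B area=0 ls_seq=2 peers={'Router.A': 1L, 'Router.C': 1L}))
Tue Jun 7 14:10:02 2016 ROUTER_LS (trace) SENT: LSU(id=Router.A area=0 inst=1465308600 ls_seq=1 ls=LS(id=Router.A area=0 ls_seq=1 peers={'Router.B': 1}))
Tue Jun 7 14:10:02 2016 ROUTER_LS (trace) RCVD: LSU(id=Router.C area=0 inst=1465308592 ls_seq=1 ls=LS(id=Router.C area=0 ls_seq=1 peers={'Router.B': 1L}))
Tue Jun 7 14:10:03 2016 ROUTER_LS (trace) Computed next hops: {'Router.C': 'Router.B', 'Router.B': 'Router.B'}
Tue Jun 7 14:10:03 2016 ROUTER_LS (trace) Computed costs: {'Router.C': 2L, 'Router.B': 1}
"""

LSU_RE = re.compile(r"LSU\(id=(\S+) .*?peers=\{([^}]*)\}")
PEER_RE = re.compile(r"'([^']+)':\s*(\d+)L?")     # costs may carry a trailing L
COMPUTED_RE = re.compile(r"Computed (next hops|costs): (\{.*\})")


def link_state_db(log):
    """Map each router ID to its {peer: cost} table; a later LSU replaces an earlier one."""
    db = {}
    for router, peers in LSU_RE.findall(log):
        db[router] = {peer: int(cost) for peer, cost in PEER_RE.findall(peers)}
    return db


def shortest_paths(db, origin):
    """Dijkstra from origin. Returns (next_hops, costs) for every reachable router."""
    next_hops, costs, done = {}, {}, set()
    heap = [(0, origin, None)]                     # (cost so far, router, first hop)
    while heap:
        cost, router, first = heapq.heappop(heap)
        if router in done:
            continue
        done.add(router)
        if first is not None:
            next_hops[router], costs[router] = first, cost
        for peer, link_cost in db.get(router, {}).items():
            if peer not in done:
                # A direct peer of the origin is its own first hop.
                heapq.heappush(heap, (cost + link_cost, peer, first or peer))
    return next_hops, costs


def logged_result(log):
    """Parse the router's own 'Computed ...' lines into Python dicts."""
    result = {}
    for kind, literal in COMPUTED_RE.findall(log):
        result[kind] = ast.literal_eval(re.sub(r"(?<=: )(\d+)L\b", r"\1", literal))
    return result


def matches_logged(log, origin):
    """True if the recomputed next hops and costs equal what the router logged."""
    next_hops, costs = shortest_paths(link_state_db(log), origin)
    logged = logged_result(log)
    return logged.get("next hops") == next_hops and logged.get("costs") == costs


if __name__ == "__main__":
    hops, costs = shortest_paths(link_state_db(LOG), "Router.A")
    print("next hops:", hops)
    print("costs:    ", costs)
    print("matches router log:", matches_logged(LOG, "Router.A"))
```

A mismatch between the recomputed result and the logged one, or a router ID in the database that is not in your inventory, is a reason to inspect the inter-router connections.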
<div class="exampleblock">
<div class="title">Example 14. Tracing the state of mobile addresses attached to a router</div>
<div class="content">
<div class="paragraph">
<p>In this example, the <code>ROUTER_MA</code> logs show the Mobile Address Request (MAR) and Mobile Address Update (MAU) messages sent between three routers:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">Tue Jun 7 14:27:20 2016 ROUTER_MA (trace) SENT: MAU(id=Router.A area=0 mobile_seq=1 add=['Cmy_queue', 'Dmy_queue', 'M0my_queue_wp'] del=[]) // <b class="conum">(1)</b>
Tue Jun 7 14:27:21 2016 ROUTER_MA (trace) RCVD: MAR(id=Router.C area=0 have_seq=0) // <b class="conum">(2)</b>
Tue Jun 7 14:27:21 2016 ROUTER_MA (trace) SENT: MAU(id=Router.A area=0 mobile_seq=1 add=['Cmy_queue', 'Dmy_queue', 'M0my_queue_wp'] del=[])
Tue Jun 7 14:27:22 2016 ROUTER_MA (trace) RCVD: MAR(id=Router.B area=0 have_seq=0) // <b class="conum">(3)</b>
Tue Jun 7 14:27:22 2016 ROUTER_MA (trace) SENT: MAU(id=Router.A area=0 mobile_seq=1 add=['Cmy_queue', 'Dmy_queue', 'M0my_queue_wp'] del=[])
Tue Jun 7 14:27:39 2016 ROUTER_MA (trace) RCVD: MAU(id=Router.C area=0 mobile_seq=1 add=['M0my_test'] del=[]) // <b class="conum">(4)</b>
Tue Jun 7 14:27:51 2016 ROUTER_MA (trace) RCVD: MAU(id=Router.C area=0 mobile_seq=2 add=[] del=['M0my_test']) // <b class="conum">(5)</b></pre>
</div>
</div>
<div class="colist arabic">
<ol>
<li>
<p><code>Router.A</code> sent MAU messages to the other routers in the network to notify them about the addresses added for <code>my_queue</code> and <code>my_queue_wp</code>.</p>
</li>
<li>
<p><code>Router.A</code> received a MAR message in response from <code>Router.C</code>.</p>
</li>
<li>
<p><code>Router.A</code> received another MAR message in response from <code>Router.B</code>.</p>
</li>
<li>
<p><code>Router.C</code> sent a MAU message to notify the other routers that it added an address for <code>my_test</code>.</p>
</li>
<li>
<p><code>Router.C</code> sent another MAU message to notify the other routers that it deleted the address for <code>my_test</code> (because the receiver is detached).</p>
</li>
</ol>
</div>
</div>
</div>
<div class="exampleblock">
<div class="title">Example 15. Finding information about messages sent and received by a router</div>
<div class="content">
<div class="paragraph">
<p>In this example, the <code>MESSAGE</code> logs show that <code>Router.A</code> has sent and received some messages related to the Hello protocol, and sent and received some other messages on a link for a mobile address:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">Tue Jun 7 14:36:54 2016 MESSAGE (trace) Sending Message{to='amqp:/_topo/0/Router.B/qdrouter' body='\d1\00\00\00\1b\00\00\00\04\a1\02id\a1\08R'} on link qdlink.p9XmBm19uDqx50R
Tue Jun 7 14:36:54 2016 MESSAGE (trace) Received Message{to='amqp:/_topo/0/Router.A/qdrouter' body='\d1\00\00\00\8e\00\00\00
\a1\06ls_se'} on link qdlink.phMsJOq7YaFsGAG
Tue Jun 7 14:36:54 2016 MESSAGE (trace) Received Message{ body='\d1\00\00\00\10\00\00\00\02\a1\08seque'} on link qdlink.FYHqBX+TtwXZHfV
Tue Jun 7 14:36:54 2016 MESSAGE (trace) Sending Message{ body='\d1\00\00\00\10\00\00\00\02\a1\08seque'} on link qdlink.yU1tnPs5KbMlieM
Tue Jun 7 14:36:54 2016 MESSAGE (trace) Sending Message{to='amqp:/_local/qdhello' body='\d1\00\00\00G\00\00\00\08\a1\04seen\d0'} on link qdlink.p9XmBm19uDqx50R
Tue Jun 7 14:36:54 2016 MESSAGE (trace) Sending Message{to='amqp:/_topo/0/Router.C/qdrouter' body='\d1\00\00\00\1b\00\00\00\04\a1\02id\a1\08R'} on link qdlink.p9XmBm19uDqx50R</pre>
</div>
</div>
</div>
</div>
<div class="exampleblock">
<div class="title">Example 16. Tracking configuration changes to a router</div>
<div class="content">
<div class="paragraph">
<p>In this example, the <code>AGENT</code> logs show that on <code>Router.A</code>, <code>address</code>, <code>linkRoute</code>, and <code>autoLink</code> entities were added to the router&#8217;s configuration file. When the router was started, the <code>AGENT</code> module applied these changes, and they are now viewable in the log:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">Tue Jun 7 15:07:32 2016 AGENT (debug) Add entity: ConnectorEntity(addr=127.0.0.1, allowRedirect=True, cost=1, host=127.0.0.1, identity=connector/127.0.0.1:5672:BROKER, idleTimeoutSeconds=16, maxFrameSize=65536, name=BROKER, port=5672, role=route-container, stripAnnotations=both, type=org.apache.qpid.dispatch.connector, verifyHostname=True)
Tue Jun 7 15:07:32 2016 AGENT (debug) Add entity: RouterConfigAddressEntity(distribution=closest, identity=router.config.address/0, name=router.config.address/0, prefix=my_address, type=org.apache.qpid.dispatch.router.config.address, waypoint=False)
Tue Jun 7 15:07:32 2016 AGENT (debug) Add entity: RouterConfigAddressEntity(distribution=balanced, identity=router.config.address/1, name=router.config.address/1, prefix=my_queue_wp, type=org.apache.qpid.dispatch.router.config.address, waypoint=True)
Tue Jun 7 15:07:32 2016 AGENT (debug) Add entity: RouterConfigLinkrouteEntity(connection=BROKER, direction=in, distribution=linkBalanced, identity=router.config.linkRoute/0, name=router.config.linkRoute/0, prefix=my_queue, type=org.apache.qpid.dispatch.router.config.linkRoute)
Tue Jun 7 15:07:32 2016 AGENT (debug) Add entity: RouterConfigLinkrouteEntity(connection=BROKER, direction=out, distribution=linkBalanced, identity=router.config.linkRoute/1, name=router.config.linkRoute/1, prefix=my_queue, type=org.apache.qpid.dispatch.router.config.linkRoute)
Tue Jun 7 15:07:32 2016 AGENT (debug) Add entity: RouterConfigAutolinkEntity(address=my_queue_wp, connection=BROKER, direction=in, identity=router.config.autoLink/0, name=router.config.autoLink/0, type=org.apache.qpid.dispatch.router.config.autoLink)
Tue Jun 7 15:07:32 2016 AGENT (debug) Add entity: RouterConfigAutolinkEntity(address=my_queue_wp, connection=BROKER, direction=out, identity=router.config.autoLink/1, name=router.config.autoLink/1, type=org.apache.qpid.dispatch.router.config.autoLink)</pre>
</div>
</div>
</div>
</div>
<div class="exampleblock">
<div class="title">Example 17. Troubleshooting policy and vhost access rules</div>
<div class="content">
<div class="paragraph">
<p>In this example, the <code>POLICY</code> logs show that this router has no limits on maximum connections, and the default application policy is disabled:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">Tue Jun 7 15:07:32 2016 POLICY (info) Policy configured maximumConnections: 0, policyFolder: '', access rules enabled: 'false'
Tue Jun 7 15:07:32 2016 POLICY (info) Policy fallback defaultApplication is disabled</pre>
</div>
</div>
</div>
</div>
<div class="exampleblock">
<div class="title">Example 18. Diagnosing errors</div>
<div class="content">
<div class="paragraph">
<p>In this example, the <code>ERROR</code> logs show that the router failed to start when an incorrect path was specified for the router&#8217;s configuration file:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="nowrap">$ qdrouterd --conf my_config
Wed Jun 15 09:53:28 2016 ERROR (error) Python: Exception: Cannot load configuration file my_config: [Errno 2] No such file or directory: 'my_config'
Wed Jun 15 09:53:28 2016 ERROR (error) Traceback (most recent call last):
File "/usr/lib/qpid-dispatch/python/qpid_dispatch_internal/management/config.py", line 155, in configure_dispatch
config = Config(filename)
File "/usr/lib/qpid-dispatch/python/qpid_dispatch_internal/management/config.py", line 41, in __init__
self.load(filename, raw_json)
File "/usr/lib/qpid-dispatch/python/qpid_dispatch_internal/management/config.py", line 123, in load
with open(source) as f:
Exception: Cannot load configuration file my_config: [Errno 2] No such file or directory: 'my_config'
Wed Jun 15 09:53:28 2016 MAIN (critical) Router start-up failed: Python: Exception: Cannot load configuration file my_config: [Errno 2] No such file or directory: 'my_config'
qdrouterd: Python: Exception: Cannot load configuration file my_config: [Errno 2] No such file or directory: 'my_config'</pre>
</div>
</div>
</div>
</div>
<div class="ulist">
<div class="title">Additional resources</div>
<ul>
<li>
<p>For more information about logging modules, see <a href="#logging-modules-qdr">Logging modules</a>.</p>
</li>
</ul>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="amqp-mapping-qdr">Appendix A: AMQP mapping</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Dispatch Router is an AMQP router and as such, it provides extensions,
code-points, and semantics for routing over AMQP. This section describes the
details of Dispatch Router&#8217;s use of AMQP.</p>
</div>
<h3 id="message_annotations" class="discrete">Message annotations</h3>
<div class="paragraph">
<p>The following message annotation fields are defined by Dispatch Router:</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<colgroup>
<col style="width: 33.3333%;">
<col style="width: 33.3333%;">
<col style="width: 33.3334%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Field</th>
<th class="tableblock halign-left valign-top">Type</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>x-opt-qd.ingress</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The identity of the ingress router for a
message-routed message. The ingress router is the first router
encountered by a transiting message. The router will, if this field is
present, leave it unaltered. If the field is not present, the router
will insert the field with its own identity.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>x-opt-qd.trace</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">list of string</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The list of routers through which this
message-routed message has transited. If this field is not present, the
router will do nothing. If the field is present, the router will
append its own identity to the end of the list.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>x-opt-qd.to</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">To-override for message-routed messages. If this
field is present, the address in this field will be used for routing instead of the <code>to</code> field in the message properties. A router may append,
remove, or modify this annotation field depending on the policy in place
for routing the message.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><code>x-opt-qd.phase</code></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">integer</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">The address-phase, if not zero, for messages
flowing between routers.</p></td>
</tr>
</tbody>
</table>
<h3 id="source_and_target_capabilities" class="discrete">Source and target capabilities</h3>
<div class="paragraph">
<p>The following capability values are used in sources and targets:</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>qd.router</code></dt>
<dd>
<p>This capability is added to sources and targets that are used for inter-router message exchange. This capability denotes a link used for router-control messages flowing between routers.</p>
</dd>
<dt class="hdlist1"><code>qd.router-data</code></dt>
<dd>
<p>This capability is added to sources and targets that are used for inter-router message exchange. This capability denotes a link used for user messages being message-routed across an inter-router connection.</p>
</dd>
</dl>
</div>
<h3 id="dynamic_node_properties" class="discrete">Dynamic node properties</h3>
<div class="paragraph">
<p>The following dynamic node properties are used by Dispatch Router in sources:</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1"><code>x-opt-qd.address</code></dt>
<dd>
<p>The node address describing the destination desired for a dynamic source. If this is absent, the router will terminate any dynamic receivers. If this address is present, the router will use the address to route the dynamic link attach to the proper destination container.</p>
</dd>
</dl>
</div>
<h3 id="addresses_and_address_formats" class="discrete">Addresses and address formats</h3>
<div class="paragraph">
<p>The following AMQP addresses and address patterns are used within
Dispatch Router:</p>
</div>
<div class="openblock">
<div class="title">Address patterns</div>
<div class="content">
<div class="dlist">
<dl>
<dt class="hdlist1"><code>_local/&lt;addr&gt;</code></dt>
<dd>
<p>An address that references a locally-attached endpoint. Messages using this address pattern will not be routed over more than one link.</p>
</dd>
<dt class="hdlist1"><code>_topo/0/&lt;router&gt;/&lt;addr&gt;</code></dt>
<dd>
<p>An address that references an endpoint attached to a specific router node in the network topology. Messages with addresses that follow this pattern shall be routed along the shortest path to the specified router. Addresses of this form are always routable in that the address itself contains enough information to route the message to its destination.</p>
<div class="paragraph">
<p>The <code>0</code> component immediately preceding the router ID is a placeholder for an <em>area</em> which may be used in the future if area routing is implemented.</p>
</div>
</dd>
<dt class="hdlist1"><code>&lt;addr&gt;</code></dt>
<dd>
<p>A mobile address. An address of this format represents an endpoint or a set of distinct endpoints that are attached to the network in arbitrary locations. It is the responsibility of the router network to determine which router nodes are valid destinations for mobile addresses.</p>
</dd>
</dl>
</div>
</div>
</div>
<div class="openblock">
<div class="title">Supported addresses</div>
<div class="content">
<div class="dlist">
<dl>
<dt class="hdlist1"><code>$management</code></dt>
<dd>
<p>The management agent on the attached router/container. This address would be used by an endpoint that is a management client/console/tool wishing to access management data from the attached container.</p>
</dd>
<dt class="hdlist1"><code>_topo/0/Router.E/$management</code></dt>
<dd>
<p>The management agent at Router.E in area 0. This address would be used by a management client wishing to access management data from a specific container that is reachable within the network.</p>
</dd>
<dt class="hdlist1"><code>_local/qdhello</code></dt>
<dd>
<p>The router entity in each of the connected routers. This address is used to communicate with neighbor routers and is exclusively for the <code>HELLO</code> discovery protocol.</p>
</dd>
<dt class="hdlist1"><code>_local/qdrouter</code></dt>
<dd>
<p>The router entity in each of the connected routers. This address is used by a router to communicate with other routers in the network.</p>
</dd>
<dt class="hdlist1"><code>_topo/0/Router.E/qdrouter</code></dt>
<dd>
<p>The router entity at the specifically-indicated router. This address form is used by a router to communicate with a specific router that may or may not be a neighbor.</p>
</dd>
</dl>
</div>
</div>
</div>
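<div class="paragraph">
<p>The address patterns and supported addresses above can be told apart mechanically, which is useful when reviewing which addresses client links are allowed to name. The following is an added example, not code from the Qpid Dispatch project: the names <code>parse_address</code>, <code>review</code> and <code>SAMPLE</code> are hypothetical, the sample addresses are constructed, and unprefixed addresses are reported as mobile, following the pattern list.</p>
</div>

```python
from dataclasses import dataclass
from typing import Optional

ROUTER_CONTROL = {"qdhello", "qdrouter"}  # router-to-router addr values
# Constructed sample: addresses named in link attaches from a client.
SAMPLE = ["orders", "_topo/0/Router.E/$management", "_local/qdhello", "_topo/0/"]


@dataclass(frozen=True)
class ParsedAddress:
    kind: str                      # "local", "topological" or "mobile"
    addr: str                      # the addr component of the pattern
    area: Optional[str] = None     # "0" today; a placeholder per the guide
    router: Optional[str] = None   # router ID, topological addresses only

    @property
    def sensitive(self) -> Optional[str]:
        if self.addr == "$management":
            return "management"
        if self.kind != "mobile" and self.addr in ROUTER_CONTROL:
            return "router-control"
        return None


def parse_address(raw: str) -> ParsedAddress:
    """Classify an address by the three patterns in the guide."""
    if raw.startswith("_local/"):
        parsed = ParsedAddress("local", raw[len("_local/"):])
    elif raw.startswith("_topo/"):
        # Assumption: addr may itself contain "/", so split at most 3 times.
        _, area, router, addr = (raw.split("/", 3) + ["", ""])[:4]
        parsed = ParsedAddress("topological", addr, area, router)
    else:
        parsed = ParsedAddress("mobile", raw)  # unprefixed address
    if "" in (parsed.addr, parsed.area, parsed.router):
        raise ValueError(f"malformed address: {raw!r}")
    return parsed


def review(addresses):
    """Return (address, finding) pairs worth a second look."""
    findings = []
    for raw in addresses:
        try:
            label = parse_address(raw).sensitive
        except ValueError:
            label = "malformed"
        if label:
            findings.append((raw, label))
    return findings
```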
<h3 id="implementation_of_the_amqp_management_specification" class="discrete">Implementation of the AMQP Management specification</h3>
<div class="paragraph">
<p>Dispatch Router can be managed remotely over AMQP. It is compliant with the emerging AMQP Management specification (draft 9) with the following differences:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>The <code>name</code> attribute is not required when an entity is created. If not supplied, it will be set to the same value as the system-generated <code>identity</code> attribute. Otherwise, it is treated as per the standard.</p>
</li>
<li>
<p>The <code>REGISTER</code> and <code>DEREGISTER</code> operations are not implemented. The router automatically discovers peer routers through the router network and makes their management addresses available through the standard <code>GET-MGMT-NODES</code> operation.</p>
</li>
</ul>
</div>
<div class="ulist">
<div class="title">Additional resources</div>
<ul>
<li>
<p><a href="https://www.oasis-open.org/committees/download.php/54441/AMQP%20Management%20v1.0%20WD09">AMQP Management Version 1.0 (Draft 9)</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p><em>Revised on 2020-09-16 15:27:01 -0400</em></p>
</div>
</div>
</div>
<hr/>
<p id="-legal">
Apache Qpid, Messaging built on AMQP; Copyright &#169; 2015
The Apache Software Foundation; Licensed under
the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
Proton, Apache, the Apache feather logo, and the Apache Qpid
project logo are trademarks of The Apache Software
Foundation; All other marks mentioned may be trademarks or
registered trademarks of their respective owners
</p>
</div>
</div>
</div>
</body>
</html>