DEV Community

Mariela Dimitrova for Software AG Tech Community

Originally published at tech.forums.softwareag.com

MQTT one-way SSL authentication

About MQTT (Tech Community): Mqtt-support-and-configuring-integration-server-for-mqtt-messagin

Introduction:

Using the MQTT broker, a user should be able to create an MQTT connection with one-way authentication (only the MQTT server is authenticated, via its certificate). This article details the steps for creating the MQTT one-way connection alias and for publishing and subscribing to messages using Integration Server.

Pre-Requisites:

• Download “mosquitto-1.6.9-install-windows-x64” from https://mosquitto.org/files/binary/win64 onto your Windows machine and run the installer as Administrator.

• To monitor and administer the “Mosquitto Broker”, download and install the MQTT.fx client tool “mqttfx-1.7.1-windows-x64.exe” from its download page; you can then connect to the MQTT server.

• Using the openssl commands below, generate the CA certificate (ca.crt), the server certificate, the server key and the truststore file:

a) openssl genrsa -des3 -out ca.key 2048

b) openssl req -new -x509 -days 1826 -key ca.key -out ca.crt

c) openssl genrsa -out server.key 2048

d) openssl req -new -out server.csr -key server.key

e) openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360

f) Import the CA certificate (ca.crt) into the truststore file in the /common/conf location using the command below:

keytool -import -alias teiid -file ca.crt -storetype JKS -keystore platform_truststore.jks

• Copy the ca.crt, server.crt and server.key files to the Mosquitto installation folder (C:\Program Files\mosquitto).

• Replace the existing truststore file in /common/conf with the updated platform_truststore.jks.

• Edit the mosquitto.conf file in the Mosquitto installation directory and make the changes below in the default listener section:

a) port 8883

b) cafile C:\Program Files\mosquitto\ca.crt

c) keyfile C:\Program Files\mosquitto\server.key

d) certfile C:\Program Files\mosquitto\server.crt

e) tls_version tlsv1.1

• Go to Windows Services and start the “Mosquitto Broker” service; if it is already “Running”, “Restart” the service.

• Check that the Mosquitto broker is listening on port 8883 with the command

netstat -an or netstat -an | find “8883”


• Also check connectivity by launching the MQTT.fx client (mqttfx-1.7.1-windows-x64.exe), connecting to the “Mosquitto Broker”, publishing a message on the selected topic and subscribing to messages on the same topic.
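As an added example, not part of the original article, the following script reproduces steps a) to f) above non-interactively and adds the check that matters for one-way TLS: that server.crt actually chains to ca.crt, which is exactly what the Integration Server trust store verifies when it connects. It assumes openssl on PATH, an unencrypted CA key (the article encrypts it with -des3), and a placeholder broker host name mqtt.example.test.

```shell
#!/bin/sh
# Added example, not from the original article: steps a) to f) done
# non-interactively, plus the check a client performs in one-way TLS.
# Assumptions: openssl is on PATH, the CA key is left unencrypted (the
# article uses -des3), and mqtt.example.test is a placeholder broker name.
set -eu

# Create ca.key, ca.crt, server.key and server.crt in directory $1 for
# broker host name $2 (clients must connect using exactly this name).
make_certs() {
    dir=$1; host=$2
    # a) + b): CA key and self-signed CA certificate, 1826 days as in the article
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 1826 -key "$dir/ca.key" \
        -subj "/CN=Demo MQTT CA" -out "$dir/ca.crt"
    # c) + d): server key and certificate signing request
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.csr"
    # e): the CA signs the CSR, 360 days as in the article; a subjectAltName is
    # added so that clients that verify the host name accept the certificate
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 360 \
        -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# Succeed only if certificate $2 chains to $1/ca.crt: this is the check the
# client's trust store performs on the broker certificate during the
# handshake, and a certificate issued by any other CA must fail it.
chains_to_ca() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Succeed only if $1/server.crt names host $2 in its subjectAltName.
names_host() {
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2"
}

# f): import the CA certificate (not a client certificate) into the JKS
# trust store that the Integration Server connection alias references.
# Skipped when keytool is not installed; $2 is the store password.
import_ca_into_truststore() {
    command -v keytool >/dev/null || { echo "keytool not found, skipping"; return 0; }
    keytool -importcert -noprompt -alias teiid -file "$1/ca.crt" -storetype JKS \
        -keystore "$1/platform_truststore.jks" -storepass "$2"
}
```

The host name passed to make_certs must be the one configured in the IS connection alias, otherwise a client that checks the certificate's name will reject the broker even though the chain verifies.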


Creating MQTT one-way SSL connection alias in IS:

In one-way SSL authentication, only the MQTT server presents a certificate, and the client verifies it against its truststore. Here we are using the truststore file (platform_truststore.jks) generated from ca.crt in the pre-requisites step.

The steps below detail the creation of the truststore alias and of the MQTT connection alias in IS:

  1. Update the truststore alias by providing the proper passphrase.
  2. Create the MQTT connection with SSL enabled and the truststore alias selected.
  3. Verify publish and subscribe of messages to a topic on the MQTT broker using Integration Server:
     • Launch Designer and connect to the Integration Server.
     • Create the package and folder MQTTDemov10_5 in Designer.
     • Create a publish flow service in the MQTTDemov10_5 folder using the built-in service pub.mqtt:publish.
     • Create another flow service, subscribe, and check the server log in Integration Server to confirm that the message was received from the MQTT server topic.
     • Integration Server can subscribe to topics by creating an MQTT trigger. The MQTT trigger receives messages published to the topic on the MQTT server and then invokes a trigger service to process the messages.
     • Integration Server uses an MQTT connection alias to create a connection to the MQTT server. An invocation of the pub.mqtt:publish service requires the MQTT connection alias to publish the message to the MQTT server. Similarly, an MQTT trigger specifies the MQTT connection alias that it uses to identify the MQTT server from which it retrieves messages and on which the trigger creates subscriptions.
     • Run the publisher service.
  4. Verify the message in the server log of Integration Server.
  5. Verify the messages in the MQTT.fx client.
