MQTT provides username/password authentication as part of the protocol. In Mosquitto, use the 'password_file' option in mosquitto.conf to define the users and their (salted, hashed) passwords. Be sure to use network encryption if you use this option; otherwise the username and password cross the network in the clear and can be intercepted (1).
For network encryption, Mosquitto's SSL/TLS support should be used. Mosquitto offers two TLS modes: certificate-based encryption and pre-shared-key (PSK) based encryption.
a) I used certificate-based encryption together with username/password authentication. First, I created a user and password from the command prompt with mosquitto_passwd (2):
mosquitto_passwd -c /demo/mosquitto_passFile username
(-c creates the file, so the path must be the one later given as password_file in mosquitto.conf, step d. Drop -c when adding further users, otherwise the existing file is overwritten.)
b) To create the certificates, I downloaded OpenSSL v1.0.2e (the Visual C++ 2008 Redistributable must be installed first). I set two environment variables before starting OpenSSL:
set RANDFILE=c:\demo\.rnd
set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
c) I started OpenSSL by running start "openssl.exe" in the OpenSSL directory and created the certificates with it, following the instructions in (3). The root CA certificate (ca.crt) was created first.

[Screenshot of the OpenSSL session that created ca.crt: not reproduced.] I entered "trialca" as the PEM passphrase; it protects the CA's private key (ca.key), which OpenSSL writes next to ca.crt. Then I created server.key, server.csr and server.crt:
[Screenshot of the OpenSSL session that created server.key, server.csr and server.crt: not reproduced.]
client.key and client.crt were created the same way as server.key and server.crt.
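The OpenSSL commands from the screenshots are not on this page, so the script below is an added example (not the post's own session, and written for a POSIX shell rather than the Windows OpenSSL prompt) that produces the same files in the order mosquitto-tls(7) documents: a self-signed CA, a broker certificate and a client certificate signed by that CA. The hostname broker.demo.local, the 365-day validity, the output directory and the throw-away openssl.cnf it writes are assumptions; "trialca" and "trialclt" are the passphrases the post uses. The broker key is deliberately left without a passphrase, for the reason the post's note below gives.

```shell
#!/bin/sh
# Added example, not the post's own OpenSSL session: creates ca.crt, server.key/server.crt
# and client.key/client.crt for the mosquitto.conf in this post, following the command
# sequence in mosquitto-tls(7). Hostname, validity period and the throw-away config are
# assumptions; "trialca" and "trialclt" are the passphrases the post uses.
set -eu

# Minimal openssl config written next to the output, so the script does not depend on
# the installed openssl.cfg / OPENSSL_CONF (the post sets that by hand on Windows).
# The broker host goes into subjectAltName because clients match the server name against it.
write_openssl_cnf() {
  cnf=$1; host=$2
  cat > "$cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# make_certs DIR HOST: writes ca.crt, server.key/.crt and client.key/.crt into DIR.
make_certs() {
  dir=$1; host=$2; days=365
  mkdir -p "$dir"
  write_openssl_cnf "$dir/openssl.cnf" "$host"

  # 1. Self-signed root CA. Its private key is passphrase-protected: it is only ever
  #    used here, by a person, to sign the two leaf certificates.
  openssl req -new -x509 -days "$days" -config "$dir/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -keyout "$dir/ca.key" -passout pass:trialca \
    -subj "/CN=trialca" -out "$dir/ca.crt"

  # 2. Broker key and certificate. The key is NOT passphrase-protected: OpenSSL would
  #    prompt for the passphrase on the console when Mosquitto loads the key, and a
  #    Windows service has no console (the failure described in the post's note).
  #    The CN must be the name clients connect to, or their certificate check fails.
  openssl genrsa -out "$dir/server.key" 2048
  openssl req -new -config "$dir/openssl.cnf" -key "$dir/server.key" \
    -subj "/CN=$host" -out "$dir/server.csr"
  openssl x509 -req -days "$days" -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -passin pass:trialca -CAcreateserial \
    -extfile "$dir/openssl.cnf" -extensions v3_server -out "$dir/server.crt"

  # 3. Client key and certificate, signed by the same CA so that the listener's
  #    "cafile /demo/ca.crt" + "require_certificate true" accepts it. The key is
  #    encrypted with the passphrase the Paho client passes to SslUtil.
  openssl genrsa -aes256 -passout pass:trialclt -out "$dir/client.key" 2048
  openssl req -new -config "$dir/openssl.cnf" -key "$dir/client.key" -passin pass:trialclt \
    -subj "/CN=paho-client" -out "$dir/client.csr"
  openssl x509 -req -days "$days" -in "$dir/client.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -passin pass:trialca -CAcreateserial \
    -extfile "$dir/openssl.cnf" -extensions v3_client -out "$dir/client.crt"
}

# verify_chain DIR: succeeds only if both leaf certificates chain to ca.crt, which is
# the check the broker (cafile) and the client (its trust store) each perform.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" "$1/client.crt" >/dev/null
}

# server_cert_cn DIR: prints the CN of server.crt, to compare with the broker hostname.
server_cert_cn() {
  openssl x509 -in "$1/server.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Usage: sh make-certs.sh /demo broker.demo.local
if [ "$#" -eq 2 ]; then
  make_certs "$1" "$2" && verify_chain "$1" \
    && echo "certificates for $(server_cert_cn "$1") written to $1"
fi
```

Two things to keep in mind when reusing the output: the SslUtil class from the gists parses client.key with BouncyCastle's PEM parser, so keep the key in PEM form, and the server certificate is only accepted by clients that connect to the exact name in its CN/subjectAltName, so generate it for the hostname the clients will actually use, not 127.0.0.1.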
d) I made these changes in mosquitto.conf (listener options apply to the most recently declared listener; the last three settings are global):
# Plain-text listener, bound to loopback only. It has no cafile/certfile, so nothing on
# port 1883 is encrypted, including the username and password; keep it on 127.0.0.1.
listener 1883 127.0.0.1
require_certificate false
use_identity_as_username false
# TLS listener for remote clients. cafile is the CA that signed client.crt, so with
# require_certificate true the broker rejects any client that does not present a
# certificate issued by that CA; the TLS handshake fails before CONNECT is ever read.
listener 8883
cafile /demo/ca.crt
certfile /demo/server.crt
keyfile /demo/server.key
require_certificate true
# false: the client must still send a username/password from password_file in addition
# to its certificate; true would take the certificate's CN as the username instead.
use_identity_as_username false
# Security
allow_anonymous false
# Default authentication and topic access control
password_file /demo/mosquitto_passFile
(the username and password in this file were added with mosquitto_passwd in step a)
e) I started the broker from the command prompt with the new configuration file (running it in the foreground like this shows any configuration error immediately):
c:\Program Files (x86)\mosquitto> mosquitto -c mosquitto.conf
f) For the installed Windows service to pick up the new configuration, the Mosquitto service has to be restarted from 'Services'.
Note: I had set "trialsrv" as the passphrase for server.key, but after that the service would not start and threw an error. I asked about this on stackoverflow.com (4), followed the recommendation there and removed the passphrase from server.key, after which Mosquitto restarted properly. The reason is that OpenSSL asks for the passphrase on the console when the key is loaded, and a Windows service has no console to answer on. Once the key is stored unencrypted, the file permissions on /demo/server.key are all that protect it, so restrict them to the account the service runs as.
** Configuration of the Mosquitto broker is finished!
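With the service running, the checks worth doing before touching the Java client are the three below: a fully authenticated publish must succeed, a client without a certificate must be dropped by the handshake, and a valid certificate with a wrong password must still be refused. This is an added example, not from the post, using the mosquitto_pub command-line client from the Mosquitto client tools in a POSIX shell. The broker host, user, password and the name of a passphrase-free copy of client.key are assumptions; mosquitto_pub has no option to supply a key passphrase non-interactively, so the encrypted client.key the Paho client uses has to be decrypted first with openssl rsa for this script.

```shell
#!/bin/sh
# Added example, not from the post: three acceptance checks for the mosquitto.conf above,
# run with mosquitto_pub against the 8883 listener from the directory holding ca.crt,
# client.crt and a passphrase-free copy of client.key
# (openssl rsa -in client.key -out client-nopass.key). Host, user, password and the
# key file name are assumptions.
set -u
HOST=${BROKER_HOST:-broker.demo.local}
USER_NAME=${BROKER_USER:-username}
PASS=${BROKER_PASS:-secret}
KEY=${CLIENT_KEY:-client-nopass.key}

# pub USER PASS [extra mosquitto_pub args]: publishes one message over TLS and returns
# mosquitto_pub's exit status (0 only when the broker accepted the connection).
# --cafile makes the client verify server.crt against ca.crt and check that the
# certificate name matches $HOST; do not paper over a mismatch with --insecure outside a lab.
pub() {
  user=$1; pass=$2; shift 2
  mosquitto_pub -h "$HOST" -p 8883 --cafile ca.crt -u "$user" -P "$pass" \
    -t demo/selftest -m "tls self-test" "$@"
}

# Returns 0 when the listener behaves as configured: certificate AND password required.
check_tls_setup() {
  # 1. Trusted CA, client certificate issued by it, valid credentials: must succeed.
  if ! pub "$USER_NAME" "$PASS" --cert client.crt --key "$KEY"; then
    echo "FAIL: a fully authenticated client was rejected"; return 1
  fi
  # 2. No client certificate: require_certificate true must end the TLS handshake
  #    before CONNECT is even read, whatever username/password is offered.
  if pub "$USER_NAME" "$PASS" 2>/dev/null; then
    echo "FAIL: listener 8883 accepted a client without a certificate"; return 1
  fi
  # 3. Valid certificate, wrong password: use_identity_as_username false means the
  #    certificate does not stand in for the password, so CONNECT must be refused.
  if pub "$USER_NAME" "not-$PASS" --cert client.crt --key "$KEY" 2>/dev/null; then
    echo "FAIL: a wrong password was accepted"; return 1
  fi
  echo "listener 8883: certificate and password are both enforced"
}

# Usage: BROKER_HOST=broker.demo.local BROKER_USER=username BROKER_PASS=... sh check-tls.sh run
if [ "${1-}" = run ]; then
  check_tls_setup
fi
```

If check 1 fails with a TLS error rather than "not authorised", the usual causes are a server certificate whose CN does not match $HOST, or a client.crt signed by a different CA than the one in cafile.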
g) On the client side, I first added ca.crt, client.key and client.crt to my MQTT Java client project, which is built on the Eclipse Paho MQTT library (5). The project is a web application (JSF), so I put the certificates under WebContent/resources/certificates/. Caution: everything under WebContent outside WEB-INF is served by the container, so a private key placed there can be downloaded by anyone who requests its URL; for anything beyond a local trial, keep client.key under WEB-INF (getRealPath works there as well) or outside the web root.
h) Then I searched for MQTT SSL/TLS Java code to see how to connect my project to the broker. I found Sharonbn's SslUtil class (6) and a newer version of it by Rohanag12 (7). I used Rohanag12's version because it was newer and compatible with the MQTT and related libraries I was using.
i) I pointed the code at the certificate paths from (g). getRealPath resolves them inside the deployed application (it returns null when the WAR is deployed unexpanded); the last argument is the passphrase of client.key:
ServletContext servletContext =
        (ServletContext) FacesContext.getCurrentInstance().getExternalContext().getContext();
conOpt.setSocketFactory(SslUtil.getSocketFactory(
        servletContext.getRealPath("/resources/certificates/ca.crt"),     // CA that signed server.crt
        servletContext.getRealPath("/resources/certificates/client.crt"), // certificate presented to the broker
        servletContext.getRealPath("/resources/certificates/client.key"), // its private key
        "trialclt"));                                                      // passphrase of client.key
Eureka! SSL/TLS-based authentication and messaging were set up successfully.
Note: Be careful! The firewall of an antivirus program, or the Windows firewall, may block communication between the Mosquitto broker and the MQTT Java client; if a connection to 8883 times out, check them before suspecting the TLS setup.
References:
1) https://eclipse.org/mosquitto/man/mosquitto-conf-5.php/
2) https://eclipse.org/mosquitto/man/mosquitto_passwd-1.php/
3) https://eclipse.org/mosquitto/man/mosquitto-tls-7.php/
4) http://stackoverflow.com/questions/34226717/how-to-provide-ssl-tls-based-communication-on-mosquitto/
5) https://www.eclipse.org/paho/
6) https://gist.github.com/sharonbn/4104301/
7) https://gist.github.com/rohanag12/07ab7eb22556244e9698/
8) http://blog.didierstevens.com/2015/03/30/howto-make-your-own-cert-with-openssl-on-windows/