MQTT one-way SSL authentication

About MQTT:

Introduction:

Using the MQTT (Message Queuing Telemetry Transport) broker, the user should be able to create an MQTT connection using one-way authentication (only the MQTT server authenticates itself via a certificate; the client presents none). This article details the steps for creating the MQTT one-way connection alias and for publishing and subscribing to messages using the webMethods Integration Server.

Prerequisites:

  • Download “mosquitto-1.6.9-install-windows-x64” from the Index of /files/binary/win64/ site on your Windows machine and run the installer as Administrator.
  • To monitor and administer the “Mosquitto Broker” you can download and install the MQTT.fx client tool “mqttfx-1.7.1-windows-x64.exe” from the Download page; you can then connect to the MQTT server.
  • Using the openssl commands below, generate the CA certificate (ca.crt), server certificate, server key and truststore file:
    • a) openssl genrsa -des3 -out ca.key 2048
    • b) openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
    • c) openssl genrsa -out server.key 2048
    • d) openssl req -new -out server.csr -key server.key
    • e) openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360
    • f) Import ca.crt into the truststore file in the /common/conf location with the command below:
      keytool -import -alias teiid -file ca.crt -storetype JKS -keystore platform_truststore.jks
  • Copy the ca.crt, server.crt and server.key files to the mosquitto installation folder (C:\Program
    Files\mosquitto).
  • Replace the existing truststore file in /common/conf with the updated file
    platform_truststore.jks.
  • Edit the mosquitto.conf file in the mosquitto installation directory and make the changes below
    in the default listener section:
    • a) port 8883
    • b) cafile C:\Program Files\mosquitto\ca.crt
    • c) keyfile C:\Program Files\mosquitto\server.key
    • d) certfile C:\Program Files\mosquitto\server.crt
    • e) tls_version tlsv1.1
  • Go to Windows Services and start the “Mosquitto Broker” service; if it is already “Running”,
    “Restart” the service.
  • Check that the Mosquitto broker is listening on port 8883 with the command
    netstat -an  or  netstat -an | find “8883”
  • Also check connectivity by launching the MQTT.fx client tool (mqttfx-1.7.1-windows-x64.exe),
    connecting to the “Mosquitto Broker”, publishing a message on the selected topic and
    subscribing to messages on the same topic, as shown below:
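The certificate steps a) to e) above are interactive (openssl prompts for the passphrase and the subject fields). The script below is an added example, not part of the article, that runs the same commands non-interactively and then performs the check a practitioner should do before copying the files to the broker and importing ca.crt into the truststore: confirming that server.crt really chains to ca.crt, and that a certificate signed by an unrelated CA does not. The subjects, the CA passphrase “changeit” and the scratch directory are placeholders chosen for the example; the article's file names are kept.

```shell
#!/bin/sh
# Added example (not from the article): the openssl steps a) to e) run
# non-interactively, plus the chain check that mirrors what the client
# truststore decides during a one-way TLS handshake.
# Assumptions: subjects, the CA passphrase "changeit" and the output
# directory are placeholders; the article's file names are kept.

# gen_pki DIR: create ca.key, ca.crt, server.key, server.csr and server.crt in DIR.
gen_pki() {
  dir="$1"
  mkdir -p "$dir"
  # a) CA private key, DES3-encrypted as in the article (passphrase given on the command line)
  openssl genrsa -des3 -passout pass:changeit -out "$dir/ca.key" 2048 2>/dev/null
  # b) self-signed CA certificate
  openssl req -new -x509 -days 1826 -key "$dir/ca.key" -passin pass:changeit \
    -subj "/CN=Example MQTT CA" -out "$dir/ca.crt" 2>/dev/null
  # c) server private key (unencrypted so the broker service can start unattended)
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  # d) certificate request; the CN should be the host name clients use for the broker
  openssl req -new -key "$dir/server.key" -subj "/CN=localhost" -out "$dir/server.csr" 2>/dev/null
  # e) sign the request with the CA; -CAcreateserial writes ca.srl next to ca.crt
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -passin pass:changeit -CAcreateserial -out "$dir/server.crt" -days 360 2>/dev/null
}

# verify_chain CAFILE CERT: succeed only if CERT chains to CAFILE.
# This is the trust decision the client truststore makes in one-way authentication.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_subject CERT: print the subject, to confirm the CN before deployment.
cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

main() {
  work=$(mktemp -d)
  gen_pki "$work/broker"
  gen_pki "$work/other"   # a second, unrelated CA for the negative check
  cert_subject "$work/broker/server.crt"
  verify_chain "$work/broker/ca.crt" "$work/broker/server.crt" \
    && echo "server.crt chains to ca.crt: the truststore will accept this broker"
  verify_chain "$work/other/ca.crt" "$work/broker/server.crt" \
    || echo "a certificate from a different CA is rejected, as expected"
  rm -rf "$work"
}

main "$@"
```

Two caveats worth keeping in mind when applying this to the article's setup: clients that verify host names need the CN (or a SAN) in server.crt to match the name they connect to, and a JVM whose default configuration has TLS 1.1 disabled will fail the handshake against a listener restricted with tls_version tlsv1.1; Mosquitto 1.6 also accepts tlsv1.2 for that setting.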


Creating MQTT one-way SSL connection alias in IS:

In one-way SSL authentication, the MQTT client authenticates the MQTT server via the server's certificate; the server does not request a certificate from the client. Here Integration Server is the client, and it uses the truststore file (platform_truststore.jks) generated from ca.crt in the prerequisites step to verify the server certificate.
The steps below detail the creation of the truststore alias and of the MQTT connection alias in IS.
Update the truststore alias by providing the proper passphrase:
Create the MQTT connection alias with SSL enabled and the Truststore key selected:

Verifying publish and subscribe of messages to the topic on the MQTT broker using Integration Server

  • Launch Designer and connect to Integration Server.
  • Create the package and folder MQTTDemov10_5 in Designer.
  • Create a publish flow service in the MQTTDemov10_5 folder using the built-in
    service pub.mqtt:publish.


  • Create another flow service, subscribe, and check the Integration Server server log to confirm that the message was successfully received from the MQTT server topic.


  • Integration Server can subscribe to topics by creating an MQTT trigger. The MQTT trigger receives messages published to the topic on the MQTT server and then invokes a trigger service to process the messages.
  • Integration Server uses an MQTT connection alias to create a connection to the MQTT server. An invocation of the pub.mqtt:publish service requires the MQTT connection alias to publish the message to the MQTT server. Similarly, an MQTT trigger specifies the MQTT connection alias that it uses to identify the MQTT server from which it retrieves messages and on which the trigger creates subscriptions.
  • Run the Publisher service
Verify message in server log of webMethods Integration Server
Messages in mqttfx client: