Enabling Mosquitto SSL TLS
This section describes how to enable SSL/TLS for a Mosquitto cluster. We walk through the steps involved in generating self-signed certificates, configuring the Mosquitto brokers, and making SSL/TLS client connections to the cluster.
create_cluster -product mosquitto -cluster mosquitto_tls
switch_cluster mosquitto_tls
Let's create a directory in which to generate the certificate authority, the private keys and the public certificates. Run the following from the cluster directory (cd_cluster), since the broker configuration generated later refers to this tls directory relative to the cluster directory. The steps shown here are extracted from [1].
❗ As noted by [1], the CN (Common Name) must be set to the host name for both the broker and client certificates; in our example it is set to localhost. The broker's CN is what a connecting client compares against the host it was asked to connect to (the -h value used below), so a mismatch makes every verifying client reject the broker. The client's CN is not checked against a host name; the broker only uses it as an identity, for example when use_identity_as_username is enabled.
mkdir tls && cd tls
- Generate CA certificate. The CA private key is passphrase-protected: you are prompted for the passphrase here and again each time the key is used to sign a certificate below.
mkdir ca && cd ca
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout ca.key -out ca.crt -subj "/C=US/ST=NY/L=New York/O=MyCo/CN=myca"
Output:
Generating a RSA private key
............+++++
......................+++++
writing new private key to 'ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
- Generate broker certificates
cd ..
mkdir broker && cd broker
openssl genrsa -out broker.key 2048
openssl req -out broker.csr -key broker.key -new -subj "/C=US/ST=NY/L=New York/O=MyCo/CN=localhost"
openssl x509 -req -in broker.csr -CA ../ca/ca.crt -CAkey ../ca/ca.key -CAcreateserial -out broker.crt -days 3650
rm broker.csr
- Generate client certificates
cd ..
mkdir client && cd client
openssl genrsa -out client.key 2048
openssl req -out client.csr -key client.key -new -subj "/C=US/ST=CT/L=CT/O=SELFSIGNED/CN=localhost"
openssl x509 -req -in client.csr -CA ../ca/ca.crt -CAkey ../ca/ca.key -CAcreateserial -out client.crt -days 3650
rm client.csr
cd ..
- View generated files
tree
Output:
.
├── broker
│   ├── broker.crt
│   └── broker.key
├── ca
│   ├── ca.crt
│   ├── ca.key
│   └── ca.srl
└── client
    ├── client.crt
    └── client.key
We now configure each broker with the generated certificates. Because each broker in the cluster listens on its own port, a single shared configuration file cannot serve all of them; we therefore generate a broker-specific TLS configuration file, tls.conf, in each broker's working directory. The file paths in it are relative to that working directory. The following generates tls.conf in each broker's working directory.
# Change directory into the broker run directory
cd_cluster mosquitto_tls/run
# Generate tls.conf file for each broker.
port=8883
for i in *-0?; do
cat > $i/tls.conf << EOF
listener $port
cafile ../../tls/ca/ca.crt
certfile ../../tls/broker/broker.crt
keyfile ../../tls/broker/broker.key
require_certificate true
EOF
let port=port+1
done
unset port
View the generated tls.conf files.
cat *-0?/tls.conf
Output:
listener 8883
cafile ../../tls/ca/ca.crt
certfile ../../tls/broker/broker.crt
keyfile ../../tls/broker/broker.key
require_certificate true
listener 8884
cafile ../../tls/ca/ca.crt
certfile ../../tls/broker/broker.crt
keyfile ../../tls/broker/broker.key
require_certificate true
listener 8885
cafile ../../tls/ca/ca.crt
certfile ../../tls/broker/broker.crt
keyfile ../../tls/broker/broker.key
require_certificate true
start_cluster
You can check each broker's TLS listener by executing openssl s_client as follows. The -showcerts output should contain the broker certificate issued by myca. Because no -CAfile is given, the Verify return code is non-zero, and because the listener has require_certificate true, the broker aborts the session during the handshake when no client certificate is presented; both are expected for this bare check.
openssl s_client -connect localhost:8883 -showcerts
openssl s_client -connect localhost:8884 -showcerts
openssl s_client -connect localhost:8885 -showcerts
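The following script is an added example and is not part of the PadoGrid page or project. It reproduces the three steps above in one unattended POSIX shell script: it generates the same ca/broker/client layout, adding a subjectAltName to the broker certificate and an extendedKeyUsage to each leaf so that a client certificate cannot be used as a broker certificate or vice versa; it writes the per-broker tls.conf with a TLS 1.2 floor and the client CN mapped to the MQTT username; and it runs offline pre-flight checks (referenced files exist, certfile chains to cafile, certfile and keyfile belong together) that catch the usual misconfigurations before start_cluster. The function names make_tls_dir, write_tls_conf, check_tls_conf and probe_listener are this example's own; it assumes openssl 1.1.1 or later on the PATH and the cluster-directory layout used on this page (tls next to run, brokers in run/*-0?).

```shell
#!/bin/sh
# Added example, not PadoGrid's own tooling. Assumes openssl 1.1.1+ and the
# <cluster>/tls plus <cluster>/run/<broker>-0N layout used on this page.
# Function names are this example's own.

# _leaf TLSDIR NAME CN EXTENSIONS: key, CSR and CA-signed cert for one role.
_leaf() {
  ld=$1; ln=$2; lcn=$3; lext=$4
  # basicConstraints=CA:FALSE keeps a leaf from ever acting as an issuer.
  printf 'basicConstraints=CA:FALSE\n%s\n' "$lext" > "$ld/$ln/$ln.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$ld/$ln/$ln.key" \
    -out "$ld/$ln/$ln.csr" -subj "/O=MyCo/CN=$lcn" 2>/dev/null || return 1
  openssl x509 -req -in "$ld/$ln/$ln.csr" -CA "$ld/ca/ca.crt" -CAkey "$ld/ca/ca.key" \
    -CAcreateserial -days 825 -extfile "$ld/$ln/$ln.ext" \
    -out "$ld/$ln/$ln.crt" 2>/dev/null || return 1
  rm -f "$ld/$ln/$ln.csr" "$ld/$ln/$ln.ext"
}

# make_tls_dir TLSDIR HOST: CA, broker and client material as on this page,
# plus a subjectAltName on the broker cert and an EKU on each leaf.
make_tls_dir() {
  dir=$1; host=${2:-localhost}
  mkdir -p "$dir/ca" "$dir/broker" "$dir/client" || return 1
  # -nodes leaves the CA key unencrypted so the script runs unattended; the
  # page's interactive command (passphrase prompt) is the better choice for a CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca/ca.key" -out "$dir/ca/ca.crt" \
    -subj "/C=US/ST=NY/L=New York/O=MyCo/CN=myca" 2>/dev/null || return 1
  # Clients match the broker against the SAN first and fall back to CN, so set both.
  _leaf "$dir" broker "$host" "subjectAltName=DNS:$host
extendedKeyUsage=serverAuth" || return 1
  # The client cert is restricted to clientAuth: it cannot impersonate a broker.
  _leaf "$dir" client "$host" "extendedKeyUsage=clientAuth" || return 1
  chmod 600 "$dir/ca/ca.key" "$dir/broker/broker.key" "$dir/client/client.key"
}

# write_tls_conf RUNDIR FIRSTPORT: one tls.conf per broker directory, as on
# this page, with a TLS 1.2 floor and the client CN mapped to the username.
write_tls_conf() {
  rundir=$1; port=${2:-8883}
  for b in "$rundir"/*-0?; do
    [ -d "$b" ] || continue
    cat > "$b/tls.conf" <<EOF
listener $port
cafile ../../tls/ca/ca.crt
certfile ../../tls/broker/broker.crt
keyfile ../../tls/broker/broker.key
require_certificate true
use_identity_as_username true
tls_version tlsv1.2
EOF
    port=$((port + 1))
  done
}

# check_tls_conf BROKERDIR: offline pre-flight. Every file the config names
# must exist relative to the broker's working directory, certfile must chain
# to cafile as a server cert, and certfile and keyfile must belong together.
check_tls_conf() {
  bdir=$1; conf=$1/tls.conf
  [ -f "$conf" ] || { echo "no tls.conf in $bdir" >&2; return 1; }
  ca=$(awk '$1=="cafile"{print $2}' "$conf")
  crt=$(awk '$1=="certfile"{print $2}' "$conf")
  key=$(awk '$1=="keyfile"{print $2}' "$conf")
  for f in "$ca" "$crt" "$key"; do
    [ -r "$bdir/$f" ] || { echo "missing: $bdir/$f" >&2; return 1; }
  done
  openssl verify -CAfile "$bdir/$ca" -purpose sslserver "$bdir/$crt" >/dev/null 2>&1 \
    || { echo "certfile does not chain to cafile" >&2; return 1; }
  # Same public key in cert and private key, else the listener fails at startup.
  [ "$(openssl x509 -in "$bdir/$crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$bdir/$key" -pubout 2>/dev/null)" ] \
    || { echo "certfile and keyfile do not match" >&2; return 1; }
}

# probe_listener HOST PORT TLSDIR: live check of a running broker. Succeeds
# only if the broker cert verifies against the CA for HOST and the mutual-TLS
# handshake completes with the client cert (require_certificate is enforced).
probe_listener() {
  openssl s_client -connect "$1:$2" -CAfile "$3/ca/ca.crt" \
    -cert "$3/client/client.crt" -key "$3/client/client.key" \
    -verify_hostname "$1" -verify_return_error </dev/null >/dev/null 2>&1
}
```

From the cluster directory, `make_tls_dir tls localhost`, `write_tls_conf run 8883` and `check_tls_conf run/<broker>-01` replace the manual steps above; after start_cluster, `probe_listener localhost 8883 tls` returns 0 only when the broker presents a certificate valid for localhost and accepts the client certificate. The EKU split is what makes the pre-flight meaningful: `openssl verify -purpose sslclient` rejects the broker certificate, so handing broker.key to clients (as a shortcut) would be caught rather than silently working.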
- Subscribers - mosquitto_sub. Clients authenticate with the client key pair generated above; the broker's private key stays on the broker and is never handed to clients.
cd_cluster
mosquitto_sub --cafile tls/ca/ca.crt --key tls/client/client.key --cert tls/client/client.crt -t test/# -h localhost -p 8883
mosquitto_sub --cafile tls/ca/ca.crt --key tls/client/client.key --cert tls/client/client.crt -t test/# -h localhost -p 8884
mosquitto_sub --cafile tls/ca/ca.crt --key tls/client/client.key --cert tls/client/client.crt -t test/# -h localhost -p 8885
- Publishers - mosquitto_pub
cd_cluster
mosquitto_pub --cafile tls/ca/ca.crt --key tls/client/client.key --cert tls/client/client.crt -t test/topic1 -m hello -h localhost -p 8883
mosquitto_pub --cafile tls/ca/ca.crt --key tls/client/client.key --cert tls/client/client.crt -t test/topic1 -m hello -h localhost -p 8884
mosquitto_pub --cafile tls/ca/ca.crt --key tls/client/client.key --cert tls/client/client.crt -t test/topic1 -m hello -h localhost -p 8885
Create the perf_test app.
create_app -product mosquitto -app perf_test -name perf_test_mosquitto
Configure perf_test with TLS.
cd_app perf_test_mosquitto
vi etc/mqttv5-client.yaml
Add the following in etc/mqttv5-client.yaml.
clusters:
  ...
  connections:
    ...
    - tls:
        ...
        # CA certificate used to verify the broker certificate and enable encrypted communication.
        cafile: ../../../clusters/mosquitto_tls/tls/ca/ca.crt
        # Client certificate for authentication; required by the brokers configured above (require_certificate true).
        certfile: ../../../clusters/mosquitto_tls/tls/client/client.crt
        # Client private key for authentication.
        keyfile: ../../../clusters/mosquitto_tls/tls/client/client.key
        ...
      connection:
        ...
        serverURIs: [ssl://localhost:8883-8885]
        ...
- Subscriber - perf_test
cd_app perf_test_mosquitto/bin_sh
./subscribe_topic test/#
- Publisher - perf_test
cd_app perf_test_mosquitto/bin_sh
./test_group -run
Create pubsub.yaml
as follows.
cd_app perf_test_mosquitto
vi etc/pubsub.yaml
Add the following in the new file, pubsub.yaml. (The file paths must be absolute paths. Replace /... with the cluster directory path.)
✏️ The cluster directory path can be obtained by running echo $PADOGRID_WORKSPACE/clusters/$(pwd_cluster).
defaultCluster: mosquitto_tls
clusters:
  - name: mosquitto_tls
    connections:
      - tls:
          cafile: /.../tls/ca/ca.crt
          certfile: /.../tls/client/client.crt
          keyfile: /.../tls/client/client.key
        connection:
          serverURIs: [ssl://localhost:8883-8885]
- VC Subscriber - vc_subscribe
cd_app perf_test_mosquitto
vc_subscribe -config etc/pubsub.yaml -t test/#
- VC Publisher - vc_publish
cd_app perf_test_mosquitto
vc_publish -config etc/pubsub.yaml -t test/topic1 -m hello
stop_cluster
[1] MQTTS: How to use MQTT with TLS?, https://openest.io/en/services/mqtts-how-to-use-mqtt-with-tls/