Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Anchor
create-keystore
create-keystore

NOTE: The procedure below is only applicable when running pre-4.0.4 modules. Manually configuring MQTT Distributor to consume a Java Keystore is supported and will work properly when running pre-4.0.4 modules, but it is no longer the recommended process for encrypting MQTT communication. If possible, please upgrade to modules version 4.0.4 or higher and follow the default workflow to secure MQTT communication.


Whether you are using a certificate issued by a trusted CA (Certificate Authority) or a self-signed certificate, internally MQTT Distributor accesses these certificate(s) via the Java KeyStore file that it is configured to use. This KeyStore must contain the public certificate, the private key, and possibly an intermediate certificate if applicable. 

Creating

...

a Keystore using Keystore Explorer

There are many ways to create a Java KeyStore.  In this example, we'll show how it can be done using KeyStore Explorer.  It can run on Windows, OSX, or any other OS that can run Java.  It provides an easy to use graphical interface for creating and manipulating Java KeyStores. Keystore explorer can create a keystore from existing keypair (i.e., certificates) or can generate a private keypair if desired. After installing KeyStore Explorer, open it and you should see something similar to the following.  It may ask you to modify some of your Java Security settings before starting.  If so, follow the instructions it provides. 

...

Finally, give it a name and location on the filesystem and click Save:

Generate a Private Key Pair

If you prefer TLS connection over private networks you may instead generate your own Private Key Pair.  Launch KeyStore Explorer and select 'Create a new KeyStore' of the type 'JKS', then [ OK].  In the background of the Untitled-1 page right click and select 'Generate Key Pair' as below:

Image Removed

Image Removed

Image Removed

Image Removed

Image Removed

Image Removed


Configuring MQTT Distributor to use a Keystore

...

Use your browser and login to your Central Gateway (Distributor) and under . Under Config → MQTT Distributor → Settings page under the General Tab upload the keystore file.  Uncheck the box to Enable the plain TCP connection and check the box under TLS Settings to Enable the TLS port(s).  Don't forget to enter the Password in the box just above the Java KeyStore File portion.

In the MQTT Distributor Settings, change the configuration for TLS communication from TCP to SSL.  Upload the keystore file created and enter the password.

Generate rootca.pem file

Export the Certificate Chain for Client-side Use (self-signed certs only)

Anchor
export-cert-chain
export-cert-chain

If using self-signed certificates, the required CA certificates are not known to MQTT clients by default as they would be if the certificate was generated by a real CA. This requires one to acquire and upload the CA certificates that make up the certificate chain (aka. "chain-of-trust"). The certificate chain can be exported from an existing keystore (like the one created here) using the steps below. Return to the Return to your KeyStore Explorer application and generate the necessary root.ca.pem file.  Save this file in same location (by default) as your cert.jks file.  Use this template below to upload this root.ca.pem file to Transmission and Engine.  (Password not required on these pages.)

...

In MQTT Engine or Transmission, there may be a need to specify the TLS components for the client configuration.  In the case of If using certificates signed by a trusted CA that do not require an internediate cert don't need any special configuration other , no additional configuration is required beyond changing the form of the URL.  The form should be as follows:

...

Once the settings are saved, the MQTT client associated with MQTT Engine or MQTT Transmission will connect using TLS.

Additional Resources