Abstract

MQTT Security Context allows secure command writes through MQTT Engine to MQTT Transmission by using custom tag permissions to authorize a tag write based on the user.

When using Ignition Security Context, the user security context is encrypted and included with the write command message published by MQTT Engine. At MQTT Transmission, the security context is decrypted. If the user is authorized to write to the tag, the write succeeds and the tag change is published. If the user is not authorized to write to the tag, no action is taken.

Tags must have write permission enabled. Tag write permissions can be applied to the entire tag provider or to individual tags to guarantee the write security.

To use this feature, you must be using MQTT Engine and MQTT Transmission modules 4.0.10 or greater and Ignition 8.1.11 or greater.

Central Gateway Configuration

MQTT Engine

In the Ignition Gateway web UI, navigate to the MQTT Engine Settings in the left side bar. From the Main tab, set the following elements in the Command Settings section.

  • Select checkbox Include Security Context in write command to be validated at the Edge Node

  • Select the Security Context Hashing Algorithm to use when encrypting the Security Context. Options include SHA_1, SHA_224, SHA_256, SHA_384 and SHA_512

  • Select checkbox Change Password? and set the Password to be used when encrypting the Security Context

Block Node Commands and/or Block Devices Commands must be de-selected for the Include Security Context feature to be enabled.

Edge Device Configuration

MQTT Transmission

In the Ignition Gateway web UI, navigate to the MQTT Transmission Settings in the left side bar. From the Transmitters tab, for each transmitter set the following elements in the Command Settings section.

  • Select checkbox Validate Security Context to validate the security context in the write command

  • Select the Security Context Hashing Algorithm to use when decrypting the Security Context

  • Select checkbox Change Password? and set the Password to be used when encrypting the Security Context

The Security Context Hashing Algorithm and the Password must be the SAME as configured at MQTT Engine.

Block Commands must be de-selected for the Validate Security Context feature to be enabled.





