Contents
Cirrus Link Resources
Cirrus Link Website
Contact Us (Sales/Support)
Inductive Resources
Ignition User Manual
Knowledge Base Articles
Inductive University
Forum
Prerequisites:
- Installing the Java Runtime Environment
- Installing Ignition
- Installing the following MQTT Modules
- MQTT Distributor
- v1.7.1 or greater if using Ignition 7.7.X
- v1.8.1 or greater if using Ignition 7.8.X
- MQTT Engine
- v1.7.3 or greater if using Ignition 7.7.X
- v1.8.3 or greater if using Ignition 7.8.X
- MQTT Distributor
Overview:
MQTT Distributor can be enabled to use TLS for encryption of the communication between MQTT clients. This is useful if MQTT Distributor is used on a public network. Since MQTT communications are not encrypted by default, enabling TLS is highly recommended on a public network. There are two ways this can be done. First is to certificate signed by a publicly trusted certificate authority (CA). While there are nominal costs associated with this, it is the proper and recommended way to go if communicating over the Internet. Alternatively, it is possible to create and use a self-signed certificate. This is useful for debugging and development. However, it is not recommended in production scenarios over the Internet. It is, however, a viable option if utilizing a private network in which encryption is a requirement.
Getting a Certificate from a Certificate Authority:
The first step is to get a certificate from a certificate authority (CA). There are many available such as Verisign, Thawte and RapidSSL. There are also a number of other certificate authorities available. The general process is as follows:
- Generate a RSA key
- This is the private key and used for encryption/decryption of data. Keep this private and don't share it with anyone including the CA. However, the server (MQTT Distributor) will need it to encrypt/decrypt data.
- Create a Certificate Signing Request (CSR)
- Generally the CA can provide instructions on how to generate a CSR. Windows, Linux, and OSX all have tools available for generating a CSR and there is lots of documention online about all of them.
- Give the CSR to the CA
- The CA will then provide back a public certificate for use with MQTT Distributor
- In some cases depending on the CA an intermediate certificate may also be required. If so, the CA will also provide this.
Creating a Self-Signed Certificate:
Coming Soon...
Using the Certificate to Secure Communication with MQTT Distributor:
Whether you are using a certificate issued by a trusted CA or a self-signed certificate, a Java keystore file must be created for use with MQTT Distributor. This keystore will contain the public certificate, the private key, and possibly an intermediate certificate if applicable. There are many ways to create a Java keystore. In this example, we'll show how it can be done using Keystore Explorer. It can run on Windows, OSX, or any other OS that can run Java. It provides an easy to use graphical interface for creating and manipulating Java keystores. After installing Keystore Explorer, open it and you should see something similar to the following. It may ask you to modify some of your Java Security settings before starting. If so, follow the instructions it provides. Select 'Create a new Keystore'
Select a 'JKS' as the type as shown below:
As this point, we need to pull the required components into the keystore. We'll start with the public/private keypair. This is the public certificate and the private key that we originally generated. Click the 'Import Key Pair' icon from the Keystore Explorer menu. It is the icon with two keys and a blue downward arrow:
Overview
Content Tools