MQTT Distributor adds a configuration section to the Ignition Gateway. It can be found in the Configure section of the Ignition Gateway web UI, in the left-hand navigation panel: Configure → MQTT Distributor → Settings.
Once in the Settings section there are two tabs. Each has a number of configuration options as described below.
These are the global MQTT Server configuration parameters. For more details on enabling TLS for the MQTT Server see this tutorial: TLS Enable MQTT Distributor.
Enable TCP
This denotes whether or not to enable plain TCP connections. This is enabled by default.
Enable TLS
This denotes whether or not to enable TLS connections. If TLS is used, a Java Keystore file must be uploaded to secure the connection. This is not enabled by default.
These are the username/password pairs that are allowed to connect to the MQTT Server, together with the Access Control Lists (ACLs) for each user. MQTT Distributor requires every client connecting to the MQTT Server to provide a valid username and password that is provisioned here. Any client attempting an anonymous connection will be rejected. ACLs control which topics a given username/password pair is allowed to publish and subscribe on. They are described later on this page.
Each user has the following configuration:
ACL Format
ACLs are defined by the following format: [R|W|RW] topic
where:
R = Read or 'subscribe' privileges
W = Write or 'publish' privileges
RW = Read and Write (subscribe and publish) privileges
topic = The topic or wildcard topic representing the scope of the privilege
Examples:
RW #
R #
W #
W device_one/temp/#,R state/#
ACLs should be designed with a 'principle of least privilege' model while also considering device management and maintenance. For example, gateways and devices in the field should be limited to publishing and subscribing only on the topics they are expected to use. The same should be true of 'consumer' applications that will be either sending commands to devices in the field or consuming data coming from those devices.
It is also important to note that a username is not limited to a single MQTT client. A username/password pair could be used for multiple MQTT clients.
If you are new to MQTT topics, the Eclipse Foundation's Paho project provides good information on the basics of wildcards.
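To review a planned ACL string against the least-privilege guidance above before provisioning it, the following added example (not Cirrus Link code) parses the `[R|W|RW] topic` format and checks concrete topic names against it. The function names are hypothetical, the wildcard matching follows the MQTT specification, and it is an assumption that MQTT Distributor evaluates ACLs the same way.

```python
# Added example, not Cirrus Link code. Wildcard matching follows the MQTT
# specification; that MQTT Distributor evaluates ACLs the same way is assumed.

def parse_acl(acl):
    """Parse 'W device_one/temp/#,R state/#' into [(privileges, filter), ...]."""
    entries = []
    for item in acl.split(","):
        parts = item.strip().split(None, 1)
        if len(parts) != 2 or parts[0] not in ("R", "W", "RW"):
            raise ValueError("malformed ACL entry: %r" % item)
        levels = parts[1].strip().split("/")
        for i, level in enumerate(levels):
            # '#' must be the whole last level; '+' must be a whole level.
            if ("#" in level and (level != "#" or i != len(levels) - 1)) or \
                    ("+" in level and level != "+"):
                raise ValueError("invalid wildcard in: %r" % item)
        entries.append((parts[0], "/".join(levels)))
    return entries


def filter_matches(topic_filter, topic):
    """Match a concrete topic name against a filter containing '+' and '#'."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return True  # matches the parent level and everything below it
        if i >= len(t_levels) or (f != "+" and f != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


def is_allowed(acl, action, topic):
    """action: 'R' (subscribe) or 'W' (publish); topic: a concrete topic name."""
    if action not in ("R", "W"):
        raise ValueError("action must be 'R' or 'W'")
    return any(action in privs and filter_matches(f, topic)
               for privs, f in parse_acl(acl))


def overly_broad(acl):
    """Entries rooted at '#', e.g. 'RW #', which cover every topic."""
    return [(privs, f) for privs, f in parse_acl(acl) if f == "#"]


if __name__ == "__main__":
    field_device = "W device_one/temp/#,R state/#"  # example ACL from this page
    print(is_allowed(field_device, "W", "device_one/temp/sensor1"))  # publish
    print(is_allowed(field_device, "W", "state/online"))             # publish
    print(overly_broad("RW #"))
```

The check covers concrete topic names only; how the server treats a client's wildcard subscription filter against an ACL entry is not described on this page.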