Part I – Securing the connection from a remote device to the ThingWorx platform

The goal of this first part is to set up a certificate authority (CA) and sign the certificates used to authenticate MQTT clients. At the end of this part the MQTT broker will only accept clients that present a certificate signed by that CA.

A note on terminology: TLS (Transport Layer Security) is the successor to SSL (Secure Sockets Layer). The two names are often used interchangeably, but every SSL protocol version is deprecated; only TLS should be enabled on the broker.

Requirements


  • The certificates are generated with openssl (check whether your distribution already ships it).


Demonstrations use the open source MQTT broker mosquitto. Install the broker and its command-line clients with apt-get:


$ sudo apt-get install mosquitto

$ sudo apt-get install mosquitto-clients


01.png



Procedure


NOTE: This procedure assumes all the steps will be performed on the same system.


1. Setup a protected workspace

 

Warning: the private keys generated below are not protected with a passphrase.
Create and use a directory that no other user can read, and keep the CA key there.


$ mkdir myCA
$ chmod 700 myCA
$ cd myCA


02.png


2. Setup a CA and generate the server certificates

Download and run the generate-CA.sh script from the OwnTracks tools repository. It creates the certificate authority (CA) files, generates a server key and certificate request, and signs the request with the CA. Read the script before executing it: it is fetched from a third-party repository and runs with your privileges.


NOTE: Open the script to customize it at your convenience.


$ wget https://github.com/owntracks/tools/raw/master/TLS/generate-CA.sh

$ bash ./generate-CA.sh


002.png


004.png


The script produces six files: ca.crt, ca.key, ca.srl, myhost.crt, myhost.csr and myhost.key.

These are:


  • certificates (.crt),
  • private keys (.key),
  • a certificate signing request (.csr),
  • a serial number record file (.srl) that the CA updates each time it signs a certificate.


005.png


Note that the myhost files are named after the machine's host name, so they will have a different name on your system (ubuntu in my case).


Three of them are copied into the /etc/mosquitto/ directories. The CA private key (ca.key) stays in the protected workspace: the broker never needs it, and anyone who reads it can mint client certificates.


$ sudo cp ca.crt /etc/mosquitto/ca_certificates/
006.png

$ sudo cp myhost.crt myhost.key /etc/mosquitto/certs/
007.png

They are referenced in the /etc/mosquitto/mosquitto.conf file with the cafile, certfile and keyfile directives of the TLS listener, like this:


010.png


008.png


After copying the files and modifying the mosquitto.conf file, restart the server:


$ sudo service mosquitto restart

 

011.png

 

3. Checkpoint

 

To validate the setup at this point, use the mosquitto_sub client.

If it is not already installed (it is part of mosquitto-clients), install it:
012.png

Change to the ca_certificates folder and run the command:
013.png

The $SYS topics are updated every 10 seconds (the broker's default sys_interval). If debugging is needed, add the -d flag to mosquitto_sub
and/or look at
/var/log/mosquitto/mosquitto.log.


4. Generate client certificates

The following openssl commands create the client key, a certificate signing request for it, and the certificate signed by our CA:


$ openssl genrsa -out client.key 2048

014.png

$ openssl req -new -out client.csr  -key client.key -subj "/CN=client/O=example.com"

015.png
$ openssl x509 -req -in client.csr -CA ca.crt  -CAkey ca.key -CAserial ./ca.srl -out client.crt  -days 3650 -addtrust clientAuth

016.png


The argument -addtrust clientAuth does not change the signed certificate itself: it only appends a local trust setting to the output file (which then starts with BEGIN TRUSTED CERTIFICATE instead of BEGIN CERTIFICATE), and that setting is honoured only when the file is loaded as a trust anchor. Mosquitto accepts a plain CA-signed certificate as a client certificate; if you want the certificate itself to be restricted to client use, add an extendedKeyUsage = clientAuth extension at signing time with -extfile instead. Like the other keys, client.key has no passphrase, so keep it readable by its owner only (chmod 600).
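The following script is an added example, not the OwnTracks generate-CA.sh and not ThingWorx or mosquitto code. It covers both step 2 and step 4 with plain openssl so that every operation the script hides is visible: a CA, a server certificate whose subjectAltName carries the broker host name, and a client certificate that carries a signed extendedKeyUsage = clientAuth extension rather than an -addtrust annotation. It then checks each certificate against the purpose it will be used for. The CA name "Example MQTT CA", the file names server.* and client.*, and the broker host name passed as the second argument are assumptions of the example.

```shell
#!/bin/sh
# Added example (not the owntracks generate-CA.sh, not ThingWorx or mosquitto
# code): the page's PKI built with plain openssl, plus purpose checks.
# Assumed/hypothetical: CA name "Example MQTT CA", broker host name in $2.
set -e

# Build CA, server and client material in DIR for broker host name HOST.
# Keys are written without a passphrase, as on the page, so DIR is 0700
# and each .key ends up mode 600.
build_pki() {
    dir=$1
    host=$2
    mkdir -p "$dir" && chmod 700 "$dir"

    # openssl req needs a config; shipping our own avoids depending on the
    # distribution's openssl.cnf. prompt = no takes the DN from [dn];
    # -subj on the command line overrides it for the CSRs below.
    printf '%s\n' '[ req ]' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
        'prompt = no' '[ dn ]' 'CN = Example MQTT CA' '[ ca_ext ]' \
        'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' \
        'subjectKeyIdentifier = hash' > "$dir/ca.cnf"

    # 1. CA key and self-signed CA certificate (10 years).
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 3650 \
        -config "$dir/ca.cnf" -out "$dir/ca.crt"

    # 2. Server key, CSR and CA-signed certificate. The SAN must contain the
    #    name clients pass to -h, or TLS host-name verification fails.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -config "$dir/ca.cnf" \
        -subj "/CN=$host" -out "$dir/server.csr"
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature, keyEncipherment' \
        'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$host, DNS:localhost" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAserial "$dir/ca.srl" -CAcreateserial -sha256 -days 825 \
        -extfile "$dir/server.ext" -out "$dir/server.crt"

    # 3. Client key, CSR and certificate. extendedKeyUsage = clientAuth is a
    #    signed extension; -addtrust would only annotate the local file.
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" -config "$dir/ca.cnf" \
        -subj "/CN=client/O=example.com" -out "$dir/client.csr"
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical, digitalSignature' \
        'extendedKeyUsage = clientAuth' > "$dir/client.ext"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAserial "$dir/ca.srl" -sha256 -days 825 \
        -extfile "$dir/client.ext" -out "$dir/client.crt"

    chmod 600 "$dir"/*.key
}

# Chain-and-purpose check: returns openssl verify's status (0 = OK).
# PURPOSE is sslserver or sslclient; the client certificate checked as
# sslserver is rejected with "unsupported certificate purpose".
verify_purpose() {
    openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}

# True when the certificate's text dump contains the given text,
# e.g. "TLS Web Client Authentication" or "DNS:broker.example.com".
cert_has() {
    openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

# Stand-alone use: MQTT_PKI_DIR=./myCA MQTT_HOST=ubuntu sh pki.sh
if [ -n "${MQTT_PKI_DIR:-}" ]; then
    build_pki "$MQTT_PKI_DIR" "${MQTT_HOST:-$(hostname)}"
    verify_purpose "$MQTT_PKI_DIR" server sslserver && echo "server.crt: OK"
    verify_purpose "$MQTT_PKI_DIR" client sslclient && echo "client.crt: OK"
fi
```

Copy ca.crt, server.crt and server.key into the /etc/mosquitto/ directories as in step 2; ca.key and the .csr/.ext files stay in the workspace. The purpose check is what the broker's TLS library does on every handshake: a certificate whose extendedKeyUsage does not include the role it is presented for is rejected, which is why a client certificate cut this way cannot be reused to impersonate the broker.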


5. Reconfigure

 

Edit the mosquitto configuration file

017.png

and add the line require_certificate true to the end of /etc/mosquitto/mosquitto.conf, so that it looks like this:

018.png

Restart the server:

$ sudo service mosquitto restart

019.png

6. Test


The mosquitto_sub command used above now fails, because the broker aborts the TLS handshake when the client presents no certificate:

020.png


Adding the --cert and --key arguments satisfies the server:


$ mosquitto_sub -t \$SYS/broker/bytes/\# -v --cafile ca.crt --cert client.crt --key client.key

The host name given with -h (localhost if omitted) must match the CN or a subjectAltName of the server certificate, otherwise the client refuses the connection; fix the certificate rather than working around a mismatch with --insecure.

021.png

To obtain the corresponding certificate and key for my server (named ubuntu), use the following syntax:

022.png


And run the following command:

023.png



Conclusion


This first part establishes a secure connection from a remote thing to the MQTT broker: the client verifies the broker's certificate, and the broker only admits clients holding a certificate signed by our CA.
In the next part we will restrict this connection to TLS 1.2 clients only and allow the websocket connection.