4 Replies Latest reply on Sep 26, 2016 12:40 PM by smarino
    smarino Newbie

    SSL/TLS MQTT

    Hello.


    I would like to connect my Thingworx platform 7.2 to a MQTT broker in secure mode (SSL/TLS).

    I’m using ActiveMQ 5.3 as the MQTT broker and the MQTT Thingworx extension as the connector.


    I successfully tested the connection without SSL mode.


    However, I could not implement secure mode connection.

    I have made two changes to the activemq.xml file.

    a) Instead of the line

    <transportConnector name="mqtt" uri="mqtt://0.0.0.0:1883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>,

    I used

    <transportConnector name="mqtt+nio+ssl" uri="mqtt+nio+ssl://0.0.0.0:8883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>

    b) I added

    <sslContext>
        <sslContext keyStore="file:${activemq.base}/conf/activemq.ks"
                    keyStorePassword="password"
                    trustStore="file:${activemq.base}/conf/activemq.ts"
                    trustStorePassword="password" />
    </sslContext>

    1. Activemq.ks is a keystore containing the certificate I generated for the broker.
    2. Activemq.ts is a keystore containing the certificate I generated for the broker clients.

    I tested the ActiveMQ server with the MQTT.fx client tool. I could connect in SSL/TLS mode, with the TLSv2 protocol option and the CA certificate keystore option, by importing the broker client certificate I made into the keystore for MQTT.



    My questions:

    1) Is my ActiveMQ configuration proper?

    2) Where should I put the broker client certificate on the Thingworx side?

    3) Perhaps the MQTT Thingworx extension uses Tomcat to communicate with the ActiveMQ broker? Following this assumption, I modified the server.xml file of the Tomcat configuration.

    Below is one of my unsuccessful tests:
    a) I added this connector


    <Connector
        port="8443"
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150"
        SSLEnabled="true"
        scheme="https"
        secure="true"
        clientAuth="true"
        sslProtocol="TLS"
        enableLookups="false"
        keystoreFile="conf/tomcat.ks" keystorePass="password"
        truststoreFile="conf/tomcat.ts" truststorePass="password"
        >
    </Connector>

    Tomcat.ks is a keystore containing the certificate I generated for the broker clients.

    Tomcat.ts is a keystore containing the certificate I generated for the broker.

    I removed this line:

    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

    4) Instead of the MQTT Thingworx extension, is it possible to use the ActiveMQ extension for a secure SSL/TLS connection through ActiveMQ?


    Thank you for your attention.

    Best regards,

        Sergio Marino
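An added example, not from the original post and not the Thingworx extension's own code, showing the client half of the mutual-TLS setup described above with the Eclipse Paho Java client: the client's own certificate and key go in its keystore, the broker's certificate (or its CA) goes in its truststore, and a handshake failure points at whichever side is missing. Keystore paths, passwords and the broker host are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.eclipse.paho.client.mqttv3.MqttClient;
import org.eclipse.paho.client.mqttv3.MqttConnectOptions;
import org.eclipse.paho.client.mqttv3.MqttException;

/** Connects to an MQTT broker on 8883 with mutual TLS (broker configured as in activemq.xml above). */
public class MqttMutualTlsCheck {

    // Placeholder paths mirroring the post's naming: keystore = this client's cert + key,
    // truststore = the broker certificate this client is willing to accept.
    static final String CLIENT_KEYSTORE = "conf/client.ks";
    static final String CLIENT_TRUSTSTORE = "conf/client.ts";
    static final char[] PASSWORD = "password".toCharArray();

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static SSLSocketFactory buildSocketFactory() throws Exception {
        // KeyManagers: the identity we present when the broker asks for a client certificate.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(CLIENT_KEYSTORE, PASSWORD), PASSWORD);
        // TrustManagers: the broker certificates we accept; this is where the broker cert belongs.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(CLIENT_TRUSTSTORE, PASSWORD));
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        MqttClient client = new MqttClient("ssl://broker.example:8883", "tls-check"); // placeholder host
        MqttConnectOptions opts = new MqttConnectOptions();
        opts.setSocketFactory(buildSocketFactory());
        try {
            client.connect(opts);
            System.out.println("Connected over mutual TLS");
            client.disconnect();
        } catch (MqttException e) {
            // "unable to find valid certification path" here means the truststore lacks the broker cert;
            // a broker-side "null cert chain" means the broker's truststore lacks this client's cert.
            System.err.println("TLS/MQTT connect failed: " + e.getMessage());
        }
    }
}
```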