# MSTC 2019: MQTT w/ ioThinx 4510
###### tags: `Moxa`
:::info
By: Anthony Ho, MUS Applications Engineer
:::
#### Applies to Product
ioThinx 4510, UC-8100A-ME-T-LX version 1.0
#### Firmware Revision
UC-8100A-ME-T-LX version 1.0 Build 18121114
ioThinx 4510 V1.1.0_Build19043017
#### Objective
#### Topology
#### Requirements:
- Mosquitto
- OpenSSL
## Publishing and Subscribing
SSH into the UC-8100 and run the following command to start the Mosquitto broker with its default settings (`-v` enables verbose logging, so every connection and message is shown in this terminal).
```bash
$ sudo mosquitto -v
```
There are many ways to subscribe to the broker. For testing purposes, open a second SSH session to the UC-8100. **Do not close the other session where the broker was started.**
### Using mosquitto_sub to Subscribe
This command subscribes to all topics (`#` is the multi-level wildcard) but prints only the payload on stdout; add `-v` to print the topic as well.
```bash
$ sudo mosquitto_sub -h localhost -t "#"
```
### Using Python3 to Subscribe
This script prints both the topic and the payload on stdout.
```bash
$ cd /home/moxa/mqtt-ioThinx-4510/mqtt-python-client
$ ./ioThinx-sub.py
```
### Using Python3 to Publish
To trigger DOs (digital outputs) on the ioThinx 4510, run the following Python script.
```bash
# Argument -t selects the DO:
#   -t 00 --> DO-00
#   -t 01 --> DO-01
# Argument -v sets the value of the DO selected with -t:
#   -v 1 --> value = 1 --> on
#   -v 0 --> value = 0 --> off
$ ./ioThinx-4510-45MR-2606-pub.py -t 00 -v 1
```
*This script will trigger DO0 to turn on.*
## Publishing and Subscribing with TLS
SSH into the UC-8100 and navigate to the mosquitto directory.
```bash
$ cd /etc/mosquitto
```
Execute the following command to start the broker with default settings.
```bash
$ sudo mosquitto -v
```
Now, if we enable TLS on the ioThinx 4510, the broker will no longer receive messages from the ioThinx, because the broker is still listening in plain text. For TLS to work, we have to configure the Mosquitto broker with a certificate so that it can accept encrypted connections.
In the mosquitto directory, create a file called `sec.cof` and paste the following into it.
```ini
[req]
days = 365
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = <broker IP address>
OU = DAC
O = Moxa Inc.
L = Taipei
ST = Taiwan
C = TW
[v3_req]
keyUsage = critical, digitalSignature, keyAgreement, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
basicConstraints = CA:FALSE
[alt_names]
IP.1 = <broker IP address>
```
**Note**: Replace `<broker IP address>` (in both the `CN` and the `IP.1` line) with the broker's actual IP address. The ioThinx 4510 connects to the broker by IP, so the certificate must carry that IP.
Run the following commands to generate the key and certificates used for TLS encryption.
```bash
$ openssl ecparam -name prime256v1 -genkey -noout -out key.pem
$ openssl req -x509 -nodes -new -key key.pem -out ca.crt -config sec.cof
$ openssl req -new -key key.pem -out certificate.csr -config sec.cof
$ openssl x509 -req -in certificate.csr -CA ca.crt -CAkey key.pem -CAcreateserial -out certificate.crt
```
You should see the following after inputting the last command.
```bash
Signature ok
subject=CN = <Broker IP address>, OU = DAC, O = Moxa Inc., L = Taipei, ST = Taiwan, C = TW
Getting CA Private Key
```
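The commands above, gathered into a script that also performs the check a practitioner wants before pointing the ioThinx at the broker: a loopback TLS 1.2 handshake restricted to the two cipher suites listed under Constraint below, verifying the broker certificate against `ca.crt` by IP address. This is an added example, not code from the page or from Moxa. Two deliberate differences from the page's procedure: the CA signs with its own key rather than the broker's `key.pem`, so a compromised broker key cannot mint further certificates, and the broker certificate keeps the `subjectAltName` from `sec.cof` (without `-extfile`, `openssl x509 -req` discards it). The IP `192.0.2.10` is a constructed placeholder, the subject is shortened to the CN, and `openssl` must be on the PATH.

```python
"""
Added example, not part of the original page: generate the broker CA and
certificate with the OpenSSL commands the page uses, then run a loopback
TLS 1.2 handshake limited to the two cipher suites the ioThinx 4510
supports, verifying the broker certificate against ca.crt by IP address
(the ioThinx cannot use domain names). Assumptions: openssl CLI on PATH,
broker IP 192.0.2.10 is a constructed placeholder, CA and broker use
separate keys, broker certificate keeps the SAN from sec.cof.
"""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

# OpenSSL names of MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_{GCM,CBC}_SHA256
IOTHINX_CIPHERS = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256"

CA_CONF = """[req]
default_md = sha256
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = MQTT lab CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign
"""
# Same extensions as the page's sec.cof; subject shortened to the CN
BROKER_CONF = """[req]
default_md = sha256
distinguished_name = dn
prompt = no
[dn]
CN = {ip}
[v3_req]
keyUsage = critical, digitalSignature, keyAgreement, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
basicConstraints = CA:FALSE
[alt_names]
IP.1 = {ip}
"""


def generate_broker_certs(broker_ip, outdir):
    """Create ca.crt, certificate.crt and key.pem in outdir; return their paths."""
    p = lambda name: os.path.join(outdir, name)
    with open(p("ca.cnf"), "w") as f: f.write(CA_CONF)
    with open(p("sec.cof"), "w") as f: f.write(BROKER_CONF.format(ip=broker_ip))
    # prime256v1 keys: the ECDHE_ECDSA suites require an EC broker certificate
    steps = [
        ["ecparam", "-name", "prime256v1", "-genkey", "-noout", "-out", p("ca.key")],
        ["req", "-x509", "-new", "-days", "365", "-key", p("ca.key"), "-out", p("ca.crt"),
         "-config", p("ca.cnf")],
        ["ecparam", "-name", "prime256v1", "-genkey", "-noout", "-out", p("key.pem")],
        ["req", "-new", "-key", p("key.pem"), "-out", p("certificate.csr"), "-config", p("sec.cof")],
        # -extfile/-extensions carry the SAN over; `openssl x509 -req` drops it otherwise
        ["x509", "-req", "-days", "365", "-in", p("certificate.csr"), "-CA", p("ca.crt"),
         "-CAkey", p("ca.key"), "-CAcreateserial", "-extfile", p("sec.cof"),
         "-extensions", "v3_req", "-out", p("certificate.crt")],
    ]
    for args in steps:
        subprocess.run(["openssl"] + args, check=True, capture_output=True)
    return {"cafile": p("ca.crt"), "certfile": p("certificate.crt"), "keyfile": p("key.pem")}


def handshake_like_iothinx(files, broker_ip):
    """Loopback handshake: server = broker cert, client = ioThinx constraints.
    Returns the negotiated cipher name, or None if the client rejects the broker."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(files["certfile"], files["keyfile"])
    client_ctx = ssl.create_default_context(cafile=files["cafile"])
    client_ctx.minimum_version = client_ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    client_ctx.set_ciphers(IOTHINX_CIPHERS)

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve():
        conn, _ = listener.accept()
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)
        except (ssl.SSLError, OSError):
            pass  # the client side reports the failure
    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        raw = socket.create_connection(listener.getsockname())
        # server_hostname is the IP: it is checked against SAN IP.1, as the ioThinx must do
        with client_ctx.wrap_socket(raw, server_hostname=broker_ip) as tls:
            tls.sendall(b"\x00")
            return tls.cipher()[0]
    except ssl.SSLError:
        return None
    finally:
        worker.join(5)
        listener.close()


def check(broker_ip="192.0.2.10"):
    """None when openssl is missing; else (cipher with the right IP, cipher with a wrong IP)."""
    if shutil.which("openssl") is None:
        return None
    files = generate_broker_certs(broker_ip, tempfile.mkdtemp())
    return handshake_like_iothinx(files, broker_ip), handshake_like_iothinx(files, "192.0.2.99")


if __name__ == "__main__":
    print(check())
```

On a host with OpenSSL, `check()` returns the negotiated cipher for the correct IP (one of the two ECDHE-ECDSA suites) and `None` for the deliberately wrong IP, which is the rejection the ioThinx would produce if the certificate's IP and the configured target host differ. Copy the generated `ca.crt`, `certificate.crt` and `key.pem` into `/etc/mosquitto` to use them with the configuration that follows.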
With that completed, we have to modify `mosquitto.conf` so that the default listener uses the files we just created with OpenSSL, giving SSL/TLS encryption over port 8883. Note that the `listener 1883` line keeps a second, unencrypted listener open; the local `mosquitto_sub` tests below still use it, so remove it once plain-text access is no longer needed.
```bash
# Default listener: TLS on 8883, using the files created with OpenSSL above
port 8883
cafile ca.crt
certfile certificate.crt
keyfile key.pem
tls_version tlsv1.2
# Additional listener: plain-text MQTT on 1883
listener 1883
```
Now, from `/etc/mosquitto` (the `cafile`, `certfile` and `keyfile` paths are relative to the directory the broker is started in), execute the following command to run the broker with the modified configuration.
```bash
$ mosquitto -c mosquitto.conf
```
You should now be able to subscribe and publish with TLS enabled. :100:
### Authentication
To add another layer of security, we can configure the Mosquitto broker to require a valid username and password before a connection is established.
To enable this, add the following lines to `mosquitto.conf`.
```bash
allow_anonymous false
password_file /etc/mosquitto/pwfile
```
To create the password file and add the user `admin` to it, run the following command (`-c` creates the file; the password is entered at the prompt):
```bash
$ sudo mosquitto_passwd -c /etc/mosquitto/pwfile admin
```
Now, if you try subscribing to the broker with `mosquitto_sub`, you will see the following on the stdout.
```bash
Connection Refused: not authorised.
```
To connect as that user, include the username and password (the password entered at the `mosquitto_passwd` prompt, `moxa` in this example).
```bash
$ sudo mosquitto_sub -h localhost -t "#" -u admin -P moxa
```
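The packets behind `mosquitto_sub`, the publish script from "Using Python3 to Publish" above, and the authenticated connection in this section, as an added example that is not part of the original page or of the mqtt-python-client scripts it references. It builds MQTT 3.1.1 CONNECT, PUBLISH and SUBSCRIBE packets with the standard library only and decodes the CONNACK return code that the broker sends back; return code 5 is what `mosquitto_sub` reports as "Connection Refused: not authorised." The client id, topic `iothinx/do/00` and credentials are constructed placeholders.

```python
"""
Added example, not part of the original page or of the mqtt-python-client
scripts it references: builds the MQTT 3.1.1 packets behind mosquitto_sub,
the publish script and the authenticated connection in this section, and
decodes the CONNACK return code that produces "Connection Refused: not
authorised." Standard library only; client id, topic and credentials are
constructed placeholders.
"""
import struct

# CONNACK return codes (MQTT 3.1.1 section 3.2.2.3); wording follows Mosquitto's messages
CONNACK_CODES = {
    0: "Connection Accepted",
    1: "Connection Refused: unacceptable protocol version",
    2: "Connection Refused: identifier rejected",
    3: "Connection Refused: server unavailable",
    4: "Connection Refused: bad user name or password",
    5: "Connection Refused: not authorised",
}


def encode_string(s):
    """MQTT UTF-8 string: 2-byte big-endian length, then the bytes."""
    data = s.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("MQTT strings are limited to 65535 bytes")
    return struct.pack("!H", len(data)) + data


def encode_remaining_length(n):
    """Variable-length integer: 7 bits per byte, high bit set while more bytes follow."""
    if not 0 <= n <= 268_435_455:
        raise ValueError("remaining length out of range")
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def fixed_header(packet_type, flags, body):
    """Fixed header: type in the high nibble, flags in the low nibble, then remaining length."""
    return bytes([(packet_type << 4) | flags]) + encode_remaining_length(len(body)) + body


def build_connect(client_id, username=None, password=None, keepalive=60, clean_session=True):
    """CONNECT (type 1). Username and password set bits 7 and 6 of the connect flags."""
    flags = 0x02 if clean_session else 0x00
    payload = encode_string(client_id)
    if username is not None:
        flags |= 0x80
        payload += encode_string(username)
        if password is not None:
            flags |= 0x40
            payload += encode_string(password)
    elif password is not None:
        raise ValueError("MQTT 3.1.1 does not allow a password without a username")
    variable = encode_string("MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive)
    return fixed_header(1, 0, variable + payload)


def build_publish(topic, payload, qos=0, retain=False, packet_id=None):
    """PUBLISH (type 3). Flags: DUP bit 3, QoS bits 2-1, RETAIN bit 0."""
    if "+" in topic or "#" in topic:
        raise ValueError("wildcards are only valid in subscriptions, not in a PUBLISH topic")
    if qos not in (0, 1, 2) or (qos > 0 and packet_id is None):
        raise ValueError("QoS must be 0, 1 or 2, and QoS 1 and 2 need a packet identifier")
    variable = encode_string(topic)
    if qos > 0:
        variable += struct.pack("!H", packet_id)
    return fixed_header(3, (qos << 1) | int(retain), variable + payload)


def build_subscribe(topic_filter, packet_id, qos=0):
    """SUBSCRIBE (type 8); the flags nibble must be 0b0010. "#" subscribes to every topic."""
    body = struct.pack("!H", packet_id) + encode_string(topic_filter) + bytes([qos])
    return fixed_header(8, 0x02, body)


def parse_connack(data):
    """Returns (session_present, return_code, message) from a raw CONNACK packet."""
    if len(data) != 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError("not a CONNACK packet")
    code = data[3]
    return bool(data[2] & 0x01), code, CONNACK_CODES.get(code, "reserved return code")


if __name__ == "__main__":
    print(build_connect("iothinx", "admin", "moxa").hex())
    print(build_publish("iothinx/do/00", b"1").hex())
    print(parse_connack(b"\x20\x02\x00\x05"))
```

With `allow_anonymous false`, a CONNECT whose flags byte lacks bits 7 and 6 (no credentials, as `build_connect("iothinx")` produces) is answered with return code 5; with credentials that do not match `pwfile`, Mosquitto may answer with code 4 or 5 depending on version. Note that the password travels in the clear inside the CONNECT payload, which is why authentication belongs on the TLS listener on 8883 rather than on the plain-text one on 1883.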
## Constraint
:::warning
- ioThinx 4510 does not support using a domain name for the MQTT target host
- The majority of SSL certificates are issued to domain names; it is still rare to see a certificate for an IP address signed by a well-known trusted CA
- ioThinx 4510 only supports the following cipher suites:
  - MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
:::