Connect WM2000 to MQTT Broker with TLS
Hardware Requirements:
WM2000 module
WM2000 evaluation board (WM2000EV)
TypeC-to-USB cable to power up the EV board
Router for Network LAN
Computer with VirtualBox (or any other hypervisor) pre-installed for creating a VM
Software Requirements:
WM2000 latest firmware file on your computer
TDST (Tibbo Device Server Toolkit) on your computer
TIDE (Tibbo Integrated Development Environment) on your computer
MQTT.fx (or any MQTT client) application pre-installed on your laptop
Virtual Machine (Ubuntu, running in VirtualBox) with the mosquitto server and client, OpenSSL, and an updated package manager pre-installed
CODY for Startup:
Generate the project using Cody by selecting WM2000EV as your device; in the "Features" tab enable the MQTT feature and fill in the respective details.
Since we use username/password authentication in addition to TLS 1.2, you have to define the same username and password that you created on the mosquitto server.
*NOTE: Please enable the TLS feature
In the "WI-FI WM2000" feature, either enable DHCP or enter the static IP address of the WM2000 module according to your LAN settings.
Fill in the access point credentials of your LAN; the WM2000 is a Wi-Fi-only module, so there is no other way for it to connect to the LAN.
If you are connecting multiple WM2000 modules to the mosquitto server, download the project file to your computer and make the necessary changes in the TIDE project file: the IP address of each WM2000 and its Client ID.
Client ID is an important parameter: if multiple clients connect to the mosquitto server, each WM2000 module must have a unique "Client ID".
I have also added a small code structure that publishes a message from the WM2000 five times at a system-time interval; you can add your own logic to test and verify the results.
Project steps:
- Generate Certificates:
- Create the CA on your mosquitto server; generate the broker certificate and then sign it with the CA so that clients can validate it
- It is better to create a directory under the mosquitto default location, /etc/mosquitto/your_directory, to store the certificates in a defined place, and then reference the same paths in the mosquitto configuration file
$ sudo mkdir certs
$ cd certs
$ sudo mkdir ca
$ cd ca/
$ sudo openssl req -new -x509 -days 365 -extensions v3_ca -keyout ca.key -out ca.crt
Generating a RSA private key
.....+++++
................................+++++
writing new private key to 'ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:IP Address of your machine***
Email Address []:
$ ls
ca.crt ca.key
$ cd ..
- Create the broker key pair and Certificate Signing Request (csr), then pass the csr file to our CA for signing
$ sudo mkdir broker
$ cd broker
$ sudo openssl genrsa -out broker.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................................................................................................................+++++
.......................................................................................+++++
e is 65537 (0x010001)
$ ls
broker.key
$ sudo openssl req -out broker.csr -key broker.key -new
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:IP Address of your machine***
Email Address []:
A challenge password []:
An optional company name []:
$ ls
broker.csr broker.key
***When filling in the above details to generate the csr file, take care: in the Common Name field you have to provide the IP address of the machine
- Now we can pass the Certificate Signing Request (csr) file to the CA for signing
$ sudo openssl x509 -req -in broker.csr -CA ../ca/ca.crt -CAkey ../ca/ca.key -CAcreateserial -out broker.crt -days 365
Signature ok
subject=C = TW, ST = , L = , O = , CN = IP Address of your machine***, emailAddress =
Getting CA Private Key
Enter pass phrase for ../ca/ca.key:
$ ls
broker.crt broker.csr broker.key
$ cd ..
- Note the location (path) of the certificates on the VM, as you will need them later for the mosquitto server config file
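The certificate steps above, scripted as an added example (not from the original article or Tibbo's documentation) so they can be repeated per VM, with two checks worth running before the files are used: that broker.crt verifies against ca.crt, and that the broker IP appears as a subjectAltName as well as in the CN, since TLS clients that follow RFC 6125 match IP addresses against the SAN. It also writes the DER copy of the CA certificate that the TIDE "Resource" step needs later. The scratch directory and the broker IP argument are assumptions; the page itself uses /etc/mosquitto/certs.

```shell
#!/bin/sh
# Added example (not from the original article): a non-interactive version of
# the CA -> broker certificate steps above, followed by the two checks worth
# running before the files go to /etc/mosquitto/certs and the TIDE project.
#   1. openssl verify confirms broker.crt really chains to ca.crt.
#   2. The broker IP is present as a subjectAltName, not only as the CN:
#      TLS clients following RFC 6125 match IP addresses against the SAN.
# Also writes the DER copy of the CA certificate (ca.cer) that the TIDE
# "Resource" step needs. Assumptions (not from the page): $2 is the broker
# VM's LAN IP and $1 is a scratch directory instead of /etc/mosquitto/certs.
set -eu

make_mqtt_certs() {
    dir=$1; ip=$2
    mkdir -p "$dir/ca" "$dir/broker"
    # CA: 365-day self-signed cert as on the page. -nodes skips the passphrase
    # prompt so this runs unattended; protect ca.key with file permissions.
    openssl req -new -x509 -days 365 -nodes -extensions v3_ca \
        -subj "/C=TW/CN=WM2000 lab CA" \
        -keyout "$dir/ca/ca.key" -out "$dir/ca/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca/ca.key"
    # Broker key and CSR; CN is the broker IP, as the page requires.
    openssl genrsa -out "$dir/broker/broker.key" 2048 2>/dev/null
    openssl req -new -key "$dir/broker/broker.key" -subj "/C=TW/CN=$ip" \
        -out "$dir/broker/broker.csr" 2>/dev/null
    # Sign with the CA, adding the IP SAN and serverAuth usage via an ext file.
    printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$ip" \
        > "$dir/broker/san.ext"
    openssl x509 -req -in "$dir/broker/broker.csr" -CA "$dir/ca/ca.crt" \
        -CAkey "$dir/ca/ca.key" -CAcreateserial -days 365 \
        -extfile "$dir/broker/san.ext" -out "$dir/broker/broker.crt" 2>/dev/null
    # DER-encoded copy of the CA cert for the TIDE "Resource" file.
    openssl x509 -in "$dir/ca/ca.crt" -outform DER -out "$dir/ca/ca.cer"
}

# Check 1: exit status 0 only if broker.crt chains to ca.crt.
verify_chain() {
    openssl verify -CAfile "$1/ca/ca.crt" "$1/broker/broker.crt" >/dev/null 2>&1
}

# Check 2: prints "yes" if the broker cert carries $2 as an IP SAN, else "no".
has_ip_san() {
    if openssl x509 -in "$1/broker/broker.crt" -noout -text 2>/dev/null \
        | grep -q "IP Address:$2"; then echo yes; else echo no; fi
}
```

Run as `make_mqtt_certs /tmp/mqtt-certs 192.168.1.50 && verify_chain /tmp/mqtt-certs`, then copy the ca/ and broker/ directories to the paths named in default.conf.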
- Mosquitto Server:
- The mosquitto server is installed at the default location /etc/mosquitto in the Ubuntu VM
- Enable the authentication on mosquitto server
sudo mosquitto_passwd -c /etc/mosquitto/passwd em2000
- em2000 is the user name; choose a password of your choice (in my case it is "tibbo"), which must match the one in the TIDE project file
- Create the default conf file of the mosquitto server
sudo nano /etc/mosquitto/conf.d/default.conf
- Contents of default.conf:
allow_anonymous false
password_file /etc/mosquitto/passwd
port 8883
#capath /etc/mosquitto/certs/ca
cafile /etc/mosquitto/certs/ca/ca.crt
# Path to the PEM encoded server certificate.
certfile /etc/mosquitto/certs/broker/broker.crt
# Path to the PEM encoded keyfile.
keyfile /etc/mosquitto/certs/broker/broker.key
require_certificate false
tls_version tlsv1.2
- Change the certificate paths in the mosquitto config file to their actual locations on your VM
- All the above steps enable TLS 1.2 and username/password authentication on the mosquitto server in your VM; with require_certificate false, only the broker presents a certificate, and clients are authenticated by password rather than by client certificates
- Enable the UFW firewall on the VM and allow ports 1883 and 8883 (TLS 1.2), reload UFW and restart the mosquitto service in the VM
- Copy the CA certificate (in my case "ca.crt") to your computer and convert it to a DER-encoded binary X.509 file (.CER) (in my case "ca.cer") using the method described here: https://docs.tibbo.com/taiko/object_sock_tls_cert
- Now copy the DER-encoded X.509 file (ca.cer) to the TIDE project folder and add it as a "Resource" file in the project
- Open the MQTT.fx application on your computer and enter the server IP address, port number, authentication parameters and the SSL/TLS certificate path on your computer
- Test the communication between the MQTT.fx application and the mosquitto server; if it fails, check the certificate path, that the correct certificate is used, and the IP address and port number
- If communication between the MQTT.fx application and the mosquitto server works, open the TIDE project file and start compiling
- If there are no compile errors you can start debugging, and the module will auto-publish its messages to the subscriber
Final results will appear like this