Openhab MQTT using ssl certificates?


blade...@gmail.com

unread,
Jul 29, 2014, 12:10:19 PM7/29/14
to ope...@googlegroups.com
Hey guys,
I was wondering if there was a way to use certificates for communication with an MQTT broker.

I saw on the page for MQTT configuration that you can use a username and password.

https://github.com/openhab/openhab/wiki/MQTT-Binding


mqtt:mosquitto.url=ssl://test.mosquitto.org:8883
mqtt:mosquitto.user=administrator
mqtt:mosquitto.pwd=mysecret
mqtt:mosquitto.qos=1
mqtt:mosquitto.retain=true
mqtt:mosquitto.async=false


Is there any reason for not using certificates? Is it because Eclipse Paho (the MQTT API we are using in openHAB) does not support certificates?

martin

Martin Naughton

unread,
Jul 29, 2014, 12:54:02 PM7/29/14
to ope...@googlegroups.com, blade...@gmail.com

I saw in the class that a method openconnection() has all these properties. It looks like it can take certificates into account when doing a connection.

https://github.com/openhab/openhab/blob/e3f8d40b041740de34094dfb6f9e3c1232de74e7/bundles/io/org.openhab.io.transport.mqtt/src/main/java/org/openhab/io/transport/mqtt/internal/MqttBrokerConnection.java



import java.util.Properties;

// Collect the com.ibm.ssl.* JVM system properties into a Properties object
// that is then handed to Paho for building the SSL connection.
Properties sslProps = new Properties();
addSystemProperty("com.ibm.ssl.protocol", sslProps);
addSystemProperty("com.ibm.ssl.contextProvider", sslProps);
addSystemProperty("com.ibm.ssl.keyStore", sslProps);
addSystemProperty("com.ibm.ssl.keyStorePassword", sslProps);
addSystemProperty("com.ibm.ssl.keyStoreType", sslProps);
addSystemProperty("com.ibm.ssl.keyStoreProvider", sslProps);
addSystemProperty("com.ibm.ssl.trustStore", sslProps);
addSystemProperty("com.ibm.ssl.trustStorePassword", sslProps);
addSystemProperty("com.ibm.ssl.trustStoreType", sslProps);
addSystemProperty("com.ibm.ssl.trustStoreProvider", sslProps);
addSystemProperty("com.ibm.ssl.enabledCipherSuites", sslProps);
addSystemProperty("com.ibm.ssl.keyManager", sslProps);
addSystemProperty("com.ibm.ssl.trustManager", sslProps);

// Helper called above; body reconstructed from how it is used (copies the
// JVM -D property into props only when it has been set).
private void addSystemProperty(String key, Properties props) {
    String value = System.getProperty(key);
    if (value != null) {
        props.put(key, value);
    }
}

Had a search on the internet for an example of how to fill these. Does anyone have any openHAB documentation on how these should be filled?

com.ibm.ssl.alias=DefaultSSLSettings
com.ibm.ssl.protocol=SSL
com.ibm.ssl.securityLevel=HIGH
com.ibm.ssl.trustManager=SunX509
com.ibm.ssl.keyManager=SunX509
com.ibm.ssl.contextProvider=SunJSSE
com.ibm.ssl.enableSignerExchangePrompt=gui

# Keystore information
com.ibm.ssl.keyStoreName=ClientDefaultKeyStore
com.ibm.ssl.keyStore=${user.root}/etc/keystore.jks
com.ibm.ssl.keyStorePassword=keystore_password
com.ibm.ssl.keyStoreType=JKS
com.ibm.ssl.keyStoreProvider=SUN
com.ibm.ssl.keyStoreFileBased=true

# Truststore information
com.ibm.ssl.trustStoreName=ClientDefaultTrustStore
com.ibm.ssl.trustStore=${user.root}/etc/truststore.jks
com.ibm.ssl.trustStorePassword=truststore_password
com.ibm.ssl.trustStoreType=JKS
com.ibm.ssl.trustStoreProvider=SUN
com.ibm.ssl.trustStoreFileBased=true


Martin Naughton

unread,
Jul 30, 2014, 6:49:13 AM7/30/14
to ope...@googlegroups.com

Martin Naughton

unread,
Jul 30, 2014, 12:20:26 PM7/30/14
to ope...@googlegroups.com
A few more links to help people understand, if they are going through this:

http://publib.boulder.ibm.com/infocenter/ledoc/v6r2/index.jsp?topic=/com.ibm.rcp.tools.doc.admin/configuringsslforthewebcontainer.html
https://gist.github.com/jpmens/8029383
http://publib.boulder.ibm.com/infocenter/wsdoc400/v6r0/index.jsp?topic=/com.ibm.websphere.iseries.doc/info/ae/ae/usec_rassl.html


Since the property com.ibm.ssl.keyStoreClientAlias is missing from the list in the code, it means you have to create a keystore file for openHAB. The keyManager will get the first cert in the keystore if the alias is not provided.

An attempt at configuring the keystore.

-Dcom.ibm.ssl.protocol=SSL
-Dcom.ibm.ssl.contextProvider=SunJSSE
-Dcom.ibm.ssl.enabledCipherSuites   # Leaving this out

-Dcom.ibm.ssl.keyStore=<location of key store>
-Dcom.ibm.ssl.keyStorePassword=<Password for the above keystore file>
-Dcom.ibm.ssl.keyStoreType=JKS (Java Key Store)
-Dcom.ibm.ssl.keyStoreProvider=SUN
-Dcom.ibm.ssl.keyManager=SunX509


-Dcom.ibm.ssl.trustStore=<location of key store>
-Dcom.ibm.ssl.trustStorePassword=<Password for the above keystore file>
-Dcom.ibm.ssl.trustStoreType=JKS (Java Key Store)
-Dcom.ibm.ssl.trustStoreProvider=SUN
-Dcom.ibm.ssl.trustManager=SunX509

Martin Naughton

unread,
Jul 31, 2014, 11:23:21 AM7/31/14
to ope...@googlegroups.com

I found this interesting paragraph. This is why the IBM JVM arguments are in the code.


On the client side, Paho has several options for specifying properties for the creation of SSL sockets (Properties, JVM arguments, etc). However, none of them will work with mosquitto (historically, Paho worked with IBM brokers).

Fortunately, it also accepts a custom made instance of javax.net.ssl.SSLSocketFactory through the method MqttConnectOptions.setSocketFactory() and this works.


Had a look at the Paho GitHub for IBM.
https://github.com/eclipse/paho.mqtt.java/search?q=com.ibm.ssl&type=Code

I saw in this code that it is creating an SSLConnectionFactory using the IBM JVM arguments, or the Java SSL JVM arguments if the IBM arguments are not specified. It checks if IBM is available and defaults to Java if it is not.
https://github.com/eclipse/paho.mqtt.java/blob/52fb0f011aa1442b600aac5957f0be271bc2471b/org.eclipse.paho.client.mqttv3/src/main/java/org/eclipse/paho/client/mqttv3/internal/security/SSLSocketFactoryFactory.java

I thought the IBM JVM arguments were for Java core itself, but they are only used for Paho.

From line 290 onwards it tells you how to configure the IBM JVM arguments for Paho.
https://github.com/eclipse/paho.mqtt.java/blob/d13e69ed00a5ed8a00099bf682d89eb991a271fc/org.eclipse.paho.client.mqttv3/src/main/java/org/eclipse/paho/client/mqttv3/MqttConnectOptions.java
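
An added example (not openHAB's or Paho's own code) of the MqttConnectOptions.setSocketFactory() approach the quoted paragraph describes: a dedicated JKS truststore holding only the broker's CA and a client keystore are loaded, turned into an SSLSocketFactory, and handed to Paho, so the com.ibm.ssl.* property path is not involved at all. The store paths, passwords, broker host and client id are constructed placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.eclipse.paho.client.mqttv3.MqttClient;
import org.eclipse.paho.client.mqttv3.MqttConnectOptions;
public class MqttTlsExample {
    // Load a JKS keystore/truststore from disk with the given password.
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Build a factory that trusts only the CA(s) in the dedicated truststore
    // and presents the client certificate from the keystore (mutual TLS).
    static SSLSocketFactory socketFactory(String trustStorePath, char[] trustPw,
                                          String keyStorePath, char[] keyPw) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(trustStorePath, trustPw));

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keyStorePath, keyPw), keyPw);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths, passwords and broker host (constructed for this example).
        SSLSocketFactory factory = socketFactory(
                "/etc/openhab/truststore.jks", "truststore_password".toCharArray(),
                "/etc/openhab/keystore.jks", "keystore_password".toCharArray());

        MqttConnectOptions opts = new MqttConnectOptions();
        opts.setSocketFactory(factory); // bypasses Paho's com.ibm.ssl.* property handling

        MqttClient client = new MqttClient("ssl://broker.example.invalid:8883", "openhab-client");
        client.connect(opts);
        System.out.println("connected: " + client.isConnected());
        client.disconnect();
    }
}
```

Trusting the CA is not the same as checking that the broker's certificate matches its hostname; confirm whether the Paho version in use performs hostname verification, since early releases did not.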

Martin Naughton

unread,
Jul 31, 2014, 1:32:34 PM7/31/14
to ope...@googlegroups.com
I have gotten as far as openHAB starting, but it is unable to find a trusted cert. I have added the root_ca.cert to my cacert repo. Not sure why it is not finding it.

I discovered as well that the mqtt.client.id value is used to find the cert to use in the cacert file. Since there are already 100 certs in there by default from Java, you create and import the cert with an alias of the same name as mqtt.client.id.


I took out these JVM arguments because they were giving an error of SunX509 is not in SUN.
com.ibm.ssl.keyStoreProvider=SUN
com.ibm.ssl.trustStoreProvider=SUN


Martin Naughton

unread,
Aug 1, 2014, 9:44:22 AM8/1/14
to ope...@googlegroups.com
Got openHAB working with SSL certificates and communicating with a mosquitto broker.


Jan-Piet Mens

unread,
Aug 1, 2014, 10:14:26 AM8/1/14
to ope...@googlegroups.com
> got open hab working with SSL certificates and communicating with a
> mosquitto broker.

Great, how about showing us how you did that or, even better, updating
the openHAB Wiki? :-)

-JP

Ben Jones

unread,
Aug 1, 2014, 3:43:36 PM8/1/14
to ope...@googlegroups.com
Yes great work Martin. I would be very interested to know how you got that working.

John Harrison

unread,
Sep 6, 2014, 11:28:03 AM9/6/14
to ope...@googlegroups.com
There are few things more annoying than a post saying I got it working, but no explanation of how.

Good for you bud, lol!