Prevent unexpected registration with MQTT

[Sebastien Risler]

Hi all,

How can we manage authorities on the mqtt channel?

As far as I can understand, a device can register itself. It means that any mqtt client with server IP address can create as many devices as it wants, even to the point of crashing the server.

Is there a way/good practise to avoid that?

Thanks

[Derek Adams]

There are a couple of options. One option is to turn off auto-registration so that devices can not self register, then use the REST services to add new devices instead. Another option is to require a TLS connection from the MQTT client to the broker, though this requires a more powerful device to handle the added computation. To secure the broker/SiteWhere connection, you can enable TLS between the two to prevent man-in-the-middle attacks. We will also be looking into other security options as we move toward SiteWhere 2.0.