1.Background:

As you know, the architecture of the gateway is as follows:

The MQTT broker could be deployed either inside or outside the gateway.  As security is becoming more and more important in Iot network, it could be a critical problem if the broker is outside the gateway. It’s recommended to connect the gateway and the MQTT broker over a secure connection. This article demonstrates how to connect the gateway to a MQTT broker over TLS.

2.Steps of setting up the secured connection:

The gateway used in this demonstration is based on Z3GatewayHost(EmberZnet 6.4.0), running on Cygwin + Win10. The broker is “Apache Apollo” running on a Ubuntu 18.04 system.

2.1 Setting up the broker:

       2.1.1 Install broker

Download “Apache Apollo” from https://activemq.apache.org/apollo/download.html. Uncompress the package.

       2.1.2 Create a broker instance

jim@jimubuntu:~/develop/broker/apache-apollo-1.7.1$ bin/apollo create mybroker

       2.1.3 Run the broker instance

jim@jimubuntu:~/develop/broker/apache-apollo-1.7.1$ cd mybroker/bin
jim@jimubuntu:~/develop/broker/apache-apollo-1.7.1/mybroker/bin$ ./apollo-broker run

    _____                .__  .__
   /  _  \ ______   ____ |  | |  |   ____
  /  /_\  \\____ \ /  _ \|  | |  |  /  _ \
 /    |    \  |_> >  <_> )  |_|  |_(  <_> )
 \____|__  /   __/ \____/|____/____/\____/
         \/|__|  Apache Apollo (1.7.1)


Loading configuration file '/home/jim/develop/broker/apache-apollo-1.7.1/mybroker/etc/apollo.xml'.
INFO  | OS     : Linux 4.15.0-36-generic (Ubuntu 18.04.1 LTS)
INFO  | JVM    : OpenJDK 64-Bit Server VM 1.8.0_181 (Oracle Corporation)
INFO  | Apollo : 1.7.1 (at: /home/jim/develop/broker/apache-apollo-1.7.1)
INFO  | OS is restricting the open file limit to: 100000
INFO  | Accepting connections at: tcp://0.0.0.0:61613
INFO  | Accepting connections at: tls://0.0.0.0:61614
INFO  | Starting store: leveldb store at /home/jim/develop/broker/apache-apollo-1.7.1/mybroker/data
INFO  | Accepting connections at: ws://0.0.0.0:61623/
INFO  | Accepting connections at: wss://0.0.0.0:61624/
INFO  | virtual host startup is waiting on store startup
INFO  | virtual host startup is no longer waiting.  It waited a total of 1 seconds.
INFO  | Administration interface available at: https://127.0.0.1:61681/
INFO  | Administration interface available at: http://127.0.0.1:61680/

        2.1.4 Get the IP address of the broker

jim@jimubuntu:~$ ifconfig
enp0s8: flags=4163  mtu 1500
        inet 192.168.56.101  netmask 255.255.255.0  broadcast 192.168.56.255
        inet6 fe80::7b92:ce7b:8c37:d508  prefixlen 64  scopeid 0x20
        ether 08:00:27:2c:b8:a6  txqueuelen 1000  (Ethernet)
        RX packets 130  bytes 16701 (16.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 185  bytes 34178 (34.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

2.2 Setting up the gateway:

       2.2.1 create the Z3GatewayHost project, then select the following plugins

• Paho MQTT
• Device Table
• OTA Bootload Cluster Server
• Command Relay
• cJSON
• Gateway Relay Mqtt
• Gateway MQTT Transport

In the properties page of the plugin “Gateway MQTT Transport”, set the URL of the broker to ssl://192.168.56.101:61614. The prefix of the URL should be either “tcp://” for non-secured connection or “ssl://” for secured connection.

       2.2.2 Define a macro “OPENSSL” to enable openssl

       2.2.3 Save and generate the project

       2.2.4 Modify the Makefile of the project

First, add one source file into the makefile:

../../../util/third_party/paho.mqtt.c/src/SSLSocket.c

Second, link the ssl and crypto library to the project:

LINKER_FLAGS ?=-lssl -lcrypto

       2.2.5 Add initialization of the ssl option in the function emberAfPluginTransportMqttInitCallback

MQTTAsync_SSLOptions g_ssl_options = { {'M', 'Q', 'T', 'S'}, 0, NULL, NULL, NULL, NULL, NULL, 0 };  //defined the ssl option. 

void emberAfPluginTransportMqttInitCallback(void)
{
  emberAfCorePrintln("MQTT Client Init");
  EmberEUI64 eui64;
  char euiString[EUI64_NULL_TERMINATED_STRING_SIZE] = { 0 };
  int status;

  status = pthread_mutex_init(&mqttConnectedLock, NULL);
#ifndef EMBER_TEST
  if (status != 0) {
    emberAfCorePrintln("pthread_mutex_init failed, status = 0x%X", status);
    assert(false);
  }
#endif

  // Save our EUI information
  emberAfGetEui64(eui64);
  snprintf(euiString,
           EUI64_NULL_TERMINATED_STRING_SIZE,
           "%02X%02X%02X%02X%02X%02X%02X%02X",
           eui64[7],
           eui64[6],
           eui64[5],
           eui64[4],
           eui64[3],
           eui64[2],
           eui64[1],
           eui64[0]);

  strcat(mqttClientIdString, EMBER_AF_PLUGIN_TRANSPORT_MQTT_CLIENT_ID_PREFIX);
  strcat(mqttClientIdString, euiString);
  emberAfCorePrintln("MQTT Client ID = %s", mqttClientIdString);

  status = MQTTAsync_create(&mqttClient,
                            EMBER_AF_PLUGIN_TRANSPORT_MQTT_BROKER_ADDRESS,
                            mqttClientIdString,
                            MQTTCLIENT_PERSISTENCE_NONE,
                            NULL); // persistence_context is NULL since
                                   // persistence is NONE
  if (status != MQTTASYNC_SUCCESS) {
    emberAfCorePrintln("MQTTAsync_create failed, status = 0x%X", status);
    assert(false);
  }

  status = MQTTAsync_setCallbacks(mqttClient,
                                  NULL, // context is NULL, no app context used
                                        // here
                                  mqttConnectionLostCallback,
                                  mqttMessageArrivedCallback,
                                  NULL); // dc is NULL,
                                         // MQTTAsync_deliveryComplete unusued
  if (status != MQTTASYNC_SUCCESS) {
    emberAfCorePrintln("MQTTAsync_setCallbacks failed, status = 0x%X", status);
    assert(false);
  }

  //init the ssl option used in the connecting process
  mqttConnectOptions.username = "admin";
  mqttConnectOptions.password = "password";
  mqttConnectOptions.ssl = &g_ssl_options;

  mqttConnectOptions.keepAliveInterval = MQTT_KEEP_ALIVE_INTERVAL_S;
  mqttConnectOptions.cleansession = 1;
  mqttConnectOptions.onSuccess = mqttConnectSuccessCallback;
  mqttConnectOptions.onFailure = mqttConnectFailureCallback;
  mqttConnectOptions.context = mqttClient;

// Note that this won't try to connect to MQTT if we are in EMBER_TEST mode
// because the simulator doesn't work with this plugin, we will simply not
// start and never fire our connection event
#ifndef EMBER_TEST
  // Start our connection event timer to attempt to connect to the broker
  emberEventControlSetActive(
    emberAfPluginTransportMqttBrokerReconnectEventControl);
#endif
}

       2.2.6 Build the project and run

The gateway will keep trying to connect the MQTT broker after startup.

3.Demostration:

       3.1 On the gateway side:

       3.2 On the broker side:

       3.3 The communication between the gateway of the broker is over TLS:

       3.4 Test with MQTT client:

       3.4.1 Install MQTT client

Download paho.ui.app from https://repo.eclipse.org/content/repositories/paho-releases/org/eclipse/paho/org.eclipse.paho.ui.app/, uncompress the package.

       3.4.2 Connect the MQTT to broker

Click “+” button to create a new connection, and then set the URL of the broker, then fill the account info or ssl info in the “options” panel, and then connect.

After connected, you can send commands to gateway through the topic “gw//commands”. (Please refer to section 6.3 of UG129 to get detail the topics supported by Z3GatewayHost).

       3.4.3 Send commands to gateway

The message must be in JSON format (Please refer to section 6.3 of UG129 for details). Here we send below commands to the topic “gw/000B57FFFE648DD8/commands”:

{
"commands":[
{
"commandcli":"zcl on-off toggle",
"postDelayMs":0
},
{
"commandcli":"send 0xf4ef 1 1",
"postDelayMs":0
}
]
}

If the commands are received by the gateway, it will send a on-off toggle message to the node 0xf4ef. We can capture the Zigbee packets in the sniffer.