Zigbee & Thread Knowledge Base
How to connect the gateway to an MQTT broker over TLS
1.Background:
As you know, the architecture of the gateway is as follows:
The MQTT broker can be deployed either inside or outside the gateway. As security becomes more and more important in IoT networks, an unprotected link to a broker outside the gateway can be a critical problem. It is recommended to connect the gateway and the MQTT broker over a secure connection. This article demonstrates how to connect the gateway to an MQTT broker over TLS.
2.Steps of setting up the secured connection:
The gateway used in this demonstration is based on Z3GatewayHost (EmberZNet 6.4.0), running on Cygwin on Windows 10. The broker is “Apache Apollo” running on an Ubuntu 18.04 system.
2.1 Setting up the broker:
2.1.1 Install broker
Download “Apache Apollo” from https://activemq.apache.org/apollo/download.html. Uncompress the package.
2.1.2 Create a broker instance
2.1.3 Run the broker instance
jim@jimubuntu:~/develop/broker/apache-apollo-1.7.1$ cd mybroker/bin
jim@jimubuntu:~/develop/broker/apache-apollo-1.7.1/mybroker/bin$ ./apollo-broker run
Apache Apollo (1.7.1)
Loading configuration file '/home/jim/develop/broker/apache-apollo-1.7.1/mybroker/etc/apollo.xml'.
INFO | OS : Linux 4.15.0-36-generic (Ubuntu 18.04.1 LTS)
INFO | JVM : OpenJDK 64-Bit Server VM 1.8.0_181 (Oracle Corporation)
INFO | Apollo : 1.7.1 (at: /home/jim/develop/broker/apache-apollo-1.7.1)
INFO | OS is restricting the open file limit to: 100000
INFO | Accepting connections at: tcp://0.0.0.0:61613
INFO | Accepting connections at: tls://0.0.0.0:61614
INFO | Starting store: leveldb store at /home/jim/develop/broker/apache-apollo-1.7.1/mybroker/data
INFO | Accepting connections at: ws://0.0.0.0:61623/
INFO | Accepting connections at: wss://0.0.0.0:61624/
INFO | virtual host startup is waiting on store startup
INFO | virtual host startup is no longer waiting. It waited a total of 1 seconds.
INFO | Administration interface available at: https://127.0.0.1:61681/
INFO | Administration interface available at: http://127.0.0.1:61680/
2.1.4 Get the IP address of the broker
2.2 Setting up the gateway:
2.2.1 Create the Z3GatewayHost project, then select the following plugins:
Paho MQTT
Device Table
OTA Bootload Cluster Server
Command Relay
cJSON
Gateway Relay Mqtt
Gateway MQTT Transport
In the properties page of the plugin “Gateway MQTT Transport”, set the URL of the broker to ssl://192.168.56.101:61614. The prefix of the URL should be either “tcp://” for a non-secured connection or “ssl://” for a secured connection.
2.2.2 Define a macro “OPENSSL” to enable openssl
2.2.3 Save and generate the project
2.2.4 Modify the Makefile of the project
First, add one source file into the makefile:
Second, link the ssl and crypto library to the project:
LINKER_FLAGS ?=-lssl -lcrypto
2.2.5 Add initialization of the SSL options in the function emberAfPluginTransportMqttInitCallback
// SSL options handed to MQTTAsync_connect. This is struct version 0, whose fields
// after the header are trustStore, keyStore, privateKey, privateKeyPassword,
// enabledCipherSuites and enableServerCertAuth. With them all NULL/0 the link is
// encrypted but the broker certificate is not verified; point trustStore at the
// broker's CA and set enableServerCertAuth to 1 to authenticate the broker as well.
MQTTAsync_SSLOptions g_ssl_options = { {'M', 'Q', 'T', 'S'}, 0, NULL, NULL, NULL, NULL, NULL, 0 };

void emberAfPluginTransportMqttInitCallback(void)
{
  emberAfCorePrintln("MQTT Client Init");
  EmberEUI64 eui64;
  char euiString[EUI64_NULL_TERMINATED_STRING_SIZE] = { 0 };
  int status;

  status = pthread_mutex_init(&mqttConnectedLock, NULL);
#ifndef EMBER_TEST
  if (status != 0) {
    emberAfCorePrintln("pthread_mutex_init failed, status = 0x%X", status);
    assert(false);
  }
#endif

  // Save our EUI information (printed big-endian, eui64[7] first)
  emberAfGetEui64(eui64);
  snprintf(euiString,
           EUI64_NULL_TERMINATED_STRING_SIZE,
           "%02X%02X%02X%02X%02X%02X%02X%02X",
           eui64[7], eui64[6], eui64[5], eui64[4],
           eui64[3], eui64[2], eui64[1], eui64[0]);
  strcat(mqttClientIdString, EMBER_AF_PLUGIN_TRANSPORT_MQTT_CLIENT_ID_PREFIX);
  strcat(mqttClientIdString, euiString);
  emberAfCorePrintln("MQTT Client ID = %s", mqttClientIdString);

  status = MQTTAsync_create(&mqttClient,
                            EMBER_AF_PLUGIN_TRANSPORT_MQTT_BROKER_ADDRESS, // ssl://... from the plugin options
                            mqttClientIdString,
                            MQTTCLIENT_PERSISTENCE_NONE,
                            NULL); // persistence_context is NULL since persistence is NONE
  if (status != MQTTASYNC_SUCCESS) {
    emberAfCorePrintln("MQTTAsync_create failed, status = 0x%X", status);
    assert(false);
  }

  status = MQTTAsync_setCallbacks(mqttClient,
                                  NULL, // context is NULL, no app context used here
                                  mqttConnectionLostCallback,
                                  mqttMessageArrivedCallback,
                                  NULL); // dc is NULL, MQTTAsync_deliveryComplete unused
  if (status != MQTTASYNC_SUCCESS) {
    emberAfCorePrintln("MQTTAsync_setCallbacks failed, status = 0x%X", status);
    assert(false);
  }

  // Connect options, including the SSL options used in the connecting process
  mqttConnectOptions.username = "admin";    // Apollo's default administrator account;
  mqttConnectOptions.password = "password"; // change these before deploying the gateway
  mqttConnectOptions.ssl = &g_ssl_options;  // selects TLS for an ssl:// broker address
  mqttConnectOptions.keepAliveInterval = MQTT_KEEP_ALIVE_INTERVAL_S;
  mqttConnectOptions.cleansession = 1;
  mqttConnectOptions.onSuccess = mqttConnectSuccessCallback;
  mqttConnectOptions.onFailure = mqttConnectFailureCallback;
  mqttConnectOptions.context = mqttClient;

  // Note that this won't try to connect to MQTT if we are in EMBER_TEST mode
  // because the simulator doesn't work with this plugin; we will simply not
  // start and never fire our connection event
#ifndef EMBER_TEST
  // Start our connection event timer to attempt to connect to the broker
  emberEventControlSetActive(emberAfPluginTransportMqttBrokerReconnectEventControl);
#endif
}
2.2.6 Build the project and run
The gateway will keep trying to connect to the MQTT broker after startup.
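Added example, not part of the article or of the Z3GatewayHost/Paho code: a small Python probe for the broker's tls:// listener (192.168.56.101:61614 from the article) that maps the two Paho SSL settings that matter onto Python's ssl module, the article's g_ssl_options with enableServerCertAuth = 0 onto ssl.CERT_NONE, and a trustStore with enableServerCertAuth = 1 onto ssl.CERT_REQUIRED with the broker's CA. The CA file path is an assumption.

```python
"""TLS probe for the MQTT broker port (constructed example, not from the article)."""
import socket
import ssl

BROKER_HOST = "192.168.56.101"    # broker address used in the article
BROKER_TLS_PORT = 61614           # Apollo's tls:// listener from the broker log
BROKER_CA_FILE = "broker-ca.pem"  # assumed path of the CA that signed the broker cert


def make_context(ca_file=None, verify=True):
    """Build a client TLS context; verify=False reproduces enableServerCertAuth = 0."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify:
        # Encrypted but unauthenticated: any certificate, including one from a
        # machine in the middle, completes the handshake. Clear check_hostname first.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if ca_file is None:
        raise ValueError("verification requested but no CA file given")
    ctx.load_verify_locations(cafile=ca_file)  # the trustStore equivalent
    ctx.check_hostname = True                  # Paho's version-0 options do not check this
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def probe(host, port, ctx, timeout=5.0):
    """Handshake with the broker and return (ok, detail) instead of raising."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Expected with Apollo's default self-signed keystore when its CA has not
        # been imported: the port is reachable but the broker is not authenticated.
        return False, "certificate verification failed: %s" % exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return False, "handshake failed: %s" % exc


if __name__ == "__main__":
    for label, ctx in (("no verification", make_context(verify=False)),
                       ("CA verification", make_context(BROKER_CA_FILE))):
        print(label, probe(BROKER_HOST, BROKER_TLS_PORT, ctx))
```

Run from the gateway host: if the unverified probe succeeds while the CA-verified probe reports a certificate verification failure, the gateway as configured above would also connect to any broker presenting any certificate.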
3.Demonstration:
3.1 On the gateway side:
3.2 On the broker side:
3.3 The communication between the gateway and the broker is over TLS:
3.4 Test with MQTT client:
3.4.1 Install MQTT client
Download paho.ui.app from https://repo.eclipse.org/content/repositories/paho-releases/org/eclipse/paho/org.eclipse.paho.ui.app/ and uncompress the package.
3.4.2 Connect the MQTT client to the broker
Click the “+” button to create a new connection, set the URL of the broker, fill in the account information or SSL information in the “Options” panel, and then connect.
Once connected, you can send commands to the gateway through the topic “gw/<gateway EUI64>/commands” (please refer to section 6.3 of UG129 for details of the topics supported by Z3GatewayHost).
3.4.3 Send commands to gateway
The message must be in JSON format (please refer to section 6.3 of UG129 for details). Here we send the following commands to the topic “gw/000B57FFFE648DD8/commands”:
When the gateway receives the commands, it sends an on-off toggle command to the node 0xf4ef, which we can capture with the Zigbee sniffer.