Industrial OT Server
You can set up an MQTT Server through DeviceHub that supports MQTT generic and MQTT SSL v.5.
You can configure the server with the following authentication options when connecting to clients.
When configuring the server, can select to enable only MQTT, only MQTT SSL, or both MQTT and MQTT SSL. You have the option of adding User Credentials or Mutual TLS Authentication to existing authentication configurations.
Learn more about Certificates.
When considering authentication options, keep the following in mind:
- You can't use any certificates used for your Manufacturing Connect Edge instance for server authentication.
- The automatically generated self-signed certificates may not be compatible with third-party hostname verification.
- If using your own CA Chain, the client connecting to the server needs to be configured to trust the server or one of the server's CAs (certificate authorities).
- If the certificate files have no hostname defined, then you may need to disable hostname checking in the client to connect successfully to the server.
If you enable the User Password option, the client will have to provide a username and password to connect to the server.
When you enable the Enable MQTT option, no authentication will be used to connect the client to the server.
When you enable the Enable MQTT SSL option, you have the option of using the automatically generated self-signed certificates for the server. Copy and paste the self-signed Server Certificate and Server Private Key in the appropriate certificate files when configuring the client.
You can also use your own self-signed certificates by replacing the automatically generated ones. If you'll be using your own certificates, you'll need to replace the Server Certificate and Server Private Key in the server configuration.
When you enable the Enable MQTT SSL option, you can replace the automatically generated self-signed certificates with your own CA Chain. You will need to replace the self-signed Server Certificate and Server Private Key in the server configuration by copying and pasting or uploading the files. In the Server Certificate field, paste or upload the appropriate server "leaf" certificate associated with the CA Chain.
When you enable the Enable MQTT SSL option, you can also enable the Require Client Certificate option. This provides two-way authentication between the server and client. You will need to paste or upload the client certificate in the Certificate Authority field for the server.
To add the MQTT Server to Device Hub:
- In Manufacturing Connect Edge, navigate to DeviceHub
Click Add New Device.
The Add New Device icon- For Driver Type, select MQTT. Then, for Driver Name, select MQTT Server.
- Enter a name for the server. Optionally, add a description.
Configure the server with the following options. You can select to enable only MQTT, only MQTT SSL, or both MQTT and MQTT SSL.
You can enable a required username and password for the client to connect to the server.
If you enable this option, update the default values as needed for User and Password.
The MQTT generic option connects the server and client with no authentication.
If you enable this option, configure the port and interface.
MQTT Port: The default port is 1883.
MQTT Interface: The default value 0.0.0.0 means the server listens to all interfaces. If needed, update to a specific network interface.
The MQTT SSL option allows the client to connect to the server by providing the client configuration with certificates. Learn more about Certificates.
If you enable MQTT SSL, configure the following parameters. Please review the Authentication Options section.
MQTT SSL Port: The default port value is 8883.
MQTT SSL Interface: The default value 0.0.0.0 means the server listens to all interfaces. If needed, update to a specific network interface.
Server Certificate: A self-signed certificate is automatically generated. When configuring the MQTT client, copy and paste this value in the certificate file. If you are using your own certificate, replace the self-signed certificate by copying and pasting or uploading the certificate file.
Server Private Key: A self-signed private key is automatically generated. When configuring the MQTT client, copy and paste this value in the private key file. If you are using your own certificate, replace the self-signed certificate by copying and pasting or uploading the certificate file.
Require Client Certificate: If enabled, you will need to provide the client certificate that will be used by the server to authenticate the client. Paste or upload the certificate in the Certificate Authority field
Advanced: If you select Show, use the Min TLS Version drop-down list to select the minimum version of TLS to use for authentication.
See the Define Optional Parameters section to learn more about additional options.
When done configuring the device, click Add Device.
Note: The server will show a disconnected status until an MQTT client connects to the server.
Once you set up the server in DeviceHub, you can connect an MQTT Client to the server.
Note: You can't connect the DeviceHub MQTT Client to the MQTT Server if they are using the same Manufacturing Connect Edge instance. This includes connecting through the Flows Manager or through an Integration connector. If they are using different Manufacturing Connect Edge instances, they can connect.
When connecting the client, configure the following:
Host: Enter the IP address or domain name of your Manufacturing Connect Edge instance. For example, if your Manufacturing Connect Edge instance IP address is https://192.168.0.26, enter mqtt://192.168.0.26.
Port: If connecting to MQTT generic, enter port 1883 or the port specific to your configuration. If connecting to MQTT SSL, enter port 8883 or the port specific to your configuration.
Username: If User Password is enabled, enter the User value.
Password: If User Password is enabled, enter the Password value.
SSL Authentication: If MQTT SSL is enabled, copy the Server Certificate and Server Private Key values from the MQTT Server configuration and paste them into the appropriate certificate files. Then, upload the files as needed in the client configuration.
Once the client has published topics, you can add tags to the server based on the published topics. Follow the steps to Browse Tags to the server. The tags will be used as topics to receive data from MQTT clients.