I road-tested the Harting MICA Complete IIoT Starter Kit.

In this follow-up blog, I validate their Alpine Linux container as a host for a safe(r) MQTT broker.

 

As usual, I follow someone else's instructions. This time: Mosquitto SSL Configuration - MQTT TLS Security.

 

The Alpine Linux Container

 

Alpine is one of the three general-purpose Linux containers Harting offers. The fourth Linux container is specifically targeted as a development sandbox.

 

I had never used Alpine before and this first experience was good. The only two differences from Debian for this exercise were that I had to:

  • use a different package manager: apk instead of apt.
  • use a different daemon manager: rc-service and rc-update instead of service.

Nothing to be scared of.

 

To install the container, download it from Harting's container page and install it via the MICA management console.

I had to enable IPv4 in the container's settings, otherwise it couldn't connect to the network. I don't know whether that's because of my local situation or generic.

 

Once installed, log in via SSH (e.g. PuTTY) and change the root password:

 

passwd

 

Then upgrade the distro:

 

apk update
apk upgrade

 

If you like to use nano (this step is not necessary):

 

apk add nano

 

That's part 1 of the exercise.

 

Install Mosquitto MQTT Broker

 

The next step is to install a plain MQTT server and test it.

 

apk add mosquitto

 

Enable on-boot startup

 

rc-update add mosquitto boot

 

Start the service for the first time

 

rc-service mosquitto start
rc-service mosquitto status

 

You can use MQTT.fx, the MICA Node-RED container or your favourite MQTT client to test the connection.

Paho client users, attention: the test without certificates will work for you.

The next step, where we secure the connection with a self-signed certificate, is not supported (or at least: I don't know how it works) by Paho.

If you want to use Paho as a client with a secure MQTT broker, you'll need to get certificates issued by a certificate authority or figure out how to configure it for self-signed keychains.

 

Securing MQTT Part 1: Generate Keys and Certificates

 

Install OpenSSL:

 

apk add openssl

 

Then change to a temporary directory (/tmp) and run the steps below. Better still, read Mosquitto SSL Configuration - MQTT TLS Security first: Steve explains each of the steps.

When you are prompted for a common name, use two different names: one for the CA (first openssl req) and another one for the broker (second openssl req). The broker's common name must be the name the clients will use to reach it: the server's domain name if it has one, otherwise the MICA's or the container's host name. Whatever you pick, enter exactly that name as the broker address in the client's connection settings; a client that verifies the hostname will reject any other name.

 

# CA: passphrase-protected private key and self-signed certificate (5 years)
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
# broker: unencrypted private key (the daemon must read it unattended) and a signing request
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
# sign the request with the CA (1 year); -CAcreateserial also writes ca.srl
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360

 

You should now have these 6 files in /tmp: ca.key, ca.crt, ca.srl, server.key, server.csr and server.crt.
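The same five openssl steps as a script, added here as an example (it is not code from the original post or from Steve's guide), made non-interactive so the two common names are fixed and can be checked afterwards. It assumes the CA is called "mica-ca", the broker is reached by its clients as "mica", the CA passphrase is "changeme" and the files land in a fresh temporary directory; replace all three names with your own. check_certs runs the three checks worth doing before anything is copied into /etc/mosquitto: the server certificate chains to ca.crt, server.key really belongs to server.crt, and the certificate carries the broker name.

```shell
#!/bin/sh
# Added example, not from the original post: non-interactive certificate
# generation plus sanity checks. All names below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_CN="mica-ca"      # assumption; must NOT be the same as BROKER_CN
BROKER_CN="mica"     # assumption; the exact name clients will connect to
CA_PASS="changeme"   # passphrase on ca.key; example value, pick your own

gen_certs() {
    cd "$WORK"
    # 1+2: CA private key (encrypted) and self-signed CA certificate, 5 years
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca.key 2048
    openssl req -new -x509 -days 1826 -key ca.key -passin "pass:$CA_PASS" \
        -subj "/CN=$CA_CN" -out ca.crt
    # 3+4: broker key (unencrypted; mosquitto must read it unattended) and CSR
    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -subj "/CN=$BROKER_CN" -out server.csr
    # 5: sign the CSR with the CA; add a subjectAltName, because current TLS
    #    clients match the hostname against SAN rather than CN
    printf 'subjectAltName=DNS:%s\n' "$BROKER_CN" > san.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
        -passin "pass:$CA_PASS" -CAcreateserial -extfile san.ext \
        -days 360 -out server.crt
}

# Returns 0 when server.crt chains to ca.crt, server.key belongs to server.crt
# and the certificate carries the broker name.
check_certs() {
    cd "$WORK"
    openssl verify -CAfile ca.crt server.crt >/dev/null || return 1
    [ "$(openssl x509 -noout -modulus -in server.crt)" = \
      "$(openssl rsa -noout -modulus -in server.key)" ] || return 1
    openssl x509 -noout -text -in server.crt | grep -q "DNS:$BROKER_CN"
}

gen_certs
check_certs && echo "certificates in $WORK are consistent"
```

The CA and broker common names are kept deliberately different: with identical subjects OpenSSL cannot tell the two certificates apart when it builds the chain, and verification fails in confusing ways.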

 

Create 2 folders under the Mosquitto configuration directory:

 

mkdir /etc/mosquitto/ca_certificates
mkdir /etc/mosquitto/certs

 

Copy the required files to these 2 folders:

 

cp /tmp/ca.crt /etc/mosquitto/ca_certificates
cp /tmp/server.crt /etc/mosquitto/certs
cp /tmp/server.key /etc/mosquitto/certs

 

Also download ca.crt (e.g. with WinSCP or scp). You need it in the MQTT client application to connect. ca.crt is the only file that should ever leave the device: the client never needs ca.key or server.key.

 

Now back up all generated files to a safe and secure location before doing the next step. ca.key (together with its passphrase) is the root of trust for every certificate you will sign with it; whoever holds it can issue a broker certificate your clients will accept, so keep it off the MICA.

Then delete all generated files from the /tmp folder. Do not do that before you have confirmed the backup is complete.

 

Now execute:

 

rm /tmp/server.key
rm /tmp/server.csr
rm /tmp/server.crt
rm /tmp/ca.srl
rm /tmp/ca.key
rm /tmp/ca.crt

 

Securing MQTT Part 2: Configure Mosquitto

 

Open the config file in the editor of your choice.

 

nano /etc/mosquitto/mosquitto.conf

 

Look for these entries and edit them to be exactly the same as below:

 

# Port to use for the default listener.
port 8883

cafile /etc/mosquitto/ca_certificates/ca.crt
#capath

# Path to the PEM encoded server certificate.
certfile /etc/mosquitto/certs/server.crt

# Path to the PEM encoded keyfile.
keyfile /etc/mosquitto/certs/server.key

user mosquitto

 

The mosquitto user account is created by the package. The daemon drops to this user instead of running as root, so server.key must be readable by that user (and by nobody else).

 

Test: restart the service and check that it is running.

 

rc-service mosquitto restart

 

I used MQTT.fx again and adapted the existing configuration.

You'll need to have ca.crt stored on the computer you are testing from.

 

 

Test!

 

I also tested with the Mica Node Red container:

 

 

 

Related Blog
HARTING MICA: Develop and Debug a C GPIO Example in Eclipse - Part 1: User Experience
HARTING MICA: Develop and Debug a C GPIO Example in Eclipse - Part 2: MICA Debian Stretch Setup
HARTING MICA: Develop and Debug a C GPIO Example in Eclipse - Part 3: Eclipse Configuration on Windows
HARTING MICA: Develop and Debug a C GPIO Example in Eclipse - Part 4: Build and Debug the GPIO Example
HARTING MICA: Make a Safe(r) MQTT Container with Certificate and TLS/SSL
HARTING MICA: Manage Access to USB and other Devices
HARTING MICA: SD Card as Shared Storage
HARTING MICA: Alpine Linux and another MQTT Container with Certificate and TLS/SSL
HARTING MICA: Connect to Amazon Web Services
HARTING MICA: Install Java 8 VM in a Debian Stretch Container
HARTING MICA: Read BOSCH CISS Sensor with Java - part 1: USB Connect and Listen