Securing HTTP and MQTT endpoints

By default the integrated HTTP server and MQTT broker in the Node use unencrypted communication without authentication. In this article we will explain how you can configure your Nodes with encryption and/or authentication.

TLS & Certificates

To enable encrypted communication (TLS) you need a certificate file that can be used by the node.

Good links for reading about certs

• https://letsencrypt.org/docs/certificates-for-localhost/
• https://github.com/Azure/azure-xplat-cli/wiki/Getting-Self-Signed-SSL-Certificates-(.pem-and-.pfx)
• http://paulstovell.com/blog/x509certificate2

Create certificates for test

In a production environment we recommend using a trusted certificate. For testing purposes you can create a self-signed certificate by following the below steps.

A great tool for creating test certificates is openssl:

# Generate a private key and self-signed certificate for edgenode.local

openssl req -x509 -out edgenode.crt -keyout edgenode.key   -newkey rsa:2048 -nodes -sha256   -subj '/CN=edgenode.local' -extensions EXT -config <( \
printf "[dn]\nCN=edgenode.local\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:edgenode.local\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")

# Generate a edgenode.pfx cert

openssl pkcs12 -export -in edgenode.crt -inkey edgenode.key -out edgenode.pfx

Register the cert

On the clients attaching to the node you should add the edgenode.crt file as a root cert in your cert store and change the cert to always be trusted.

Edit hosts

Edit your hosts file so that egdenode.local targets 127.0.0.1.

Configure Cert for HTTPS/MQTT

Note: We show HTTP here, but MQTT works the same way.

When starting the server all files will be created with default values, so make sure you have done that. In the 'data' folder you will find all configuration files. The httpconfiguration.json/mqttconfiguration.json files will look something like:

{
  "HttpConfiguration": {
    "HttpEndpoints": [
      {
        "Address": "0.0.0.0",
        "Port": 9090,
        "Name": "---",
        "AuthenticationType": "None",
        "AuthenticationEncryption": "MD5",
        "AuthenticationFolder": "authentication",
        "AuthenticationFile": "httpAccess9090.config",
        "CertificateType": "None",
       "StoreCertificate": {
          "Subject": "",
          "StoreName": "My",
          "StoreLocation": "LocalMachine",
          "AllowValidOnly": true,
          "SslProtocols": "Tls12"
        },
        "FileCertificate": {
          "CertificatePath": "",
          "CertificatePassword": "",
          "SslProtocols": "Tls12"
        }
      }
    ]
  }
}

Use cert from file

Below we have changed to configuration to have:

• CertificateType = FileCertificate
• FileCertificate.CertififcatePath = edgenode.pfx
• FileCertificate.CertififcatePassword = !4U2know

The certificate must be stored in /data/certificates. If the folder does not exist, create it on your own. CertificatePassword should be whatever you used as password when creating the cert.

{
  "HttpConfiguration": {
    "HttpEndpoints": [
      {
        "Address": "0.0.0.0",
        "Port": 9090,
        "Name": "---",
        "AuthenticationType": "None",
        "AuthenticationEncryption": "MD5",
        "AuthenticationFolder": "authentication",
        "AuthenticationFile": "httpAccess9090.config",
        "CertificateType": "FileCertificate",
        "StoreCertificate": {
          "Subject": "",
          "StoreName": "My",
          "StoreLocation": "LocalMachine",
          "AllowValidOnly": true,
          "SslProtocols": "Tls12"
        },
        "FileCertificate": {
          "CertificatePath": "edgenode.pfx",
          "CertificatePassword": "!4U2know",
          "SslProtocols": "Tls12"
        }
      }
    ]
  }
}

Start the Node, then open a browser and navigate to https://edgenode.local:9090. The certificate should be valid and you are now accessing the Node over HTTPS with a file certificate.

Authentication

When the server is started it will create default configuration files for HTTP and MQTT if they do not exist: httpconfiguration.json and mqttconfiguration.json

Each file contains an array of endpoints to start and each endpoint can have its own security settings. The files will be located in the data folder.

Configuration Example

{
  "MqttConfiguration": {
    "MqttEndpoints": [
      {
        "Address": "0.0.0.0", // The address to bind to
        "Port": 1883, // The port to use
        "Name": "---", // A custom name for the endpoint (optional)
        "AuthenticationType": "Basic", // None or Basic are current options
        "AuthenticationEncryption": "MD5", // None or MD5 are current options
        "AuthenticationFolder": "authentication", // folder to store access config in
        "AuthenticationFile": "mqttAccess1883.config" // the name of the access file for the endpoint
      }
    ]
  }
}

By default the AuthenticationType is set to 'None' but if we change to 'Basic' and restart the server we will see that we get new files in the folder 'data/authentication'. We will see 2 files if we change the configuration above to use Basic authentication.

• mqttAccess1883.config - Contains all encrypted passwords. Do not edit this file.
• new_mqttAccess1883.config - Enter new users into this file in the format username:password in clear text. Separate users with new lines

When the server is started it will encrypt the password using the AuthenticationEncryption chosen in the endpoint configuration.

Example

If you enter uffe:foo into the file new_mqttAccess1883.config the server will encrypt the password into something like

uffe:$MD5$eTtZYr8vuDnBnQL/o2IM2ayZRnvhGC3lChmi8X98N2QOhzdNDII8mGhrv9bUZIPu1+pclAYohitAY9FpfY5IB+TsZiH79yCTxLpHr+z91jgacfA3YiOP8PZpcFTy1PIRLbMcOnTChzsdYYOlhMWv3LYm/iobDxq6ccX3uEL5+lo=$ITVf94re52wCB2lQqF2NeQ==

and store the information in the mqttAccess1883.config file. The content that was saved in clear text in new_mqttAccess1883.config will be removed.

Note that if you use 'None' as AuthenticationEncryption the password will be stored in clear text.

Usage

When using MQTT you can use the Username/Password feature of the protocol. So that you can connect to the Crosser MQTT Broker with client credentials.

When using HTTP you can use this to get Basic Authentication. ​

Example for encryption and user authentication with docker-compose file

If you prefer to specify the endpoint configuration within your docker-compose file, you can use the example for MQTT below.

Keep in mind that all requirements still apply:

• Certificates for endpoint must be available in ./data/certificates

• edgenode.local 127.0.0.1 must be added to /etc/hosts (depending on the Operating System)

• A file which holds the new users, in this case new_mqttAccess8883.config, must be available in ./data/authentication/

Note: You could specify multiple MQTT endpoints, therefore you have to specify the index __0__

services:
  edgenode:
    image: docker.crosser.io/crosser/edgenode:latest
    container_name: crosser-edgenode
    restart: always
    environment:
      - SecurityConfiguration__Credentials__NodeId=ENTER-YOUR-NODEID-HERE
      - SecurityConfiguration__Credentials__AccessKey=ENTER-YOUR-ACCESS-KEY-HERE
      - MqttConfiguration__MqttEndpoints__0__Address=0.0.0.0
      - MqttConfiguration__MqttEndpoints__0__Port=8883
      - MqttConfiguration__MqttEndpoints__0__AuthenticationType=Basic
      - MqttConfiguration__MqttEndpoints__0__AuthenticationEncryption=MD5
      - MqttConfiguration__MqttEndpoints__0__AuthenticationFolder=authentication
      - MqttConfiguration__MqttEndpoints__0__AuthenticationFile=mqttAccess8883.config
      - MqttConfiguration__MqttEndpoints__0__CertificateType=FileCertificate
      - MqttConfiguration__MqttEndpoints__0__clientCertificateRequired=false
      - MqttConfiguration__MqttEndpoints__0__StoreCertificate__StoreName=My
      - MqttConfiguration__MqttEndpoints__0__StoreCertificate__StoreLocation=LocalMachine
      - MqttConfiguration__MqttEndpoints__0__StoreCertificate__AllowValidOnly=true
      - MqttConfiguration__MqttEndpoints__0__StoreCertificate__SslProtocols=Tls12
      - MqttConfiguration__MqttEndpoints__0__FileCertificate__CertificatePath=edgenode.pfx
      - MqttConfiguration__MqttEndpoints__0__FileCertificate__CertificatePassword=ENTER-YOUR-CERTIFICATE-PASSWORD-HERE
      - MqttConfiguration__MqttEndpoints__0__FileCertificate__SslProtocols=Tls12
    ports:
      - 9090:9090
      - 9191:9191
      - 8883:8883
    volumes:
      - "./data:/application/data"
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "2"
 

Limitations

• You should only use one settings file per endpoint. Do not try to use one file for several endpoints

• Only Basic authentication is currently supported.