How to Set Up Transport Layer Security
Implementing MQTT in Ignition: Video 115 min video / 5 minute read
Travis Cox demonstrates how to set up Transport Layer Security (TLS) in the MQTT Distributor, Engine, and Transmission Modules. This is critical for secure and encrypted communication.
Travis: In this session, we're going to show how to set up TLS (Transport Layer Security) in the MQTT Distributor, Engine, and Transmission Modules. This is important so we can have secure, encrypted communication. First, we're going to start with the MQTT server, which is a Distributor in my case. If you have a different MQTT server, make sure to follow their instructions on setting up TLS.
For the Distributor Module, we have to log into the Ignition Gateway configuration section, and go to the MQTT Distributor settings area. On the General tab, there's a section for TLS. Here we can simply enable TLS and specify the port, which is 8883 by default. You can also enable secure WebSocket connections, but at the bottom, we have to specify a Java KeyStore file. This is going to actually contain the certificate itself. If you've never created a Java KeyStore file before, you can use Java's keytool, which is a command-line tool, or you can use KeyStore Explorer, which is what I prefer. You can go to keystore-explorer.org, and you can download the utility. Once you have it downloaded, go ahead and open it up, and we can create a new KeyStore in JKS format (Java KeyStore). Once we have that, we can either import the certificate if we purchased it outside or we can generate a self-signed one. That's what I'm going to do here.
So I'm going to right-click first to create our root CA. So I generate a new key pair, RSA 2048, and I'm going to give it a name, which is going to be called Root CA, for IT, and Organization will be IA. Now we have to add a couple of extensions to this, to let it know it's a root CA. So the first one is Basic Constraints. I've got to check the box for Subject is a CA. And the second is Key Usage, and we have to select Certificate Signing and CRL Sign. Go ahead and press OK. Now I've got my root CA; I'll give it an alias of Root CA.
Now we have to specify a password for our KeyStore file. Remember this password because we're going to enter it into Ignition later. Now that I have my root CA, I can right-click on that to sign a new key pair, so my actual certificate off of that root. So, RSA 2048 again, here we're going to give this a name. The common name is typically the IP address or the host name of that server. I'm going to call mine localhost for now. I'll go IT, and IA. And that's it, I'll go ahead and press OK, I'll give it that alias and my password again. So I've got now that certificate created. That's it, all ready to save the file and use it. So I'm going to go ahead and File, Save, and I'll save it here. I'll call it cert.jks, that's the format. Go ahead and save it.
Now we're ready to go, so I can come back to the MQTT Distributor Module and down here I can choose that. Go to Downloads here and choose that cert, and then we'll have to give it the password. So that's the password that we used when generating it, and we'll go ahead and save it. So now TLS is turned on for the MQTT server. Now we have to go to our Engine Module and our Transmission Module to change the connection to make it TLS. So let's first start with Transmission: go down here to the Transmission settings, we're going to go to Servers, and we're going to edit this connection that I had right now, which is going to my local machine over 1883, the non-TLS port. So, the first thing we have to do is change the URL to be ssl:// and then the port is going to be 8883. And then everything else will be the same, except that we do have to specify the certificate to upload.
Now, this is not the Java KeyStore that we just created, because that has all the private stuff that we need. This just needs to be that root CA. So all we've got to do is go back to KeyStore Explorer, right-click on the root CA, and we're going to export that: export certificate chain, we're going to do the head only, X.509 PEM format, and we're going to call that PEM there, and now I have that exported. I can come over here, I can choose that PEM and that's it. We're going to come down to the bottom, and there's no password on that particular one, go ahead and save it, and we should have two of two connected. So now this is ready to go. Now it's all over the TLS connection.
Do the same thing for the Engine Module, so go over here to MQTT Engine settings, Servers, edit that one. Again, we have to specify this to ssl and then the Port is 1883. Come down here, choose that root CA and that's it there, go ahead and save it, and we should get connected here as well. And that's it. So, we've set up TLS on all three of the MQTT modules in Ignition. Of course, if you're using third-party servers or clients you've got to do the same things there, but you can use these exact same certificates.