This folder contains a demo for the IETF draft MQTT-TLS profile of ACE (https://tools.ietf.org/html/draft-sengul-ace-mqtt-tls-profile-01).
The demo consists of:
- Express Node.js based Authorisation Server (AS)
- Mosquitto client extensions
- Mosquitto broker auth_plugin extensions
SystemImplementation.md explains the design choices and limitations of this prototype implementation.
Important note: securing the AS requires additional steps, which depend on the particular deployment environment.
To set up the Authorisation Server (prerequisite: a MongoDB installation, https://docs.mongodb.com/manual/installation/, with mongodb running):
- Inside the AS folder, install all the dependencies: `npm install`
- Create a CA certificate and secret key, and place them under a folder named `app_files` (for an example of how to create certificates with openssl, see https://devcenter.heroku.com/articles/ssl-certificate-self).
- To start the server: `npm start`
  Note: make sure your mongodb server is running before starting.
  By default this starts a server at localhost, port 3001 (in the case of http) and port 8001 (in the case of https), if different ports are not defined in the config file.
- The configuration options in the config file `as_config.json` are:
  ```json
  {
    "host": "<host_address>",
    "port": "<port_number>",
    "port_https": "<https_port_number>",
    "security": {
      "tokenLife": "<time in seconds>",
      "clientSecretLife": "<time in months>",
      "sessionSecret": "<secret string>"
    },
    "mongoose": {
      "uri": "<mongodb uri>"
    }
  }
  ```
- Example curl tests for the client and resource owner API are under the tests/ directory.
To build the mosquitto broker:
- Prerequisite: install openssl.
- Clone mosquitto from the git repo linked at https://mosquitto.org/download/
- In the `mosquitto` folder, run `cmake .`. This creates a folder called `CMakeFiles` and a file `CMakeCache.txt`.
- Run `make`. This `make` may fail if the openssl installation is not in the default folders. In that case, update `OPENSSL_CRYPTO_LIBRARY:FILEPATH`, `OPENSSL_INCLUDE_DIR:PATH` and `OPENSSL_SSL_LIBRARY:FILEPATH` in `CMakeCache.txt` to the appropriate paths for your installation.
- In the `src` folder, run `./mosquitto` to run the broker.
To build the broker auth plugin, clone directly from https://github.com/ciseng/mosquitto-auth-plug/ (we try to keep it up to date with upstream), or do the following:
- Clone the repository at https://github.com/jpmens/mosquitto-auth-plug/
- You will use the `ace_auth_plug` folder to patch the plugin.
- In your `mosquitto-auth-plug` folder: `cp config.mk.in config.mk`
- Edit `config.mk` (see the config file under `ace_auth_plug`; make sure `BACKEND_MEMCACHED ?= no`, otherwise it throws an error):
  - Add `BACKEND_ACE ?= yes`
  - Specify the `MOSQUITTO_SRC` and `OPENSSLDIR` paths.
- The `ace_auth_plug.patch` makes the following changes to the Makefile (see an example under `ace_auth_plug`):
  - Add `token-cache.o` to `OBJS`
  - Add:
    ```make
    ifneq ($(BACKEND_ACE), no)
    BACKENDS += -DBE_ACE
    BACKENDSTR += ACE
    BE_LDADD += -lcurl
    OBJS += be-ace.o nxjson.o
    endif
    ```
  - Modify `OSSLIBS=-L$(OPENSSLDIR)/lib -lssl -lcrypto`
  - Modify the link rule:
    ```make
    auth-plug.so : $(OBJS) $(BE_DEPS)
    	$(CC) $(CFLAGS) $(LDFLAGS) -fPIC -shared -undefined dynamic_lookup -o $@ $(OBJS) $(BE_DEPS) $(LDADD)
    ```
  - Add `token-cache.o: token-cache.h token-cache.c uthash.h Makefile`
  - Add `be-ace.o: be-ace.c be-ace.h Makefile backends.h nxjson.h nxjson.c token-cache.h token-cache.c`
- `ace_auth_plug.patch` also creates `be-ace.c`, `be-ace.h`, `token-cache.c`, `token-cache.h`, `nxjson.h` and `nxjson.c` as new files. These files are also under the `ace_auth_plug` folder.
- You can patch your folder using `ace_auth_plug.patch`, or apply the changes manually. (The patch was created against the git repo as of 30/01/2018.)
  `patch < ace_auth_plug.patch`
- Run `make`.
- After a successful `make`, a shared object called `auth-plug.so` is created, which you will reference in `mosquitto.conf`. So, make sure you copy/maintain `auth-plug.so` in the location referenced by `mosquitto.conf`.
To start the mosquitto broker at localhost:
1. Register the mosquitto broker with the ACE AS server using the `api/client/dyn_client_reg` endpoint (see the mqtt_ace_as/tests folder, client_curl_tests.md, for an example). This returns a `client_id` and `client secret`, which are used to set `auth_opt_http_basic_auth_key` in `mosquitto.conf` in Step 2.
2. Update the `mosquitto.conf` file as explained below. See the `mosquitto.conf` file under this directory as an example of how to modify the configuration file. In summary:
   - Set the port to 8883
   - Set the cafile and/or capath
   - Set the certfile
   - Set the keyfile
   - Set tls_version to tlsv1.2
   - Set require_certificate to false (this is a client certificate requirement)
   - Set log_dest to stdout (or a place of your choice)
   - Set allow_anonymous to false
   - Set auth_plugin to the auth_plugin location
   - Set auth_opt_backends to ace
   - Set auth_opt_http_ip to 127.0.0.1
   - Set auth_opt_http_port to 8001 (this is where the ACE AS HTTPS endpoints run)
   - Set auth_opt_http_getuser_uri to /api/rs/introspect
   - Set auth_opt_http_with_tls to true
   - Set auth_opt_http_basic_auth_key to the broker's `client_id:client secret` in base64 encoding
3. Change to the src folder and run `./mosquitto -c ../mosquitto.conf -v`
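As an added example (not one of the demo's own scripts), the following POSIX shell helpers cover the broker steps above: they derive the base64 `client_id:client secret` value for `auth_opt_http_basic_auth_key`, write a `mosquitto.conf` with the settings listed above, and check a configuration file for the lines the ACE backend depends on before the broker is started. The certificate, key and `auth-plug.so` paths, the script name `ace_broker_conf.sh` and the sample credentials are assumptions; the AS address and `auth_opt_*` values are the ones given above.

```shell
#!/bin/sh
# Added example (not part of the demo's own files): helpers for the broker
# configuration steps above. Certificate/plugin paths and the client
# credentials are placeholders; the AS address and the auth_opt_* values
# mirror the settings listed in the README.

# Encode "client_id:client secret" (as issued by the AS registration endpoint)
# for auth_opt_http_basic_auth_key. Newlines are stripped so long secrets are
# not line-wrapped by GNU base64.
ace_basic_auth_key() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Write a mosquitto.conf with the settings listed above.
# $1 = output path, $2 = base64 basic auth key, $3 = directory holding the
# CA/broker cert, key and auth-plug.so (placeholder layout)
write_mosquitto_conf() {
    cat > "$1" <<EOF
port 8883
cafile $3/ca.crt
certfile $3/broker.crt
keyfile $3/broker.key
tls_version tlsv1.2
require_certificate false
log_dest stdout
allow_anonymous false
auth_plugin $3/auth-plug.so
auth_opt_backends ace
auth_opt_http_ip 127.0.0.1
auth_opt_http_port 8001
auth_opt_http_getuser_uri /api/rs/introspect
auth_opt_http_with_tls true
auth_opt_http_basic_auth_key $2
EOF
}

# Sanity check before starting the broker: every setting the ACE backend
# depends on must be present as an exact "key value" line, and the basic auth
# key must be set. Returns 0 when the file passes, 1 (naming the first
# problem on stderr) otherwise.
check_mosquitto_conf() {
    conf="$1"
    for req in 'port 8883' 'tls_version tlsv1.2' 'allow_anonymous false' \
               'auth_opt_backends ace' 'auth_opt_http_with_tls true' \
               'auth_opt_http_getuser_uri /api/rs/introspect'; do
        if ! grep -qxF "$req" "$conf"; then
            echo "check failed: expected line '$req' in $conf" >&2
            return 1
        fi
    done
    if ! grep -q '^auth_opt_http_basic_auth_key [A-Za-z0-9+/=]\{1,\}$' "$conf"; then
        echo "check failed: auth_opt_http_basic_auth_key missing or empty in $conf" >&2
        return 1
    fi
    return 0
}

# Usage: sh ace_broker_conf.sh <client_id> <client_secret> <files_dir> [out_conf]
if [ "$#" -ge 3 ]; then
    out=${4:-mosquitto.conf}
    write_mosquitto_conf "$out" "$(ace_basic_auth_key "$1" "$2")" "$3"
    check_mosquitto_conf "$out" && echo "wrote $out"
fi
```

Run `check_mosquitto_conf` against an existing `mosquitto.conf` as well; a broker that starts with `allow_anonymous true` or without `auth_opt_http_with_tls true` will accept clients without consulting the AS, or will send the broker's basic-auth credentials to the introspection endpoint in clear text, and neither mistake is visible from the broker's startup output.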
To run the clients:
- From `mosquitto_client`, apply client_shared_source.patch and client_shared_header.patch in the `mosquitto/client` folder. Run make again in this folder.
- Register a pub and a sub client with the ACE AS server using the `api/client/dyn_client_reg` endpoint (see the mqtt_ace_as/tests folder, client_curl_tests.md, for an example).
- Both clients need to get an ACE access token from the AS using the token endpoint (see the mqtt_ace_as/tests folder, client_curl_tests.md, for an example). For the token endpoint to return a token, the resource owner must have set policies for the pub/sub client for the requested topic (see the mqtt_ace_as/tests folder, resource_owner_curl_tests.md, for an example).
- If they are not already started, start the mosquitto broker and the AS.
- See under client_files for examples of how to call the pub/sub clients: ace_script_pub and ace_script_sub (username: token, password: PoP key).
- Start the subscriber client (see the script ace_script_sub). The subscriber client stays connected.
- Start the publisher client (see the script ace_script_pub). The publisher client disconnects after publishing.