...
TLS with Server Certificate Authentication
TLS with Server and Client Certificate Authentication
Steps for Creating Certificates for Client Authentication
For this step, the client (the eACM MQTT app, Bridge, Edge Manager, etc.) authenticates to the server with a certificate before the TLS connection is fully established. This takes place after the server has authenticated to to the client with its own (server) certificate.
...
| Code Block |
|---|
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.pem -days 3650 --outform PEM |
Configuration
You now have all the files required to configure your client and server (broker) for TLS authentication with both server authentication and client authentication.
You will need to provide ca.pem to both your client and server.
You will need to provide server.key and server.pem to your server.
You will need to provide client.key and client.pem to each client. The client will also need to be provided with the password used to encrypt its client.key.
Client
In older versions of eACM, you must copy (scp) your ca.pem, client.key and client.pem to the host where eACM is installed and reference the path to it in your TLS Settings object (MQTT app) or the Broker 1/2 tab of your Node object (Edge Manager).
...
Assign the password used to encrypt client.key to Private Key Password.
Server (Broker)
The broker configuration will be different for each broker. Example for mosquitto:
...
| Code Block |
|---|
user MyEACM topic read STATE/+ topic readwrite spBv1.0/# user SparkplugViewer topic read STATE/+ topic read spBv1.0/# user HMI topic readwrite STATE/+ topic readwrite spBv1.0/# |
What to do when authentication fails
When the MQTT client (eACM, Edge Manager or Bridge) fail to connect to the broker the first thing to do is to enable logging on your MQTT broker. Then compare the broker logging in the context of logging from eACM.
...