Edge EFM Collection - Broker Configuration
While Edge EFM Collection can occur without using a secure connection, AUTOSOL suggests using TLS certificates for the MQTT subscription in all production environments. It is highly advisable to take these steps before continuing ACM Monitor TLS setup:
Work with a qualified security professional to determine the best means of securing MQTT communications for your use case. AUTOSOL support cannot provide security advice.
Configure the MQTT broker according to your needs. Note: ACM requires use of a TLS certificate.
Test using a third party MQTT client with support for certificates and Sparkplug B. AUTOSOL used Node-RED during testing, among others.
Certificate configuration in particular tends to be the most problematic area of MQTT setup. Taking these steps, with the help of a qualified security professional, will greatly simplify ACM configuration.
General Tab
Edge Group Id
The Sparkplug B identifier the Edge EFM Collection service will use for itself when subscribing to the broker. The MQTT Topic is displayed below for reference purposes.
SCADA Host Id
Defines the scada_host_id that the Edge EFM Collection service will use for STATE updates (for example, the SCADA Host going OFFLINE). For more information on SCADA Hosts, see the Sparkplug B Specification. Note: This should be kept as short as possible, as it adds to the size of every message sent to the broker.
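The two General tab fields above end up as levels in MQTT topic names, so it helps to see what those topics look like and which characters an identifier must not contain. The following script is an added example, not AUTOSOL's code: it builds the Sparkplug B node and STATE topics from constructed identifiers (the topic layout is the one in the Sparkplug B specification the page references; the STATE/<scada_host_id> form is the Sparkplug B 2.2 one and is assumed here), rejects identifiers containing the MQTT topic characters `/`, `+` and `#`, and includes a small MQTT wildcard matcher so you can check which host-side subscription filters would receive a given message.

```shell
#!/bin/sh
# Added example (not AUTOSOL's code): builds the Sparkplug B topics implied by the
# General tab fields and validates the identifiers entered there.
# Topic layout per the Sparkplug B specification the page references:
#   spBv1.0/<group_id>/<message_type>/<edge_node_id>[/<device_id>]
#   STATE/<scada_host_id>   (Sparkplug B 2.2 form; assumed to be what ACM uses)
# Identifier rule applied: non-empty and free of the MQTT topic characters '/', '+', '#'.
# All identifier values below are constructed.
set -eu

SP_NAMESPACE="spBv1.0"

# valid_sparkplug_id ID -> 0 if ID can be a single MQTT topic level, 1 otherwise
valid_sparkplug_id() {
  [ -n "$1" ] || return 1
  case "$1" in
    */*|*+*|*'#'*) return 1 ;;
  esac
  return 0
}

# node_topic GROUP MSG_TYPE EDGE_NODE [DEVICE] -> prints the publish topic, or fails
# (N* message types carry no device level, D* types require one)
node_topic() {
  group=$1; mtype=$2; node=$3; device=${4:-}
  valid_sparkplug_id "$group" || return 1
  valid_sparkplug_id "$node" || return 1
  case "$mtype" in
    NBIRTH|NDEATH|NDATA|NCMD) [ -z "$device" ] || return 1 ;;
    DBIRTH|DDEATH|DDATA|DCMD) valid_sparkplug_id "$device" || return 1 ;;
    *) return 1 ;;
  esac
  if [ -n "$device" ]; then
    printf '%s/%s/%s/%s/%s\n' "$SP_NAMESPACE" "$group" "$mtype" "$node" "$device"
  else
    printf '%s/%s/%s/%s\n' "$SP_NAMESPACE" "$group" "$mtype" "$node"
  fi
}

# state_topic SCADA_HOST_ID -> prints STATE/<scada_host_id>, the topic carrying the
# host's ONLINE/OFFLINE state
state_topic() {
  valid_sparkplug_id "$1" || return 1
  printf 'STATE/%s\n' "$1"
}

# topic_matches FILTER TOPIC -> 0 if an MQTT subscription FILTER (with + / # wildcards)
# would deliver TOPIC; checked level by level in awk
topic_matches() {
  awk -v f="$1" -v t="$2" 'BEGIN {
    nf = split(f, F, "/"); nt = split(t, T, "/")
    for (i = 1; i <= nf; i++) {
      if (F[i] == "#") exit 0              # "#" matches this level and everything below
      if (i > nt) exit 1                   # filter has more levels than the topic
      if (F[i] != "+" && F[i] != T[i]) exit 1
    }
    if (nf == nt) exit 0                   # every level consumed exactly
    exit 1
  }'
}

# Demo with constructed values: what an Edge node publishes and which host-side
# subscription filters would receive its NBIRTH.
group_id="EFM_Group1"; node_id="edge-efm-01"; scada_host="ACM_Host"
for t in NBIRTH NDATA; do node_topic "$group_id" "$t" "$node_id"; done
node_topic "$group_id" DDATA "$node_id" "meter7"
state_topic "$scada_host"
for filter in "spBv1.0/$group_id/#" "spBv1.0/+/NBIRTH/+" "STATE/$scada_host"; do
  if topic_matches "$filter" "$(node_topic "$group_id" NBIRTH "$node_id")"; then
    echo "$filter  ->  receives NBIRTH from $node_id"
  else
    echo "$filter  ->  does not receive NBIRTH from $node_id"
  fi
done
```

The matcher is useful when sizing the broker's subscriptions: a host that subscribes to `spBv1.0/<group_id>/#` receives every node and device message in that group, while `STATE/<scada_host_id>` is a separate topic tree that the group filter never sees.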
Enable Debug/Trace Logging
When enabled, the service logs additional connection status information, EFM record processing details (including record field information), and MQTT trace messages.
Broker Address/Port
The IP address and port of the broker. The address can be entered in either IPv4 or IPv6 format.
Client ID
The MQTT identifier for a client connecting to an MQTT broker. This must be unique among the other clients sharing the same broker(s), including other ACM installations. By default, it is auto-generated, but it can also be changed manually to something more human-readable. A new, random client ID can be generated by clicking the "cog" button to the right of the client ID box.
Authentication Tab
The Authentication tab properties allow entry of username and password, if authentication is required by the broker.
SSL/TLS Tab
Secure Connections
By default, the Use a secure connection option is selected, enabling configuration of the SSL/TLS options. For non-production environments, the Do not use a secure connection option can be used for testing.
ACM currently supports three categories of TLS certificates:
CA signed Server Certificate - when using a public certificate authority
CA Certificate file - when using a private certificate authority
Self Signed Certificates
1. CA Signed Server Certificate
Use the CA signed server certificate option when a CA signed certificate is already uploaded on the server side (broker) and the same certificate is used for client authentication. There is no need to upload a certificate here.
2. CA Certificate file
The CA certificate used on the server side (broker) should be used here and must be in PEM format. Intermediate certificates can also be used here, but they must be combined into a single bundle in PEM format.
3. Self Signed Certificates
This option is used when both client and server require mutual authentication. The client certificate must be signed by the same CA certificate as the broker's. The CA file must be in PEM format. The client certificate, combined with its key file, must be uploaded in PFX format. The passphrase can also be given if the client certificate is password protected.
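The preparation steps at the top of the page (configure and test the broker's certificates before touching ACM) and the three certificate options above come down to producing two artefacts in the right shape: a PEM bundle of the CA (and any intermediates) for option 2, and a PFX holding the client certificate plus its key for option 3. The script below is an added example, not AUTOSOL's tooling: it uses openssl (1.1.1 or newer assumed) to create a throwaway private root CA with an intermediate, a broker certificate and a client certificate, writes the bundle and the PFX, and then runs the checks the broker and ACM perform at connect time: that the broker and client certificates chain to the same CA bundle and that a certificate from an unrelated CA is rejected. All names, the SAN values, the working directory and the passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example, not AUTOSOL's tooling: prepares with openssl (1.1.1+ assumed) the
# artefacts the SSL/TLS tab asks for, using a throwaway private CA so it runs offline:
#   option 2 "CA Certificate file"      -> ca-bundle.pem (intermediate + root, one PEM file)
#   option 3 "Self Signed Certificates" -> client.pfx    (client cert + key, PKCS#12, passphrase)
# It then checks what the broker and ACM check at connect time: the broker certificate
# and the client certificate chain to the same CA bundle, and a certificate from an
# unrelated CA is rejected. Names, SAN values and the passphrase are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="${PFX_PASS:-example-passphrase}"   # value for ACM's "passphrase" field

# Minimal openssl config so the example does not depend on the system openssl.cnf
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# self_signed NAME CN -> self-signed CA certificate NAME.pem with key NAME.key
self_signed() {
  openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_cert NAME CN SIGNER EXTENSIONS -> NAME.pem signed by SIGNER.pem / SIGNER.key
issue_cert() {
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf '%s\n' "$4" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

make_chain() {
  self_signed root "Example Private Root CA"
  issue_cert inter "Example Intermediate CA" root \
    "basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign"
  # Broker certificate: the SAN must cover what goes into ACM's Broker Address field
  issue_cert server "broker.example.internal" inter \
    "basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth
subjectAltName=DNS:broker.example.internal,IP:192.0.2.10"
  # Client certificate for mutual TLS, signed by the same CA as the broker
  issue_cert client "acm-edge-client" inter \
    "basicConstraints=CA:FALSE
extendedKeyUsage=clientAuth"
  # A client certificate from an unrelated CA: the broker must reject it
  self_signed rogue "rogue-client"
  # Option 2 artefact: intermediate(s) first, then the root, in one PEM bundle
  cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/ca-bundle.pem"
  # Option 3 artefact: client certificate + private key as a passphrase-protected PFX
  openssl pkcs12 -export -name acm-edge-client -inkey "$WORK/client.key" -in "$WORK/client.pem" \
    -certfile "$WORK/inter.pem" -passout "pass:$PFX_PASS" -out "$WORK/client.pfx"
}

# count_pem_certs FILE -> number of certificates in a PEM bundle
count_pem_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# verify_chain CERT PURPOSE -> 0 if CERT chains to ca-bundle.pem for PURPOSE (sslserver|sslclient)
verify_chain() {
  if openssl verify -purpose "$2" -CAfile "$WORK/ca-bundle.pem" "$1" >/dev/null 2>&1; then
    return 0
  else
    return 1
  fi
}

# pfx_client_subject -> subject of the certificate inside client.pfx (passphrase required)
pfx_client_subject() {
  openssl pkcs12 -in "$WORK/client.pfx" -passin "pass:$PFX_PASS" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -noout -subject
}

make_chain
echo "ca-bundle.pem holds $(count_pem_certs "$WORK/ca-bundle.pem") certificates"
verify_chain "$WORK/server.pem" sslserver && echo "broker certificate: chains to the CA bundle"
verify_chain "$WORK/client.pem" sslclient && echo "client certificate: chains to the CA bundle"
verify_chain "$WORK/rogue.pem" sslclient || echo "rogue certificate: rejected, different CA"
echo "client.pfx contains: $(pfx_client_subject)"
```

Two points worth carrying over to a real deployment: the broker certificate's subjectAltName has to cover the exact host name or IP that will be typed into the Broker Address field, or the client will refuse the connection even though the chain is valid; and OpenSSL 3 writes PKCS#12 files with newer encryption defaults, so if the importing side cannot read the PFX, re-export it with `openssl pkcs12 -export -legacy ...`.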
After setting up all the properties related to the broker, click “Save” to apply the settings.
For assistance, please submit a ticket via our Support Portal, email autosol.support@autosoln.com or call 281.286.6017 to speak to a support team member.