MQTT TLS

AAM provides MQTT TLS settings for configuration. These are accessed via the main node properties.

An invalid or incorrect setting for either AAM or an Edge Node may result in loss of communication to a broker.


To view details about a property, hover over the property name in the left column.

Certificates Explained

The TLS Broker connection works in the following way:

  • A CA File is required and must be the same CA File used by the Broker in its TLS Settings.

  • If you upload a Client Certificate, you will also need to upload the Client Private Key that goes with it.

    • If the Client Private Key is encrypted, you will need to enter the Private Key Password.

  • If Verify Certificate is checked, the Broker’s certificate signature will be verified against the CA file you uploaded.

If Verify Certificate is not checked, there is no guarantee that the host you are connecting to is your server rather than an impersonator. Leaving it unchecked can be useful in initial server testing, but it makes it possible for a malicious third party to impersonate your server, for example through DNS spoofing.

  • If a Broker allows anonymous connections, the CA File may be uploaded and used on its own, without a Client Certificate.
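
The certificate rules above, mapped onto Python's standard ssl module as an added example. This is not AAM code: the TlsSettings field names are hypothetical stand-ins for the properties described here, and the hostname check is a default of Python's ssl module, not something this page states about AAM.

```python
import ssl
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TlsSettings:
    # Hypothetical field names mirroring the properties described above.
    ca_file: Optional[str] = None
    client_cert: Optional[str] = None
    client_key: Optional[str] = None
    key_password: Optional[str] = None
    verify_certificate: bool = True


def check_settings(s: TlsSettings) -> List[Tuple[str, str]]:
    """Return (level, message) findings for the rules in this section."""
    findings = []
    if not s.ca_file:
        findings.append(("error", "CA File is required"))
    if s.client_cert and not s.client_key:
        findings.append(("error", "Client Certificate needs its Client Private Key"))
    if not s.verify_certificate:
        findings.append(("warning", "Verify Certificate is off: Broker identity is not authenticated"))
    return findings


def build_context(s: TlsSettings) -> ssl.SSLContext:
    """Build a client-side TLS context; refuses settings that have errors."""
    errors = [msg for level, msg in check_settings(s) if level == "error"]
    if errors:
        raise ValueError("; ".join(errors))
    # PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED and hostname checking on.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=s.ca_file)
    if s.client_cert:
        # For an encrypted key, pass the password here; without it OpenSSL
        # prompts on the terminal, which stalls an unattended service.
        ctx.load_cert_chain(s.client_cert, s.client_key, password=s.key_password)
    if not s.verify_certificate:
        ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
        ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

A CA File on its own passes check_settings with no findings, which matches the anonymous-connection case.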

Broker 1 and 2 Explained

After the server starts, or when the Restart MQTT Client option under the Node commands is run, the settings will be checked and the following logic will execute.

  • If Broker 1 is enabled and the connection fails, it will attempt another connection after the Broker 1 → Connection Retry Interval has passed.

  • After the Broker 1 → Connection Retries are exhausted, the Broker 2 settings, if enabled, will be used.

  • The logic repeats for Broker 2, and then switches to Broker 1. This will occur indefinitely if both broker connections are enabled.

  • If Broker 1 is disabled, Broker 2 is checked first, and the reconnection will continue forever only for the one enabled broker.

  • If no brokers are enabled, no client connections will be attempted.

 

For assistance, please submit a ticket via our Support Portal, email autosol.support@autosoln.com or call 281.286.6017 to speak to a support team member.