
This guide will show you the required steps and some common pitfalls when setting up a HiveMQ cluster and enforcing TLS for each step of communication.

Certificate and keystore generation as well as their use will be demonstrated.

Requirements

  • HiveMQ

  • Java keytool

  • JDK 11 or higher

  • openssl

  • MQTT CLI

Instructions

...

  1. We will create a keystore used by our HiveMQ nodes

Code Block
keytool -genkey -keyalg RSA -alias hivemq -keystore hivemq.jks -storepass changeme -validity 360 -keysize 2048

keytool will ask for the necessary information to create our root certificate and private key.

These will be stored in hivemq.jks which we need to make available to all our cluster nodes.

...

2. Next we need to create a client certificate (mqtt-client-cert.pem), generate an X.509 DER-encoded certificate from it (mqtt-client-cert.crt) and make it available to HiveMQ in the form of a keystore (hivemq-trust-store.jks)

Code Block
openssl req -x509 -newkey rsa:2048 -keyout mqtt-client-key.pem -out mqtt-client-cert.pem -days 360
openssl x509 -outform der -in mqtt-client-cert.pem -out mqtt-client-cert.crt
keytool -import -file mqtt-client-cert.crt -alias client -keystore hivemq-trust-store.jks -storepass changeme

...

<path> in <keystore> must point to the hivemq.jks we generated earlier

<path> in <truststore> will be our hivemq-trust-store.jks

<private-key-password> must be identical to the one we set during creation and

<client-authentication-mode> must be set to REQUIRED

Note

When you are running multiple HiveMQ nodes on a single server, remember that each instance requires a unique listening port.

...

We must again adjust the paths of our server’s keystore and truststore (path to our generated server.jks)

and since we are running our cluster nodes on a single machine, each must bind to a different <bind-port>

...

Note

To avoid further binding conflicts, modify jmxremote.port to a unique value in each node’s JAVA_OPTS variable within the corresponding run.sh

...

2. .. while including our server.pem

Code Block
mqtt sub -t topic -q 1 -h localhost -i testclient --cafile /some/dir/server.pem -d

CLIENT testclient: sending CONNECT
PUBLISH: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
PUBLISH: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

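One common cause of the bad_certificate alert above, once <client-authentication-mode> is REQUIRED, is a client that presents no certificate at all: the MQTT CLI call is given only --cafile, so the broker trusts nothing it sent. The Go program below is an added illustration (not part of the original guide, nor HiveMQ or MQTT CLI code) that reproduces the situation offline with in-memory stand-ins for hivemq.jks, hivemq-trust-store.jks and --cafile server.pem; the certificate subjects, "localhost" as server name and the pinning of TLS 1.2 are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned issues a minimal self-signed certificate, standing in for the
// identities the guide keeps in hivemq.jks (server) and mqtt-client-cert.pem (client).
func selfSigned(cn string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{"localhost"},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(360 * 24 * time.Hour), // like -validity 360
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// pool turns one certificate into a trust anchor (the truststore / --cafile role).
func pool(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p }

// Connect performs one handshake against a listener configured like a HiveMQ listener with
// <client-authentication-mode>REQUIRED</client-authentication-mode>. withClientCert=false
// mirrors "mqtt sub ... --cafile server.pem" without --cert/--key; the client's error is returned.
func Connect(withClientCert bool) error {
	server, client := selfSigned("hivemq"), selfSigned("mqtt-client")
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server}, ClientCAs: pool(client.Leaf), // hivemq.jks + trust store
		ClientAuth:   tls.RequireAndVerifyClientCert, // REQUIRED
		MaxVersion:   tls.VersionTLS12,               // so the server's verdict surfaces in Dial itself
	})
	if err != nil { return err }
	defer ln.Close()
	go func() { if c, err := ln.Accept(); err == nil { c.(*tls.Conn).Handshake(); c.Close() } }() // broker side
	cfg := &tls.Config{RootCAs: pool(server.Leaf), ServerName: "localhost"} // --cafile server.pem, -h localhost
	if withClientCert { cfg.Certificates = []tls.Certificate{client} }
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg) // "remote error: tls: bad certificate" when unmet
	if err == nil { conn.Close() }
	return err
}

func main() { fmt.Println("no client cert:", Connect(false), "| with client cert:", Connect(true)) }
```
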
...