This guide will show you the required steps and some common pitfalls when setting up a HiveMQ cluster and enforcing TLS for each step of communication.
Certificate and keystore generation as well as their use will be demonstrated.
Requirements
HiveMQ
Java keytool
JDK 11 or higher
openssl
MQTT CLI
Instructions
...
We will create a keystore used by our HiveMQ nodes
Code Block
keytool -genkey -keyalg RSA -alias hivemq -keystore hivemq.jks -storepass changeme -validity 360 -keysize 2048
keytool will ask for the necessary information to create our root certificate and private key. These will be stored in hivemq.jks, which we need to make available to all our cluster nodes.
...
2. Next we need to create a client certificate (mqtt-client-cert.pem), generate an x509, DER encoded certificate from it (mqtt-client-cert.crt) and make it available to HiveMQ in the form of a keystore (hivemq-trust-store.jks).
Code Block
openssl req -x509 -newkey rsa:2048 -keyout mqtt-client-key.pem -out mqtt-client-cert.pem -days 360
openssl x509 -outform der -in mqtt-client-cert.pem -out mqtt-client-cert.crt
keytool -import -file mqtt-client-cert.crt -alias client -keystore hivemq-trust-store.jks -storepass changeme
...
<path> in <keystore> must point to our earlier generated hivemq.jks,
<path> in <truststore> will be our hivemq-trust-store.jks,
<private-key-password> must be identical to the one we set during creation, and
<client-authentication-mode> must be set to REQUIRED.
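To see what REQUIRED actually enforces before touching a broker, the following added example (not part of the HiveMQ guide, and not HiveMQ code) reproduces the listener's behaviour with Python's ssl module: a server that presents its own certificate (standing in for hivemq.jks), trusts exactly one client certificate (standing in for the entry in hivemq-trust-store.jks) and demands a client certificate on every handshake. It assumes the openssl CLI is on PATH and uses throwaway self-signed certificates with unencrypted keys, which differs from the guide's encrypted mqtt-client-key.pem only for the sake of a non-interactive run. A client that connects with the correct CA file but no certificate is rejected, which is the same failure class as the bad_certificate handshake alert; the same client presenting the trusted certificate is accepted.

```python
"""Mutual-TLS demo: what <client-authentication-mode>REQUIRED</client-authentication-mode> enforces."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

WORKDIR = tempfile.mkdtemp(prefix="mtls-demo-")


def make_self_signed(name, cn):
    """Key + self-signed cert, as in the guide's openssl step (assumption: openssl on PATH;
    -nodes leaves the key unencrypted so the demo runs without a prompt)."""
    key = os.path.join(WORKDIR, f"{name}-key.pem")
    cert = os.path.join(WORKDIR, f"{name}-cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", f"/CN={cn}", "-addext", f"subjectAltName=DNS:{cn}"],
        check=True, capture_output=True)
    return key, cert


# Constructed demo material: the broker's identity and the one trusted client cert.
SERVER_KEY, SERVER_CERT = make_self_signed("server", "localhost")    # role of hivemq.jks
CLIENT_KEY, CLIENT_CERT = make_self_signed("client", "testclient")   # role of hivemq-trust-store.jks


def server_context():
    """Listener side: own cert chain + trust store + mandatory client auth."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(SERVER_CERT, SERVER_KEY)   # <keystore>
    ctx.load_verify_locations(CLIENT_CERT)         # <truststore>: which client certs are accepted
    ctx.verify_mode = ssl.CERT_REQUIRED            # <client-authentication-mode>REQUIRED
    return ctx


def client_context(present_cert):
    """Client side: trusts the server cert (like --cafile server.pem); optionally presents a cert."""
    ctx = ssl.create_default_context(cafile=SERVER_CERT)
    if present_cert:
        ctx.load_cert_chain(CLIENT_CERT, CLIENT_KEY)
    return ctx


def attempt(present_cert):
    """Run one handshake against a fresh loopback listener; return 'accepted' or 'rejected'."""
    srv = server_context()
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        raw, _ = listener.accept()
        try:
            with srv.wrap_socket(raw, server_side=True) as tls:
                tls.recv(16)
                tls.sendall(b"ok")
        except OSError:
            pass   # handshake failed (no or untrusted client cert); alert already sent to the peer

    worker = threading.Thread(target=serve)
    worker.start()
    cli = client_context(present_cert)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with cli.wrap_socket(raw, server_hostname="localhost") as tls:
                tls.sendall(b"hello")
                # With TLS 1.3 the client finishes its side of the handshake first, so the
                # server's rejection surfaces here as an alert / EOF rather than in wrap_socket.
                result = "accepted" if tls.recv(16) == b"ok" else "rejected"
    except OSError:
        result = "rejected"
    worker.join()
    listener.close()
    return result


if __name__ == "__main__":
    print("client without certificate:", attempt(present_cert=False))   # rejected
    print("client with trusted certificate:", attempt(present_cert=True))  # accepted
```

The point to carry over to the broker: a correct --cafile only lets the client verify the server; with REQUIRED the server additionally verifies the client, so the client must also be given its certificate and key, and that certificate must be the one imported into the trust store.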
Note: When you are running multiple HiveMQ nodes on a single server, remember that each instance requires a unique listening port.
...
We must again adjust the paths of our server's keystore and truststore (path to our generated server.jks), and since we are running our cluster nodes on a single machine, each must bind to a different <bind-port>.
...
Note: To avoid further binding conflicts, modify jmxremote.port to a unique value in each node's JAVA_OPTS variable within the corresponding run.sh.
...
2. .. while including our server.pem
Code Block
mqtt sub -t topic -q 1 -h localhost -i testclient --cafile /some/dir/server.pem -d
CLIENT testclient: sending CONNECT
PUBLISH: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
PUBLISH: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
...