Skip to end of metadata
Go to start of metadata

You are viewing an old version of this content. View the current version.

Compare with Current View Version History

« Previous Version 3 Current »

In an ESE pipeline, you can add preprocessing steps before authentication and before authorization.

The X.509 preprocessor makes it possible to use information that is provided in the X.509 certificate of a connecting MQTT client for authentication and authorization of the client in HiveMQ.

Among others, The HiveMQ X.509 preprocessor can extract values from the following X.509 certificate field:

  • Common Names from the Subject Alternative Names extension: Additional names for the subject of the certificate. This field can contain multiple entries. The OID for this field is 2.5.29.17.

This article provides an example of how to generate a client certificate with SAN.

\uD83D\uDCD8 Instructions

  1. Prepare an OpenSSL configuration file req.cnf:

    [req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = DE
ST = Bayern
L = Landshut
O = HiveMQ GmbH
CN = client1

[v3_req]
subjectAltName = dirName:dir_sect

[dir_sect]
C = DE
O = HiveMQ GmbH
OU = HiveMQ Support
CN = client1

  2. Generate the client certificate using the OpenSSL configuration file req.cnf:

    #!/usr/bin/env bash

#Create a new Certificate Signing Request (CSR) and a new Key file
openssl req \
  -new \
  -out 'client1.csr' \
  -newkey rsa:2048 \
  -nodes \
  -sha256 \
  -keyout 'client1-key.temp' \
  -config 'req.cnf'

#verify the CSR
openssl req -text -noout -verify -in 'client1.csr'

#write RSA key
openssl rsa -in 'client1-key.temp' -out 'client1-key.pem'

#generate client certificate using the CSR and the OpenSSL configuration file
openssl x509 -req -in 'client1.csr' \
  -signkey 'client1-key.pem' \
  -out 'client1-cert.pem' \
  -days 365 \
  -extensions 'v3_req' \
  -extfile 'req.cnf'

#convert the client certificate from PEM to CRT
openssl x509 -outform der \
  -in 'client1-cert.pem' -out 'client1-cert.crt'
  
#import the client certificate to the broker's truststore
printf "yes\n" |keytool -import -file 'client1-cert.crt' \
  -alias 'client1' \
  -keystore 'broker-truststore.jks' \
  -storepass 'passwordillo'

    where:
    - client1 is an example client name;
    - broker-truststore.jks is an example broker’s trust store file path;
    - passwordillo is an example password to the broker's trust store.

  3. Example test command:

    mqtt sh
mqtt> connect --host localhost --port 8883 \
  --cafile server.pem \
  --cert client1-cert.pem \
  --key client1-key.pem

  4. Example X509 ESE preprocessor configuration

    <x509-preprocessor prefix="{{" postfix="}}">
        <x509-extraction>
            <x509-field>subject-alternative-common-names</x509-field>
            <ese-variable>string-4</ese-variable>
        </x509-extraction>
    </x509-extractions>
</x509-preprocessor>

  5. Example ESE Logging Preprocessor configuration:

    <logging-preprocessor>
    <message>ESE-Variable string-4(subject-alternative-common-names): ${string-4}</message>
    <level>debug</level>
    <name>com.example.logger</name>
</logging-preprocessor>

  • No labels