How to set up Prosys OPC-UA integration with HiveMQ Edge

This document is based on original content created by Miguel Arregui here.


HiveMQ Edge supports multiple machine-to-machine communication protocols, including OPC-UA. This guide is a technical walkthrough for establishing a secure, bidirectional communication channel between HiveMQ Edge and the Prosys OPC-UA server, using mutual TLS (mTLS) so that both sides authenticate each other with certificates.


🔒 Certificate Architecture

Before diving into the implementation steps, let's review the role each certificate plays and where it is placed. We generate one HiveMQ Edge client certificate that serves two security purposes in the Prosys server:

[Diagram: the HiveMQ Edge client certificate (#1) and its two copies in the Prosys server (#2 and #3, the PKI and USERS_PKI trust folders)]


Critical Understanding:

  • Locations #2 and #3 contain the same certificate (exported from #1)

  • They're in two different folders because OPC UA separates:

    • Application authentication (PKI) - "Is this a trusted application?"

    • User authentication (USERS_PKI) - "Is this a trusted user?"


One Certificate We Generate:

  1. HiveMQ Edge Client Certificate

    • Generated with: keytool -genkeypair

    • Stored as: conf/certs/client-keystore.p12

    • Contains: Private key + Public certificate

    • Purpose: HiveMQ Edge's identity for both secure channel and user authentication


Two Certificates We Import (From Prosys):

  1. Prosys Server CA Certificate

    • Source: ~/.prosysopc/.../PKI/CA/private/SimulationServerCA.der

    • Imported into: HiveMQ Edge's conf/certs/truststore.jks

    • Purpose: Trust Prosys's Certificate Authority

  2. Prosys Server Certificate

    • Source: ~/.prosysopc/.../PKI/CA/private/SimulationServer@mac_2048.der

    • Imported into: HiveMQ Edge's conf/certs/truststore.jks

    • Purpose: Trust Prosys's server identity


Where Our Client Certificate Goes:

  1. Application Trust (Secure Channel)

    • Location: ~/.prosysopc/.../PKI/CA/certs/[fingerprint].der

    • Purpose: Prosys trusts HiveMQ Edge for TLS secure channel

    • Process: Moved from PKI/CA/rejected/ after first connection

  2. User Trust (User Authentication)

    • Location: ~/.prosysopc/.../USERS_PKI/CA/certs/[fingerprint].der

    • Purpose: Prosys trusts HiveMQ Edge as an authenticated user

    • Process: Moved from USERS_PKI/CA/rejected/ after enabling X.509 auth

For ease of explanation, the following mTLS configuration example uses self-signed certificates for both HiveMQ Edge and the Prosys OPC-UA server. Self-signed certificates are common in internal networks and test environments, but we do not recommend them in production. For production installations, use certificates that are signed by a trusted certificate authority (CA).
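The keytool and openssl steps behind this certificate layout, as an added example that is not from the original guide or from HiveMQ or Prosys: it creates the client keystore (#1), builds the truststore from the two Prosys DER files, exports the client certificate that ends up at #2 and #3, and prints its fingerprint so the right [fingerprint].der file in rejected/ can be identified before it is moved. The store password, the DN and the application URI are placeholders, and the SAN/key-usage extensions are an assumption about what the Prosys server checks.

```shell
# Added example (not from the original guide or from HiveMQ/Prosys): the
# keytool/openssl steps behind the certificate layout described above.
# Password, DN and application URI are placeholders; paths follow the guide.
set -e

CERT_DIR="${CERT_DIR:-conf/certs}"                 # HiveMQ Edge conf/certs
STOREPASS="${STOREPASS:-changeit}"                 # placeholder, use a real secret
APP_URI="${APP_URI:-urn:hivemq:edge:opcua-client}" # assumed ApplicationUri

# Location #1: HiveMQ Edge's identity (private key + certificate). OPC UA servers
# check the application URI in the SAN and the key usage (assumed values here).
make_client_keystore() {
  keytool -genkeypair -alias hivemq-edge -keyalg RSA -keysize 2048 -validity 365 \
    -storetype PKCS12 -keystore "$CERT_DIR/client-keystore.p12" \
    -storepass "$STOREPASS" -keypass "$STOREPASS" -dname "CN=HiveMQ Edge" \
    -ext "SAN=URI:$APP_URI" \
    -ext "KU=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment"
}

# Truststore: call once with SimulationServerCA.der and once with the
# SimulationServer@...der file from the Prosys PKI/CA/private directory.
import_trusted_cert() {   # $1 alias, $2 DER file
  keytool -importcert -noprompt -alias "$1" -file "$2" -storetype JKS \
    -keystore "$CERT_DIR/truststore.jks" -storepass "$STOREPASS"
}

trusted_entry_count() {   # how many certificates the truststore holds
  keytool -list -storetype JKS -keystore "$CERT_DIR/truststore.jks" \
    -storepass "$STOREPASS" | grep -c trustedCertEntry
}

# Locations #2 and #3 hold this exported certificate; Prosys first files it
# under PKI/CA/rejected/ and USERS_PKI/CA/rejected/ as [fingerprint].der.
export_client_cert() {
  keytool -exportcert -alias hivemq-edge -storetype PKCS12 \
    -keystore "$CERT_DIR/client-keystore.p12" -storepass "$STOREPASS" \
    -file "$CERT_DIR/hivemq-edge.der"
}

# Fingerprint (sha1 or sha256) as hex without colons: match it against the
# [fingerprint].der name before moving that file from rejected/ to certs/,
# so only our certificate is trusted and not any other rejected one.
client_fingerprint() {   # $1: sha1 | sha256
  openssl x509 -inform DER -in "$CERT_DIR/hivemq-edge.der" -noout \
    -fingerprint -"$1" | sed 's/^.*=//; s/://g'
}

if [ "${1:-}" = "run" ]; then   # usage: sh setup-certs.sh run <ca.der> <server.der>
  make_client_keystore
  import_trusted_cert prosys-ca "$2"; import_trusted_cert prosys-server "$3"
  export_client_cert && client_fingerprint sha1
fi
```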


📋 Prerequisites

  • Latest version of HiveMQ Edge installed

  • Java keytool (comes with JDK)

  • OpenSSL

Instructions

Section 1: Install Prosys OPC UA simulation server

Steps:

  1. Visit the official Prosys download page

  2. You will first need to fill out a web form with your details and submit it

  3. Next, you will receive a download link via email

  4. Once the package is downloaded, run the installer and follow the on-screen instructions

  5. Launch the Prosys OPC UA Simulation Server and allow it to initialize its default settings

  6. Under the Status tab, you will be presented with an endpoint URL, which serves as the connection point for integrating HiveMQ Edge with Prosys