How Does eG Enterprise Monitor Mosquitto MQTT?
eG Enterprise is capable of monitoring the Mosquitto MQTT message broker in both agent-based and agentless manners. However, eG Enterprise recommends monitoring Mosquitto MQTT in an agent-based manner. In case of the agentless approach, the remote agent used to monitor the server should be deployed on a remote Windows host in the environment.
Pre-Requisites for Monitoring a SSL-enabled Mosquitto MQTT
In order to monitor a SSL-enabled Mosquitto MQTT message broker, the following steps need to be followed:
-
Creating a self-signed Certificate Authority (CA) File
-
Creating the Server Certificate File
Creating the Client Certificate File
-
Creating the Client Key File
-
Creating a Java Keystore File
Each step is discussed in detail in the forthcoming sections.
Creating a self-signed Certificate Authority File
To monitor a SSL-enabled Mosquitto MQTT, it is essential to create a self-signed Certificate Authority file on the host on which Mosquitto MQTT message broker is installed. To create this file, administrators need to use the openssl software. Following are the steps that need to be followed to create the Certificate Authority File:
In order to create a self-signed Certificate Authority file, you may first need a CA Key Pair. For this, open the Command Prompt on the Mosquitto MQTT host as an "Administrator" and execute the command as shown in Figure 1. As an example, the CA Key pair is named as m2mqtt_ca.key.
Figure 1 : Generating a CA Key Pair
Once the Key pair is generated, you will be prompted to specify the password for the Key Pair as shown in Figure 2.
Figure 2 : Specifying the password for the generated CA Key Pair
The CA Key Pair will now be generated successfully. Now, using the CA Key Pair mentioned in Figure 2, you need to generate a CA Certificate File (e.g., m2mqtt_ca.crt) using the command specified in Figure 3.
Figure 3 : Generating the CA Certificate File
This CA Certificate File is mandatory to create a Server Certificate File and the Client Certificate File. Also, if the target Mosquitto MQTT is being monitored in an agentless manner, ensure that the CA Certificate is copied to the <eG_INSTALL_DIR>\egurkha\lib folder on the remote Windows host.
Creating a Server Certificate File
For seamlessly communicating between the Clients and the Servers, the Mosquitto MQTT message broker requires the Server Certificate and the Client Certificate. This section briefly discusses on creating a Server Certificate. Follow the steps below to create a Server Certificate:
In order to create a Server Certificate, you may first need a Server Key Pair i.e., the Private Key of the server. For this, open the Command Prompt on the Mosquitto MQTT host as an "Administrator" and execute the command as shown in Figure 4. In our example, the Server Key Pair is named as m2mqtt_srv.key
Figure 4 : Creating Server Key Pair
Once the Server Key Pair is created, you should raise a Server certificate request (see Figure 5) to generate the Server Certificate. The Server certificate request created here is m2mqtt_srv.csr.
Figure 5 : Raising Server Certificate Request
To generate the Server Certificate (for e.g., m2mqtt_srv.crt), use the CA Key Pair and the CA Certificate File (generated in Figure 3) to sign the generated Server certificate request. The command for execution is specified in Figure 6.
Figure 6 : Generating the Server Certificate
Securing the Certificate Files on Mosquitto MQTT
Once the CA Certificate and the Server Certificate files are created, you are required to copy the CA Certificate, Server Certificate and the Server Key Pair to a common folder in the host where the Mosquitto MQTT is installed. Let us say, the common folder is 'cert'. In some installations, this folder may pre-exist. If this folder pre-exists, just copy the files to this folder. If the 'cert' folder does not exist, you are required to create a new folder. Figure 7 shows the files copied in the 'cert' folder.
'
Figure 7 : The files in the cert folder
Editing the Mosquitto MQTT Configuration File
Now that the CA Certificate File, Server Certificate and the Server Key Pair are copied to the cert folder, you are required to edit the mosquitto.conf file i.e., the configuration file of Mosquitto MQTT. in the mosquitto.conf file, specify the port on which the Mosquitto MQTT should listen to and the full path to the CA Certificate File, Server Certificate and the Server Key Pair as shown in Figure 8.
Figure 8 : Editing the mosquitto.conf file
Next, save the mosquitto.conf file.
After saving the file, ensure that you execute the following command on the Mosquitto MQTT host:
mosquitto -c mosquitto.conf -v
Once the command execution is successful (see Figure 9), the target Mosquitto MQTT starts listening on the port mentioned in the mosquitto.conf file (see Figure 8).
Figure 9 : Successful execution of the command
Creating a Client Certificate File
Now that the CA Certificate and the Server Certificate files are created and the files are available in the target Mosquitto MQTT host, it is now necessary to create a Client Certiicate Key Pair and the Client Certificate. Follow the steps below to create a Client Certificate:
The first step to create a Client Certificate is to create a Client Key Pair i.e., the Private Key of the Client. For this, open the Command Prompt on the Mosquitto MQTT host as an "Administrator" and execute the command as shown in Figure 10. In our example, the Client Key Pair is named as client.key.
Figure 10 : Creating Client Key Pair
The Client Key Pair will be created after you specify the password for the Client Key Pair as shown in Figure 10. Note that the password of the Client Key pair should be the same as that of the CA Key Pair. Once the Client Key Pair is created, you should raise a Client certificate request (see Figure 11) to generate the Server Certificate. The Server certificate request created here is client.csr.
Figure 11 : Raising Client Certificate Request
To generate the Client Certificate (for e.g., client.crt), use the CA Key Pair and the CA Certificate File (generated in Figure 3) to sign the generated Client certificate request. The command for execution is specified in Figure 12.
Figure 12 : Generating the Client Certificate
Ensure that the Client Certificate and the Client Key pair are also placed in the 'cert' available in the host on which the target Mosquitto MQTT is installed.
While configuring the tests of the target Mosquitto MQTT message broker, you need to provide the full path to the CA Certificate File, Client Certificate and the Client Key Pair against the CA CERT FILE, CLIENT CERT FILE and the CLIENT KEY FILE parameters.