docs/src/operate/security/mqtt-tls-configuration.md
Lines changed: 43 additions & 1 deletion
@@ -5,11 +5,17 @@ description: Setting up TLS for secure local MQTT communication
5
5
---
6
6
7
7
%%te%% supports certificate-based authentication when communicating with
8
-
an MQTT broker. Three levels of security are supported:
8
+
an MQTT broker. Four levels of security are supported:
9
9
10
10
1. No authentication (default)
11
11
2. Server authentication
12
12
3. Server + client authentication
13
+
4. Username and password authentication
14
+
15
+
:::note
16
+
Username and password authentication can be used as the sole authentication method, or it can be layered on top of server or server + client authentication for enhanced security.
17
+
See [here](#username-password-authentication) for details.
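Review bot: the new item "4. Username and password authentication" is listed as a fourth "level" alongside the three TLS levels, but the note immediately below says it "can be layered on top of server or server + client authentication", so it is orthogonal to the list rather than a further step in it; consider wording the intro as "Three TLS levels and an optional username/password mechanism are supported" or making the list text say "(can be combined with 2 or 3)" so readers do not assume 4 is stronger than 3. Also confirm that the heading of the new section renders to the slug `#username-password-authentication` used in the link, since the heading itself is not in this hunk.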
When a local MQTT broker requires username/password authentication,
238
+
the %%te%% components need to provide this username and password.
239
+
240
+
Configure the username and the path to the password file using `tedge config`:
241
+
242
+
```sh
243
+
sudo tedge config set mqtt.client.auth.username "USERNAME"
244
+
sudo tedge config set mqtt.client.auth.password_file "PATH_TO_PASSWORD_FILE"
245
+
```
246
+
247
+
In the password file, write the password on the first line. The second line and any subsequent lines will be ignored.
248
+
249
+
```sh title="file: PATH_TO_PASSWORD_FILE"
250
+
YOUR_PASSWORD
251
+
```
252
+
253
+
For security reasons, we recommend changing the password file's ownership to `tedge:tedge`
254
+
and setting the permissions to `600`.
255
+
This ensures that only %%te%% services can read the password.
256
+
257
+
```sh
258
+
sudo chown tedge:tedge "PATH_TO_PASSWORD_FILE"
259
+
sudo chmod 600 "PATH_TO_PASSWORD_FILE"
260
+
```
261
+
262
+
In addition, if TLS is enabled on the broker, configure the secure port (8883 is the standard port) and provide the path to the trusted CA certificate file using `tedge config`:
263
+
```sh
264
+
sudo tedge config set mqtt.client.port 8883
265
+
sudo tedge config set mqtt.client.auth.ca_file "PATH_TO_CA_CERTIFICATE"
266
+
```
267
+
268
+
If any %%te%% services (e.g. tedge-agent) are already running, they must be restarted for the changes to take effect.
269
+
270
+
229
271
## Next steps
230
272
231
273
- For more options to customize behaviour of mosquitto broker, see
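Review bot: the paragraph starting "In addition, if TLS is enabled on the broker" presents TLS as an optional extra, but MQTT sends the username and password in the clear in the CONNECT packet, so the "sole authentication method" case from the note above is only reasonable when the broker listens on localhost; add a sentence stating that a broker reachable over the network must use username/password together with the TLS options (port 8883 and `mqtt.client.auth.ca_file`). For the file-handling steps, the sequence "write the password file, then `chown`/`chmod 600`" leaves a window in which the file is readable under the creator's default umask; suggest creating it with the final mode in one step (for example `sudo install -m 600 -o tedge -g tedge /dev/null "PATH_TO_PASSWORD_FILE"` before writing the password) or at least stating that the file should be created as `tedge` rather than copied in later. Minor: the fence after "In addition, if TLS is enabled on the broker ..." is missing the blank line that the other fences in this section have before them, and it is worth stating whether a trailing newline or whitespace on the first line of the password file is stripped, since "the second line and any subsequent lines will be ignored" does not settle that.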