Mobius SSL TLS Enabling
Mobius can provide confidentiality and integrity for the data it transmits over the https and mqtts protocols, which are built on Secure Sockets Layer / Transport Layer Security (SSL/TLS).
Commercial servers obtain their SSL/TLS certificates from a validated Certificate Authority (CA); for personal use, OpenSSL can be used to create your own certificates and avoid the cost of having them issued.
This document guides you through generating certificates with OpenSSL and applying them to Mobius.
Windows:
- Download OpenSSL for Windows and extract the zip file.
- Open CMD and change into the extracted directory.
For example, if you downloaded and extracted the file on the C drive, the CMD command to enter the directory is:
cd C:\openssl-0.9.8k_X64
Ubuntu:
- Open a terminal and enter the command below.
sudo apt-get install libssl-dev openssl
macOS:
- A good way to download and install OpenSSL is with brew. For brew installation, see the brew official site.
- After installing brew, open a terminal and enter the command below.
brew install openssl
On CMD or a terminal, enter the command below to create the CA key pair.
openssl genrsa -out ca-key.pem 4096
Enter the command below to create the CA certificate.
openssl req -new -x509 -days 9999 -key ca-key.pem -out ca-crt.pem
Creating the CA certificate prompts for some information. Enter your details.
To create the server key pair, enter the command below.
openssl genrsa -out server-key.pem 4096
Enter the command below to create the CSR (certificate signing request), which is needed to create the server certificate.
openssl req -new -out server-csr.pem -key server-key.pem
Creating the CSR also prompts for some information. Enter your details.
Note that in this step you must enter your server's domain name in the Common Name field.
Create the server certificate from server-csr.pem and ca-crt.pem with the command below.
openssl x509 -req -in server-csr.pem -CA ca-crt.pem -CAkey ca-key.pem -CAcreateserial -out server-crt.pem -days 9999
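The five openssl steps above, as an added example script that is not part of the Mobius project: it runs them non-interactively (-subj replaces the prompts) and then checks the two things the mosquitto and Mobius steps depend on, that server-crt.pem verifies against ca-crt.pem and that its Common Name equals the host name clients will connect to. The host name mobius.example.local and the working directory are constructed placeholders, and check_listener assumes a broker is already running on port 8883.

```shell
#!/bin/sh
# Added example, not part of the Mobius project: runs the five openssl steps above
# non-interactively (-subj replaces the interactive prompts), then checks what the
# mosquitto and Mobius steps depend on. SERVER_NAME and WORKDIR are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_NAME="${SERVER_NAME:-mobius.example.local}"
# CA key pair and self-signed CA certificate (ca-key.pem, ca-crt.pem).
make_ca() {
  openssl genrsa -out "$WORKDIR/ca-key.pem" 4096 2>/dev/null
  openssl req -new -x509 -days 9999 -key "$WORKDIR/ca-key.pem" \
    -out "$WORKDIR/ca-crt.pem" -subj "/CN=Mobius Test CA" 2>/dev/null
}

# Server key pair, CSR with the server's host name as Common Name, CA-signed server certificate.
make_server_cert() {
  openssl genrsa -out "$WORKDIR/server-key.pem" 4096 2>/dev/null
  openssl req -new -key "$WORKDIR/server-key.pem" -out "$WORKDIR/server-csr.pem" \
    -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/server-csr.pem" -CA "$WORKDIR/ca-crt.pem" \
    -CAkey "$WORKDIR/ca-key.pem" -CAcreateserial -out "$WORKDIR/server-crt.pem" \
    -days 9999 2>/dev/null
}

# Succeeds only if server-crt.pem chains to ca-crt.pem: what a client given ca-crt.pem as its CA file verifies.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca-crt.pem" "$WORKDIR/server-crt.pem" >/dev/null 2>&1
}

# Succeeds only if the certificate's Common Name equals the expected host name; a
# mismatch here is the usual reason a client rejects the broker's certificate.
cn_matches() {
  cn=$(openssl x509 -in "$WORKDIR/server-crt.pem" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$1" ]
}

# Handshake check against a running mqtts listener (mosquitto on 8883 per the guide):
# fails if the presented chain does not verify against ca-crt.pem.
check_listener() {
  openssl s_client -connect "$1:${2:-8883}" -CAfile "$WORKDIR/ca-crt.pem" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

make_ca
make_server_cert "$SERVER_NAME"
verify_chain && cn_matches "$SERVER_NAME" &&
  echo "OK: $WORKDIR/server-crt.pem chains to ca-crt.pem with CN=$SERVER_NAME"
```

Once mosquitto is running with the generated files, `check_listener your.broker.host` confirms the listener presents a chain that verifies against ca-crt.pem.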
To enable SSL/TLS on mosquitto, a few steps are required.
- Copy the ca-crt.pem file into the ca_certificates directory under /etc/mosquitto, and the server-key.pem and server-crt.pem files into the certs directory under /etc/mosquitto (these are the paths used in the mosquitto.conf example below).
(On Windows, mosquitto.conf is located in C:\Program Files (x86)\mosquitto.)
(On macOS with mosquitto version 1.4.14_2, mosquitto.conf is located in /usr/local/Cellar/mosquitto/1.4.14_2/etc/mosquitto.)
- Edit mosquitto.conf to append the SSL/TLS settings below.
(cafile, certfile and keyfile must be the exact paths where each file is placed. The example below is for Ubuntu.)
listener 8883
cafile /etc/mosquitto/ca_certificates/ca-crt.pem
certfile /etc/mosquitto/certs/server-crt.pem
keyfile /etc/mosquitto/certs/server-key.pem
- Open CMD or a terminal and change into the directory where mosquitto.conf is placed.
Run mosquitto with the command below.
mosquitto -c mosquitto.conf
To enable SSL/TLS on Mobius, a few steps are required.
- Delete the server-key.pem, server-crt.pem and ca-crt.pem files that are shipped with Mobius.
- Copy the server-key.pem, server-crt.pem and ca-crt.pem files you created with OpenSSL into the Mobius root directory.
- Edit line 43 of mobius.js as shown below.
- Run Mobius with the command below.
sudo node mobius.js
To test the SSL/TLS setup of Mobius, oneM2M API Testing and Postman can be used.
- Download and install Postman.
- Download and extract oneM2M API Testing.
- Import oneM2M API Testing into Postman.
- Open Mobius_Release2 and click CSEBase RETRIEVE under the Collections tab.
Edit the destination URI as below.
https://localhost:7579/Mobius
Send it, and a response should be returned.
- You can also observe that all request and response packets are encrypted.
(If you want to test from a non-localhost machine, you have to disable Postman's SSL certificate verification option, because the server certificate is signed by your own CA rather than by a CA Postman trusts.)
- Jaeho Kim, Team Manager (jhkim@keti.re.kr)
- Il Yeup Ahn, R&D Manager (iyahn@keti.re.kr)
- Jae-Hyun Lim (wce5402@naver.com)
- Chanhyung Lee (wwoorim2@gmail.com)