IBMStreams / streamsx.messaging

This toolkit is focused on interacting with popular messaging systems such as Kafka, JMS, XMS, and MQTT. After release v5.4.2 the complete toolkit will be deprecated. See the README.md file for hints to alternative toolkits.
http://ibmstreams.github.io/streamsx.messaging/
Apache License 2.0

Using MQTT operators with SSL? #210

Closed ddebrunner closed 8 years ago

ddebrunner commented 8 years ago

I'm getting failures connecting to IBM Watson IoT Platform using SSL.

https://docs.internetofthings.ibmcloud.com/applications/mqtt.html

It's potentially because of this:

"In many client libraries you will need to provide the server’s public certificate in pem format."

Is there a way to pass the pem to an invocation of an MQTT operator?

ddebrunner commented 8 years ago

This is the connection URI:

18 Mar 2016 23:42:15.445 [5434] DEBUG #splapptrc,J[19],P[190],IotfDevices.Events.RawEvents.Messages M[MqttClientWrapper.java:com.ibm.streamsx.messaging.mqtt.MqttClientWrapper.doConnectToServer:211] - [Connect:] ssl://XXXXX.messaging.internetofthings.ibmcloud.com:8883 Attempt: 4

XXXXX is replaced with my organization identifier.

and the connect attempt fails with:

18 Mar 2016 23:42:16.177 [6194] DEBUG #splapptrc,J[19],P[190],IotfDevices.Events.RawEvents.Messages M[?:org.eclipse.paho.client.mqttv3.internal.ClientComms.connectBG:run:-1] - a:XXXXXX:19_evt: connect failed: unexpected exception
18 Mar 2016 23:42:16.178 [6194] DEBUG #splapptrc,J[19],P[190],IotfDevices.Events.RawEvents.Messages M[?:?:0] - java.net.SocketException: Connection reset

ddebrunner commented 8 years ago

Ok - found the pem can be set in the connection document:

http://ibmstreams.github.io/streamsx.messaging/com.ibm.streamsx.messaging/doc/spldoc/html/tk$com.ibm.streamsx.messaging/tk$com.ibm.streamsx.messaging$5.html

Though it says it's relative to the data directory, which I don't have, so maybe that's the older SPLDOC as #206

(adding comments as I find stuff to provide a trail for others)

ddebrunner commented 8 years ago

The connection doc isn't applicable for my case, where I don't want the URI to be fixed as it depends on the IoT Platform organization. I tried just pointing the trustStore parameter to the pem file, but that didn't seem to work. I'm going to try adding some tracing to the MQTT operators to see what is going on.

ddebrunner commented 8 years ago

Individually adding the public certificates in the pem file to a Java trust store and then pointing to the trust store with the parameters trustStore and trustStorePassword allowed connections using SSL, though in my case TLSv1.2 was required, which is not supported by the operators (see #216).

Also I added #215 to try and understand why the connection document uses a pem file as the trust store.
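
The trust store procedure described in the comment above, sketched as an added example that is not part of the original thread or the toolkit's own code: it splits a PEM bundle into one file per certificate and imports each under its own alias with `keytool`. The file names, the alias prefix `iot` and the `TRUSTSTORE_PASS` environment variable are assumptions; the resulting store is what the `trustStore` and `trustStorePassword` parameters would point at.

```shell
#!/bin/sh
# Added example: build a Java trust store from a multi-certificate PEM bundle.
# File names, the alias prefix and TRUSTSTORE_PASS are assumptions.

# Split bundle $1 into $2/cert-1.pem, $2/cert-2.pem, ...; print the count.
# Text outside BEGIN/END CERTIFICATE markers (comments, blank lines) is dropped.
split_pem_bundle() {
  mkdir -p "$2" || return 1
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; copying = 1 }
    copying { print > out }
    /-----END CERTIFICATE-----/ && copying { copying = 0; close(out) }
    END { print n + 0 }
  ' "$1"
}

# Import every certificate in directory $1 into trust store $2, alias prefix $3.
import_certs() {
  [ -n "${TRUSTSTORE_PASS:-}" ] || { echo "set TRUSTSTORE_PASS" >&2; return 1; }
  for pem in "$1"/cert-*.pem; do
    [ -e "$pem" ] || { echo "no certificates found in $1" >&2; return 1; }
    # Show owner, issuer and fingerprints so they can be compared with the
    # values the service publishes; -noprompt below skips keytool's own prompt.
    keytool -printcert -file "$pem" || return 1
    keytool -importcert -noprompt -trustcacerts \
      -alias "$3-$(basename "$pem" .pem)" -file "$pem" \
      -keystore "$2" -storepass:env TRUSTSTORE_PASS || return 1
  done
  # List the final contents so the number of trusted entries can be checked.
  keytool -list -keystore "$2" -storepass:env TRUSTSTORE_PASS
}

# Usage: TRUSTSTORE_PASS=... sh pem-to-truststore.sh bundle.pem truststore.jks
if [ "$#" -eq 2 ]; then
  workdir=$(mktemp -d) || exit 1
  split_pem_bundle "$1" "$workdir" >/dev/null &&
    import_certs "$workdir" "$2" iot
  status=$?
  rm -rf "$workdir"
  exit "$status"
fi
```
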

conglisc commented 8 years ago

Hi @ddebrunner,

I think this issue is being addressed via #215 and #216 so I am closing this issue.