eclipse / paho.mqtt-sn.embedded-c

Paho C MQTT-SN gateway and libraries for embedded systems. Paho is an Eclipse IoT project.
https://eclipse.org/paho

Gateway doesn't support clients with certificates for AWS IOT endpoint #199

Closed saumilsdk closed 3 years ago

saumilsdk commented 4 years ago

I have a couple of IoT devices which are registered as AWS IoT devices and have a certificate to communicate with AWS IoT using the MQTT protocol. Now I wanted to use the MQTT-SN gateway in the middle so that the IoT devices can use a UDP connection. The issue is that we cannot provide each client with its specific certificate, and the certificate has to be given in the MQTT-SN gateway.conf. This makes all clients' communication to AWS IoT appear as a single principal ID.

ty4tw commented 4 years ago

Hi,

This makes all clients communication to AWS IoT as single

Clients defined as secure by the clients.conf file can communicate with AWS IoT.

saumilsdk commented 4 years ago

Hi @ty4tw. I have clients which have their own certificates generated by AWS IoT at the time of registration. If I have the MQTT-SN gateway as an intermediary client, then I'll see only one client connecting to AWS IoT even if I have many clients connecting to the gateway.

ty4tw commented 4 years ago

The gateway can not use client certification. So use core certification instead of them.

saumilsdk commented 4 years ago

@ty4tw What is the core certification? How will I identify individual clients on AWS IoT then? Even if MQTT-SN is acting as transparent, I can see only one client, which is the gateway, connected at the broker.

ty4tw commented 4 years ago

Hi, when ClientAuthentication=YES in gateway.conf, only clients which exist in clients.conf can CONNECT to the gateway. I think AWS IoT allows sharing a TLS certification for a device group. So, all clients can share the gateway's certification.

Tomoaki YAMAGUCHI


nikhil1983 commented 3 years ago

Hello @ty4tw, I currently have a few mqtt-sn clients communicating with the Eclipse Paho mqtt-sn gateway and everything works fine. I am able to use public brokers, e.g. the Eclipse IoT broker, or a local broker running on a PC.

Now I want to establish a connection from the MQTT-SN gateway to the AWS MQTT broker. So will providing the path of my root CA certificate and private keys along with the clients list solve the issue?

And in the sample client list I can see the clients are mentioned as client name,ipaddr,extra information. Currently all my mqtt-sn clients are connecting with the same IP addr with different client names. So is the below information enough for my clients file?

Client1,ipv4addr
Client2,ipv4addr

What other information do I have to add to establish a connection to AWS IoT?

nikhil1983 commented 3 years ago

@saumilsdk did you get it working? Because I am also stuck in the same situation as you. Any suggestion will be helpful.

saumilsdk commented 3 years ago

@nikhil1983 I had it working for AWS IoT. Below is the configuration I had used, which had client authentication as YES. To support clients without making them part of the clients.conf, you need to make code changes and need to add an additional config key-value pair to handle that. For clientID and IP configuration, you can configure any random IP for clients to communicate for each unique clientID.

[image: https://user-images.githubusercontent.com/8816702/129241501-b01f4c97-8e0f-4d3a-97c7-bb94033f60ce.png]

nikhil1983 commented 3 years ago

Hey Saumil,

Thanks brother. As you have enabled authentication, can you also show me your clients file?

I am currently finding it difficult to define my clients in the client list, as I don't know which IP address and port I should mention in it along with the client ID.


saumilsdk commented 3 years ago

@nikhil1983 I would recommend to change code and support any client to connect to gateway with ClientAuthentication=NO and still connect to AWS IOT using secure connection ignoring this value in code.

My clients conf when ClientAuthentication=YES.

```
# Each client should have unique IP and PORT.
# Random IP and PORT combination seems working but has to be unique.
# AS Broker's Connection is SSL, write "secureConnection".

GatewayTestClient,127.0.0.1:20020,secureConnection
client1,35.170.7.1:20020,secureConnection
client2,35.170.7.2:20020,secureConnection
client3,35.170.7.3:20020,secureConnection
```

nikhil1983 commented 3 years ago

Hey,

Thanks for the clients file.

I see that in the comment section you have written that we have to use a different IP address for each client. Do you know the reason for that?

You advised me to change code so that I can disable authentication and still connect. I would like to know which code you were talking about. Paho mqtt-sn gateway side?

And finally, in the paho-mqttsn-gateway config file you passed certificates and keys for authentication. Are these device certificates?


saumilsdk commented 3 years ago

@nikhil1983

  1. Yes, you need to have a unique IP, but I have assigned random IPs from 1, 2, 3 and it still works.
  2. Yes, in the Paho gateway you should change the way ClientAuthentication is used. You can add an additional config SecureConnection to manage cert-based authentication.
  3. The certs for the mqtt-sn gateway are the client certificate generated from the AWS IoT gateway for a device, as for IoT, the MQTT-SN gateway is also a client.

nikhil1983 commented 3 years ago

Thanks for clarification.

I didn't use the "secure connection" in my client list file, and the rest of the configuration looks almost similar.

Will get back to you if I need any help.


saumilsdk commented 3 years ago

@nikhil1983 While using ClientAuthentication=YES, all clients have to have secureConnection in the clients list.
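
An added example, not part of the thread or the gateway's code: a small lint for a UDP clients.conf that checks the two rules stated in the comments above (a unique IP:PORT per client, and `secureConnection` on every entry when `ClientAuthentication=YES`). The function name, the `require_secure` parameter and the sample entries are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the clients.conf layout quoted in this thread
# (ClientId,IP:PORT,options); client2 and client3 carry deliberate mistakes.
SAMPLE = """\
# Each client should have unique IP and PORT.
GatewayTestClient,127.0.0.1:20020,secureConnection
client1,35.170.7.1:20020,secureConnection
client2,35.170.7.1:20020,secureConnection
client3,35.170.7.3:20020
"""

def lint_clients_conf(text, require_secure=True):
    """Return (line_number, message) findings; hypothetical helper, not gateway code."""
    findings, addr_owner, ids = [], {}, set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 2 or not fields[0]:
            findings.append((no, "expected ClientId,IP:PORT[,options]"))
            continue
        client_id, addr, options = fields[0], fields[1], fields[2:]
        host, _, port = addr.rpartition(":")
        try:
            key = (str(ipaddress.ip_address(host)), int(port))
            if not 0 < key[1] < 65536:
                raise ValueError(port)
        except ValueError:
            findings.append((no, f"bad address {addr}"))
            continue
        if client_id in ids:
            findings.append((no, f"duplicate ClientId {client_id}"))
        ids.add(client_id)
        if key in addr_owner:
            findings.append((no, f"{addr} already used by {addr_owner[key]}"))
        addr_owner.setdefault(key, client_id)
        # Rule as stated in the thread: with ClientAuthentication=YES and a
        # TLS broker, every entry carries secureConnection.
        if require_secure and "secureConnection" not in options:
            findings.append((no, f"{client_id} lacks secureConnection"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_clients_conf(SAMPLE):
        print(f"clients.conf:{no}: {msg}")
```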

nikhil30081995 commented 3 years ago

@saumilsdk Whenever I use ClientAuthentication=YES my MQTT-SN clients are not able to find the MQTT-SN gateway. And when I just switch off the ClientAuthentication=NO and just pass certificates, then my MQTT-SN clients are able to find the gateway but can't connect to it.