emqx / mqtt-jmeter

MQTT JMeter Plugin
https://www.emqx.com/en
Apache License 2.0

AWS IoT Core broker compliance #68

Open leonpros opened 4 years ago

leonpros commented 4 years ago

Provide a possibility to connect to AWS IoT Core broker with different connection types

jinfahua commented 4 years ago

It should be supported. AWS IoT can use Dual SSL authentication.

leonpros commented 4 years ago

Is there an example of a working test for this? Is this relevant for a specific AWS IoT configuration?

kfeuser commented 4 years ago

@leonpros I got it working for AWS IoT with Dual SSL authentication: I created a trusted key store with keytool for the root CA of the endpoint (i.e. for iot:Data-ATS Amazon Root CA 1):

keytool -import -file /path/to/root/ca/amazon1 -alias Amazon1 -keystore myTrustStore.jks

You then need to create a .p12. AWS IoT provides pem, private and public key on certificate creation. In order to create the

openssl pkcs12 -export -in cert.crt -inkey privateKey.pem -out certname.p12

Just enable Dual SSL authentication and provide the p12 file and the myTrustStore.jks.

Zubair-Alam1 commented 4 years ago

Thanks @kfeuser, it worked.

ouyun commented 3 years ago

> @leonpros I got it working for AWS IoT with Dual SSL authentication: I created a trusted key store with keytool for the root CA of the endpoint (i.e. for iot:Data-ATS Amazon Root CA 1):
>
> keytool -import -file /path/to/root/ca/amazon1 -alias Amazon1 -keystore myTrustStore.jks
>
> You then need to create a .p12. AWS IoT provides pem, private and public key on certificate creation. In order to create the
>
> openssl pkcs12 -export -in cert.crt -inkey privateKey.pem -out certname.p12
>
> Just enable Dual SSL authentication and provide the p12 file and the myTrustStore.jks.

@kfeuser Could you tell me the versions of this xmeter plugin and JMeter? Thanks.

trademark18 commented 3 years ago

@kfeuser Thanks for the detailed instructions. They would make a great addition to the bottom of the Readme.

abarzenok commented 2 years ago

For those who are wondering how to run the plugin with AWS IoT, I've got the following configuration working:

- Java 12+
- mqtt plugin version 2.0.2
- openssl 3.0.3 to generate .p12 cert

In the connect sampler:

- port 8883 (must be opened on your machine)
- mqtt version 3.1.1
- protocol SSL
- Dual SSL authentication enabled
- .p12 generated as kfeuser suggested earlier:

openssl pkcs12 -export -in cert.crt -inkey privateKey.pem -out certname.p12

Useful links:

- https://docs.aws.amazon.com/iot/latest/developerguide/protocols.html
- https://aws.amazon.com/blogs/iot/mqtt-with-tls-client-authentication-on-port-443-why-it-is-useful-and-how-it-works/
- https://community.hivemq.com/t/is-alpn-protocol-supported-in-hivemqtt/587

(these 2 links describe why an MQTT connection on port 443 may work from the SDK and not work with the plugin)

Also, for debugging, AWS SDK examples are helpful, like this one. It allows you to enable the debug logging mode, which may give you additional info about the communication between your computer and AWS.
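The `.p12` step from kfeuser's and abarzenok's comments, as an added example that is not part of the thread or the plugin: it checks that the private key belongs to the certificate before running the same `openssl pkcs12 -export`, creates the bundle owner-readable only, and confirms it opens with the export password. The function names, the password file and the throwaway self-signed identity are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# key_matches_cert CERT KEY: succeed only if KEY is the private key for CERT,
# by comparing the PEM public key extracted from each file.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# build_p12 CERT KEY OUT PASSFILE: the thread's "openssl pkcs12 -export",
# with the export password read from PASSFILE instead of a prompt.
build_p12() {
    key_matches_cert "$1" "$2" || { echo "refusing: key does not match certificate" >&2; return 2; }
    [ -s "$4" ] || { echo "refusing: export password file is empty" >&2; return 3; }
    # The bundle holds the private key, so create it readable by the owner only.
    ( umask 077
      openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "file:$4" ) || return 1
    # Check that the bundle's MAC verifies with that password before JMeter uses it.
    openssl pkcs12 -in "$3" -passin "file:$4" -noout 2>/dev/null
}

# make_constructed_identity DIR: throwaway self-signed cert.crt and
# privateKey.pem (constructed sample data standing in for the AWS IoT files).
make_constructed_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-thing" \
        -keyout "$1/privateKey.pem" -out "$1/cert.crt" 2>/dev/null
}

# Usage: sh make_p12.sh cert.crt privateKey.pem certname.p12 passfile
if [ "$#" -eq 4 ]; then
    build_p12 "$@"
fi
```

A return code of 2 means the key and certificate do not belong together, which is worth ruling out before debugging the TLS handshake itself.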

napalm684 commented 1 year ago

> @leonpros I got it working for AWS IoT with Dual SSL authentication: I created a trusted key store with keytool for the root CA of the endpoint (i.e. for iot:Data-ATS Amazon Root CA 1):
>
> keytool -import -file /path/to/root/ca/amazon1 -alias Amazon1 -keystore myTrustStore.jks
>
> You then need to create a .p12. AWS IoT provides pem, private and public key on certificate creation. In order to create the
>
> openssl pkcs12 -export -in cert.crt -inkey privateKey.pem -out certname.p12
>
> Just enable Dual SSL authentication and provide the p12 file and the myTrustStore.jks.

I have SSL and Dual SSL enabled but there is no input for the jks file?

UPDATE: It appears to be disabled on this commit https://github.com/emqx/mqtt-jmeter/commit/a8c7f01344fd1c52e110f3c25f38f3b7aaa01cb4

I am wondering if anyone has had luck connecting to AWS IoT core without being able to specify the jks?

UPDATE 2: Figured it out. It makes sense, but for those finding this make sure your client id matches your AWS thing identifier. Also uncheck the random append to the right of this input. Thanks @kfeuser for figuring this out.

MohithVarma2002 commented 11 months ago

@napalm684 how did it work in the latest version of the plugin where there is no option to provide the jks?