In a previous example we discussed how to secure connections between an Mosquitto MQTT broker and the Mosquitto client. In that there are several different brokers for an MQTT brokers, there are also several client implementations for the MQTT protocol. There are several libraries available for multiple MQTT clients in various programming languages. This example looks at Paho, a project that was adopted into the Eclipse Foundation much like Mosquitto, that specifically implements a client for MQTT. We will be looking at the Python implementation of Paho. Although you can use any other MQTT server, we already have a Mosquitto server from our previous example that we can use for this tutorial.
Here we will show how simple it is to secure a Mosquitto server and a non-Mosquitto client (Paho) using WoTT. The principles shown here can be applied to any MQTT client accessing a Mosquitto server.
You will need two devices, either a Debian machine or Raspberry Pi. In a set up where you have both, it is preferable to set up the Debian machine as your server device. Both these devices will need to have the WoTT Agent installed and Docker CE installed. Note installation instructions for Docker on Pi is different so refer to the link above for appropriate instructions.
This example contains code snippets. We recommend you clone our examples repository by doing the following:
$ git clone https://github.com/WoTTsecurity/examples.git
Alternatively, you can use curl to manually install the files that you need. Refer to our other code snippet examples (Adafruit IO, Simple WebApp, etc) for instructions to do this. However, if you are going to be looking at our other tutorials in the future we recommend you have the repository readily available.
Please refer to our Mosquitto MQTT example for in depth information on how to set up the server. If you are familiar with this example and want to just quickly ‘set up and go,’ do the following:
Navigate to the directory where you have cloned our ‘examples’ repository:
$ cd examples/mosquitto-server
Alter the ACL file permissions.acl with your WoTT device details for the relevant permissions (remember we want to grant some access to your client device). To find the WoTT Device ID:
$ sudo wott-agent whoami
We are still using the topic /wott/temperature to publish and subscribe messages to and from.
This is where our instructions differ from setting up the Mosquitto client. It is not significantly more complicated but Paho has a different set up. First, you will need to have Paho on your system.
Navigate to the directory containing our examples respository. Navigate to the paho-mqtt-client folder like so:
$ cd examples
$ cd paho-mqtt-client
$ pip3 install -r requirements.txt
There are two files in this folder - a requirements.txt file and the client itself paho-connect-wott.py. The above command installs the version of the Paho client needed for this example.
Note: you can use whatever version of the pip tool you have.
Now that Paho is installed, you need to set your server variables for Paho to connect to. Do the following:
$ export MQTT_SERVER=ServerDeviceID.d.wott.local
$ export MQTT_TOPIC=my/topic
$ export MQTT_PORT=8333
where for this example my/topic refers to the topic wott/temperature (my/topic will default to wott/temperature if not specified otherwise).
Feel free to try and run the client now using sudo python3 paho-connect-wott.py. You will notice that this fails.
This is because we haven’t established a route for the client to connect to the server device through - we need to alter the /etc/hosts file on the client to add a route to the server. In the Mosquitto example, we set this up using Docker, but here you will need to manually add the hostname. So, in whatever text editor you prefer:
$ sudo $EDITOR /etc/hosts
You will see a file containing something like this:
127.0.0.1 localhost
127.0.1.1 your_machine's_name
[...]
Add your server device’s IP followed by the ‘domain’ that you will be calling it by- the device’s WoTT ID (do not remove the other ones!) like so:
IP.Of.Docker.Server ServerDeviceID.d.wott.local
Save and exit. Now you have a route to the server!
Note: we have discussed finding your IP in previous examples. There are several commands such as ip addr show, ifconfig, etc. Take your pick as long as you choose the inet address for your server IP.
Now we can run the client using Python 3. The output will look like the following:
$ sudo python3 paho-connect-wott.py
rc: 0
Subscribed: (1,0)
If you check your server, you will see that it has registered a connection from the Paho client.
You are now securely set up with a Paho MQTT client. The client accesses the server through the server’s CN (common name). This is how the client verifies the server (this is defined in our mosquitto.conf file for the Mosquitto server if you can recall) unlike a typical browser where there is only one-way verification. You can essentially think of it as the client matching the server name to that which is one the ACL file (permissions).
The example we provided contains a simple subscriber. Please experiment with a Paho publisher yourself and other clients. We want you to feel free to break our code! It’s the best way to develop.
Hopefully you’ve now grasped the basic concepts of setting up at least two different types of MQTT server/client with the cryptographic identity that WoTT provides so you don’t actually need to worry about the details of the security itself.
Did you know that WoTT gives you free security audits, including CVE scanning, for your first node? Sign up today.