Modbus data to server via MQTT TLS: Difference between revisions

From Teltonika Networks Wiki
No edit summary
No edit summary
 
(13 intermediate revisions by the same user not shown)
Line 5: Line 5:
The following prerequisites make it possible to achieve the desired outcome, which is creating a secure '''MQTT''' connection using '''TLS'''.
The following prerequisites make it possible to achieve the desired outcome, which is creating a secure '''MQTT''' connection using '''TLS'''.


* One RUTxxx device.
* One RUTxxx device
* A Computer for running Modbus Slave application and MQTT subscriber application, in this example '''modRSsim2''' and '''MQTT.''fx'' 1.7.1''' were used respectively.
* A computer for running applications.
* Modbus Server and MQTT subscriber application (for this example '''modRSsim2''' and '''MQTT.fx v1.7.1''' applications were used)
 


==Topology==
==Topology==
<gallery>
[[File:New topology.png|border|class=tlt-border]]<br>
File:Modbus data to server via MQTT TLS Topology.png
</gallery>
 
==Modbus TCP Configurations==
===Configuring Modbus TCP/IP Slave===
We will use a Windows 10 Computer as the Modbus TCP slave in this example. To do this, the '''modRSsim2''' application will need to be installed on the computer. The modRSsim2 application can be downloaded via this link.
 
When installation of '''modRSsim2''' application has been successfully completed, open the application, and apply the following configuration.
 
# # Select Protocol '''“MODBUS TCP/IP”.'''
# # Click '''“Setup the communication Serial or TCP/IP port”''' button.
# [[File:ModRSim2 test1.png|left|thumb]]
 


# # Take note of the '''“Port”'''
# # Click '''“OK”''' to close the menu
# # Configure the static IP address of the Windows 10 Computer to match the one in the topology.
# # Change some values in different register of the '''modRSsim2''' application as shown below:


===Configuring Modbus TCP/IP Master===
===Configuring Modbus TCP/IP Client===
For this example, we will use the router as the Modbus TCP Master that will be requesting data from Modbus TCP Slaves.
For this example, we will use the router as the Modbus TCP Client that will be requesting data from Modbus TCP Servers


# Turn on “Advanced WebUI” mode
# Turn on “Advanced WebUI” mode [[File:Advance.png|border|class=tlt-border]]<br>
# Navigate to '''Services → Modbus → Modbus TCP Master'''
# Navigate to '''Services → Modbus → Modbus TCP Client'''
# Click '''“Add”''' to add a new Modbus TCP Slave
# Click '''“Add”''' to add a new Modbus TCP Client [[File:Modbust TCP Client.png|border|class=tlt-border]]<br>
# Enable the Modbus TCP Slave and enter the '''“Name, Slave ID, IP Address, Port”.''' '''''Note: Slave’s ID, IP Address and Port should be the same as configured in the slave device.'''''
# Enable the Modbus TCP Client Configuration and enter the '''“Name, Server ID, IP Address, Port”. Note: Server’s ID, IP Address and Port should be the same as configured in the client device.'''[[File:Modbus server config1.png|border|class=tlt-border]]<br>
# Click '''“Save”''' and the slave device will be added.
# Click '''“Save”''' and the slave device will be added.


===Testing===
===Testing===
To test whether the functionality is working, we can add a Modbus request to obtain data from the Modbus slave. The master sends a request to a slave specifying the function code to be performed. The slave then the requested data back to the master. A maximum of 64 request configurations for each slave device can be created.
To test whether the functionality is working, we can add a Modbus request to obtain data from the Modbus server. The client sends a request to a specifying the function code to be performed. Then the requested data is sent back to the Client. A maximum of 64 request configurations for each device can be created.  


# Click '''“Edit”''' button in slave device’s configuration.
# Click '''“Edit”''' button in client device’s configuration.[[File:Modbus TCP devices.png|border|class=tlt-border]]<br>
# Type the name of the request followed by clicking the '''“Add”''' button in Requests Configuration section to create a new request.
# Type the name of the request followed by clicking the '''“Add”''' button in Requests Configuration section to create a new request.[[File:Request data.png|border|class=tlt-border]]<br>
# Specify the '''“data type, function, first register, number of registers”''' and ensure that the request is enabled.
# Specify the '''“data type, function, first register, number of registers”''' and ensure that the request is enabled.[[File:Request configuration.png|border|class=tlt-border]]<br>
# Click '''“Save & Apply”''' to save the changes.
# Click '''“Save & Apply”''' to save the changes.
# Click '''“Edit”''' button
# Click '''“Edit”''' button
# Select the request under '''“Request Configuration Testing”''' and click to '''“Test”'''.
# Select the request under '''“Request Configuration Testing”''' and click to '''“Test”'''.
# The slave device will return the requested data.
# The server device will return the requested data.[[File:Requested Data.png|border|class=tlt-border]]<br>


==Generating TLS Certificate==
==Generating TLS Certificate==
To secure an '''MQTT''' connection using '''TLS''', we need to generate certificates and for this example, '''openssl daemon''' that comes pre-installed in '''RUTOS''' was used.
To secure an MQTT connection using TLS, we need to generate certificates and for this example, the certificates will be generated from the device.
 
'''Note: Make sure to set the Broker’s Hostname or Domain Name as the Common Name [CN].'''


For this example, we will generate the TLS certificates (CA key pair, CA certificate, broker key pair, broker certificate, client key pair and client certificate) by following the steps below:
# Navigate to '''System > Administration > Certificates'''.
 
# Click on “GENERATE”
# Generate a CA key pair '''#openssl genrsa -out ca.key'''
# Navigate to the next tab CERTIFICATES MANAGER [[File:Generate Certificates.png|border|class=tlt-border]]<br>
# Generate a CA certificate '''#openssl req -new -x509 -days 365 -key ca.key -out ca.crt'''
# Download the highlighted certificates: ca.cert.pem, client.cert.pem, ca.key.pem and client.key.pem to your Windows 11 Computer for easy upload to the MQTT client.[[File:Download_Certs.png|border|class=tlt-border]]<br>
# Generate a broker key pair '''#openssl genrsa -out server.key 2048'''
# Generate a broker certificate request '''#openssl req -out server.csr -key server.key -new'''
# Use the CA certificate to sign the broker certificate request '''#openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365'''
# Generate the client key '''#openssl genrsa -out client.key 2048'''
# Generate a client certificate request '''#openssl req -out client.csr -key client.key -new'''
# Use the CA certificate to sign the client certificate request '''#openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365'''
# Check if all the required certificates have been generated.
# Copy the certificates to your Windows 10 Computer for easy upload to the router via WebUI and MQTT client.


==Configuring Data to Server==
==Configuring Data to Server==
The Data to Server feature provides the ability to set up data senders that collect data from various sources and periodically send it to remote servers. For this example, we are going to follow the steps below.
The Data to Server feature provides the ability to set up data senders that collect data from various sources and periodically send it to remote servers. For this example, we are going to follow the steps below.


# Access the router’s '''WebUI''' and navigate to '''Services Data to Server'''
# Access the router’s WebUI and navigate to Services > Data to Server.
# Click '''“Add”''' to add a data sender
# Click “Add” to add a data sender. [[File:Data_to_server_Add.png|border|class=tlt-border]]<br>
# Toggle '''“Enable”''' button to enable the data sender, enter the '''“Name”'''.
# Select Modbus in the Type area.
# In '''“Protocol”''' drop down menu, select '''“MQTT”''' and define the parameters that would want to send
# Select Json in the Format type.
# Enter the '''“URL/Host/Connection string”, “Port”''' and '''“Topic”'''
# Click on the NEXT: COLLECTION EDIT BUTTON [[File:Data_to_server_conf.png|border|class=tlt-border]]<br>
# Turn on '''“Use TLS”''' and upload certificates as shown below
# Click on enable.
# Click '''“Save & Apply”''' to apply the changes
# Choose the Json format in format type.
# Click on '''ADVANCED SETTINGS'''. [[File:Data_to_server_Advanced.png|border|class=tlt-border]]<br>
# The settings should be Period:60, turn on the Retry option, retry count:10 Timeout:1 and then click on '''Next: Server configuration'''. [[File:Data_to_server_adv_sett.png|border|class=tlt-border]]<br>
# Select type to MQTT and fill in the details as so. Turn on the TLS, and certificates from device and choose the client certificates. [[File:Data_to_server_MQTT.png|border|class=tlt-border]]<br>
# Navigate to '''Services>MQTT>Broker''' and fille in the settings as so and turn on TLS and turn on the certificates file from device.[[File:MQTT settings.png|border|class=tlt-border]]<br>


==MQTT Configurations==
==MQTT Configurations==
===Configuring MQTT Broker===
===Configuring MQTT Client===
In this example, the router will be the '''MQTT''' broker. For the '''MQTT''' broker configurations to be done, kindly ensure that MQTT package is installed on the router.
For this example, we are going to use MQTT.fx v1.7.1 application to securely connect to the MQTT broker, in this case, the router, and subscribe to a topic.
# Open MQTT.fx and click the settings button to create a new profile. [[File:MQTT_sett_app.png|border|class=tlt-border]]<br>
# Click “+” to create a new profile.
# Enter the “Profile Name”, “Profile Type”, “Broker Address” and “Broker Port”.
# Tick the “Enable SSL/TLS” check box under “SSL/TLS” section, ensure that you select the appropriate protocol, select “Self-signed certificates”, upload the certificates, and select the “PEM Formatted” checkbox.
# Click “Apply” to save the changes and “Ok” to close the configuration window [[File:Mqtt_client_conf_app.png|border|class=tlt-border]]<br>
# Click “Connect” to establish connection to the MQTT Broker. Upon successful connection the status should change from “grey” to “green” [[File:MQTT_conneted_app.png|border|class=tlt-border]]<br>
# Navigate to the “Subscribe”, enter the topic that you wish to subscribe to and click “Subscribe”. You should see data coming from the server showing that there has been a successful secure MQTT connection using TLS.[[File:Mqtt_data_flowing.png|border|class=tlt-border]]<br>


# Access router’s '''WebUI''' and navigate to '''Service → MQTT → MQTT Broker'''
# Enable '''“MQTT Broker”, “Remote Access”''' and '''“Use TLS/SSL”''' and upload the certificates. '''Please note''' that enabling “'''Remote Access'''” is not mandatory if you are connecting via a '''local network'''. You may enable “'''Remote Access'''” if the subscriber is in a '''remote network'''.
# Click '''“Save & Apply”''' to apply the changes
===Configuring MQTT Client===
For this example, we are going to use '''MQTT.''fx''''' v1.7.1 application to securely connect to the '''MQTT''' broker, in this case, the router, and subscribe to a topic.


# Open MQTT.'''''fx'' and''' click the settings button to create a new profile
# Click '''“+”''' to create a new profile
# Enter the '''“Profile Name”''', '''“Profile Type”''', '''“Broker Address”''' and '''“Broker Port”.'''
# Tick the “Enable SSL/TLS” check box under “SSL/TLS” section, ensure that you select the appropriate protocol, select '''“Self-signed certificates”''', upload the certificates, and select the '''“PEM Formatted”''' checkbox.
# Click '''“Apply”''' to save the changes and “Ok” to close the configuration window
# Click “Connect” to establish connection to the MQTT Broker. Upon successful connection the status should change from '''“grey”''' to '''“green”'''
# Navigate to the '''“Subscribe”''', enter the topic that you wish to subscribe to and click '''“Subscribe”'''. You should see data coming from the server showing that there has been a successful secure '''MQTT''' connection using '''TLS'''.


==See Also==
==See Also==
==External Links==
==External Links==
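Review bot: step 4 under "Configuring Modbus TCP/IP Client" now says the Server ID, IP address and port should match those "configured in the client device", where the replaced line said "slave device"; since the router is the client, this should read "server device", and step 5 of the same list still says "the slave device will be added". The revision also drops the note "Make sure to set the Broker's Hostname or Domain Name as the Common Name [CN]" while the MQTT.fx steps still verify the broker certificate; suggest keeping that note in the certificate section, since a client that checks the broker's hostname against its certificate rejects a mismatch. The computer is "Windows 10" in the Modbus TCP/IP Slave section but "Windows 11" in the new certificate download step; one of the two should be corrected.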

Latest revision as of 10:35, 22 March 2024

Introduction

MQTT is a publish-subscribe based messaging protocol designed for connections with remote locations where network bandwidth is limited. In MQTT, a secure connection between a server and client is achieved by implementing TLS (Transport Layer Security), which uses a handshake mechanism in which various parameters are negotiated. This article provides guidelines on how to secure an MQTT connection using TLS.

Prerequisite

The following prerequisites make it possible to achieve the desired outcome, which is creating a secure MQTT connection using TLS.

  • One RUTxxx device
  • A computer for running applications.
  • Modbus Server and MQTT subscriber application (for this example modRSsim2 and MQTT.fx v1.7.1 applications were used)


Topology



Configuring Modbus TCP/IP Client

For this example, we will use the router as the Modbus TCP Client that will be requesting data from Modbus TCP Servers.

  1. Turn on “Advanced WebUI” mode
  2. Navigate to Services → Modbus → Modbus TCP Client
  3. Click “Add” to add a new Modbus TCP Client
  4. Enable the Modbus TCP Client Configuration and enter the “Name, Server ID, IP Address, Port”. Note: the Server ID, IP Address and Port should be the same as configured on the Modbus TCP server device.
  5. Click “Save” and the server device will be added.

Testing

To test whether the functionality is working, we can add a Modbus request to obtain data from the Modbus server. The client sends a request to a server specifying the function code to be performed. The requested data is then sent back to the client. A maximum of 64 request configurations can be created for each device.

  1. Click the “Edit” button in the client device’s configuration.
  2. Type the name of the request, then click the “Add” button in the Requests Configuration section to create a new request.
  3. Specify the “data type, function, first register, number of registers” and ensure that the request is enabled.
  4. Click “Save & Apply” to save the changes.
  5. Click the “Edit” button.
  6. Select the request under “Request Configuration Testing” and click “Test”.
  7. The server device will return the requested data.
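The following Python script is an added example, not code from this wiki page or from Teltonika. It shows what the request configured above looks like on the wire: the Modbus TCP frame the router's client sends for function 03 (Read Holding Registers), first register 0, number of registers 2, on server ID 1, and how the server's reply is parsed, including the exception response a server returns when the first register lies outside its register map. The sample frames are constructed for the example, not captured from modRSsim2, and the big-endian word order used to combine two registers into a 32-bit value is an assumption. Note that Modbus TCP itself carries no authentication or integrity protection; the transaction and unit ID checks below only catch mismatched replies, which is why the data leaves the router over TLS-protected MQTT rather than raw Modbus.

```python
import struct

READ_HOLDING_REGISTERS = 0x03

# Modbus exception codes (subset) from the Modbus application protocol specification
EXCEPTION_CODES = {
    1: "Illegal function",
    2: "Illegal data address",
    3: "Illegal data value",
    4: "Server device failure",
}


class ModbusError(Exception):
    """Raised when the server answers with a Modbus exception response."""


def build_read_request(transaction_id, unit_id, first_register, count):
    """Build a Modbus TCP 'Read Holding Registers' (FC 03) request.

    MBAP header: transaction id, protocol id (always 0), length, unit id.
    PDU: function code, starting address, quantity of registers.
    """
    if not 1 <= count <= 125:
        raise ValueError("count must be between 1 and 125 registers")
    pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, first_register, count)
    mbap = struct.pack(">HHHB", transaction_id, 0, 1 + len(pdu), unit_id)  # length covers unit id + PDU
    return mbap + pdu


def parse_read_response(frame, expected_transaction_id, expected_unit_id):
    """Parse a FC 03 response and return the list of 16-bit register values.

    Rejects frames whose transaction id or unit id do not match the request and
    raises ModbusError for exception responses (function code with bit 0x80 set).
    """
    if len(frame) < 9:
        raise ValueError("frame too short for a Modbus TCP response")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("not a Modbus frame (protocol id %d)" % pid)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    if tid != expected_transaction_id or unit != expected_unit_id:
        raise ValueError("response does not belong to our request")
    function = frame[7]
    if function == READ_HOLDING_REGISTERS | 0x80:
        code = frame[8]
        raise ModbusError(EXCEPTION_CODES.get(code, "Unknown exception %d" % code))
    if function != READ_HOLDING_REGISTERS:
        raise ValueError("unexpected function code 0x%02x" % function)
    byte_count = frame[8]
    data = frame[9:9 + byte_count]
    if len(data) != byte_count or byte_count % 2:
        raise ValueError("register data is truncated")
    return list(struct.unpack(">%dH" % (byte_count // 2), data))


def registers_to_uint32(registers):
    """Combine two consecutive registers into one 32-bit value.

    Word order (high word first) is an assumption for this example; real
    servers differ, so check the server's register documentation.
    """
    if len(registers) != 2:
        raise ValueError("a 32-bit value spans exactly two registers")
    return (registers[0] << 16) | registers[1]


# Constructed sample traffic (not captured from a real device): the request for
# "first register 0, number of registers 2" on server ID 1, a reply in which
# register 0 holds 42 and register 1 holds 256, and an exception reply for a
# request outside the server's register map.
SAMPLE_REQUEST = build_read_request(transaction_id=1, unit_id=1, first_register=0, count=2)
SAMPLE_RESPONSE = bytes.fromhex("0001 0000 0007 01 03 04 002a 0100")
SAMPLE_EXCEPTION = bytes.fromhex("0001 0000 0003 01 83 02")

if __name__ == "__main__":
    print("request  :", SAMPLE_REQUEST.hex())
    values = parse_read_response(SAMPLE_RESPONSE, 1, 1)
    print("registers:", values, "as uint32:", registers_to_uint32(values))
    try:
        parse_read_response(SAMPLE_EXCEPTION, 1, 1)
    except ModbusError as exc:
        print("server rejected request:", exc)
```

Running the script prints the 12-byte request frame, the two register values, and the decoded exception text; the length, transaction ID and unit ID checks are the ones worth keeping in any collector that talks to more than one server.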

Generating TLS Certificate

To secure an MQTT connection using TLS, we need to generate certificates and for this example, the certificates will be generated from the device.

  1. Navigate to System > Administration > Certificates.
  2. Click on “GENERATE”.
  3. Navigate to the next tab, CERTIFICATES MANAGER.
  4. Download the highlighted certificates: ca.cert.pem, client.cert.pem, ca.key.pem and client.key.pem to your Windows 11 Computer for easy upload to the MQTT client.

Configuring Data to Server

The Data to Server feature provides the ability to set up data senders that collect data from various sources and periodically send it to remote servers. For this example, we are going to follow the steps below.

  1. Access the router’s WebUI and navigate to Services > Data to Server.
  2. Click “Add” to add a data sender.
  3. Select Modbus in the Type area.
  4. Select Json in the Format type.
  5. Click the “NEXT: COLLECTION EDIT” button.
  6. Click “Enable”.
  7. Choose the Json format in Format type.
  8. Click on ADVANCED SETTINGS.
  9. Set Period to 60, turn on the Retry option, set Retry count to 10 and Timeout to 1, then click “Next: Server configuration”.
  10. Set Type to MQTT and fill in the broker details. Turn on TLS, enable certificates from device and choose the client certificates.
  11. Navigate to Services > MQTT > Broker, fill in the settings likewise, turn on TLS and enable certificate files from device.

MQTT Configurations

Configuring MQTT Client

For this example, we are going to use MQTT.fx v1.7.1 application to securely connect to the MQTT broker, in this case, the router, and subscribe to a topic.

  1. Open MQTT.fx and click the settings button to create a new profile.
  2. Click “+” to create a new profile.
  3. Enter the “Profile Name”, “Profile Type”, “Broker Address” and “Broker Port”.
  4. Tick the “Enable SSL/TLS” check box under “SSL/TLS” section, ensure that you select the appropriate protocol, select “Self-signed certificates”, upload the certificates, and select the “PEM Formatted” checkbox.
  5. Click “Apply” to save the changes and “Ok” to close the configuration window.
  6. Click “Connect” to establish a connection to the MQTT Broker. Upon successful connection the status should change from “grey” to “green”.
  7. Navigate to the “Subscribe” tab, enter the topic that you wish to subscribe to and click “Subscribe”. You should see data coming from the server, showing that a secure MQTT connection using TLS has been established.
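The following Python script is an added example, not code from this wiki page or from Teltonika; it serves both the "Generating TLS Certificate" section and the MQTT.fx subscriber steps above by showing, with only the standard library, what a subscriber has to get right when it connects over TLS with the downloaded ca.cert.pem, client.cert.pem and client.key.pem: TLS 1.2 or newer, the broker certificate verified against our own CA, the broker's hostname checked against the certificate (which is why the broker certificate's Common Name or Subject Alternative Name must be the broker's hostname), and the client certificate presented so the broker can identify the subscriber. The MQTT 3.1.1 CONNECT, SUBSCRIBE and CONNACK packets are built and parsed by hand; the client ID rut-subscriber, the topic modbus/data and the broker address are assumptions, and the PUBLISH handling assumes QoS 0 and a payload shorter than 128 bytes.

```python
import socket
import ssl
import struct

# MQTT 3.1.1 control packet types (high nibble of the first byte)
CONNECT, CONNACK, SUBSCRIBE = 0x10, 0x20, 0x80

CONNACK_CODES = {
    0: "connection accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def encode_remaining_length(n):
    """MQTT variable-length 'remaining length' field: 7 bits per byte, MSB = more bytes follow."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def utf8_string(s):
    """Length-prefixed UTF-8 string as used throughout MQTT packets."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def build_connect(client_id, keepalive=60):
    """CONNECT with clean session and no username/password: in this setup the
    broker identifies the subscriber by its TLS client certificate instead."""
    body = utf8_string("MQTT") + bytes([4, 0x02]) + struct.pack(">H", keepalive)
    body += utf8_string(client_id)
    return bytes([CONNECT]) + encode_remaining_length(len(body)) + body


def build_subscribe(packet_id, topic, qos=0):
    """SUBSCRIBE for a single topic filter; bit 1 of the fixed header is mandatory."""
    body = struct.pack(">H", packet_id) + utf8_string(topic) + bytes([qos])
    return bytes([SUBSCRIBE | 0x02]) + encode_remaining_length(len(body)) + body


def parse_connack(packet):
    """Return the CONNACK return code (0 = accepted), raising on malformed input."""
    if len(packet) != 4 or packet[0] != CONNACK or packet[1] != 2:
        raise ValueError("not a CONNACK packet")
    return packet[3]


def build_tls_context(cafile=None, certfile=None, keyfile=None):
    """Client-side TLS policy for the subscriber; certificate files are optional
    so the policy can be inspected without them (the example's assumption)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname and CERT_REQUIRED are on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile:
        ctx.load_verify_locations(cafile=cafile)      # trust only our own CA (ca.cert.pem)
    if certfile:
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)  # client.cert.pem / client.key.pem
    return ctx


def describe_tls_policy(ctx):
    """Summarise the settings that matter for review: hostname check, verify mode, minimum version."""
    return (ctx.check_hostname, ctx.verify_mode.name, ctx.minimum_version.name)


def subscribe_once(host, port, topic, cafile, certfile, keyfile, timeout=10):
    """Connect over TLS, subscribe, and return the payload of the first PUBLISH received."""
    ctx = build_tls_context(cafile, certfile, keyfile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # hostname must match the broker cert
            tls.sendall(build_connect("rut-subscriber"))
            code = parse_connack(tls.recv(4))
            if code != 0:
                raise RuntimeError("broker refused connection: " + CONNACK_CODES.get(code, str(code)))
            tls.sendall(build_subscribe(1, topic))
            tls.recv(5)  # SUBACK, not inspected in this example
            packet = tls.recv(65535)
            if packet[0] & 0xF0 != 0x30:
                raise RuntimeError("expected PUBLISH, got 0x%02x" % packet[0])
            # QoS 0 PUBLISH with a one-byte remaining length: fixed header (2), topic, payload
            topic_len = struct.unpack(">H", packet[2:4])[0]
            return packet[4 + topic_len:]


if __name__ == "__main__":
    print("TLS policy:", describe_tls_policy(build_tls_context()))
    print("CONNECT   :", build_connect("rut-subscriber").hex())
    # Broker address, port and file names below are assumptions for this example.
    # print(subscribe_once("router.example", 8883, "modbus/data",
    #                      "ca.cert.pem", "client.cert.pem", "client.key.pem"))
```

The commented-out call at the end is the real connection; the rest runs offline. If the broker certificate's CN does not match the hostname passed as server_hostname, wrap_socket raises a certificate verification error before any MQTT packet is sent, which is the behaviour you want rather than something to disable.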


See Also

External Links