Difference between revisions of "Modbus data to server via MQTT TLS"

From Teltonika Networks Wiki

Revision as of 15:27, 26 September 2022

Introduction

MQTT is a publish-subscribe messaging protocol designed for connections to remote locations where network bandwidth is limited. In MQTT, a secure connection between server and client is achieved by implementing TLS (Transport Layer Security), which uses a handshake during which the cryptographic parameters are negotiated. This article provides a guideline on how to secure an MQTT connection using TLS.

Prerequisite

The following prerequisites are needed to achieve the desired outcome, which is creating a secure MQTT connection using TLS.

  • One RUTxxx device.
  • A computer for running a Modbus slave application and an MQTT subscriber application; in this example modRSsim2 and MQTT.fx 1.7.1 were used respectively.

Topology

Modbus TCP Configurations

Configuring Modbus TCP/IP Slave

We will use a Windows 10 computer as the Modbus TCP slave in this example. To do this, the modRSsim2 application needs to be installed on the computer. The modRSsim2 application can be downloaded via this link.

Once the modRSsim2 application has been installed, open it and apply the following configuration.

  1. Select the protocol “MODBUS TCP/IP”.
  2. Click the “Setup the communication Serial or TCP/IP port” button.
  3. Take note of the “Port”.
  4. Click “OK” to close the menu.
  5. Configure the static IP address of the Windows 10 computer to match the one in the topology.
  6. Change some values in different registers of the modRSsim2 application as shown below:

Configuring Modbus TCP/IP Master

For this example, we will use the router as the Modbus TCP Master that will be requesting data from Modbus TCP Slaves.

  1. Turn on “Advanced WebUI” mode.
  2. Navigate to Services → Modbus → Modbus TCP Master.
  3. Click “Add” to add a new Modbus TCP Slave.
  4. Enable the Modbus TCP Slave and enter the “Name, Slave ID, IP Address, Port”. Note: the Slave ID, IP Address and Port must be the same as configured on the slave device.
  5. Click “Save” and the slave device will be added.

Testing

To test whether the functionality is working, we can add a Modbus request to obtain data from the Modbus slave. The master sends a request to a slave specifying the function code to be performed; the slave then sends the requested data back to the master. A maximum of 64 request configurations can be created for each slave device.

  1. Click the “Edit” button in the slave device’s configuration.
  2. Type the name of the request and click the “Add” button in the Requests Configuration section to create a new request.
  3. Specify the “data type, function, first register, number of registers” and ensure that the request is enabled.
  4. Click “Save & Apply” to save the changes.
  5. Click the “Edit” button.
  6. Select the request under “Request Configuration Testing” and click “Test”.
  7. The slave device will return the requested data.

Generating TLS Certificate

To secure an MQTT connection using TLS, we need to generate certificates; for this example, the openssl utility that comes pre-installed in RUTOS was used.

Note: Make sure to set the Broker’s Hostname or Domain Name as the Common Name [CN].

For this example, we will generate the TLS certificates (CA key pair, CA certificate, broker key pair, broker certificate, client key pair and client certificate) by following the steps below (the leading “#” is the router’s root shell prompt):

  1. Generate a CA key pair:
     # openssl genrsa -out ca.key
  2. Generate a CA certificate:
     # openssl req -new -x509 -days 365 -key ca.key -out ca.crt
  3. Generate a broker key pair:
     # openssl genrsa -out server.key 2048
  4. Generate a broker certificate request:
     # openssl req -out server.csr -key server.key -new
  5. Use the CA certificate to sign the broker certificate request:
     # openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365
  6. Generate the client key:
     # openssl genrsa -out client.key 2048
  7. Generate a client certificate request:
     # openssl req -out client.csr -key client.key -new
  8. Use the CA certificate to sign the client certificate request:
     # openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365
  9. Check that all the required certificates have been generated.
  10. Copy the certificates to your Windows 10 computer for easy upload to the router via the WebUI and to the MQTT client.
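The ten steps above as one added shell script; it is not code from the wiki page or from RUTOS. It runs the same openssl sequence non-interactively, additionally places the broker name in a Subject Alternative Name (TLS stacks such as browsers and Go ignore the CN and require a SAN, so relying on the CN alone can fail with some subscribers), and then checks the chain, the broker name and the key/certificate match before anything is uploaded. The CA name, the client CN, the 365-day lifetimes and the hostname-or-IP detection are assumptions; pass the broker hostname or IP as the first argument.

```shell
#!/bin/sh
# Added example; not code from the Teltonika wiki page or from RUTOS.
# Generates the CA, broker and client certificates from the steps above
# non-interactively, puts the broker hostname (or IP) in a Subject
# Alternative Name as well as the CN, and then verifies the result.
# Assumes: openssl in PATH, run inside an empty working directory.
set -eu

# $1 = broker hostname or IP address, exactly as the MQTT client will enter it.
# Writes ca.key ca.crt server.key server.crt client.key client.crt.
gen_mqtt_certs() {
    host="$1"
    # A bare IP address needs an IP: SAN; anything else is a DNS: SAN (assumption).
    case "$host" in *[!0-9.]*) san="DNS:$host" ;; *) san="IP:$host" ;; esac
    # CA: key, CSR, self-signed certificate flagged as a CA
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -key ca.key -out ca.csr -subj "/CN=Modbus MQTT test CA"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    openssl x509 -req -in ca.csr -signkey ca.key -days 365 -extfile ca.ext -out ca.crt 2>/dev/null

    # Broker: key, CSR with the hostname as CN, certificate signed by the CA
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -out server.csr -subj "/CN=$host"
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$san" > server.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -extfile server.ext -out server.crt 2>/dev/null

    # Client: same flow, marked for client authentication only
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -new -key client.key -out client.csr -subj "/CN=mqtt-subscriber"
    printf 'extendedKeyUsage=clientAuth\n' > client.ext
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -extfile client.ext -out client.crt 2>/dev/null
}

# Repeat the checks a verifying MQTT client makes: both certificates chain to
# ca.crt, the broker certificate matches the name connected to, and the
# broker key actually belongs to the broker certificate. Exit status 0 = OK.
verify_mqtt_certs() {
    host="$1"
    case "$host" in *[!0-9.]*) name_opt=-verify_hostname ;; *) name_opt=-verify_ip ;; esac
    openssl verify -CAfile ca.crt "$name_opt" "$host" server.crt >/dev/null 2>&1 &&
    openssl verify -CAfile ca.crt client.crt >/dev/null 2>&1 &&
    [ "$(openssl x509 -in server.crt -noout -pubkey)" = "$(openssl pkey -in server.key -pubout)" ]
}

if [ "$#" -ge 1 ]; then
    gen_mqtt_certs "$1" && verify_mqtt_certs "$1" && echo "certificates OK for $1"
fi
```

Once the broker is configured, the same checks can be repeated against it with `openssl s_client -connect <broker>:<port> -CAfile ca.crt -cert client.crt -key client.key`, which should end with “Verify return code: 0 (ok)”.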

Configuring Data to Server

The Data to Server feature provides the ability to set up data senders that collect data from various sources and periodically send it to remote servers. For this example, we are going to follow the steps below.

  1. Access the router’s WebUI and navigate to Services → Data to Server.
  2. Click “Add” to add a data sender.
  3. Toggle the “Enable” button to enable the data sender and enter the “Name”.
  4. In the “Protocol” drop-down menu, select “MQTT” and define the parameters that you want to send.
  5. Enter the “URL/Host/Connection string”, “Port” and “Topic”.
  6. Turn on “Use TLS” and upload the certificates as shown below.
  7. Click “Save & Apply” to apply the changes.

MQTT Configurations

Configuring MQTT Broker

In this example, the router will be the MQTT broker. Before configuring the MQTT broker, ensure that the MQTT package is installed on the router.

  1. Access the router’s WebUI and navigate to Services → MQTT → MQTT Broker.
  2. Enable “MQTT Broker”, “Remote Access” and “Use TLS/SSL” and upload the certificates. Note that enabling “Remote Access” is not mandatory if you are connecting via a local network; enable it only if the subscriber is in a remote network.
  3. Click “Save & Apply” to apply the changes.

Configuring MQTT Client

For this example, we are going to use the MQTT.fx v1.7.1 application to securely connect to the MQTT broker (in this case, the router) and subscribe to a topic.

  1. Open MQTT.fx and click the settings button to create a new profile.
  2. Click “+” to create a new profile.
  3. Enter the “Profile Name”, “Profile Type”, “Broker Address” and “Broker Port”.
  4. Tick the “Enable SSL/TLS” check box under the “SSL/TLS” section, ensure that you select the appropriate protocol, select “Self-signed certificates”, upload the certificates, and select the “PEM Formatted” check box.
  5. Click “Apply” to save the changes and “OK” to close the configuration window.
  6. Click “Connect” to establish a connection to the MQTT broker. Upon successful connection the status indicator should change from grey to green.
  7. Navigate to the “Subscribe” tab, enter the topic that you wish to subscribe to and click “Subscribe”. You should see data coming from the server, showing that a secure MQTT connection using TLS has been established.
