Meraki

Community

MQTT SSL/TLS Connectivity: Client Authentication (CA Cert + Client Cert + Client Private Key)

JohanMynhardt
Here to help
‎Feb 9 2023 6:54 AM
‎Feb 9 2023 6:54 AM

MQTT SSL/TLS Connectivity: Client Authentication (CA Cert + Client Cert + Client Private Key)

This relates to AWS IoT Core.

 

I'm running into a situation where the bridge-workaround [0] is not optimal any longer.

 

The next step is to look at AWS IoT custom authorizers, but it would be helpful to know whether there are plans from Meraki to support TLS client authentication since there is currently a big push on this kind of authentication.

 

[0]: https://aws.amazon.com/blogs/iot/how-to-bridge-mosquitto-mqtt-broker-to-aws-iot/

Labels:
0 Kudos
2 Replies 2
JohanMynhardt
Here to help
‎Feb 13 2023 11:29 PM
‎Feb 13 2023 11:29 PM

I have gone down the path of using an AWS IoT Custom Authorizer, and I'm 99% of the way there. The last thing I'm unable do via the Meraki console is to specify an ALPN [0] value as required by AWS IoT Custom Authorizer protocols. [1], [2], [3].

The following is an example command using `mosquitto_pub` to test that AWS IoT is reachable using only a CA Cert and a Custom Authorizer (no mTLS authorization though CA cert + device cert + device key):

 

 

mosquitto_pub \
  --tls-alpn mqtt \
  --cafile AmazonRootCA1.pem \
  -h ${IOT_ENDPOINT} \
  -p 443 \
  -t ${THE_TOPIC} \
  -m "{\"msg\": \"hello IoT!\"}" \
  -i ${CLIENT_ID} \
  -u USER_NAME?x-amz-customauthorizer-name=${AUTHORIZER_NAME} \
  -P ${PASSWORD} \
  -d

 

 

The crucial part that I'm unable to do via Meraki Console is the equivalent of `--tls-alpn mqtt`.

 

A successful response looks like:

Client ${CLIENT_ID} sending CONNECT
Client ${CLIENT_ID} received CONNACK (0)
Client ${CLIENT_ID} sending PUBLISH (d0, q0, r0, m1, '${THE_TOPIC}', ... (20 bytes))
Client ${CLIENT_ID} sending DISCONNECT

 

I don't know how a big a request that is, but hopefully it can be added as an option soon, if mTLS is not planned to be supported.

 

Links:

[0]: https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation

[1]: https://docs.aws.amazon.com/iot/latest/developerguide/custom-auth.html#custom-auth-mqtt

[2]: https://docs.aws.amazon.com/iot/latest/developerguide/protocols.html

[3]: https://aws.amazon.com/blogs/iot/mqtt-with-tls-client-authentication-on-port-443-why-it-is-useful-an...

Computeracer
Conversationalist
‎Feb 21 2024 7:18 AM
‎Feb 21 2024 7:18 AM

Hello @JohanMynhardt Were you able to make any further progress on getting such a solution to work with the AWS service?

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.