openHAB2: connect to MQTT using client certificate

Hi Guys,

after giving up on the beta version of openHAB2 trying to connect securely to my MQTT broker, I was trying again with the release version. There were some great improvements, like being able to set up a secure connection with client certificates to openHAB itself.

Unfortunately the MQTT connection problem does not seem to be solved. And that's a bit disappointing, as it was possible in openHAB 1.x. There it was possible to do it via the Java framework, setting the following parameters in the openHAB start script (/etc/init.d/openhab):

com.ibm.ssl.trustManager=SunX509
com.ibm.ssl.keyManager=SunX509
com.ibm.ssl.contextProvider=SunJSSE

Keystore information

com.ibm.ssl.keyStore=${user.root}/etc/keystore.jks
com.ibm.ssl.keyStorePassword=keystore_password
com.ibm.ssl.keyStoreType=JKS
com.ibm.ssl.keyStoreProvider=SUN

Truststore information

com.ibm.ssl.trustStore=${user.root}/etc/truststore.jks
com.ibm.ssl.trustStorePassword=truststore_password
com.ibm.ssl.trustStoreType=JKS
com.ibm.ssl.trustStoreProvider=SUN

Unfortunately I cannot seem to get these parameters working in openHAB2; I tried setting the options in /usr/share/openhab2/bin/setenv as well as in /var/lib/openhab2/etc/jre.properties.

I also verified that the connection works with an openssl s_client … test on the openHAB2 machine. If I do not submit the client cert, the connection is closed the same way the openHAB connection is. If I provide the client cert, I can connect with openssl.

I know that there is another base used with Karaf, but it should be possible nevertheless, right?

There are enough threads on the net about connecting to MQTT from openHAB 1.x via SSL, but nobody seems to try to do it from 2.0.

Any help would be greatly appreciated.
Peter

After hours of debugging and searching Google, I finally found the reason --> my stupidity :)

After all, I was doing everything as it is supposed to work. Only the configuration was wrong. In mqtt.cfg I was using

tcp://server:8883

instead of

ssl://server:8883

--> changed tcp to ssl and it works like a charm.

So, for everyone trying to achieve a connection to Mosquitto with client certificates, just do the following:

  1. Create all necessary certificates: client cert + key, CA cert

  2. Put those in a Java keystore and truststore --> plenty of how-tos on the net

  3. Add the following options to /usr/share/openhab2/runtime/bin/setenv

    -Dcom.ibm.ssl.trustManager=SunX509
    -Dcom.ibm.ssl.keyManager=SunX509
    -Dcom.ibm.ssl.contextProvider=SunJSSE
    -Dcom.ibm.ssl.keyStore=${user.root}/etc/keystore.jks
    -Dcom.ibm.ssl.keyStorePassword=keystore_password
    -Dcom.ibm.ssl.keyStoreType=JKS
    -Dcom.ibm.ssl.keyStoreProvider=SUN
    -Dcom.ibm.ssl.trustStore=${user.root}/etc/truststore.jks
    -Dcom.ibm.ssl.trustStorePassword=truststore_password
    -Dcom.ibm.ssl.trustStoreType=JKS
    -Dcom.ibm.ssl.trustStoreProvider=SUN

They have to be appended to

export JAVA_OPTS="${JAVA_OPTS}
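The three steps above, together with the parameter list from the first post, as one script. This is an added example, not code from the thread or from openHAB: the directory /etc/openhab2/ssl, the CN values, the password and every function name are my assumptions. It uses absolute store paths instead of ${user.root}, because a shell script does not expand that placeholder, and it begins with the check for the mistake that actually cost the original poster the hours, the tcp:// scheme in mqtt.cfg.

```shell
#!/bin/sh
# Added example, not code from the thread or from openHAB: the three steps
# as one script. Assumed/hypothetical: the directory /etc/openhab2/ssl,
# the CN values, the password, and all function names. Needs openssl and
# keytool (from a JDK) on the openHAB host.
set -eu

# The bug that cost the original poster hours: the Paho client only starts a
# TLS handshake when the broker URL in mqtt.cfg uses ssl://. tcp://host:8883
# sends cleartext MQTT to a TLS port and the broker simply closes the socket.
check_broker_url() {
    case $1 in
        ssl://*:[0-9]*) return 0 ;;
        tcp://*:8883)
            echo "tcp:// on port 8883 never negotiates TLS; use ssl://" >&2
            return 1 ;;
        *)
            echo "unexpected broker URL: $1" >&2
            return 1 ;;
    esac
}

# Steps 1 and 2: a private CA, a client key/cert signed by it, and the two
# stores. The keystore holds the client identity; the truststore holds only
# the CA that signed the broker's server certificate (here the same CA).
make_stores() {
    dir=$1; pw=$2
    mkdir -p "$dir" && chmod 700 "$dir"
    openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
        -subj "/CN=home-mqtt-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=openhab2" \
        -keyout "$dir/client.key" -out "$dir/client.csr"
    openssl x509 -req -sha256 -days 825 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt"
    openssl pkcs12 -export -name openhab2 -inkey "$dir/client.key" \
        -in "$dir/client.crt" -certfile "$dir/ca.crt" \
        -out "$dir/client.p12" -passout "pass:$pw"
    keytool -importkeystore -noprompt \
        -srckeystore "$dir/client.p12" -srcstoretype PKCS12 -srcstorepass "$pw" \
        -destkeystore "$dir/keystore.jks" -deststoretype JKS -deststorepass "$pw"
    keytool -importcert -noprompt -alias home-mqtt-ca -file "$dir/ca.crt" \
        -keystore "$dir/truststore.jks" -storepass "$pw"
    # The CA key and the client key are the secrets; the openhab user needs
    # the .jks files only, so keep the whole directory private.
    chmod 600 "$dir"/*.key "$dir"/*.jks "$dir"/*.p12
}

# Step 3: the Paho (com.ibm.ssl.*) system properties to append to JAVA_OPTS.
# Arguments: keystore path, keystore password, truststore path, truststore
# password. Absolute paths on purpose; ${user.root} is not shell syntax.
paho_ssl_opts() {
    printf '%s' \
        "-Dcom.ibm.ssl.trustManager=SunX509 -Dcom.ibm.ssl.keyManager=SunX509" \
        " -Dcom.ibm.ssl.contextProvider=SunJSSE" \
        " -Dcom.ibm.ssl.keyStore=$1 -Dcom.ibm.ssl.keyStorePassword=$2" \
        " -Dcom.ibm.ssl.keyStoreType=JKS -Dcom.ibm.ssl.keyStoreProvider=SUN" \
        " -Dcom.ibm.ssl.trustStore=$3 -Dcom.ibm.ssl.trustStorePassword=$4" \
        " -Dcom.ibm.ssl.trustStoreType=JKS -Dcom.ibm.ssl.trustStoreProvider=SUN"
}

# The same check the original poster did with openssl: the handshake must
# fail without -cert/-key and succeed with them, once Mosquitto is configured
# with require_certificate true and this ca.crt as its cafile.
verify_broker() {
    openssl s_client -connect "$1:8883" -CAfile "$2/ca.crt" \
        -cert "$2/client.crt" -key "$2/client.key" </dev/null
}

if [ "${1:-}" = "--run" ]; then
    dir=${SSL_DIR:-/etc/openhab2/ssl}
    check_broker_url "ssl://server:8883"
    make_stores "$dir" keystore_password
    opts=$(paho_ssl_opts "$dir/keystore.jks" keystore_password \
                         "$dir/truststore.jks" keystore_password)
    echo "append to /usr/share/openhab2/runtime/bin/setenv:"
    echo "export JAVA_OPTS=\"\${JAVA_OPTS} $opts\""
fi
```

Run it with --run on the openHAB host, then paste the printed export line into setenv and restart openHAB. The broker side needs the same ca.crt as cafile and require_certificate true, otherwise verify_broker proves nothing, because the broker would accept the connection without a client certificate anyway. The store passwords end up in clear text in setenv, so that file and the stores should be readable by the openhab user only.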

Thank you @porsche
I was looking for exactly this, and unfortunately the knowledge surrounding HB is very messy and not easy to find.
Your summary is great, but for a relative newcomer to the platform it is a verbal summary of what needs to be done without the actual steps of how to do it.

Would it be too much to ask you to actually write the process down step by step, with the associated commands to complete it? I am sure this will be beneficial for many others as well, especially with MQTT being extremely easy to use and simple for home automation, but with many security risks. I believe this is very important to make sure the implementation is also secure.

Many thanks!!!

Sorry for the late reply, I am really swamped at the moment.

I am rendering a step-by-step guide for myself at the moment, but it grows ever so slowly…

I will post, when I am finished.

I would be very grateful if you released a step-by-step tutorial. I'm stuck at the Java part.

Thanks!