Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Warning
titleWork in progress!

This document is WIP!

The WSO2 IoT Server is packaged with a broker profile to handle message brokering. The following section provides an alternative to using the broker profile , and guides you through using WSO2 Message Broker (WSO2 MB) to act as the MQTT broker with the WSO2 IoT Server device management profile. This is useful in a production environment where a WSO2 MB node is already in use and you want to use the WSO2 IoT Server device management profile with it. 

Follow the steps below to configure WSO2 IoT Server with WSO2 MB 3.2.0 for brokering. 

  1. Download the following feature installation pom file and broker-feature-installation.xml file and place it inside the <MB_HOME> directory.

  2. Navigate to <MB_HOME> on the terminal and execute the following command. This will install the required features to the WSO2 IoT Server pack. 

    Code Block
    mvn clean install -f broker-feature-installation.pomxml
  3. Open the broker. xml file found in the <MB_HOME>/repository/conf folder and do the following:

    1. Add Replace the following configuration found under the <security> tag with the following configuration: 

      Info

      This configuration configures the properties and classes required to allow devices to publish to the MQTT server.

      Code Block
      languagexml
      <security>
          <!--
           Instructs the MQTT server whether clients should always send credentials
           when establishing a connection.
           Possible values:
         		OPTIONAL: This is the default value. MQTT clients may or may not send
             credentials. If a client sends credentials server will
             validates it.
             If client doesn't send credentials then server will not
             authenticate, but allows client to establish the connection.
             This behavior adheres to MQTT 3.1 specification.
         		REQUIRED: Clients should always provide credentials when connecting.
             If client doesn't send credentials or they are invalid
             server rejects the connection.
          -->
          <authentication>REQUIRED</authentication>
          <!--Class name of the authenticator to use. class should
           inherit from org.dna.mqtt.moquette.server.IAuthenticator
           Note: default implementation authenticates against carbon user store
           based on supplied username/password
          -->
          <authenticator class="org.wso2.carbon.andes.authentication.andes.OAuth2BasedMQTTAuthenticator">
              <property name="hostURL">https://localhost:9443/services/OAuth2TokenValidationService</property>
              <property name="username">admin</property>
              <property name="password">admin</property>
              <property name="maxConnectionsPerHost">10</property>
              <property name="maxTotalConnections">150</property>
          </authenticator>
          <!--
          Instructs the MQTT server whether clients should be authorized before either publishing or subscribing
          Possible values:
        		NOT_REQUIRED: This is the default value. MQTT clients will skip the authorization check
        		REQUIRED: Clients will authorized before publishing. this will execute the class given in authorzier
        	Note: authentication should be REQUIRED for authorization to be REQUIRED.
         	-->
          <authorization>REQUIRED</authorization>
          <!--Class name of the authorizer to use. class should
        	inherit from org.dna.mqtt.moquette.server.IAutherizer
        	Note: default implementation authorizes against carbon permission with the topic.
       	-->
          <!--connectionPermission is required for a user to connect to broker
       		subscriberPermission is needed to subscribe(subriber permission can be more than one)
       		publisherPermission is needed to publish(publisher permission can be more than one)
       	-->
          <authorizer class="org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.DeviceAccessBasedMQTTAuthorizer">
              <property name="username">admin</property>
              <property name="password">admin</property>
              <property name="tokenEndpoint">https://localhost:8243</property>
              <!--offset time from expiry time to trigger refresh call - seconds -->
              <property name="tokenRefreshTimeOffset">100</property>
              <property name="deviceMgtServerUrl">https://localhost:8243</property>
          </authorizer>
      </security>
    2. Ensure that the hostURL property points to the key manager token endpoint. 
    3. Ensure that the deviceMgtServerURL points to the gateway endpoint. 
  4. Update If you have changed the default port of the broker profile, update the environment variables in following files with the correct endpoint.

      • <IoTS_HOME>/bin/iot-server.sh

    file and the analytics.sh file found in the <IOTS
      • <IoTS_HOME>

    /bin folder with the correct endpoint. code
      • /wso2/analytics/bin/wso2server.sh

        Panel
        titleEXAMPLE

         If the port offset is increased by 3 and broker host is localhost then  -Dmqtt.broker.host and  - Dmqtt.broker.port environment variables in above files have to be changed as shown below:

        • -Dmqtt.broker.host="localhost"

        • \

        • -Dmqtt.broker.port="1886"
    \
        • \
        Info

        If you are a Window's user, environment variables needs to be changed in the .bat files listed below.

        • <IoTS_HOME>/bin/iot-server.bat

        • <IoTS_HOME>/wso2/analytics/bin/wso2server.bat
  5. The default keystore used in WSO2 IoT Server has been updated from version 3.1.0 onwards. Since all servers must use the same certificate, do the following to update the keystores in WSO2 Message Broker 3.2.0.

    1. Navigate to the <IoTS_HOME>/repository/resources/security directory and copy the client-truststore.jks, wso2carbon.jks, and wso2certs.jks files.

    2. Get a back of the files client-truststore.jks, and wso2carbon.jks files in the <MB_HOME>/repository/resources/security directory .

    3. Replace the client-truststore.jkswso2carbon.jks, and  wso2certs.jks  files in the <MB_HOME>/repository/resources/security folder by pasting the files copied in step 5.a.