Scenario 1: Secure messaging
This chapter shows a scenario for secure messaging between MQTT clients and IBM MessageSight. The MQTT clients are devices outside the network boundary of the enterprise. The IBM MessageSight appliance is the edge-of-network server to which these devices connect.
7.1 Scenario description
The example MQTT client application is an Android application that runs on a hand-held device. The essential functionality of this application is described in more detail in Chapter 6, “Scenarios overview” on page 175. This chapter describes the authentication and authorization of the application.
This chapter shows how only “known” devices (MQTT clients) are allowed to connect to the IBM MessageSight appliance. When connected, a given device is allowed to publish or subscribe to only certain topic strings.
7.2 Scenario setup
Complete the following tasks to set up this scenario:
1. Create a group for users who can use the MQTT client.
2. Create users and passwords, and add them to the group created in step 1.
3. Create a connection policy to authenticate MQTT clients based on the client identifier, user ID, and password combination.
4. Create a messaging policy to allow publication and subscription on topic strings.
7.2.1 User group for MQTT clients
Create a user group, drivers, for the connecting MQTT clients.
Adding a new group using the web user interface
To create users and groups using the web user interface (web UI), follow these steps:
1. Go to Messaging → Users and groups.
2. Create the group first. Under the Messaging Groups section, click the green plus (+) icon to add a new group.
3. In the resulting dialog box, enter details, as shown in Figure 7-1.
Figure 7-1 Adding a new group for all driver user IDs
Adding a new group using the command-line interface
Example 7-1 shows you how to create a new group using the command-line interface (CLI).
Example 7-1 Creating a new group on IBM MessageSight
Console> imaserver group add "GroupID=drivers" "Description=All truck drivers"
The requested configuration change has completed successfully.
7.2.2 Users and passwords for MQTT clients
After the group is created, you are now ready to define and add users to this group.
Adding users with the web UI
To add users with the web UI, follow these steps:
1. On the same web UI page, go to the Messaging Users section and click the green plus (+) icon to add a new user. This user ID is a messaging user and not a web UI user.
2. In the resulting dialog box (see Figure 7-2), enter the required information to add a new user. Note that the Group Membership that was created earlier is set to drivers.
Figure 7-2 Add a new user to a group
Add users with the CLI
Example 7-2 shows how to add users using the CLI.
Example 7-2 Adding a new user on IBM MessageSight
Console> imaserver user add "UserID=driver01" "Type=Messaging" "Password=new00pwd" "GroupMembership=drivers" "Description=An MQTT client"
The requested configuration change has completed successfully.
Note that the type of user indicated is Type=Messaging to indicate that the user ID being created is a messaging user and not a web UI user.
 
Important: The passwords in this and subsequent examples are placeholders for illustration. Follow the password standards that apply in your enterprise.
7.2.3 Connection policy for MQTT clients
Create a connection policy based on the following rules. A given device can connect only if it meets both of the following requirements:
It has a client ID from the set of client IDs considered valid for the overall system.
It has presented a valid user ID and password.
Implement these rules by setting a criterion for the client ID such that all client IDs beginning with CASJC are considered valid (a prefix wildcard, CASJC*). Further, set the group ID in the connection policy to drivers, so that an incoming connection must carry a user ID that belongs to the drivers group, together with that user's password. The two criteria work together: the client ID is chosen by the device and can be supplied by anyone who knows the naming scheme, so the group membership and password check is what actually authenticates the connection.
These rules can also be tightened to a particular combination of client ID and user ID, by giving the exact client ID instead of the wildcard pattern and a user ID instead of the group ID.
Figure 7-3 shows how to add this connection policy using the web UI.
Figure 7-3 New connection policy to allow connections from trucks
Example 7-3 shows how to add the connection policy using the CLI. The connection policy is created with the same imaserver create command form as the messaging policies in Example 7-4; the policy name shown here is chosen for illustration, because the chapter does not name the policy.
Example 7-3 Create a new connection policy
Console> imaserver create ConnectionPolicy "Name=ITSO_Driver_Connection" "Description=Allow trucks with known client IDs and driver credentials" "ClientID=CASJC*" "GroupID=drivers" "Protocol=MQTT"
The requested configuration change has completed successfully.
7.2.4 Messaging policy for MQTT clients
Create separate messaging policies for the publish and subscribe actions. The aim is to confine publications to a particular topic subtree and to confine subscriptions to the topic string that belongs to the subscribing client's own client ID.
For publishing clients, provide a destination that ends with a wildcard character (/itso/driver/assistance/request/*) so that the connecting client can publish under any subtopic for the type of assistance (AC malfunction, flat tire, or accident) and for its client ID. Note that the wildcard alone does not tie a publication to the device that sends it: any client that passes this policy can publish under any client ID in the request subtree. If the back end relies on the client ID in the topic string, use ${ClientID} in the publish destination as well.
For subscribing clients, use the variable substitution feature to limit subscriptions to topic strings ending with the client ID (${ClientID}). The appliance replaces ${ClientID} with the identifier of the connecting client before it compares topic strings, so each device can receive only the responses addressed to it and cannot subscribe to another device's response topic.
Figure 7-4 shows how to create a messaging policy for publishing using the web UI.
Figure 7-4 Messaging policy to allow truck drivers to publish assistance requests
Figure 7-5 shows how to create a messaging policy for subscribing using the web UI.
Figure 7-5 Messaging policy to allow truck drivers to subscribe to assistance responses
Example 7-4 shows the CLI option to create the messaging policies for publish and subscribe, and how to list all of the messaging policies.
Example 7-4 Create new messaging policies
Console> imaserver create MessagingPolicy "Name=ITSO_Driver_Assistance_Request" "Description=Messaging policy for drivers to publish assistance request" "DestinationType=Topic" "Destination=/itso/driver/assistance/request/*" "MaxMessages=5000" "ActionList=Publish" "ClientID=CASJC*" "GroupID=drivers" "Protocol=MQTT"
 
Console> imaserver create MessagingPolicy "Name=ITSO_Driver_Assistance_Response" "Description=Messaging policy for drivers to receive assistance response." "DestinationType=Topic" "Destination=/itso/driver/assistance/response/${ClientID}" "MaxMessages=5000" "ActionList=Subscribe" "ClientID=CASJC*" "GroupID=drivers" "Protocol=MQTT"
 
Console> imaserver list MessagingPolicy
ITSO_Driver_Assistance_Request
ITSO_Driver_Assistance_Response
 
Console> imaserver show MessagingPolicy "Name=ITSO_Driver_Assistance_Request"
Name = ITSO_Driver_Assistance_Request
Description = Messaging policy for drivers to publish assistance request
ClientID = CASJC*
ClientAddress =
UserID =
GroupID = drivers
CommonNames =
Protocol = MQTT
Destination = /itso/driver/assistance/request/*
DestinationType = Topic
ActionList = Publish
MaxMessages = 5000
 
Console> imaserver show MessagingPolicy "Name=ITSO_Driver_Assistance_Response"
Name = ITSO_Driver_Assistance_Response
Description = Messaging policy for drivers to receive assistance response.
ClientID = CASJC*
ClientAddress =
UserID =
GroupID = drivers
CommonNames =
Protocol = MQTT
Destination = /itso/driver/assistance/response/${ClientID}
DestinationType = Topic
ActionList = Subscribe
MaxMessages = 5000
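The connection policy of 7.2.3 and the two messaging policies of 7.2.4, modelled in runnable form. This is an added example, not IBM MessageSight code: it reproduces the matching rules the chapter describes (a CASJC* prefix on the client ID, membership of the drivers group plus a password check, a trailing * on the publish destination and ${ClientID} substitution on the subscribe destination) so that the test cases of 7.3 can be reasoned about offline. The in-memory user directory, the PBKDF2 password hashing, the reason strings, the assumption that * spans topic levels, and the stricter STRICT_REQUEST_POLICY variant are choices made for this example and are not described in the chapter.

```python
"""Offline model of the chapter's connection policy (7.2.3) and messaging
policies (7.2.4). Added example, not IBM MessageSight code; see the lead-in
for what is taken from the chapter and what is assumed."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# User directory of 7.2.1 / 7.2.2, constructed for this example. The hashing
# is an assumption; the chapter does not say how the appliance stores passwords.
_SALT = os.urandom(16)

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

GROUPS = {"drivers": {"driver01"}}
USERS = {"driver01": _hash("dr!ver@1")}  # the password used by the tests in 7.3

def credentials_ok(user_id: str, password: str) -> bool:
    stored = USERS.get(user_id)
    return stored is not None and hmac.compare_digest(stored, _hash(password))

def glob_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters. It is assumed to span topic levels,
    which is what the chapter's request/* destination relies on."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

@dataclass
class ConnectionPolicy:
    client_id: str = "*"
    group_id: Optional[str] = None
    protocol: str = "MQTT"

    def check(self, client_id: str, user_id: str, password: str,
              protocol: str = "MQTT") -> Tuple[bool, str]:
        """Evaluate a CONNECT; each failing branch is one of the refused
        attempts walked through in 7.3.1 (the reason strings are this example's)."""
        if protocol != self.protocol:
            return False, "protocol not allowed"
        if not glob_match(self.client_id, client_id):
            return False, "client ID does not match"
        if self.group_id is not None:
            if not user_id:
                return False, "user ID required"
            if user_id not in GROUPS.get(self.group_id, set()):
                return False, "user ID is not in group"
            if not credentials_ok(user_id, password):
                return False, "password does not match"
        return True, "authorized"

@dataclass
class MessagingPolicy:
    name: str
    destination: str
    actions: frozenset
    client_id: str = "*"
    group_id: Optional[str] = None

    def allows(self, action: str, client_id: str, user_id: str, topic: str) -> bool:
        if action not in self.actions or not glob_match(self.client_id, client_id):
            return False
        if self.group_id and user_id not in GROUPS.get(self.group_id, set()):
            return False
        # Variable substitution: ${ClientID} becomes the connecting client's
        # identifier before the topic strings are compared.
        destination = self.destination.replace("${ClientID}", client_id)
        return glob_match(destination, topic)

def authorized(policies, action: str, client_id: str, user_id: str, topic: str) -> bool:
    """Allowed if any messaging policy on the endpoint allows the request."""
    return any(p.allows(action, client_id, user_id, topic) for p in policies)

CONNECTION_POLICY = ConnectionPolicy(client_id="CASJC*", group_id="drivers")
MESSAGING_POLICIES = [
    MessagingPolicy("ITSO_Driver_Assistance_Request", "/itso/driver/assistance/request/*",
                    frozenset({"Publish"}), client_id="CASJC*", group_id="drivers"),
    MessagingPolicy("ITSO_Driver_Assistance_Response",
                    "/itso/driver/assistance/response/${ClientID}",
                    frozenset({"Subscribe"}), client_id="CASJC*", group_id="drivers"),
]
# Tighter variant, assumed rather than taken from the chapter: bind each
# publication to the publishing device's own client ID as well.
STRICT_REQUEST_POLICY = MessagingPolicy(
    "ITSO_Driver_Assistance_Request_Strict", "/itso/driver/assistance/request/*/${ClientID}",
    frozenset({"Publish"}), client_id="CASJC*", group_id="drivers")

if __name__ == "__main__":
    for attempt in [("CLIENT01", "", ""), ("CASJC01", "", ""), ("CASJC01", "USER01", "x"),
                    ("CASJC01", "driver01", "wrong"), ("CASJC01", "driver01", "dr!ver@1")]:
        print(attempt, "->", CONNECTION_POLICY.check(*attempt))
    other = "/itso/driver/assistance/request/flat-tire/CASJC02"
    print("request/* lets CASJC01 publish under CASJC02:",
          authorized(MESSAGING_POLICIES, "Publish", "CASJC01", "driver01", other))
    print("strict variant:", STRICT_REQUEST_POLICY.allows("Publish", "CASJC01", "driver01", other))
```

Running the module prints the outcome of the five connection attempts of 7.3.1, then shows the difference between request/* and request/*/${ClientID}: with the chapter's policy, CASJC01 is allowed to publish under CASJC02's request topic; with the strict variant it is not.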
7.3 Testing the security scenario
To test the security scenario, first test against the connection and messaging policies. In this scenario, test if the connection policy allows connections from the known clients only. Then, test if clients can publish or subscribe on assigned topic strings.
We use the Android application to test the constraints of the connection policy. The application deliberately does not require credentials to be entered in the Login pane, so that each constraint of the connection policy can be demonstrated in turn.
We use the Really Small Message Broker (RSMB) command-line MQTT client, because it enables us to demonstrate each constraint of the messaging policy.
 
Tip: The RSMB broker and client are available for download at the following website:
When testing the application, you can check the log for detailed information by using the following command:
show log imaserver-connection.log
To view the log from the web UI, go to Monitoring → Download logs and click imaserver-connection.log. Scroll to the end to view the most recent log entry.
7.3.1 Testing the connection policy
Test the connection policy defined in 7.2.3, “Connection policy for MQTT clients” on page 187, where a connection is allowed only when all of the following conditions hold:
MQTT protocol
Client ID beginning with CASJC
User name defined in the drivers group, presented with that user's password
Connecting to a random client ID
Attempt a connection from the Android application with client ID (Truck Number) CLIENT01, as shown in Figure 7-6. This client ID does not match the client ID constraint in the connection policy created in 7.2.3, “Connection policy for MQTT clients” on page 187.
Figure 7-6 Connecting with an invalid client ID
The application responds with a message, such as “The connection is not authorized”. Connect to the IBM MessageSight appliance and check the connection log, as shown in Example 7-5. Note that only the last few lines of the log are shown.
Example 7-5 Connection log when connecting with a random client ID
Console> show log imaserver-connection.log
2013-09-28T04:02:44.241+00:00 CWLNA1111 notice Connection imaserver 4475: Closing TCP connection: ConnectionID=6637 ClientID="CLIENT01" Protocol=mqtt-tcp Endpoint="ITSO_EndPoint" UserID="" Uptime=0 RC=5 Clean=0 Reason="The connection is not authorized" ReadBytes=24 ReadMsg=0 WriteBytes=4 WriteMsg=0 LostMsg=0.
As seen in the log in Example 7-5, the reason clearly states, “The connection is not authorized”. To further explore this error message, look at the connection policies in effect for the ITSO_EndPoint endpoint (also seen in the log).
Because the connection policy expects a client identifier beginning with CASJC, this connection was not authorized.
Connecting with a valid client ID but with no user name
Attempt a connection from the publishing client with a client ID (Truck Number) of CASJC01, as shown in Figure 7-7. This client ID matches with the constraint defined for the client ID in the connection policy. However, omit the user name (the Driver ID) and password fields, which violates the user name and password requirement in the connection policy.
Figure 7-7 Connecting with valid client ID but with no user name and password
The application responds with a message, such as “The connection is not authorized”. Connect to the IBM MessageSight appliance and check the connection log, as shown in Example 7-6. Note that only the last few lines of the log are shown.
Example 7-6 Connection log for the IBM MessageSight appliance
Console> show log imaserver-connection.log
2013-09-28T20:12:44.241+00:00 CWLNA1111 notice Connection imaserver 4475: Closing TCP connection: ConnectionID=6660 ClientID="CASJC01" Protocol=mqtt-tcp Endpoint="ITSO_EndPoint" UserID="" Uptime=0 RC=5 Clean=0 Reason="The connection is not authorized" ReadBytes=23 ReadMsg=0 WriteBytes=4 WriteMsg=0 LostMsg=0.
As seen in Example 7-6 on page 194, the reason clearly states, “The connection is not authorized”. To further explore this error message, look at the connection policies in effect for the ITSO_EndPoint endpoint (also seen in the log).
Because the connection policy has an additional constraint where the user name must belong to the drivers group, this connection was not authorized. Note that the UserID in the log is not set to any value.
Connecting with a valid client ID but with an invalid user name
Attempt a connection from the publishing client with client ID (Truck Number) of CASJC01, as shown in Figure 7-8. This client ID matches with the constraint defined for the client ID in the connection policy. Also provide a user name (Driver ID) that is not defined in the drivers group. This is a violation of the connection policy, because it requires a user name that is defined in the drivers group.
Figure 7-8 Connecting with valid client ID with invalid user name
The application responds with a message, such as “The connection is not authorized”. Connect to the IBM MessageSight appliance and check the connection log, as shown in Example 7-7. Note that only the last few lines of the log are shown.
Example 7-7 Connection log on IBM MessageSight appliance
Console> show log imaserver-connection.log
2013-09-28T20:22:44.241+00:00 CWLNA1111 notice Connection imaserver 4475: Closing TCP connection: ConnectionID=6674 ClientID="CASJC01" Protocol=mqtt-tcp Endpoint="ITSO_EndPoint" UserID="USER01" Uptime=0 RC=5 Clean=0 Reason="The connection is not authorized" ReadBytes=32 ReadMsg=0 WriteBytes=4 WriteMsg=0 LostMsg=0.
As seen in Example 7-7, the reason clearly states, “The connection is not authorized”. To further explore this error message, look at the connection policies in effect for the ITSO_EndPoint endpoint.
Because the connection policy expects a client identifier beginning with CASJC and a user name belonging to the drivers group, this connection was not authorized. Note that the UserID in the log is set to USER01.
Connecting with a valid client ID and user name but an invalid password
Attempt a connection from the publishing client using a client ID of CASJC01 and user name of driver01, but with an invalid password, as shown in Figure 7-9 on page 197.
This client ID and user name match the constraints defined for the client ID and user name (through group membership) in the connection policy. However, the password presented does not match the one stored for the user driver01, so the connection violates the connection policy.
Figure 7-9 Connecting with a valid client ID and user name, but invalid password
The application responds with a message, such as “The connection is not authorized”. Connect to the IBM MessageSight appliance and check the connection log, as shown in Example 7-8. Note that only the last few lines of the log are shown.
Example 7-8 Connection log on IBM MessageSight appliance
Console> show log imaserver-connection.log
2013-09-27T07:50:18.864+00:00 CWLNA1111 notice Connection imaserver 4475: Closing TCP connection: ConnectionID=6698 ClientID="CASJC01" Protocol=mqtt-tcp Endpoint="ITSO_EndPoint" UserID="driver01" Uptime=0 RC=5 Clean=0 Reason="The connection is not authorized" ReadBytes=43 ReadMsg=0 WriteBytes=4 WriteMsg=0 LostMsg=0.
As seen in Example 7-8, the reason clearly states, “The connection is not authorized”. To further explore this error message, look at the connection policies in effect for the ITSO_EndPoint endpoint (also seen in the log).
Because the connection policy expects a client identifier beginning with CASJC and a user name with a valid password belonging to the drivers group, this connection was not authorized. Note that the UserID in the log is set to driver01.
Connecting with a valid client ID, user name, and password
To completely match the constraints as defined in the connection policy, use the following inputs when connecting:
Client ID of CASJC01
User name of driver01
The password defined for driver01 (the tests that follow use dr!ver@1; Example 7-2 created the user with a placeholder password, so supply whichever value you actually set)
Attempt a connection from the publishing client with these values; the connection succeeds.
7.3.2 Testing messaging policy for publishing clients
In this scenario, the messaging policy for publishing allows publications only under the following conditions:
MQTT protocol
Client ID beginning with CASJC
User name defined in the drivers group
Topic string matches /itso/driver/assistance/request/*
In the following sections, we assume that the connection is established successfully, because the connection policy was successfully applied.
Publishing to a random topic string
Attempt a publication to a topic string of your choice, as shown in Example 7-9. The password is typed as dr\!ver@1, with a backslash escaping the exclamation mark, because an unescaped ! triggers history expansion in an interactive bash shell. Passing a password on the command line also records it in the shell history and exposes it to other users of the machine in the process list, so do this only with test credentials.
Example 7-9 Publish to a random topic string
nsubrahm@nsubrahm:~/linux_ia64$ LD_LIBRARY_PATH=. ./stdinpub /some/topic/string --host 9.12.5.191 --port 16105 --clientid CASJC01 --username driver01 --password dr\!ver@1
Using topic /some/topic/string
 
Connecting
 
Hello! This is a test message
The --host parameter specifies the IP address of the IBM MessageSight appliance, and the --port parameter specifies the endpoint where the appliance is listening to MQTT protocol.
 
Remember: The client does not report a publication failure. In the MQTT v3.1 protocol used here, the acknowledgement of a PUBLISH carries no failure indication, so the broker has no way to tell the client that a publication was refused for authorization reasons (reason codes on PUBACK arrived only with MQTT 5.0). Check the appliance log instead.
For more information about the PUBLISH message in MQTT, see the MQTT protocol specification for PUBLISH at the following website:
Connect to the IBM MessageSight appliance and look at the connection log, as shown in Example 7-10.
Example 7-10 Connection log on IBM MessageSight appliance
Console> show log imaserver-connection.log
2013-09-27T11:32:17.504+00:00 CWLNA2106 warning Connection imaserver 4475: Unable to send a message due to an authorization failure: ConnectionID=6910 ClientID="CASJC01" Protocol="mqtt-tcp" Endpoint="ITSO_EndPoint" UserID="driver01".
As seen in Example 7-10, the reason states, “Unable to send a message due to an authorization failure”. To further explore this error message, look at the messaging policies in effect for the ITSO_EndPoint endpoint (also seen in the log). Because the messaging policy expects publication on topic strings that match /itso/driver/assistance/request/*, the publication has failed.
Subscribing to a random topic string
Attempt a subscription to a topic string, as shown in Example 7-11. As in Example 7-9, the password is typed as dr\!ver@1, with a backslash escaping the exclamation mark, because an unescaped ! triggers history expansion in an interactive bash shell.
Example 7-11 Subscribe to a random topic string
nsubrahm@nsubrahm:~/linux_ia64$ LD_LIBRARY_PATH=. ./stdoutsub /some/topic/string --host 9.12.5.191 --port 16105 --clientid CASJC01 --username driver01 --password dr\!ver@1
Using topic /some/topic/string
The --host parameter specifies the IP address of the IBM MessageSight appliance and the --port parameter specifies the endpoint where the appliance is listening to MQTT protocol.
 
Remember: The client does not report a subscription failure. In MQTT v3.1 the SUBACK carries only the granted QoS and has no failure code, so the client is not told that its subscription was refused for authorization reasons (MQTT v3.1.1 later added a 0x80 failure return code to SUBACK, and MQTT 5.0 added reason codes). Check the appliance log instead.
For more information about the SUBSCRIBE message in MQTT, see the MQTT protocol specification for SUBSCRIBE at the following website:
Connect to the IBM MessageSight appliance and look at the connection log, as shown in Example 7-12.
Example 7-12 Connection log on IBM MessageSight appliance
Console> show log imaserver-connection.log
2013-09-27T11:54:14.725+00:00 CWLNA2202 warning Connection imaserver 4475: Unable to create a consumer due to an authorization failure: ConnectionID=6954 ClientID="CASJC01" Protocol="mqtt-tcp" Endpoint="ITSO_EndPoint" UserID="driver01".
As seen in Example 7-12, the reason states, “Unable to create a consumer due to an authorization failure”. To further explore this error message, look at the messaging policies in effect for the ITSO_EndPoint endpoint (also seen in the log). Because the messaging policy expects subscription on topic strings that match /itso/driver/assistance/response/${ClientID}, the subscription has failed.
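A parser for the imaserver-connection.log records shown in this section, with the summaries a security operations team would want from them. This is an added example, not IBM code: it runs over a constructed log assembled from the records in Examples 7-5 through 7-12, and the field syntax and the meaning of the message IDs CWLNA1111, CWLNA2106 and CWLNA2202 are inferred from those records only; the threshold used for findings is arbitrary.

```python
"""Parse IBM MessageSight connection-log records and summarize authorization
failures. Added example, not IBM code; field syntax and message-ID meanings
are inferred from the records quoted in this chapter."""
import re
from collections import Counter

# Constructed sample: the records from Examples 7-5 through 7-12 in one log.
SAMPLE_LOG = """\
2013-09-28T04:02:44.241+00:00 CWLNA1111 notice Connection imaserver 4475: Closing TCP connection: ConnectionID=6637 ClientID="CLIENT01" Protocol=mqtt-tcp Endpoint="ITSO_EndPoint" UserID="" Uptime=0 RC=5 Clean=0 Reason="The connection is not authorized" ReadBytes=24 ReadMsg=0 WriteBytes=4 WriteMsg=0 LostMsg=0.
2013-09-28T20:12:44.241+00:00 CWLNA1111 notice Connection imaserver 4475: Closing TCP connection: ConnectionID=6660 ClientID="CASJC01" Protocol=mqtt-tcp Endpoint="ITSO_EndPoint" UserID="" Uptime=0 RC=5 Clean=0 Reason="The connection is not authorized" ReadBytes=23 ReadMsg=0 WriteBytes=4 WriteMsg=0 LostMsg=0.
2013-09-28T20:22:44.241+00:00 CWLNA1111 notice Connection imaserver 4475: Closing TCP connection: ConnectionID=6674 ClientID="CASJC01" Protocol=mqtt-tcp Endpoint="ITSO_EndPoint" UserID="USER01" Uptime=0 RC=5 Clean=0 Reason="The connection is not authorized" ReadBytes=32 ReadMsg=0 WriteBytes=4 WriteMsg=0 LostMsg=0.
2013-09-27T07:50:18.864+00:00 CWLNA1111 notice Connection imaserver 4475: Closing TCP connection: ConnectionID=6698 ClientID="CASJC01" Protocol=mqtt-tcp Endpoint="ITSO_EndPoint" UserID="driver01" Uptime=0 RC=5 Clean=0 Reason="The connection is not authorized" ReadBytes=43 ReadMsg=0 WriteBytes=4 WriteMsg=0 LostMsg=0.
2013-09-27T11:32:17.504+00:00 CWLNA2106 warning Connection imaserver 4475: Unable to send a message due to an authorization failure: ConnectionID=6910 ClientID="CASJC01" Protocol="mqtt-tcp" Endpoint="ITSO_EndPoint" UserID="driver01".
2013-09-27T11:54:14.725+00:00 CWLNA2202 warning Connection imaserver 4475: Unable to create a consumer due to an authorization failure: ConnectionID=6954 ClientID="CASJC01" Protocol="mqtt-tcp" Endpoint="ITSO_EndPoint" UserID="driver01".
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<msgid>CWLNA\d+) (?P<severity>\w+) "
                     r"Connection imaserver \d+: (?P<rest>.*)$")
# key=value pairs: quoted values may contain spaces; unquoted values end at a
# space or at the period that closes the record.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s.]+))')
KIND = {"CWLNA1111": "connection", "CWLNA2106": "publish", "CWLNA2202": "subscribe"}

def parse(log: str) -> list:
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a record this parser understands
        fields = {}
        for kv in KV_RE.finditer(m.group("rest")):
            fields[kv.group(1)] = kv.group(2) if kv.group(2) is not None else kv.group(3)
        events.append({"ts": m.group("ts"), "msgid": m.group("msgid"),
                       "kind": KIND.get(m.group("msgid"), "other"), **fields})
    return events

def denied_connections(events) -> Counter:
    """(ClientID, UserID) pairs whose CONNECT was refused by the connection policy."""
    return Counter((e["ClientID"], e["UserID"]) for e in events
                   if e["kind"] == "connection" and "not authorized" in e.get("Reason", ""))

def unauthenticated_client_ids(events) -> set:
    """Client IDs that tried to connect with no user ID at all."""
    return {e["ClientID"] for e in events
            if e["kind"] == "connection" and e.get("UserID") == ""}

def topic_authz_failures(events) -> Counter:
    """Publish/subscribe denials. These clients already passed the connection
    policy, so each entry is an authenticated device touching a topic outside
    its messaging policy, and the client itself was told nothing about it."""
    return Counter((e["ClientID"], e["UserID"], e["kind"]) for e in events
                   if e["kind"] in ("publish", "subscribe"))

def findings(events, threshold: int = 3) -> list:
    """Findings as plain strings; the threshold is an arbitrary choice here."""
    out = []
    per_client = Counter()
    for (client_id, _), n in denied_connections(events).items():
        per_client[client_id] += n
    for client_id, n in per_client.items():
        if n >= threshold:
            out.append(f"{n} refused connections from client ID {client_id}")
    for (client_id, user_id, kind), n in topic_authz_failures(events).items():
        out.append(f"{n} {kind} denial(s) for {client_id} (user {user_id})")
    return out

if __name__ == "__main__":
    for finding in findings(parse(SAMPLE_LOG)):
        print(finding)
```

The two kinds of record deserve different handling. Refused connections (CWLNA1111 with RC=5) can come from misconfigured devices or from someone guessing client IDs and credentials, so they are counted per client ID and compared with a threshold. Publish and subscribe refusals (CWLNA2106, CWLNA2202) come from devices that already authenticated, which points at a compromised device or a client bug in topic naming, and they are listed individually because, as the Remember notes above explain, the client never sees the failure.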