Porovnávané verzie

Stará verzia 5

changes.mady.by.user D2000 Dev Team

Uložené

porovnané s

Nová verzia 6

changes.mady.by.user D2000 Dev Team

Uložené

Kľúč

  • Tento riadok sa pridal
  • Riadok je odstránený.
  • Formátovanie sa zmenilo.

...

  • There are two redundant application servers (physical or virtualized) - Windows or Linux.
  • On both servers, D2000 Servers are running as a redundant application (Master/Standby).
  • On both servers, Eclipse Mosquitto MQTT brokers are running, configured in TLS mode with a certificate signed by a certification authority. They are running without configuring message exchange between them, i.e., each of them is completely independent.
  • D2000 Kom process has a configured TCP/IP-TCP Redundant line, with configured MQTT server broker certificate verification, and with configured certificates. D2000 KOM is therefore connected to to both MQTT servers brokers simultaneously.
  • Other MQTT clients (PLC and other devices) are connected to at least one of the MQTT serversbrokers (i.e., they allow you to configure 2 IP addresses of MQTT servers brokers to which they try to establish a connection alternately).
  • TLS certificates signed by a certification authority are used to verify the identity of all clients.

...

Info
titlemyacl.conf
#user without username: anonymous is forbidden, but just to make sure: deny everything
topic deny

#MQTT Edge Node: writes to DATA/BIRTH/DEATH for myGroup/myEdgeNode (and its subdevices), subscribes NCMD/DCMD and queries the state of Host Application
user myEdge
topic write spBv1.0/myGroup/NDATA/myEdgeNode/#
topic write spBv1.0/myGroup/DDATA/myEdgeNode/# 
topic write spBv1.0/myGroup/NBIRTH/myEdgeNode/#
topic write spBv1.0/myGroup/DBIRTH/myEdgeNode/# 
topic read spBv1.0/myGroup/NCMD/myEdgeNode/#
topic read spBv1.0/myGroup/DCMD/myEdgeNode/#
topic read spBv1.0/STATE/D2000komHA

#MQTT Host Application: reads/writes its STATE, reads everything (this might be more precisely specified based on topics above), writes commands for myEdgeNode (and its subdevices)
user myHost
topic readwrite spBv1.0/STATE/D2000komHA
topic read spBv1.0/#
topic write spBv1.0/myGroup/NCMD/myEdgeNodeNadpis 3
topic write spBv1.0/myGroup/DCMD/myEdgeNode/#

...

The following procedure describes how to create keys and TLS certificates for the MQTT broker, the MQTT client myPLC (PLC or other device), and the MQTT client myD2000 (D2000 KOM process).

1.1 Creating a certification authority

This step can be skipped if you already have an existing certification authority, or if someone else signs your certificates. The -days parameter specifies the validity period of the certificate. The -keyout parameter defines the name of the private key file (which must be protected from theft), and the -out parameter defines the name of the certificate (which must be published).

...

When creating a key, you must enter a password to protect it.

1.2 Copying a Certification Authority Certificate

The certification authority certificate (caMQTT.crt) must be copied so that the D2000 KOM has access to it (the easiest way is to put it in the application directory) and set the path to it as the "Partner certificate" parameter (#APPDIR#\caMQTT.crt) in the TCP/IP-TCP Redundant line configuration.

The certification authority certificate (caMQTT.crt) must be copied to the MQTT broker so that the MQTT broker can use it to verify the validity of MQTT client certificates.

Note: In the case of redundant MQTT brokers and redundant D2000 application servers (and other MQTT clients), it is necessary to copy the certification authority certificate to all relevant servers!

2.1 Key creation and certificate signing request for the MQTT broker

...

The broker.crt file (MQTT broker certificate) must be copied to the MQTT serverbroker, along with the broker.key file (MQTT broker private key) and the certification authority certificate (caMQTT.crt). It is also recommended to protect the broker.key file (with access rights, encryption) so that only the user under whom the MQTT broker is running has access to it.

...

The myPLC.crt file (MQTT client certificate) must be copied to the MQTT client, along with the myPLC.key file (MQTT client private key) and the certificate authority certificate (caMQTT.crt). It is also recommended to protect the myPLC.key file (with access rights, encryption) so that only the user under whom the MQTT client is running has access to it.

...