Blog of Random Thoughts and Pictures

Bridging MQTT brokers and using security certs from Let’s Encrypt

October 14th, 2019

This is an item that came up while working on a project within the TSSG, so it might be worth sharing.

Have you ever tried to use an MQTT broker? Message Queuing Telemetry Transport (MQTT) is a machine-to-machine (M2M), Internet of Things data protocol, in the same family as other data protocols such as XMPP, CoAP, AMQP and WebSockets. Invented in 1999, MQTT is now an OASIS (Organization for the Advancement of Structured Information Standards) standard and an ISO standard (ISO/IEC PRF 20922).

MQTT is used extensively in Amazon Web Services, Microsoft Azure IoT Hub and IBM WebSphere MQ. It is a publish/subscribe message exchange pattern that can support persistent message storage on the broker, and it supports security in the form of authentication using a user name and password, and encryption using SSL/TLS.

Something like the Eclipse Mosquitto broker has a really small code footprint: libmosquitto (the client library) is about 1.3 MB. That makes it ideal where processor or memory resources are limited, and also where bandwidth is low or the network is unreliable, classic problems in the IoT space.

In the case of using MQTT for the smart grid, scale and security are top priorities. To achieve scale I’ve looked at bridging MQTT brokers in a hub-and-spoke model, where a very light MQTT broker sits at the edge of the network (at the end of the spoke) and a large MQTT broker at the hub aggregates all the data.

However, the purpose of this post is to highlight the security aspects of MQTT, and in particular the application of encryption (SSL/TLS) when using Let’s Encrypt certificates. Applying a certificate to an MQTT broker is not too hard; there’s a nice guide here on Mosquitto SSL Configuration for MQTT TLS Security and another here on SSL/TLS Client Certs to Secure MQTT. However, in the vast majority of cases the examples use self-signed certs and not certs as provided by Let’s Encrypt.

By the way, if you don’t know, Let’s Encrypt is a non-profit certificate authority run by the Internet Security Research Group that provides X.509 certificates for Transport Layer Security encryption at no charge. Each certificate is valid for 90 days and the renewal process is quite simple.

Now, bridging two MQTT brokers can be relatively straightforward too; however, getting the certs right when you want that bridge to be encrypted can be a little tricky. Look at how much you have to do to bridge a Mosquitto MQTT Broker to AWS IoT.

In my case I wanted to bridge two Mosquitto MQTT brokers, each with encryption enabled by a Let’s Encrypt cert. First I created a special Docker container that could pick up the Let’s Encrypt cert, and having followed all the guides I kept getting the following errors in the logs:

OpenSSL Error: error:14037418:SSL routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert unknown ca

OpenSSL Error: error:140370E5:SSL routines:ACCEPT_SR_KEY_EXCH:ssl handshake failure

Socket error on client , disconnecting.

I tried verifying the certs by installing openssl and running

openssl verify cert.pem

but all was fine.

I thought I had to download the trusted root CA certificates for Let’s Encrypt and place them somewhere in the Alpine Linux system (the base OS of the broker), but I must admit this “somewhere” was not so clear to me.

The problem is that the MQTT broker cannot verify its own CA before starting the SSL/TLS exchange with any client. This is because the CA that signs the Let’s Encrypt cert is not yet distributed and bundled by default in the Alpine Linux system, and therefore has to be added manually.

In the Mosquitto MQTT broker configuration, instead of pointing directly at the chain.pem file, I decided to point at the default place where all CA certs should be:

#cafile /mosquitto/config/certs/chain.pem
capath /etc/ssl/certs

This write-up on installing certificates in an Alpine image to establish secured communication (SSL/TLS) really got to the heart of the matter: the cert needs to be copied to a special directory, /usr/local/share/ca-certificates/, and then you need to run the program update-ca-certificates so that it gets placed in the right way into the folder /etc/ssl/certs.

After much head scratching, it all comes down to two command lines:

cp /mosquitto/config/certs/chain.pem /usr/local/share/ca-certificates/chain.pem

update-ca-certificates

Once done (via a docker-entrypoint.sh command), the container is able to handle the CA issue, and bridging two Mosquitto MQTT brokers that are using Let’s Encrypt certificates can be achieved.
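As an added example (not the post's own entrypoint or configuration), here is a docker-entrypoint.sh that puts the two command lines and the capath setting above into one script for an Alpine-based Mosquitto image: it stages the chain file into the CA store, rebuilds /etc/ssl/certs, checks the broker's own certificate against the rebuilt store, and renders a spoke-side configuration whose TLS listener and outbound TLS bridge both trust the system CA directory rather than chain.pem alone. The host name hub.example.org, the topic sensors/#, the certificate paths under /mosquitto/config/certs and the RUN_ENTRYPOINT variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: a docker-entrypoint.sh for an
# Alpine-based Mosquitto image. Host names, file paths, topic names and the
# RUN_ENTRYPOINT switch are assumptions for illustration.
set -eu

# Copy the chain file into the directory that update-ca-certificates scans.
# Arguments: chain file, destination directory (Alpine default shown).
# Kept as a pure file operation so it can be exercised without root.
stage_ca_chain() {
    src="$1"
    store="${2:-/usr/local/share/ca-certificates}"
    [ -r "$src" ] || { echo "chain file not readable: $src" >&2; return 1; }
    mkdir -p "$store"
    # The post copies the file as chain.pem. Debian-based images only pick
    # up files ending in .crt, so rename there if you reuse this script.
    cp "$src" "$store/chain.pem"
    echo "$store/chain.pem"
}

# Rebuild the hashed CA directory (/etc/ssl/certs) that capath points at.
refresh_ca_store() {
    if command -v update-ca-certificates >/dev/null 2>&1; then
        update-ca-certificates
    else
        echo "update-ca-certificates not found (is ca-certificates installed?)" >&2
        return 1
    fi
}

# Check the broker's own certificate against the rebuilt store, which is the
# check a bridge peer performs during the TLS handshake. A plain
# "openssl verify cert.pem" consults the same default store.
verify_cert_against_store() {
    openssl verify -CApath /etc/ssl/certs "$1"
}

# Print a spoke-side mosquitto.conf: a local TLS listener plus an outbound TLS
# bridge to the hub. Both trust the system CA directory, as in the post.
# Arguments: hub host, port (default 8883).
render_bridge_config() {
    hub="$1"
    port="${2:-8883}"
    cat <<EOF
listener $port
capath /etc/ssl/certs
certfile /mosquitto/config/certs/cert.pem
keyfile /mosquitto/config/certs/privkey.pem

connection spoke-to-hub
address $hub:$port
bridge_capath /etc/ssl/certs
bridge_insecure false
topic sensors/# out 0
EOF
}

main() {
    stage_ca_chain /mosquitto/config/certs/chain.pem >/dev/null
    refresh_ca_store
    verify_cert_against_store /mosquitto/config/certs/cert.pem
    render_bridge_config "${HUB_HOST:-hub.example.org}" > /mosquitto/config/mosquitto.conf
    exec mosquitto -c /mosquitto/config/mosquitto.conf
}

# Only run the entrypoint when explicitly asked, so the functions above can
# be sourced or tested on their own.
if [ "${RUN_ENTRYPOINT:-0}" = "1" ]; then
    main "$@"
fi
```

Inside the container, the image's ENTRYPOINT would run it as RUN_ENTRYPOINT=1 HUB_HOST=hub.example.org ./docker-entrypoint.sh. Keeping bridge_insecure at false matters: setting it to true would make the spoke skip hostname verification of the hub and defeat the point of using a public CA.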

Presenting the ICT PROSE project at Open World Forum

November 1st, 2012

I had the pleasure of attending the Open World Forum recently, where I got to represent a new FP7 project on open source called ICT PROSE.

Open World Forum

OWF itself really opened up my eyes to the activities happening around Europe in regards to open source in the enterprise. An overview of what I got up to is on the TSSG review of OWF12, and the rest of this post is a cross post of what I’ve written with Roberto Galoppini on behalf of the ICT PROSE project.

==================

Can projects and organisations keep full control of their data in open source forges? This was one of the key questions asked during the recent Open Forges Summit, part of the Open World Forum 2012*, held in Paris. With Roberto Galoppini (Geeknet) as Track Chair, and Miguel Ponce de Leon (TSSG) presenting, the PROSE project had some insights to present on the matter.

As part of the summit Roberto introduced participants to the changed landscape for source forges.

From there Ross Gardler of the Apache Software Foundation highlighted how forges, today, don’t make it easy to discover the individuals and the communities behind the software, and he made some suggestions (around the humble honey bee) on how forges could improve the way forge users discover the important people and communities behind open source projects.

Scott Wilson of OSS Watch showed how it’s possible to bridge the gap between open source development processes and app stores, particularly in the case of mobile apps – but he pondered the question of how this could be applied to other kinds of software.

Stijn Goedertier of the ADMS Working Group outlined the future plans for the ADMS.SW metadata vocabulary, which is used by JoinUp to describe open source software in the forge, making it possible to more easily explore, find and link open source software on the web.

Olivier Berger and Christian Bayle of FusionForge gave an integrated presentation on the advances in interoperability of FLOSS forges from the COCLICO projects.

Miguel then shared the goals of the ICT PROSE project. Through the presentation “Empowering FLOSS in European Projects” Miguel informed the audience about the PROSE project, whose objective is to accelerate the adoption of open source software in EU ICT projects. The presentation highlighted the project’s plans to increase the lifetime of the software developed inside European projects and thus maximise projects’ impact. It showed the creation and management of a platform for FLOSS project management and the development of a training programme on legal and business aspects pertaining to FLOSS adoption, and provided insight into a dissemination programme to promote the adoption of a FLOSS-driven model in EU ICT projects.

Finally, the summit concluded with Laurent Charles, on behalf of Enalean, highlighting how they achieved faster innovation with the Tuleap forge, and how customers quickly understood the gains: more contributions, more exchanges, and quality developments that really match their needs while staying free and independent.

Clearly there are new opportunities on how to allow projects to keep full control over their data in open source forges and new initiatives that the EU is driving have started to address the issues.

The Open World Forum is the leading global summit bringing together decision-makers, communities and developers to cross-fertilise open technological, economic and social initiatives in order to build the digital future. The event was founded in 2008 and now takes place every year in Paris, with over 180 speakers from 40 countries and an international audience of 1,900 delegates in 2011.

Scaling XMPP

August 29th, 2012

Zoosk – The Engineering behind Real Time Communications and XMPP

TV Isn’t Dead or Dying

June 24th, 2012

Finally a post that asks for the facts to be clearly displayed. TV Isn’t Dead or Dying, And It Doesn’t Need To Be Saved | Dan Rayburn – from StreamingMediaBlog.com

15th Meeting of the COST Domain Committee for ICT

March 4th, 2011

This has been cross posted to my TSSG blog

Some early morning fog in Brussels had me held up a little on arrival, but once we touched down it turned out to be a glorious spring day in Belgium. I was here in Brussels for the COST ICT domain committee meeting and hearings, where we were listening to and deciding on some new COST actions in ICT.

We were also here to discuss the COST ICT Domain budget update, the full proposal selection process and the proposal ranking algorithm, and we had an overview of the outlier tool.

There were also some changes in final event handling (as of Nov. 2010) and some e-COST updates that needed to be discussed and of course the monitoring of ICT Actions in progress.

We went through the evaluation of completed and ending actions which included:

2010 Completed Actions

With the actions ended, the rapporteurs gave an overview of some of the final news items from the Actions.


Action 2100 highlighted its joint workshop on Wireless Communications, 1–2 March 2011, Paris, France. JNCW 2011 was organised jointly by the European Network of Excellence in Wireless Communications (NEWCOM++) and the European Cooperation Action on Pervasive Mobile and Ambient Wireless Communications (COST 2100).


Action 2101 highlighted its Biometric ID Management Workshop (BioID 2011), the Third International Workshop organised by COST Action 2101. BioID 2011 will be held in the city of Brandenburg at the Brandenburg University of Applied Sciences.


Action 2102 highlighted the publication announcement of the Proceedings of the PINK COST 2102 INTERNATIONAL Conference on “Analysis of Verbal and Non Verbal Communication and Enactment: The Processing Issues” in LNCS, and also the notes from its Third International Training School, March 15–19, 2010.

7th concertation meeting of Future Networks

February 11th, 2011

This entry is cross posted from my TSSG blog.

Okay, time is not being kind to me, especially when it comes to completing entries for this blog, and while February 2011 is already a lifetime away, given that I was in Brussels directly after the FIRE workshop I’d like to report on my attendance at the 7th concertation meeting of Future Networks.

The main part of the plenary was given over to a description of Future Networks research towards standardisation activities. The last part of the session was given over to future research topics in the area as identified by Net!Works, ISI, EIFFEL, NEWCOMM++, BINE and EURO-NF. All presentations can be seen off this link.

The second day of this meeting was split into a number of separate plenaries as the Network of the Future projects are organised into three clusters: Future Internet Technologies (FI Cluster), Radio Access and Spectrum (RAS Cluster) and Converged and Optical Networks (CaON Cluster). I attended the FI Cluster, the agenda and presentations of which you can see off of this link.

There were a number of presentations on the economic and user perspective of inter-ISP traffic optimisation, where ETICS, IBBT, SESERV and SMOOTH-IT made presentations on the matter.

I was quite interested in the session on Information and Execution Automation between the Service and Network planes, where GEYSERS, MEDIEVAL, ONE, ONEFIT and UNIVERSELF gave their viewpoints; however, I was left a little perplexed that there was no real consensus on the topic and no plan to reach one.

Okay, only a few words, and it really shouldn’t have taken me this long to post it, but I hope this gives you a quick overview of the EU activities in the area of the Future Internet, with the next big event being FIA Budapest in May.

FIRE open call, mini call, whatyamacall

February 9th, 2011

This entry is cross posted from my TSSG blog.

Having finished up the SFI FI workshop, I had a little time to kill before an early flight to Brussels, so I stayed in Dublin and headed for Lansdowne Road (Aviva Stadium) and the Ireland v Wales friendly. It was a cold, wet night with not that many fans about, only livened up by a fantastic goal by Darron Gibson.

Anyway, on to day one of a three-day trip to Brussels. I headed for Etterbeek and the Vrije Universiteit Brussel (VUB) campus for the FIRE open call information day. First there was a slight route optimisation problem getting to VUB from the airport, but a train, metro and bus combination eventually got me there. Then comes the maze that is VUB; really, even with new signs the place is hard to navigate, but luckily a memory of a Living Labs & Open Innovation event in 2007 got me to the right building and room.

The information day was an opportunity to see how to submit proposals for the open calls launched by the BonFIRE, OFELIA, and TEFIS projects.

BonFIRE was up first, giving an overview of how it targets the Internet of Services and Future Networks research communities with its testbed infrastructure, and in particular highlighting its multi-cloud facility and sophisticated network emulation [pdf].

Next up, the TEFIS project gave an overview of their interdisciplinary infrastructure, which has various testbed resources such as new network paradigms, cloud computing and advanced user interfaces for services [pdf].

Finally, and of most interest to me, was the OpenFlow-based testbed OFELIA, which provides a platform for experimentation with novel networking protocols, addressing schemes and applications in the Internet [pdf].

Lunch was extracted from one of the biggest soup vats I’ve ever seen, and afterwards everyone headed over to Pleinlaan 2 for more in-depth sessions with the project participants.

I headed for the OFELIA session, which seemed to have the smallest room allocation and the largest number of participants. Further details on the open call process were provided, which makes it sound like a mini FP7 project proposal. I must say I feel for Hagan, the coordinator, as it doesn’t sound like an easy call to manage.

The last part of the session was the best, as people pitched potential projects that could fit into the call and the project partners around the table offered their thoughts and advice on the suitability of the proposals.

So that’s the FIRE open call day. I’ll complete a separate entry for the other two days in Brussels, which were for the 7th FP7 Future Networks concertation meeting.

SFI Future Internet workshop

February 8th, 2011

This entry is cross posted from my TSSG blog.

I have found it hard to keep a handle on all the Internet-based research happening in Ireland, so I jumped at the chance to participate in the recent SFI workshop on the Future Internet. It proved to be a fantastic opportunity to catch up with old acquaintances and to meet some new researchers in the field.

Now, the topic line is a little controversial in that the term Future Internet means many things to many people. What’s good about the term, however, is that it can act as a nice umbrella term to capture the massive shift in Internet research that is looking for new ways to move, share, find, define and create digital information. Whether this information is for use in Education, Health, Finance, Marine or even Agricultural services, it was great to see the wealth of situations to which Irish research is being applied.

To set the context for the day, early presentations in the workshop highlighted the meaning of the Future Internet, the new architectures being discussed at the EU level and some perspectives on the European Future Internet Assembly.

I gave an overview presentation on this topic, and my slides can be seen here.

Then, in earnest, a volley of 10-minute presentations was given by

  • Willie Donnelly on “Why the Future Internet?”
  • Stefan Decker on “From Linked Data to Networked Knowledge” and “Real-World Internet (FIA)”.
  • John Kennedy on the “Future Internet – An Intel Perspective”.
  • Pol Mac Aonghusa on “IBM Smart Cities”.
  • John Holland on the “Ericsson view”.
  • Keith Griffin on the “Cisco view”.
  • Fergal Ward on the “Intune view”.
  • Barry Smyth on “The Sensor Web”.
  • Ronan Farrell on the “CTVR Future Internet activities”.
  • Mike Hinchey on “Lero and FI”.
  • Barry O’Sullivan on “4C Future Internet activities”.
  • Steve Gotz on “CNGL and FI”.
  • Padraig Cunningham on “Clique and FI”.
  • Martin Johnsson on “FAME and FI”.
  • David Malone on the “Hamilton Institute Future Internet activities”.
  • Brendan Jennings on “FI Dagstuhl 2011”.

All the slides can be picked up off this SFI FI workshop page.

I found the format perfect: 10 minutes meant people had to get to the point quickly while still giving an impression of the depth of their research, and it has to be said that some very interesting solutions are being investigated in Irish research organisations.

Next up was a presentation by the Marine Institute with some use cases to which only Future Internet technologies could be applied. What followed was some discussion on other applicable use cases, and I gave a presentation on the upcoming FI PPP use case.

I usually find that the next steps for this type of event are left hanging in the wind; however, in this case it couldn’t be further from the truth, as plans are now afoot for a broader workshop to take place in Q2 of 2011.

FIA Ghent and the PII Future Internet award

December 17th, 2010

This entry is cross posted from my TSSG blog.

So, with the Pouzin Society meeting coming to a close, I took the short train ride over to Ghent for the FIA activities. The assembly is quite big now compared to FIA Madrid, and there were tons of interesting sessions; however, I spent most of my time in FIA session II: Smart Infrastructures and FIA session V: Architecture Group.

Three particular items caught my eye: “Programmability of the Infrastructure – CHANGE project”, “Resilience in Networks: Elements and Approach for a Trustworthy Infrastructure – ResumeNet project” and the follow-up activities of the FI Arch group (on the current Internet limitations document [pdf]).

Then came the great news that Panlab II had won the Future Internet prize for the best European Future Internet initiative. Wow, a great success for the PII team, and especially those in the TSSG, which included Eamonn, Shane and Zohra.

Their work focused on the PII resource repository, which was implemented using a REST-style architecture, the full design of which can be seen below.

The PII Repository Data Model was defined by two data models:
* Core Data Model
* Test Suite Data Model

The list of deliverables capturing this work include:
D3.1 System Analysis, where a list of the Panlab Community testbeds is maintained and the resources from those testbeds providing PII components are described in UML [pdf].

D3.2 Testbed Service Description Specification, in which the specification of the service description system is given. Requirements are also broken down into more refined technical requirements for the specification of the PII testbed services description system [pdf].

D3.7 Implementation Report, in which the Service Description, Service Discovery and Service Orchestration of the PII testbed are given. This document also reports on the extensive implementation efforts realised by WP3 PII partners in delivering a functional PII framework [pdf].

D4.2 Monitoring requirements and procedures for service level agreement compliance, which has the functional specification of PII’s quality assurance framework, hosting the metrics and processes for quality assurance in the PII framework [pdf].

And finally their paper:
Eamonn Power, Zohra Boudjemil and Shane Fox. Architecture and Implementation of a Testbeds Repository [pdf]. International Conference on Telecommunications and Multimedia (TEMU) 2010, Chania, Crete, Greece, July 2010.

I’m delighted to see that Eamonn’s, Shane’s and Zohra’s work has been recognised.

EU – Japan Symposium on Future Internet and New Generation Networks

October 22nd, 2010

This entry is cross posted to my TSSG blog.

Directly after finishing my open source session at the 6th Future Networks concertation meeting, I headed for Brussels airport to catch a flight to Tampere, Finland (via Stockholm) for the 3rd EU-Japan Symposium on Future Internet and New Generation Networks.
The flight was easy going, and the stop-off in Stockholm was nice, as I got to watch some Champions League football and then relax a little in the Starbucks cafe, catching up on some emails.

Tampere is the third largest city in Finland and the scene of a number of technological innovations; I was told the first test GSM calls were made here. The actual hotel and conference location was set in a picturesque spot by a lake.

Tampere outskirts

The event itself started with some high-level presentations on EU Digital Policy, the Digital Agenda for Europe and the ICT Paradigm Shift in this decade. I found the presentation by Masahiko Tominaga, Vice President, NICT, on NwGN R&D Strategy [pdf] the most interesting of these.

At the next break, it was great to get the opportunity to share lunch with Sasi. Now, I know Sasi normally sits only a couple of floors away from me, but it’s at times like this that we really get a chance to discuss a whole myriad of topics at length.

After lunch the event was broken up into separate tracks and I headed for the Internet/Network Architectures session. Sasi presented on the emerging generation of symbiotic networks: Federated Communication Systems [pdf], while I took the opportunity to present on RINA, the Recursive Inter Network Architecture, which is based on the work originated by John Day.

What I took from the whole session was the interesting work of Takeshi Usui (NICT/KDDI Laboratories) on Virtual Network Mobility: Advanced Mobility Management over Network Virtualization [pdf] and Nao Kawanishi (ATR) on his vision of An Open Mobile Communication System with All Strata Virtualization [pdf].

I was pleasantly surprised by the symposium and the people I met at this event, and the first sign of snow made the long trip back, by bus to Helsinki and then by plane via London Heathrow on to Dublin, a worthwhile one.