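ThingsBoard can run its MQTT server over SSL, and supports both one-way and two-way SSL. To enable SSL, use a valid certificate or generate a self-signed SSL certificate and add it to a keystore. You need to specify the keystore information in the thingsboard.yml file. See the instructions below on how to generate an SSL certificate and use it in your ThingsBoard installation.
Note: This step requires a Linux-based OS with Java installed.
Download server.keygen.sh from the official ThingsBoard repository to your working directory.
Download the keygen.properties file to your working directory and populate it with the desired values.
For example: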
DOMAIN_SUFFIX="$(hostname)"
ORGANIZATIONAL_UNIT=ThingsBoard
ORGANIZATION=ThingsBoard
CITY=San Francisco
STATE_OR_PROVINCE=CA
TWO_LETTER_COUNTRY_CODE=US
SERVER_KEYSTORE_PASSWORD=server_ks_password
SERVER_KEY_PASSWORD=server_key_password
SERVER_KEY_ALIAS="serveralias"
SERVER_FILE_PREFIX="mqttserver"
SERVER_KEYSTORE_DIR="/etc/thingsboard/conf/"
CLIENT_KEYSTORE_PASSWORD=password
CLIENT_KEY_PASSWORD=password
CLIENT_TRUSTSTORE="client_truststore"
CLIENT_KEY_ALIAS="clientalias"
CLIENT_FILE_PREFIX="mqttclient"
where
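The rest of the values are not important for server keystore generation.
To run the server keystore generation, use the following commands.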
chmod +x server.keygen.sh
sudo ./server.keygen.sh
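You can run this script without any arguments, or you can specify the following optional arguments:
The script will run keytool with the specified configuration. It will generate the following output files:
If you chose not to copy the keystore file, upload it manually to a directory on the server's classpath. You may want to change the owner and permissions of the keystore file: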
sudo chmod 400 /etc/thingsboard/conf/mqttserver.jks
sudo chown thingsboard:thingsboard /etc/thingsboard/conf/mqttserver.jks
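A pre-deployment check for the two points above, as an added example that is not part of the ThingsBoard scripts: it flags passwords in keygen.properties that are unset, short or still the sample values shown on this page, and confirms the keystore is not accessible to group or others. The function names and the 12-character minimum are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit keygen.properties and the generated keystore.
# Function names and the 12-character minimum are assumptions of this example.

# Read KEY=value from a properties file without sourcing it (the file may
# contain command substitutions such as DOMAIN_SUFFIX="$(hostname)").
prop_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Return 0 if every password key is set, long enough and not a sample value
# from the documentation; otherwise print one line per finding and return 1.
audit_keygen_passwords() {
    file=$1; min_len=${2:-12}; rc=0
    for key in SERVER_KEYSTORE_PASSWORD SERVER_KEY_PASSWORD \
               CLIENT_KEYSTORE_PASSWORD CLIENT_KEY_PASSWORD; do
        val=$(prop_value "$file" "$key")
        case $val in
            "") echo "$key: not set"; rc=1 ;;
            password|server_ks_password|server_key_password)
                echo "$key: still the documentation sample value"; rc=1 ;;
            *) [ "${#val}" -ge "$min_len" ] ||
                   { echo "$key: shorter than $min_len characters"; rc=1; } ;;
        esac
    done
    return $rc
}

# Return 0 only if group and others have no permission bits on the keystore
# (the result of chmod 400); uses the mode string printed by POSIX ls.
audit_keystore_mode() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$1: group/other access ($perms)"; return 1; }
}
```

Run `audit_keygen_passwords keygen.properties` before server.keygen.sh and `audit_keystore_mode /etc/thingsboard/conf/mqttserver.jks` after the keystore is in place.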
Locate your thingsboard.yml file and uncomment the lines after "# Uncomment the following lines to enable ssl for MQTT".
Alternatively, locate your thingsboard.conf file and set MQTT_SSL_ENABLED to true.
You can add the following line to thingsboard.conf to enable MQTT over SSL:
...
export MQTT_SSL_ENABLED=true
You may also want to change mqtt.bind_port to 8883, which is recommended for MQTT over SSL servers.
The MQTT bind port can be changed by adding the following line to thingsboard.conf:
...
export MQTT_BIND_PORT=8883
The key_store property must point to the .jks file location. key_store_password and key_password must be the same as those used in keystore generation.
Note: ThingsBoard also supports .p12 keystores. If this is the case, set the key_store_type value to 'PKCS12'.
After these values are set, launch or restart your ThingsBoard server.
The following keygen.properties example was used to generate a working .jks and .pem for a ThingsBoard installation that uses the default thingsboard.conf with the enhancements specified below.
This example is based on a default installation of ThingsBoard 2.5.
thingsboard.conf:
...
export MQTT_SSL_ENABLED=true
export MQTT_BIND_PORT=8883
...
keygen.properties:
DOMAIN_SUFFIX=localhost
ORGANIZATIONAL_UNIT=Thingsboard
ORGANIZATION=Thingsboard
CITY=SF
STATE_OR_PROVINCE=CA
TWO_LETTER_COUNTRY_CODE=US
SERVER_KEYSTORE_PASSWORD=server_ks_password
SERVER_KEY_PASSWORD=server_key_password
SERVER_KEY_ALIAS="serveralias"
SERVER_FILE_PREFIX="mqttserver"
SERVER_KEYSTORE_DIR="/etc/thingsboard/conf"
CLIENT_KEYSTORE_PASSWORD=password
CLIENT_KEY_PASSWORD=password
CLIENT_KEY_ALIAS="clientalias"
CLIENT_FILE_PREFIX="mqttclient"
See the following resources: