Error: 'CONNECT failed as CONNACK contained an Error Code: NOT_AUTHORIZED.'

Hi team,
I am trying to set up HiveMQ locally on Windows:
CLI setup ✓
HiveMQ Broker setup ✓
HiveMQ run.bat and Security extension running ✓
PostgreSQL ✓

My PostgreSQL is running in Docker but I am unable to authenticate to a user in my DB successfully using the CLI.
I created DB entries just like suggested here: HiveMQ Enterprise Security Extension (ESE) Start Up Guide :: HiveMQ Documentation and created Backendservice according to this doc.

insert into public.users
  (username, password, password_iterations, password_salt, algorithm)
  values
    ('backendservice', 'wtUo2dri+ttHGHRpngg9uG21piWLiKSX7IaNSnU/BfN9pt+ZOLQByG/3JlPPQ7t/pl8S3tjR2+Um/DPBdAQULg==', 100, 'Nv6NU9XY7tvHdSGaKmNTOw==', 'SHA512'),
    ('frontendclient', 'ZHg/rNJel1BHOYMEvc40ekCRUE5vVLcsPF6mk9GPDcdEmX3stm50MplaqjGb8Lxhy6rNFQZSQRSbOxmFZ8ps1Q==', 100, 'JhpW27QU9WfIaG6FJT5MkQ==', 'SHA512'),
    ('superuser', 'nOgr9xVnkt51Lr68KS/rAKm/LqxAt8oEki7vCerRod3qDbyMFfDBGT8obnkw+AGygxCQDWdaA2sQnXXoAbVK6Q==', 100, 'wxw+3diCV4bWXQHb6LLniA==', 'SHA512');

insert into public.permissions
  (id, topic, publish_allowed, subscribe_allowed, qos_0_allowed, qos_1_allowed, qos_2_allowed, retained_msgs_allowed, shared_sub_allowed, shared_group)
  values
    (1, 'topic/+/status', false, true, true, true, true, false, false, ''),
    (2, 'topic/${mqtt-clientid}/status', true, false, true, true, true, true, false, ''),
    (3, '#', true, true, true, true, true, true, true, '');

insert into public.roles
  (id, name, description)
  values
    (1, 'backendservice', 'only allowed to subscribe to topics'),
    (2, 'frontendclients', 'only allowed to publish to topics'),
    (3, 'superuser', 'is allowed to do everything');

insert into public.user_roles
  (user_id, role_id)
  values
    (1, 1),
    (2, 2),
    (3, 3);

insert into public.role_permissions
  (role, permission)
  values
    (1, 1),
    (2, 2),
    (3, 3);

When I run this command on CLI, I get the following error:

mqtt> connect --identifier=backendservice --user=backendservice --password=wtUo2dri+ttHGHRpngg9uG21piWLiKSX7IaNSnU/BfN9pt+ZOLQByG/3JlPPQ7t/pl8S3tjR2+Um/DPBdAQULg==

Unable to connect. Reason: 'CONNECT failed as CONNACK contained an Error Code: NOT_AUTHORIZED.'

Here are the various log files:

  • DEBUG log from run.bat
2023-07-13 04:54:29,824 DEBUG - mqtt-clientid ESE-Variable: backendservice
2023-07-13 04:54:29,825 DEBUG - authentication-key ESE-Variable: backendservice
2023-07-13 04:54:29,830 DEBUG - authentication-byte-secret ESE-Variable: d3RVbzJkcmkrdHRIR0hScG5nZzl1RzIxcGlXTGlLU1g3SWFOU25VL0JmTjlwdCtaT0xRQnlHLzNKbFBQUTd0L3BsOFMzdGpSMitVbS9EUEJkQVFVTGc9PQ==
2023-07-13 04:54:29,832 DEBUG - mqtt-password ESE-Variable: d3RVbzJkcmkrdHRIR0hScG5nZzl1RzIxcGlXTGlLU1g3SWFOU25VL0JmTjlwdCtaT0xRQnlHLzNKbFBQUTd0L3BsOFMzdGpSMitVbS9EUEJkQVFVTGc9PQ==
2023-07-13 04:54:34,826 DEBUG - Client 'backendservice' with ip 127.0.0.1 could not be authenticated
  • Access Log
2023-07-12 23:05:59,884 UTC - authentication-failed - Client failed authentication: ID backendservice, IP 127.0.0.1, reason "unknown authentication key or wrong authentication secret".
2023-07-12 23:10:27,234 UTC - authentication-failed - Client failed authentication: ID superuser, IP 127.0.0.1, reason "unknown authentication key or wrong authentication secret".
2023-07-12 23:12:45,501 UTC - authentication-failed - Client failed authentication: ID superuser, IP 127.0.0.1, reason "unknown authentication key or wrong authentication secret".
2023-07-12 23:20:08,904 UTC - authentication-failed - Client failed authentication: ID superuser, IP 127.0.0.1, reason "unknown authentication key or wrong authentication secret".
2023-07-12 23:20:30,720 UTC - authentication-failed - Client failed authentication: ID superuser, IP 127.0.0.1, reason "unknown authentication key or wrong authentication secret".
  • Mqtt CLI Log:
2023-07-13 04:54:29 | 11532 | DEBUG | Client 'backendservice@localhost' sending CONNECT MqttConnect{keepAlive=60, cleanStart=true, sessionExpiryInterval=0, simpleAuth=MqttSimpleAuth{username and password}}
2023-07-13 04:54:34 | 11532 | DEBUG | Client 'backendservice@localhost' DISCONNECTED CONNECT failed as CONNACK contained an Error Code: NOT_AUTHORIZED.: com.hivemq.client.mqtt.mqtt5.exceptions.Mqtt5ConnAckException: CONNECT failed as CONNACK contained an Error Code: NOT_AUTHORIZED.
2023-07-13 04:54:34 | 11532 | ERROR | Unable to connect. Reason: 'CONNECT failed as CONNACK contained an Error Code: NOT_AUTHORIZED.': com.hivemq.client.mqtt.mqtt5.exceptions.Mqtt5ConnAckException: CONNECT failed as CONNACK contained an Error Code: NOT_AUTHORIZED.
	at com.hivemq.client.internal.mqtt.MqttBlockingClient.connect(MqttBlockingClient.java:101)
	at com.hivemq.cli.mqtt.MqttClientExecutor.mqtt5Connect(MqttClientExecutor.java:66)
	at com.hivemq.cli.mqtt.AbstractMqttClientExecutor.connectMqtt5Client(AbstractMqttClientExecutor.java:311)
	at com.hivemq.cli.mqtt.AbstractMqttClientExecutor.connect(AbstractMqttClientExecutor.java:128)
	at com.hivemq.cli.mqtt.MqttClientExecutor.connect(MqttClientExecutor.java:53)
	at com.hivemq.cli.mqtt.AbstractMqttClientExecutor.connect(AbstractMqttClientExecutor.java:112)
	at com.hivemq.cli.mqtt.MqttClientExecutor.connect(MqttClientExecutor.java:53)
	at com.hivemq.cli.commands.shell.ShellConnectCommand.call(ShellConnectCommand.java:58)
	at com.hivemq.cli.commands.shell.ShellConnectCommand.call(ShellConnectCommand.java:31)
	at picocli.CommandLine.executeUserObject(CommandLine.java:2041)
	at picocli.CommandLine.access$1500(CommandLine.java:148)
	at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2461)
	at picocli.CommandLine$RunLast.handle(CommandLine.java:2453)
	at picocli.CommandLine$RunLast.handle(CommandLine.java:2415)
	at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2273)
	at picocli.CommandLine$RunLast.execute(CommandLine.java:2417)
	at picocli.CommandLine.execute(CommandLine.java:2170)
	at com.hivemq.cli.commands.shell.ShellCommand.interact(ShellCommand.java:145)
	at com.hivemq.cli.commands.shell.ShellCommand.call(ShellCommand.java:96)
	at com.hivemq.cli.commands.shell.ShellCommand.call(ShellCommand.java:46)
	at picocli.CommandLine.executeUserObject(CommandLine.java:2041)
	at picocli.CommandLine.access$1500(CommandLine.java:148)
	at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2461)
	at picocli.CommandLine$RunLast.handle(CommandLine.java:2453)
	at picocli.CommandLine$RunLast.handle(CommandLine.java:2415)
	at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2273)
	at picocli.CommandLine$RunLast.execute(CommandLine.java:2417)
	at picocli.CommandLine.execute(CommandLine.java:2170)
	at com.hivemq.cli.MqttCLIMain.main(MqttCLIMain.java:63)

  • HiveMQ Broker running at localhost:8080; I can see the connect request reaching there.

Here is my config.xml

<?xml version="1.0" encoding="UTF-8" ?>
<enterprise-security-extension
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="config.xsd"
        version="1">
    <realms>
        <!-- a postgresql db -->
        <sql-realm>
            <name>postgres-backend</name>
            <enabled>true</enabled>
            <configuration>
                <db-type>POSTGRES</db-type>
                <db-name>hivemq-ese-db</db-name>
                <db-host>localhost</db-host>
                <db-port>5432</db-port>
                <db-username>postgres</db-username>
                <db-password>postgres</db-password>
            </configuration>
        </sql-realm>
    </realms>
    <pipelines>
        <!-- secure access to the mqtt broker -->
        <listener-pipeline listener="ALL">
            <!-- debugging only: the last two preprocessors write the client's
                 password and byte secret to the log in clear text (see the DEBUG
                 log above); remove them once authentication works -->
            <authentication-preprocessors>
                <logging-preprocessor>
                    <message>mqtt-clientid ESE-Variable: ${mqtt-clientid}</message>
                    <level>debug</level>
                    <name>com.example.logger</name>
                </logging-preprocessor>
                <logging-preprocessor>
                    <message>authentication-key ESE-Variable: ${authentication-key}</message>
                    <level>debug</level>
                    <name>com.example.logger</name>
                </logging-preprocessor>
                <logging-preprocessor>
                    <message>authentication-byte-secret ESE-Variable: ${authentication-byte-secret}</message>
                    <level>debug</level>
                    <name>com.example.logger</name>
                </logging-preprocessor>
                <logging-preprocessor>
                    <message>mqtt-password ESE-Variable: ${mqtt-password}</message>
                    <level>debug</level>
                    <name>com.example.logger</name>
                </logging-preprocessor>
            </authentication-preprocessors>
            <!-- authenticate over a sql db -->
            <sql-authentication-manager>
                <realm>postgres-backend</realm>
            </sql-authentication-manager>
            <!-- authorize over a sql db -->
            <sql-authorization-manager>
                <realm>postgres-backend</realm>
                <use-authorization-key>false</use-authorization-key>
                <use-authorization-role-key>true</use-authorization-role-key>
            </sql-authorization-manager>
        </listener-pipeline>
        <!-- secure access to the control center -->

    </pipelines>
</enterprise-security-extension>

Please let me know what I am missing and why I am getting this error:

Unable to connect. Reason: 'CONNECT failed as CONNACK contained an Error Code: NOT_AUTHORIZED.'

Hi @gaurav ,

Nice that you are interested in HiveMQ, welcome to our community forum!

I notice that in the mqtt command you are using the encoded password, which is wrong; you should be using the unencoded password.

In the article that you linked, it says that the unencoded password is backendpassword

I hope it helps,

Best regards,
Dasha from HiveMQ Team

Hi @Daria_H ,
Thanks, that worked; somehow I missed that part.
Also, for the users that I created using the ESE Helper Tool, how can I decode those passwords?

Hello @gaurav

I’m pleased that it’s working, and I congratulate you on your success!

Passwords generated by the ESE Helper Tool cannot be decoded. In the event that you have forgotten a password, the recommended course of action is to choose a new password, generate a new hash and salt using the ESE Helper Tool, and then update the user’s information in the database accordingly.

I hope this information proves useful to you.

Best regards,
Dasha from the HiveMQ Team

This was very helpful, @Daria_H , thank you for your help


Hi @Daria_H ,
I successfully connected with my clients but I am receiving Mqtt5PubAckException in my publisher. Basically I have 3 roles:

  • Subscriber:
2023-07-13 18:11:12,397 UTC - authorization-succeeded - Client succeeded authorization: ID backenduser1, IP 127.0.0.1, permissions [Permission{topicFilter='+/+/data', qos=[0, 1, 2], activity=[subscribe], retainedPublishAllowed=false, sharedSubscribeAllowed=false, sharedGroup='', from='backend'}].
2023-07-13 18:12:47,157 UTC - authentication-succeeded - Client succeeded authentication: ID backenduser1, IP 127.0.0.1.
2023-07-13 18:12:47,157 UTC - authorization-succeeded - Client succeeded authorization: ID backenduser1, IP 127.0.0.1, permissions [Permission{topicFilter='+/+/data', qos=[0, 1, 2], activity=[subscribe], retainedPublishAllowed=false, sharedSubscribeAllowed=false, sharedGroup='', from='backend'}].
  • Publisher
2023-07-13 18:18:57,036 UTC - authentication-succeeded - Client succeeded authentication: ID machineuser1, IP 127.0.0.1.
2023-07-13 18:18:57,077 UTC - authorization-succeeded - Client succeeded authorization: ID machineuser1, IP 127.0.0.1, permissions [Permission{topicFilter='machineuser1/telemetry/data', qos=[1], activity=[publish], retainedPublishAllowed=false, sharedSubscribeAllowed=false, sharedGroup='', from='machine'}].
  • Admin: Admin is working fine

Issue is that:

  1. My Subscriber is receiving messages from Admin successfully but not from the Publisher when I run sub -t machineuser1/telementry/data -s
  2. My Publisher is unable to publish successfully when I run
    pub -t machineuser1/telementry/data -m hello -q 1

CLI is logging this error:

2023-07-13 23:31:25 | 18612 | DEBUG | Client 'machineuser1@localhost' sending CONNECT MqttConnect{keepAlive=60, cleanStart=true, sessionExpiryInterval=0, simpleAuth=MqttSimpleAuth{username and password}}
2023-07-13 23:31:25 | 18612 | DEBUG | Client 'machineuser1@localhost' received CONNACK MqttConnAck{reasonCode=SUCCESS, sessionPresent=false, restrictions=MqttConnAckRestrictions{receiveMaximum=10, maximumPacketSize=268435460, topicAliasMaximum=5, maximumQos=EXACTLY_ONCE, retainAvailable=true, wildcardSubscriptionAvailable=true, sharedSubscriptionAvailable=true, subscriptionIdentifiersAvailable=true}}
2023-07-13 23:31:33 | 18612 | DEBUG | Client 'machineuser1@localhost' sending PUBLISH ('hello') MqttPublish{topic=machineuser1/telementry/data, payload=5byte, qos=AT_LEAST_ONCE, retain=true}
2023-07-13 23:31:33 | 18612 | DEBUG | Client 'machineuser1@localhost' DISCONNECTED Server sent DISCONNECT.: com.hivemq.client.mqtt.mqtt5.exceptions.Mqtt5DisconnectException: Server sent DISCONNECT.
2023-07-13 23:31:33 | 18612 | ERROR | Client 'machineuser1@localhost' failed PUBLISH to TOPIC 'machineuser1/telementry/data': PUBACK contained an Error Code: com.hivemq.client.mqtt.mqtt5.exceptions.Mqtt5PubAckException: PUBACK contained an Error Code
2023-07-13 23:31:33 | 18612 | ERROR | Server sent DISCONNECT.: com.hivemq.client.mqtt.mqtt5.exceptions.Mqtt5DisconnectException: Server sent DISCONNECT.
2023-07-13 23:31:33 | 18612 | ERROR | Unable to publish. Reason: 'PUBACK contained an Error Code': java.util.concurrent.CompletionException: com.hivemq.client.mqtt.mqtt5.exceptions.Mqtt5PubAckException: PUBACK contained an Error Code
at java.base/java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:331)
at java.base/java.util.concurrent.CompletableFuture.completeThrowable(CompletableFuture.java:346)
at java.base/java.util.concurrent.CompletableFuture.uniWhenComplete(CompletableFuture.java:870)
at java.base/java.util.concurrent.CompletableFuture$UniWhenComplete.tryFire(CompletableFuture.java:837)
at java.base/java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:506)
at java.base/java.util.concurrent.CompletableFuture.completeExceptionally(CompletableFuture.java:2088)
at com.hivemq.client.internal.rx.RxFutureConverter$RxFuture.onError(RxFutureConverter.java:60)
at io.reactivex.internal.operators.single.SingleObserveOn$ObserveOnSingleObserver.run(SingleObserveOn.java:79)
at io.reactivex.internal.schedulers.ScheduledDirectTask.call(ScheduledDirectTask.java:38)
at io.reactivex.internal.schedulers.ScheduledDirectTask.call(ScheduledDirectTask.java:26)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: com.hivemq.client.mqtt.mqtt5.exceptions.Mqtt5PubAckException: PUBACK contained an Error Code

Please help me get this resolved, thanks!

Hello @gaurav ,

Based on the logs provided, as well as the details that the Admin user is able to successfully publish whereas the Publisher user cannot, it is most likely that the topic permissions within the ESE implementation are the source of our current error.

Within the public.permission insert statement, we provided the backendservice user permission to publish to the topic ‘topic/+/status’, which will let the user publish to topic/{any_subtopic}/status, where + is acting as a single-level wildcard. ‘Frontendclient’ is able to publish to topic/{this_clients_identifier}/status, and the ‘superuser’ can publish to any topic.

Based on the publish requests posted above, it looks as though we are omitting this ‘topic’ top-level identifier. I would recommend testing a publish topic such as ‘topic/machineuser1/status’. If the public permissions for these users have changed, be sure that the topic permissions within the database match, exactly or with wildcards, the topic that is being published to.

Best,
Aaron from the HiveMQ Team
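An added example (not HiveMQ's or ESE's code) of how an MQTT topic filter with `+` and `#` is matched against a published topic, and how the other columns of the public.permissions rows above (publish/subscribe, qos_N_allowed, retained_msgs_allowed, the `${mqtt-clientid}` placeholder) apply. It runs the machineuser1 PUBLISH from the CLI log above (topic spelled `telementry`, qos 1, retain=true) against the machineuser1 permission printed in the access log (`machineuser1/telemetry/data`, qos [1], retainedPublishAllowed=false); the permission data is constructed in memory from the page's rows.

```python
from dataclasses import dataclass
from typing import Optional

def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches exactly one level, '#' (last level only)
    matches zero or more remaining levels; wildcards never match a '$' system topic."""
    f, t = topic_filter.split("/"), topic.split("/")
    if topic.startswith("$") and f[0] in ("+", "#"):
        return False
    for i, level in enumerate(f):
        if level == "#":
            return i == len(f) - 1
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(f) == len(t)

@dataclass(frozen=True)
class Permission:
    """One public.permissions row; qos_allowed folds the qos_0/1/2_allowed columns."""
    topic: str
    publish_allowed: bool
    subscribe_allowed: bool
    qos_allowed: tuple
    retained_msgs_allowed: bool

# Constructed in-memory rows: the insert statements above plus the machineuser1 permission
# printed in the access log, keyed by username.
PERMISSIONS = {
    "backendservice": [Permission("topic/+/status", False, True, (0, 1, 2), False)],
    "frontendclient": [Permission("topic/${mqtt-clientid}/status", True, False, (0, 1, 2), True)],
    "superuser": [Permission("#", True, True, (0, 1, 2), True)],
    "machineuser1": [Permission("machineuser1/telemetry/data", True, False, (1,), False)],
}

def authorized(client_id: str, activity: str, topic: str, qos: int, retain: bool = False) -> Optional[str]:
    """Return the permission filter that allows this PUBLISH/SUBSCRIBE, or None (-> NOT_AUTHORIZED).
    ${mqtt-clientid} in a row is replaced by the connecting client's identifier; for SUBSCRIBE the
    requested filter is matched level by level against the permission filter."""
    for p in PERMISSIONS.get(client_id, []):
        allowed = p.publish_allowed if activity == "publish" else p.subscribe_allowed
        flt = p.topic.replace("${mqtt-clientid}", client_id)
        if (allowed and topic_matches(flt, topic) and qos in p.qos_allowed
                and (p.retained_msgs_allowed or not retain)):
            return flt
    return None

if __name__ == "__main__":
    # The PUBLISH from the CLI log above: 'telementry' in the topic, qos 1, retain=true.
    print(authorized("machineuser1", "publish", "machineuser1/telementry/data", 1, True))  # None
    print(authorized("machineuser1", "publish", "machineuser1/telemetry/data", 1, False))  # the filter
```

Both the misspelled topic level and the retain flag independently make the PUBLISH fail the check, so after fixing the topic spelling, publish without retain (or set retained_msgs_allowed) for that permission.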

All three clients are working now, thanks for the quick support!!