HiveMQ Swarm - TLS serverside encryption

Hey there,

What

I’m using HiveMQ Swarm in k8s via Helm using the official repo on github.

Story:

My HiveMQ cluster is running in the same k8s cluster in a different namespace and is using TLS 1.2 and authentication with the RBAC extension. I want the same for my Swarm instances, so that they authenticate correctly before executing my scenarios. Anyway, the certs are self-signed and the connection has been tested using python (paho mqtt), MQTTx and MQTT.fx (java) clients.

Behavior:

  • Swarm is trying to connect but has no chance to execute the scenario correctly as there’s no option to specify self-signed certs. I always need to set the trust-store.jks and client.jks.
  • The connection gets aborted with the message: 2022-09-01 21:49:13,090 ERROR - client-00011: connection timed out before receiving CONNACK after 60s

tl;dr

Is there a way to enable a flag like self-signed certificates allowed or similar? The docu is not helpful but wrong in some points.

Hi @stefanjay ,

Thanks for your post, as far as I understand, your “normal” clients can at least connect to the broker but the swarm clients can not?

Could you please share full details of your configuration so we have a full picture?

  1. Which security provider do you use for Swarm, the “standard” one or a custom one?
  2. Example of a client config, with which connection works (you can make screenshots of MQTT.fx settings screens or provide your python code)
  3. Your HiveMQ and Swarm configs (HiveMQ config.xml, FileRBAC configs, scenario.xml)

tl;dr
“The docu is not helpful but wrong in some points” – which “docu”, you have a link?

Regards,
Dasha from HiveMQ team

Hi again, @stefanjay ,

We understand that you are already in contact with Peter from our sales team working on this topic together and in active conversation to resolve the issue.
Peter will reach out to you regarding the next steps.

Wishing you a nice day ahead,
Kind regards
Dasha from HiveMQ team

Hey Daria,

thanks for your replies. Ha, yeah, the correct wording should be “incomplete” in regard to TLS for Swarm instead of “wrong” - sorry for that.

Yes, Peter is doing a great job :slight_smile: I was hoping to reach someone from the community with the same problem :slight_smile:

How to Swarm with TLS:

You will need:
  1. The script certly.sh to generate key- and trust-stores (find the link below).
  2. The Keystore-manager.jar (find the link below). This Keystore-manager.jar is a Swarm extension that implements a customized security provider.
  3. scenario.xml - the sample Swarm scenario (find the xml below)

Steps:
  1. copy the .jar into $HIVEMQ_HOME/tools/hivemq-swarm/extensions/
  2. create a subdirectory $HIVEMQ_HOME/tools/hivemq-swarm/scenario-dependencies/stores/01/
  3. run the certly.sh script (it will generate several files in the same dir)
  4. copy the following files to $HIVEMQ_HOME/conf/
     broker-truststore.jks
     broker-keystore.jks
  5. copy the following files to $HIVEMQ_HOME/tools/hivemq-swarm/scenario-dependencies/stores/01/
     client-keystore.jks and rename it to client.jks
     client-truststore.jks and rename it to truststore.jks
  6. create 3 text files with the password “changeme” inside (echo changeme > key-store-password)
     1. key-store-password
     2. private-key-password
     3. trust-store-password
  7. Configure a TLS listener in $HIVEMQ_HOME/conf/config.xml:
<listeners>
    <tls-tcp-listener>
        <port>8883</port>
        <bind-address>0.0.0.0</bind-address>
        <proxy-protocol>true</proxy-protocol>
        <tls>
            <keystore>
                <path>hivemq/conf/broker-keystore.jks</path>
                <password>changeme</password>
                <private-key-password>changeme</private-key-password>
            </keystore>
            <client-authentication-mode>REQUIRED</client-authentication-mode>
            <truststore>
                <path>hivemq/conf/broker-truststore.jks</path>
                <password>changeme</password>
            </truststore>
        </tls>
    </tls-tcp-listener>
</listeners>
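As an added example (not HiveMQ’s certly.sh, whose contents are not shown in this thread), the following bash function does the store-generation and file-layout part of the steps above with keytool: it creates a self-signed CA, issues a broker certificate and a client certificate from that CA, builds a truststore for each side that contains only the CA certificate, and copies everything into the conf/ and scenario-dependencies/stores/01/ directories with the names the key-store-manager provider expects. HIVEMQ_HOME (defaulting to ./hivemq-home), the password “changeme”, the broker hostname and the certificate names are assumptions for this example.

```shell
#!/usr/bin/env bash
# Added example, not HiveMQ's certly.sh: generate the JKS stores and the
# directory layout described in the steps above using keytool.
#   $1  HIVEMQ_HOME (assumed; defaults to ./hivemq-home for this example)
#   $2  store and key password (the steps use "changeme")
#   $3  broker hostname written into the broker cert's SAN (defaults to localhost)
set -eu

# keytool prints progress to stdout; silence it so the function's only
# stdout is the stores directory it filled.
kt() { keytool "$@" >/dev/null; }

gen_swarm_tls_stores() {
    home="${1:-${HIVEMQ_HOME:-./hivemq-home}}"
    pass="${2:-changeme}"
    broker_host="${3:-localhost}"
    conf="$home/conf"
    stores="$home/tools/hivemq-swarm/scenario-dependencies/stores/01"
    work="$(mktemp -d)"
    mkdir -p "$conf" "$stores"

    # Self-signed CA: the one certificate both the broker and the Swarm
    # clients have to trust. bc:c marks it as a CA, ku restricts its usage.
    kt -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=Swarm Test CA" -ext bc:c -ext ku:c=keyCertSign,cRLSign \
        -storetype JKS -keystore "$work/ca.jks" -storepass "$pass" -keypass "$pass"
    kt -exportcert -rfc -alias ca -keystore "$work/ca.jks" \
        -storepass "$pass" -file "$work/ca.pem"

    # Broker and client key pairs, each signed by the CA. The broker cert
    # carries the hostname in its SAN; the client cert is limited to clientAuth.
    for name in broker client; do
        if [ "$name" = broker ]; then
            exts="-ext eku=serverAuth -ext SAN=dns:$broker_host"
        else
            exts="-ext eku=clientAuth"
        fi
        ks="$work/$name-keystore.jks"
        kt -genkeypair -alias "$name" -keyalg RSA -keysize 2048 -validity 365 \
            -dname "CN=$name" -storetype JKS -keystore "$ks" \
            -storepass "$pass" -keypass "$pass"
        kt -certreq -alias "$name" -keystore "$ks" -storepass "$pass" \
            -file "$work/$name.csr"
        # $exts is intentionally unquoted so it splits into separate options.
        kt -gencert -rfc -alias ca -keystore "$work/ca.jks" -storepass "$pass" \
            -validity 365 $exts -infile "$work/$name.csr" -outfile "$work/$name.pem"
        # Import the CA first so the signed reply can be chained, then the reply.
        kt -importcert -noprompt -alias ca -keystore "$ks" -storepass "$pass" \
            -file "$work/ca.pem"
        kt -importcert -noprompt -alias "$name" -keystore "$ks" -storepass "$pass" \
            -file "$work/$name.pem"
        # The truststore holds only the CA certificate, nothing else.
        kt -importcert -noprompt -alias ca -storetype JKS \
            -keystore "$work/$name-truststore.jks" -storepass "$pass" \
            -file "$work/ca.pem"
    done

    # Broker stores go to conf/; client stores are renamed into stores/01/
    # to the names used by the connect command in the scenario.
    cp "$work/broker-keystore.jks" "$work/broker-truststore.jks" "$conf/"
    cp "$work/client-keystore.jks" "$stores/client.jks"
    cp "$work/client-truststore.jks" "$stores/truststore.jks"

    # The three password files next to the stores, same form as the steps.
    for f in key-store-password private-key-password trust-store-password; do
        echo "$pass" > "$stores/$f"
    done

    rm -rf "$work"
    echo "$stores"
}
```

Call it as gen_swarm_tls_stores "$HIVEMQ_HOME" changeme broker.example.internal, with the hostname the Swarm clients will actually use for the broker. With this layout the broker accepts only clients whose certificate chains to the CA in broker-truststore.jks (client-authentication-mode REQUIRED), and the Swarm clients accept the broker only because the same CA sits in truststore.jks; that is the self-signed case from the original question without any option that disables certificate verification. If the clients reach the broker under a name other than the one in the SAN, that is what the dontVerifyHostname attribute on the scenario’s connect command is for.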

Scenario.xml (see the “connect” command):

<scenario xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:noNamespaceSchemaLocation="scenario.xsd">
    <brokers>
        <broker id="b1">
            <address>localhost</address>
            <port>8883</port>
            <transport>TLS</transport>
        </broker>
    </brokers>
    <clientGroups>
        <clientGroup id="cg1">
            <clientIdPattern>Agent[0-9]{4}</clientIdPattern>
            <clientIdPatternOffset>1</clientIdPatternOffset>
            <count>10</count>
        </clientGroup>
    </clientGroups>
    <topicGroups>
        <topicGroup id="tg1">
            <topicNamePattern>topic/subtopic-[0-9]</topicNamePattern>
            <count>10</count>
        </topicGroup>
    </topicGroups>
    <stages>
        <stage id="s1">
            <lifeCycle id="s1.l1" clientGroup="cg1">
                <connect broker="b1" securityProvider="key-store-manager" dir="stores" dontVerifyHostname="true"/>
            </lifeCycle>
        </stage>
        <stage id="s2">
            <lifeCycle id="s2.l1" clientGroup="cg1">
                <publish topicGroup="tg1" count="10" message="hello"/>
            </lifeCycle>
        </stage>
        <stage id="s3">
            <lifeCycle id="s3.l1" clientGroup="cg1">
                <disconnect/>
            </lifeCycle>
        </stage>
    </stages>
</scenario>

Download link: Dropbox - tlsswarm

I hope this helps,
Regards,
Dasha from HiveMQ team
