Siemens S71200 PLC: Connection refused by Cloud Broker

Hello, I’m trying to connect a S71200 Siemens PLC using Siemens LMQTT client library (https://support.industry.siemens.com/cs/document/109748872/use-the-simatic-controller-as-an-mqtt-client?dti=0&lc=en-WW) to HiveMQ Cloud Broker.

I made sure:

a) to install in the PLC the server CA certificate provided by HiveMQ (isrgrootx1.pem)

b) to enable TLS in my PLC MQTT client library parameters

c) to configure port 8883 in my PLC MQTT client library parameters

d) to configure the URL generated by HiveMQ Broker in my PLC MQTT client library parameters

e) to create credentials for the MQTT broker and configure them in my PLC MQTT client library parameters

But when the PLC (MQTT Client) tries to connect to HiveMQ Cloud Broker, the error that the PLC MQTT client library reports is that the user and password are not authorized, a very similar problem to the one reported in the following thread:

It’s worth mentioning that I can successfully connect to HiveMQ Cloud broker using MQTT Explorer software, configuring the same credentials and using the same CA server certificate. Also, I can successfully connect my Siemens S71200 PLC as an MQTT client to other MQTT brokers such as Mosquitto and Ubidots using the same Siemens LMQTT client library.

Any ideas or suggestions of what could be the problem?
Has someone successfully connected Siemens PLCs to HiveMQ Cloud broker using Siemens LMQTT library?

Hello @jzamora

Thank you for reaching out, and welcome to the HiveMQ community forum.

We would greatly appreciate it if you could share the specific error message you encounter when trying to connect to the HiveMQ Cloud broker. To assist you more effectively, please ensure that you are using the correct username and password created in the HiveMQ Cloud console under Access Management and have the correct permissions set.

Regarding your mention of successfully connecting to your PLC with other brokers, could you clarify whether these connections were made using TLS or non-TLS? Additionally, it would be beneficial to confirm whether your device supports the TLS-SNI Extension. This extension is crucial as it includes the server’s hostname during client connection attempts.

Your detailed information will help us provide more accurate assistance.

Regards,
Sheetal from HiveMQ Team

Hello @SShet, thank you for your response.

Regarding your question about the specific error message that the PLC is reporting when trying to connect, I’m getting error 8730 / 5, which from the library documentation translates to:

8730 = Connection rejected by MQTT broker. New connection required.
5 = The client is not authorized to connect (username or password incorrect).

I’m also attaching the parameters configured to the PLC library:

PLC Parameters

Please note that there is a dot character at the end of the “qdnAddress” parameter, this is a requirement of the PLC LMQTT library.

Also note that parameter “brokerCert” is set to 3; this is the ID assigned to the CA server certificate (isrgrootx1.pem) in the PLC’s certificate manager.

Regarding making sure that I used the correct credentials and permissions set in the HiveMQ Cloud console under Access Management, I’m very positive that they are correctly set.

The successful connections made using this PLC and library to the Mosquitto and Ubidots brokers were not TLS-encrypted.

I’m asking Siemens about TLS-SNI extension support, which I don’t know for sure, but I would guess that the library parameter “validateServerIndentity” is to enable the SNI extension. That is why I have its value set to “TRUE”.

Regards

Hello, I think I know why my Siemens S71200 PLC is not connecting to HiveMQ Cloud Broker. I was informed by a Siemens Technical Support person that the TLS-SNI extension, as of today, is only supported by S71500 PLCs with firmware version 3.1 and above.
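One way to check from a workstation whether a broker's answer depends on the TLS-SNI extension that Sheetal asked about and that the final post says the S7-1200 cannot send: the script below sends a raw MQTT 3.1.1 CONNECT over TLS once with SNI and once without, and reports the CONNACK return code, so a code 5 seen only on the no-SNI attempt points at the missing extension rather than at the credentials. This is an added example using only the Python standard library, not code from the thread, from Siemens' LMQTT library or from HiveMQ; the broker host, credentials and CA file path are placeholders you replace with your own cluster's values.

```python
import socket
import ssl
import struct

BROKER_HOST = "your-cluster.hivemq.cloud"   # placeholder: your HiveMQ Cloud host
CA_FILE = "isrgrootx1.pem"                  # the CA certificate named in the thread
USER, PASSWORD = b"plc-user", b"plc-secret" # placeholders: your Access Management credentials
CONNACK_CODES = {0: "accepted", 4: "bad username or password", 5: "not authorized"}

def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer (7 bits per byte, high bit = continuation)."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def encode_string(s: bytes) -> bytes:
    return struct.pack("!H", len(s)) + s

def build_connect(client_id: bytes, user: bytes, password: bytes) -> bytes:
    """MQTT 3.1.1 CONNECT: username + password flags, clean session, 60 s keepalive."""
    var_header = encode_string(b"MQTT") + bytes([4, 0xC2]) + struct.pack("!H", 60)
    payload = encode_string(client_id) + encode_string(user) + encode_string(password)
    body = var_header + payload
    return b"\x10" + encode_remaining_length(len(body)) + body

def parse_connack(data: bytes) -> int:
    """Return the CONNACK return code (0 = accepted, 5 = not authorized, ...)."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 2:
        raise ValueError(f"expected CONNACK, got {data!r}")
    return data[3]

def probe(host: str, port: int, use_sni: bool) -> int:
    """TLS-connect, send CONNECT, return the broker's CONNACK code."""
    ctx = ssl.create_default_context(cafile=CA_FILE)
    if not use_sni:
        ctx.check_hostname = False  # no SNI means no hostname to match; CA check stays on
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if use_sni else None) as tls:
            tls.sendall(build_connect(b"sni-probe", USER, PASSWORD))
            return parse_connack(tls.recv(4))

if __name__ == "__main__":
    for use_sni in (True, False):
        try:
            code = probe(BROKER_HOST, 8883, use_sni)
            print(f"SNI={use_sni}: CONNACK {code} ({CONNACK_CODES.get(code, 'other')})")
        except (OSError, ValueError) as exc:  # ssl.SSLError is an OSError subclass
            print(f"SNI={use_sni}: failed before CONNACK: {exc}")
```

A TLS failure on the no-SNI attempt (reported as "failed before CONNACK") is also informative: it means the broker will not even complete the handshake without the hostname, which a client lacking SNI support cannot work around.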