cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Did you get an answer that solved your problem? Please mark it as an Accepted Solution so others with the same problem can find the answer easily. X

SSL problems with MQTT and ThingWorx

charlo
4-Participant

SSL problems with MQTT and ThingWorx

Hello PTC,

I'e tried all the ways which are described in the forum, but I haven't got anything, I can't connect the MQTT Broker

with SSL enable(and works) with ThingWorx server. I'm using a 90 days version, and I don't know if the security configuration in the MQTT extension ca be enabled.

Thanks very much,

Carlos

ACCEPTED SOLUTION

Accepted Solutions
tdixit
15-Moonstone
(To:charlo)

Hello @charlo 

 

If you check the Point 3 "useSSL: Should ThingWorx use SSL when connecting to the MQTT broker?" in the article shared. It is mentioned to copy the cacerts file into jssecacerts and I can see the cacerts is present  at this C:\Program Files\Java\jre1.8.0_281\lib\security  location

 

Please copy the cacerts file into jssecacerts

  • Best practice is to not modify cacerts directly
  • The JVM will choose jssecacerts over cacerts on startup

and then Import the Self-Signed Certificate or the Custom Root Certificate into the jssecacerts truststore with the following command:

  • keytool -import -alias <Descriptive Alias> -file <Path To Certificate File> -keystore jssecacerts
  • Where
    • <Descriptive Alias>: Any identifier that will help identify the entry. Typically set to the FQDN of the host that signed the certificate.
    • <Path To Certificate File>: Full path to the certificate file

and then restart Apache Tomcat

 

Regards,

Toolika Dixit

View solution in original post

14 REPLIES 14
tdixit
15-Moonstone
(To:charlo)

Hello @charlo 

 

Thank you for reaching out to PTC.

 

Could you please provide me below information in order to assist you further on this case

  • Please confirm ThingWorx version
  • Please confirm MQTT version
  • Please share ThingWorx and MQTT logs 

Regards,

Toolika Dixit

charlo
4-Participant
(To:tdixit)

Dear PTC,
my ThingWorx version is 9.1.0 (TRIAL)
my MQTT is Eclipse Mosquitto MQTT v5/v3.1.1 broker.
I've revised the log file, but as I hadn't got to turn on SSL, the SSL
problem is not in log files.
The problem is that there is only the SSL enable checkbox, but I can't
configure a CA file.
Regards,
Carlos
tdixit
15-Moonstone
(To:charlo)

Hello @charlo 

 

Please check this article which explains how to configure  MQTT broker which is using a Self-Signed or Custom Root Certificate

 

Regards,

Toolika Dixit

charlo
4-Participant
(To:tdixit)

Hello tdixit,
I've tried with the article, but I can't connect the mosquitto broker
with the
MQTT Plugging,
regards,
Carlos
tdixit
15-Moonstone
(To:charlo)

Hello @charlo 

 

Could you please share the MQTT and ThingWorx logs to look into this issue

 

Regards,

Toolika Dixit

charlo
4-Participant
(To:tdixit)

Hello tdixit,
my logs are:
mosquitto:
1617786835: New connection from 127.0.0.1 on port 8883.
1617786835: Socket error on client , disconnecting.
1617786860: New connection from 127.0.0.1 on port 8883.
ThingWorx:
Unable to connect to MQTT in [Thing_MQTT] : MqttException

I've tried with the tutorial:
https://www.ptc.com/en/support/article/CS0246701
but I'm not able to connect ThingWorx to MQTT with SSL.
Thanks a lot,
Carlos
charlo
4-Participant
(To:charlo)

And my MQTT extenstion version is 2.1.0, I don't know if there are any problems with this version in SSL mode, but in https://www.ptc.com/en/support/article/CS325300

You described a similar case, where the SSL doesn't work.

Thanks a lot,

Carlos

 

charlo
4-Participant
(To:charlo)

Could you send you the MQTT extension version 2.1.2, because I can't download it from your webpage.

Thanks

 

tdixit
15-Moonstone
(To:charlo)

Hello @charlo 

 

PFA the MQTT extension 2.1.2

 

Regards,

Toolika Dixit

charlo
4-Participant
(To:tdixit)

I don't have any access to download the MQTT extension 2.1.2, could you
give me access or ypu pass me the file and the configuration instruction
for SSL mode?
Thanks a lot
Carlos
tdixit
15-Moonstone
(To:charlo)

Hello @charlo 

 

I have attached the extension in my previous response.

 

Are you unable to download  it from there. ?? I am attaching it again here for you

 

Please refer this article  to install MQTT

 

Regards,

Toolika Dixit

charlo
4-Participant
(To:tdixit)

Hello ,
in this article: https://www.ptc.com/en/support/article/CS246701
You explain the procedure to configure the MQTT extension in SSL mode.
But in step 3 says:
Copy the cacerts file into jssecacerts

Best practice is to not modify cacerts directly
The JVM will choose jssecacerts over cacerts on startup
I've found only this:

C:\Program Files\Java\jre1.8.0_281\lib\security

05/03/2021 12:00 .
05/03/2021 12:00 ..
05/03/2021 12:00 4,054 blacklist
05/03/2021 12:00 2,527 blacklisted.certs
05/03/2021 12:00 108,679 cacerts
05/03/2021 12:00 2,466 java.policy
05/03/2021 12:00 50,764 java.security
05/03/2021 12:00 98 javaws.policy
05/03/2021 12:00 policy
05/03/2021 12:00 0 trusted.libraries

I need to help with this step, because it can be why it doen't work.
Thanks,
Carlos
tdixit
15-Moonstone
(To:charlo)

Hello @charlo 

 

If you check the Point 3 "useSSL: Should ThingWorx use SSL when connecting to the MQTT broker?" in the article shared. It is mentioned to copy the cacerts file into jssecacerts and I can see the cacerts is present  at this C:\Program Files\Java\jre1.8.0_281\lib\security  location

 

Please copy the cacerts file into jssecacerts

  • Best practice is to not modify cacerts directly
  • The JVM will choose jssecacerts over cacerts on startup

and then Import the Self-Signed Certificate or the Custom Root Certificate into the jssecacerts truststore with the following command:

  • keytool -import -alias <Descriptive Alias> -file <Path To Certificate File> -keystore jssecacerts
  • Where
    • <Descriptive Alias>: Any identifier that will help identify the entry. Typically set to the FQDN of the host that signed the certificate.
    • <Path To Certificate File>: Full path to the certificate file

and then restart Apache Tomcat

 

Regards,

Toolika Dixit

slangley
23-Emerald II
(To:charlo)

Hi @charlo.

 

If you have resolved your issue with the help of one of the previous responses, please mark the appropriate one as the Accepted Solution for the benefit of others with the same problem.

 

Regards.

 

--Sharon

Announcements


Top Tags