SSL/TLS MQTT
Hello.
I would like to connect my Thingworx platform 7.2 with a MQTT broker in secure mode (SSL/TLS).
I’m using ActiveMQ 5.3 as MQTT broker and MQTT Thingworx extension as connector.
I successfully tested the connection without SSL mode.
However, I could not implement secure mode connection.
→ I have made two changes to the activemq.xml file.
a) Instead of line
<transportConnector name="mqtt" uri="mqtt://0.0.0.0:1883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>,
I used
<transportConnector name="mqtt+nio+ssl" uri="mqtt+nio+ssl://0.0.0.0:8883?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>
b) I added
<sslContext>
<sslContext keyStore="file:${activemq.base}/conf/activemq.ks"
keyStorePassword="password"
trustStore="file:${activemq.base}/conf/activemq.ts"
trustStorePassword="password" />
</sslContext>
- Activemq.ks is a keystore containing the certificate I generated for the broker.
- Activemq.ts is a keystore containing the certificate I generated for the broker clients.
→ I tested the ActiveMQ server with the MQTT.fx client tool. I could connect in SSL/TLS mode, with the TLSv2 protocol option and the CA certificate keystore option, by importing the broker client certificate I made into the keystore for MQTT.
My questions.
1) Is my ActiveMQ configuration proper?
2) Where should I put the broker client certificate in Thingworx side?
3) Perhaps the MQTT Thingworx extension uses Tomcat to communicate with the ActiveMQ broker? Following this assumption, I modified the server.xml file of the Tomcat configuration.
Below is one of my unsuccessful tests:
a) I added this connector
<Connector
port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150"
SSLEnabled="true"
scheme="https"
secure="true"
clientAuth="true"
sslProtocol="TLS"
enableLookups="false"
keystoreFile="conf/tomcat.ks" keystorePass="password"
truststoreFile="conf/tomcat.ts" truststorePass="password"
>
</Connector>
Tomcat.ks is a keystore containing the certificate I generated for the broker clients.
Tomcat.ts is a keystore containing the certificate I generated for the broker.
I removed this line
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
4) Instead of the MQTT Thingworx extension, is it possible to use the ActiveMQ extension for a secure SSL/TLS connection through ActiveMQ?
Thank you for your attention.
Best regards,
Sergio Marino
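Added example (not from the original post, nor from Thingworx or ActiveMQ): a small stdlib-only Python probe that answers question 1 from the client side by opening a TLS 1.2+ connection to the mqtt+nio+ssl port, verifying the broker certificate against a CA file, presenting a client certificate, and reading the broker's CONNACK return code. It assumes the broker certificate from activemq.ks and the client certificate/key trusted in activemq.ts have been exported to PEM; the host name and file paths are placeholders.

```python
"""Probe an MQTT broker over TLS with a client certificate and report the CONNACK code."""
import socket
import ssl
import struct


def _mqtt_string(text: str) -> bytes:
    """MQTT 3.1.1 UTF-8 string: 2-byte big-endian length prefix plus the bytes."""
    data = text.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def build_connect_packet(client_id: str, keepalive: int = 60) -> bytes:
    """Minimal MQTT 3.1.1 CONNECT: clean session, no username/password, no will."""
    variable_header = _mqtt_string("MQTT") + bytes([4, 0x02]) + struct.pack("!H", keepalive)
    remaining = variable_header + _mqtt_string(client_id)
    if len(remaining) > 127:
        raise ValueError("client id too long for a one-byte remaining length")
    return bytes([0x10, len(remaining)]) + remaining


def parse_connack(data: bytes) -> int:
    """Return the CONNACK return code (0 = accepted, 5 = not authorized, ...)."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 2:
        raise ValueError("not a CONNACK packet")
    return data[3]


def probe_broker(host: str, port: int, cafile: str, certfile: str, keyfile: str,
                 client_id: str = "tls-probe") -> int:
    """Open a TLS 1.2+ connection, verify the broker cert against cafile, present the
    client cert, then send CONNECT and return the broker's CONNACK return code."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    ctx.load_cert_chain(certfile, keyfile)        # client identity for mutual TLS
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:  # hostname check stays on
            tls.sendall(build_connect_packet(client_id))
            return parse_connack(tls.recv(4))


if __name__ == "__main__":
    # Placeholder paths: export the broker cert from activemq.ks and the client
    # cert/key (the one trusted in activemq.ts) to PEM before running.
    print(probe_broker("broker.example", 8883, "broker-ca.pem", "client.pem", "client-key.pem"))
```

A handshake failure here (rather than a CONNACK code) means the broker certificate does not chain to the CA file or its name does not match the host; a successful CONNACK without the client certificate loaded would show the broker is not actually demanding client authentication.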

