Overview of MQTT Gateway

Last modified: May 15, 2019 @ 14:32

MQTT (Message Queuing Telemetry Transport) is a lightweight machine-to-machine protocol that uses a publish-subscribe model.

The DDM service provides the capability to create a distributed set of MQTT endpoints. These endpoints represent the MQTT enabled devices which connect to the MQTT server through the MQTT Gateway solution, as described in this documentation.

MQTT Devices must be registered in DDM, as described in Register Device.

The MQTT feature enables MQTT clients to communicate with DDM using the MQTT protocol v3.1.1. However, the feature does not support all behaviors specified in MQTT v3.1.1.

MQTT clients can only connect securely to the MQTT Gateway, using SSL/TLS on port 8883.

The MQTT Gateway enables MQTT devices to register when devices with valid certificate connect to the MQTT Gateway, or the Gateway to deregister devices in DDM if the devices no longer respond. The devices must be registered in DDM in advance.

Solution context

Device Data Ingestion

MQTT enabled Devices, once authenticated and authorized, will publish the telemetry data.

  • Once the Gateway is instantiated, the list of allowed MQTT topics is configured on the Gateway.
  • Clients can publish to these topics. This is done by configuring the MQTT Publish Topic Filters Setting Category for the Gateway.
  • The telemetry data comes to the Gateway in JSON/String format, and the Gateway then transforms the payload to a DDM-understandable format.

Downlink Commands

MQTT Gateway offers support for Downlink Commands.

  • The end-user or enterprise application triggers a command to the device using DDM. This command is forwarded to the device by the gateway over MQTT.
  • The device is connected to the MQTT Gateway and should have subscribed to the command topic.
  • The device sends a response as an acknowledgement to the DDM.
  • The supported downlink commands are Read, Write and Execute.


Security is implemented in two layers:

  • Authentication
  • Authorization


MQTT enabled devices are authenticated using the X.509 certificates. The security is two-way SSL. Once a valid SSL certificate, obtained from a trusted Certificate Authority (CA), is uploaded on DDM, then the MQTT clients can connect to the MQTT Gateway securely using SSL/TLS on port 8883 by installing the CA certificate in the MQTT-enabled devices themselves.

When an MQTT device tries to connect to the MQTT Gateway, the broker performs a check to verify if the CN (Common Name) in the device certificate is same as the MQTT client identifier. The connection of the MQTT client with the MQTT Gateway is allowed only when the match is found.


Authorization functions as a second layer of security and ensures that genuine data is accepted from legitimate devices subscribing to the correct topic. Any garbage data is discarded. Authorization is implemented at two levels:

  • MQTT topic level: The topic formats which are expected from the MQTT enabled Devices are defined in the DDM Setting Categories. The Gateway allows the Devices which send data to a valid topic to publish the data. If the Device sends a message to an invalid topic, the message is silently discarded.
  • Device level: Only authenticated Devices are authorized to send messages to DDM. This implies that a Device cannot publish messages to a topic of another Device. If a Device tries to publish data to a topic of another Device, the message is silently discarded.

Payload Format

The payload format expected from the MQTT-enabled devices is defined in the Setting Categories of DDM, and sent to the Gateway at the time it boots up. The Gateway validates all the data against the defined format, and only the devices which use the valid payload format are allowed to publish the data.


Every MQTT server will have its own Public IP which will have an FQDN attached to it and hence can be called via the FQDN.