This page describes the steps that must be performed to update the Certificate Based Authentication Setting Category, which is configured in DDM at the Gateway level to enable 2-way SSL support.
The Certificate Based Authentication Setting Category needs to be updated with the client trusted Anchor, so that the MQTT Gateway can use the certificate to authenticate the clients.
Multiple root and intermediate CA certificates can be added in the Setting Category, if multiple device certificates are available.
To update the Setting Category, do the following:
- In the Dashboard, navigate to Gateway and click the Edit button of the Setting Category Certificate Based Authentication.
Example of Setting Category for Certificate Based Authentication.
- Update the certificate (client trusted Anchor) content in the Value field.
- Click Save.
- The MQTT clients can connect to the MQTT Gateway securely using SSL/TLS over port 8883. In this approach, only authenticated clients can publish messages to topics on the Gateway, hence securing the communication.
The .pem format of the SSL certificate is supported. This format is an X.509 base64-encoded ASCII file, and includes the statements "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
- In connection with the Gateway instantiation, Ericsson Operations will provide the DDM customer with a DigiCert link from which the certificate content can be downloaded.
- To remove expired certificates and certificates for blacklisted devices, contact Ericsson Operations.
- When certificates are added to or removed from the Setting Category, the MQTT Gateway application is restarted. This disconnects the clients from the gateway. The clients should then connect to the application again.
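A pre-flight check for the text that goes into the Value field, covering the PEM requirement and the multiple-certificate case described above. This is an added example, not Ericsson or DDM code: the function names are hypothetical, the sample blobs are constructed DER stand-ins rather than real certificates, and the check is structural only (it does not verify CA status or expiry).

```python
import base64
import hashlib
import re

# Any "BEGIN <label>" ... "END <label>" block framed by exactly five ASCII hyphens.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_length_ok(der: bytes) -> bool:
    """True if der is one DER SEQUENCE whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    return n > 0 and len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_trust_anchor_value(text: str):
    """Return (sha256 fingerprints, problems) for text meant for the Value field."""
    fingerprints, problems = [], []
    if re.search(r"[\u2010-\u2015]", text):
        problems.append("typographic dashes found; PEM markers need ASCII '-----'")
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        problems.append("no PEM blocks found")
    for index, (label, body) in enumerate(blocks, start=1):
        if label != "CERTIFICATE":        # e.g. a private key pasted by mistake
            problems.append(f"block {index}: '{label}' is not a certificate; remove it")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"block {index}: body is not valid base64")
            continue
        if not der_length_ok(der):
            problems.append(f"block {index}: not a single DER SEQUENCE (truncated?)")
            continue
        digest = hashlib.sha256(der).hexdigest()
        if digest in fingerprints:
            problems.append(f"block {index}: duplicate of an earlier certificate")
        else:
            fingerprints.append(digest)
    return fingerprints, problems

# Constructed sample: one stand-in certificate plus a key block that must be rejected.
SAMPLE = ("-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
          "-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n")
if __name__ == "__main__":
    print(check_trust_anchor_value(SAMPLE))
```

An empty problem list means the text is well-formed PEM; comparing the printed fingerprints against those of the downloaded CA certificates confirms the right anchors are being saved.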