MQTT is a machine-to-machine (M2M)/"Internet of Things" connectivity protocol. It was designed as an extremely lightweight publish/subscribe messaging transport.
MQTT is a server/client architecture. A server, also called broker is not provided within this binding, but it allows to detect running brokers and to manage connections. The hereby configured broker connections make it possible to link MQTT topics to Things and Channels.
It has the following extensions:
- Broker: This bridge represents an MQTT Broker connection, configured and managed by this binding.
- SystemBroker: A system configured broker cannot be changed by this binding and will be listed as read-only system-broker.
Required configuration parameters are:
- host: The IP/Hostname of the MQTT broker. Be aware that this binding allows only one bridge / one connection per unique host:port.
- port: The optional port of the MQTT broker. If none is provided, the typical ports 1883 and 8883 (SSL) are used. Be aware that this binding allows only one bridge / one connection per unique host:port.
- secure: Uses TLS/SSL to establish a secure connection to the broker. Can be "OFF","ON","AUTO". The AUTO setting prefers a secure connection but will fall-back to an insecure one. Default is ON.
Additionally the following parameters can be set:
- qos: Quality of Service. Can be 0, 1 or 2. Please read the MQTT specification for details. Defaults to 0.
- clientID: Use a fixed client ID. Defaults to empty which means a user ID is generated for this connection.
- retainMessages: Retain messages. Defaults to false.
Reconnect parameters are:
- reconnectTime: Reconnect time in ms. If a connection is lost, the binding will wait this time before it tries to reconnect. Defaults to 60000 (60s).
- keepAlive: Keep alive / heartbeat timer in ms. It can take up to this time to determine if a server connection is lost. A lower value may keep the broker unnecessarily busy for no or little additional value. Defaults to 60000 (60s).
An MQTT last will and testament can be configured:
- lwtMessage: An optional last will and testament message. Defaults to empty.
- lwtTopic: The last will topic. Defaults to empty and therefore disables the last will.
- lwtQos: The optional qos of the last will. Defaults to 0.
- lwtRetain: Retain last will message. Defaults to false.
For more security, the following optional parameters can be altered:
- username: The MQTT username (since MQTT 3.1). Defaults to empty.
- password: The MQTT password (since MQTT 3.1). Defaults to empty.
- certificatepin: If this is set: After the next connection has been successfully established, the certificate is pinned. The connection will be refused if another certificate is used. Clear certificate to allow a new certificate for the next connection attempt. This option will increase security.
- publickeypin: If this is set: After the next connection has been successfully established, the public key of the broker is pinned. The connection will be refused if another public key is used. Clear publickey to allow a new public key for the next connection attempt. This option will increase security.
- certificate: The certificate hash. If certificatepin is set this hash is used to verify the connection. Clear to allow a new certificate pinning on the next connection attempt. If empty will be filled automatically by the next successful connection. An example input would be
- publickey: The public key hash. If publickeypin is set this hash is used to verify the connection. Clear to allow a new public key pinning on the next connection attempt. If empty will be filled automatically by the next successful connection. An example input would be
You can extend your broker connection bridges with a channel:
- publishTrigger: This channel is triggered when a value is published to the configured MQTT topic on this broker connection. The event payload will be the received MQTT topic value.
Configuration parameters are:
- stateTopic: This channel will trigger on this MQTT topic. This topic can contain wildcards like + and # for example "all/in/#" or "sensors/+/config".
- payload: An optional condition on the value of the MQTT topic that must match before this channel is triggered.
In a first example a very secure connection to a broker is defined. It pins the returned certificate and public key. If someone tries a man in the middle attack later on, this broker connection will recognize it and refuse a connection. Be aware that if your brokers certificate changes, you need to remove the connection entry and add it again. Secure connections are default, if you do not provide the "secure" parameter.
The second connection is a plain, unsecured one. Use this only for local MQTT Brokers.
A third connection uses a username and password for authentication. Secure is set to false as the username and password is requested by the broker. The credentials are plain values on the wire, therefore you should only use this on a secure connection.
In a forth connection, the public key pinning is enabled again. This time, a public key hash is provided to pin the connection to a specific server. It follows the form "hashname:hashvalue". Valid hashnames are SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 and all others listed in Java MessageDigest Algorithms.
mqtt:broker:mySecureBroker [ host="192.168.0.41", secure=true, certificatepin=true, publickeypin=true ] mqtt:broker:myUnsecureBroker [ host="192.168.0.42", secure=false ] mqtt:broker:myAuthentificatedBroker [ host="192.168.0.43", secure=false, username="user", password="password" ] mqtt:broker:pinToPublicKey [ host="192.168.0.44", secure=true, publickeypin=true, publickey="SHA-256:9a6f30e67ae9723579da2575c35daf7da3b370b04ac0bde031f5e1f5e4617eb8" ]