search
Contact Uscybus.io

MQTT User Authentication

Choose between password and certificate authentication for MQTT clients.

Connectware supports two authentication methods for MQTT clients: Username/password and x.509 certificate with Mutual TLS for CybusMQ connections. You can set the authentication method via the CYBUS_BROKER_USE_MUTUAL_TLS environment variable.

Method
Configuration
Client requirements

Username/Password

CYBUS_BROKER_USE_MUTUAL_TLS=no

Client must provide username and password

Mutual TLS

CYBUS_BROKER_USE_MUTUAL_TLS=yes

Client must provide valid x.509 certificate

hashtag
Username/Password Authentication

When Mutual TLS is disabled, MQTT clients authenticate using a username and password:

This authentication method works with all MQTT connection schemes (TCP, WebSocket, SSL/TLS).

hashtag
Mutual TLS Authentication

Mutual TLS offers enhanced security by eliminating password transmission and providing stronger client verification. When enabled, Mutual TLS provides certificate-based authentication:

  • Requires a valid x.509 client certificate signed by the Connectware CA.

  • The certificate's Common Name (CN) must match a Connectware username with grant type certificate.

  • No username or password needed - possession of a valid certificate proves identity.

hashtag
MQTT Permissions

Once authenticated (by either method), MQTT clients can interact with topics based on their assigned permissions:

Permission
Allowed actions

read

Subscribe to topics

write

Publish to topics

readWrite

Both subscribe and publish

circle-info

To manage MQTT user permissions efficiently, create specific roles with appropriate topic permissions and assign them to users rather than configuring permissions individually. For more information, see Permissions.

PreviousPermissionsNextAdding a MQTT Publish Prefix for Users

Last updated

Was this helpful?