MQTT Client Authentication

Configure authentication for MQTT clients connecting to Connectware.

MQTT clients connecting to Connectware authenticate as Connectware users. Connectware supports two authentication methods for MQTT clients: username/password and X.509 certificate-based Mutual TLS (mTLS).

| Method | Client requirements |
| --- | --- |
| Username/Password | Client must provide username and password |
| Mutual TLS | Client must provide valid X.509 certificate |

Username/Password Authentication

MQTT clients can authenticate using a username and password. This authentication method works with all MQTT connection schemes (TCP, WebSocket, SSL/TLS).

Mutual TLS Authentication

With mTLS, clients authenticate by presenting a valid X.509 certificate instead of a username and password. Connectware reads the certificate's Common Name (CN) as a username and matches it against a user configured with the certificate grant type. That user's roles and permissions govern which topics the client can access.

The client certificate must be signed by a Certificate Authority that Connectware trusts.

Setting Up Mutual TLS

To use mTLS, complete the following steps in Connectware:

  1. Add your CA to the cybus_ca.crt certificate bundle so that Connectware can verify client certificates issued by your organization. See CA Certificates.

  2. Enable certificate-based authentication for each user by setting the grant type to certificate in the user's settings in the Admin UI. See Client Certificates for the full setup procedure, including CSR generation and certificate signing.
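The following pre-flight check is an added example, not part of the Connectware documentation or tooling: it confirms with OpenSSL that a client certificate chains to a CA in a given bundle and that its CN equals the intended username, the two conditions described above. The CA names, the username `mqtt-client-01` and the temporary files are constructed sample data; in practice you would pass your copy of `cybus_ca.crt` as the bundle.

```shell
#!/bin/sh
# Added example: pre-flight check for an mTLS client certificate.

# Print the subject Common Name (CN) of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p'
}

# Return 0 only if the certificate chains to a CA in the bundle (else 1)
# and its CN equals the intended username (else 2).
preflight() {  # usage: preflight <ca_bundle> <client_cert> <username>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || {
        echo "FAIL: $2 is not signed by a CA in $1"; return 1; }
    cn=$(cert_cn "$2")
    [ "$cn" = "$3" ] || {
        echo "FAIL: CN '$cn' does not match user '$3'"; return 2; }
    echo "OK: CN '$cn' chains to a CA in $1"
}

# Constructed sample data: a throwaway CA and a client certificate it signs.
make_ca() {  # usage: make_ca <dir> <ca_name>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}
issue_client() {  # usage: issue_client <dir> <ca_name> <username>
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_ca "$d" demo-ca; make_ca "$d" other-ca
    issue_client "$d" demo-ca mqtt-client-01
    preflight "$d/demo-ca.crt" "$d/mqtt-client-01.crt" mqtt-client-01
    preflight "$d/other-ca.crt" "$d/mqtt-client-01.crt" mqtt-client-01 || true
    preflight "$d/demo-ca.crt" "$d/mqtt-client-01.crt" someone-else || true
    rm -rf "$d"
}
demo
```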

MQTT Permissions

Once authenticated, MQTT clients can interact with topics based on the permissions assigned to their corresponding Connectware user:

| Permission | Allowed actions |
| --- | --- |
| read | Subscribe to topics |
| write | Publish to topics |
| readWrite | Both subscribe and publish |

To manage MQTT user permissions efficiently, create specific roles with appropriate topic permissions and assign them to users rather than configuring permissions individually. For more information, see Permissions.
