Collocated One-way and Mutual TLS
CybusMQ supports both one-way TLS and mutual TLS clients on the same listener with configurable mount point routing.
CybusMQ can receive connections from both one-way TLS and mutual TLS clients on the same listener, eliminating the need for separate TCP ports for different TLS authentication modes.
Clients connecting with different TLS authentication types arrive at configurable mount points in the broker:
One-way TLS clients: Standard TLS where only the server certificate is validated.
Mutual TLS clients: Both server and client certificates are validated.
Clients are routed to different mount points depending on whether client certificate validation succeeds. With additional configuration, clients can be moved to the same mount point so they can communicate.
Enabling TLS
CybusMQ automatically enables the TLS listener when certificate files are provided.
Prerequisite
Your Helm chart is version 1.5.0 or later.
TLS certificates are configured as Kubernetes secrets.
Procedure
Kubernetes (Helm)
Open your values.yaml file.
Configure the certificate file paths.
global:
  broker:
    env:
      - name: DOCKER_VERNEMQ_LISTENER_CERT_FILE
        value: /cybusmq_certs/server.crt
      - name: DOCKER_VERNEMQ_LISTENER_KEY_FILE
        value: /cybusmq_certs/server.key
      - name: DOCKER_VERNEMQ_LISTENER_CA_FILE
        value: /cybusmq_certs/ca.crt
Docker Compose
Create or modify a docker-compose.override.yml file.
Set the certificate environment variables.
services:
  broker:
    environment:
      DOCKER_VERNEMQ_LISTENER_CERT_FILE: /certs/server.crt
      DOCKER_VERNEMQ_LISTENER_KEY_FILE: /certs/server.key
      DOCKER_VERNEMQ_LISTENER_CA_FILE: /certs/ca.crt
    volumes:
      - ./certs:/certs:ro
Mount Point Routing
By default, one-way TLS and mutual TLS clients are assigned to different mount points, preventing cross-communication. In Connectware deployments, the Auth-Server webhooks endpoint automatically moves clients to the same mount point, enabling communication between both authentication types.
For custom deployments without Connectware's Auth-Server, you can enable communication between the two authentication types in one of two ways:
Configure the broker to use the same mount point for both connection types through a custom configuration file.
Implement logic in a webhooks-based authentication server that assigns mount points dynamically.
For detailed information on webhooks and authentication plugins, refer to the official VerneMQ documentation.
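The following is an added example of the second option, a minimal webhooks-based authentication server; it is not part of the CybusMQ documentation or the Connectware Auth-Server. It assumes the one-way TLS and mutual TLS listeners are configured with the placeholder mount points "oneway-tls" and "mutual-tls", moves accepted clients to an assumed common mount point "shared" via the auth_on_register response modifier, and requires one-way TLS clients (whose certificate was never validated) to present a username and password against a constructed credential table, while mutual TLS clients are accepted on the certificate identity the broker passes as the username.

```python
"""Minimal auth_on_register webhook server (added example, not CybusMQ code).

Assumptions not taken from the documentation page:
  - listener mount points "oneway-tls" and "mutual-tls" (placeholder names);
  - a common mount point "shared" that both client types are moved to;
  - one-way TLS clients must present username/password, mutual TLS clients
    arrive with their certificate identity as the username.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

ONEWAY_MOUNTPOINT = "oneway-tls"   # assumed mount point of the one-way TLS path
MUTUAL_MOUNTPOINT = "mutual-tls"   # assumed mount point of the mutual TLS path
SHARED_MOUNTPOINT = "shared"       # assumed common mount point

# Constructed credential table for one-way TLS clients (demo data only).
ONEWAY_CREDENTIALS = {"sensor-gw": "s3cret"}


def _deny(reason="not_allowed"):
    # VerneMQ webhook error response shape.
    return {"result": {"error": reason}}


def _accept_on_shared():
    # "modifiers" lets the hook override the client's mount point.
    return {"result": "ok", "modifiers": {"mountpoint": SHARED_MOUNTPOINT}}


def handle_auth_on_register(payload: dict) -> dict:
    """Decide an auth_on_register request and route the client to a mount point.

    Deny by default: only clients arriving on one of the two known TLS mount
    points are accepted, and only after the check appropriate for that path.
    """
    mountpoint = payload.get("mountpoint")
    username = payload.get("username")
    password = payload.get("password")

    if mountpoint == MUTUAL_MOUNTPOINT:
        # The listener already validated the client certificate; the broker
        # passes the certificate identity as username. Refuse an empty one.
        if not username:
            return _deny()
        return _accept_on_shared()

    if mountpoint == ONEWAY_MOUNTPOINT:
        # Only the server was authenticated by TLS, so credentials are required.
        expected = ONEWAY_CREDENTIALS.get(username or "")
        if expected is None or password is None:
            return _deny()
        if not hmac.compare_digest(expected.encode(), str(password).encode()):
            return _deny()
        return _accept_on_shared()

    # Unknown listener: leave the decision to the next authentication plugin.
    return {"result": "next"}


class HookHandler(BaseHTTPRequestHandler):
    """HTTP endpoint the broker calls; the hook name arrives in a request header."""

    def do_POST(self):
        hook = self.headers.get("vernemq-hook", "")
        length = int(self.headers.get("Content-Length", "0") or 0)
        try:
            payload = json.loads(self.rfile.read(length) or b"{}")
        except json.JSONDecodeError:
            payload = {}
        if hook == "auth_on_register" and isinstance(payload, dict):
            response = handle_auth_on_register(payload)
        else:
            response = {"result": "next"}
        body = json.dumps(response).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only; the broker is expected to reach it locally.
    HTTPServer(("127.0.0.1", 8080), HookHandler).serve_forever()
```

The endpoint must be registered as an auth_on_register webhook in the broker's webhooks configuration as described in the VerneMQ documentation referenced above. Keying the decision on the mount point the client arrived at is what makes the routing safe: a client on the one-way path can never be promoted to the shared mount point without presenting credentials, and anything on an unexpected listener is handed on rather than accepted.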