MQTT User Authentication
Choose between password and certificate authentication for MQTT clients.
Connectware supports two authentication methods for MQTT clients: username/password, and x.509 certificates with Mutual TLS for CybusMQ connections. You can set the authentication method via the CYBUS_BROKER_USE_MUTUAL_TLS setting.
Username/Password: CYBUS_BROKER_USE_MUTUAL_TLS=no. Client must provide username and password.
Mutual TLS: CYBUS_BROKER_USE_MUTUAL_TLS=yes. Client must provide valid x.509 certificate.
When Mutual TLS is disabled, MQTT clients authenticate using a username and password.
This authentication method works with all MQTT connection schemes (TCP, WebSocket, SSL/TLS).
Mutual TLS offers enhanced security by eliminating password transmission and providing stronger client verification. When enabled, Mutual TLS provides certificate-based authentication:
Requires a valid x.509 client certificate signed by the Connectware CA.
The certificate's Common Name (CN) must match a Connectware username with grant type certificate.
No username or password needed - possession of a valid certificate proves identity.
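A pre-deployment check for the two certificate conditions listed above, as an added example that is not part of the Connectware documentation: it verifies that a client certificate chains to a given CA and that its CN equals the intended username. The CA, the certificate files and the username `line1-sensor` are constructed stand-ins; whether that user exists with grant type certificate still has to be confirmed in Connectware itself.

```shell
#!/bin/sh
# Added example. Requires the openssl command-line tool.

# check_client_cert CA_FILE CERT_FILE USERNAME
# Returns 0 = ok, 1 = not valid under the CA, 2 = CN differs from the username.
check_client_cert() {
    ca_file=$1; cert_file=$2; username=$3
    # Condition 1: the certificate must chain to the given CA and be within its
    # validity period. -no-CApath keeps the default system CA directory out of the check.
    if ! openssl verify -no-CApath -CAfile "$ca_file" "$cert_file" >/dev/null 2>&1; then
        echo "FAIL: $cert_file is not valid under $ca_file" >&2
        return 1
    fi
    # Condition 2: the subject Common Name must equal the username.
    cn=$(openssl x509 -in "$cert_file" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    if [ "$cn" != "$username" ]; then
        echo "FAIL: CN '$cn' does not match username '$username'" >&2
        return 2
    fi
    echo "OK: CN '$cn' chains to the CA"
}

# make_demo_ca DIR NAME: constructed throwaway CA standing in for the real CA.
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_demo_client DIR CA_NAME CN: constructed client certificate issued by that CA.
make_demo_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

# Demo run on constructed material in a temporary directory.
demo_dir=$(mktemp -d)
make_demo_ca "$demo_dir" demo-ca
make_demo_client "$demo_dir" demo-ca line1-sensor
check_client_cert "$demo_dir/demo-ca.crt" "$demo_dir/line1-sensor.crt" line1-sensor
```

Against a real deployment, pass the exported CA certificate and the client certificate you intend to install instead of the demo files.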
Once authenticated (by either method), MQTT clients can interact with topics based on their assigned permissions:
read: Subscribe to topics
write: Publish to topics
readWrite: Both subscribe and publish
To manage MQTT user permissions efficiently, create specific roles with appropriate topic permissions and assign them to users rather than configuring permissions individually. For more information, see .