MQTT User Authentication
Choose between password and certificate authentication for MQTT clients.
Connectware supports two authentication methods for MQTT clients: Username/password and x.509 certificate with Mutual TLS for CybusMQ connections. You can set the authentication method via the CYBUS_BROKER_USE_MUTUAL_TLS environment variable.
Username/Password | CYBUS_BROKER_USE_MUTUAL_TLS=no | Client must provide username and password
Mutual TLS | CYBUS_BROKER_USE_MUTUAL_TLS=yes | Client must provide valid x.509 certificate
Username/Password Authentication
When Mutual TLS is disabled, MQTT clients authenticate using a username and password:
This authentication method works with all MQTT connection schemes (TCP, WebSocket, SSL/TLS).
Mutual TLS Authentication
Mutual TLS offers enhanced security by eliminating password transmission and providing stronger client verification. When enabled, Mutual TLS provides certificate-based authentication:
Requires a valid x.509 client certificate signed by the Connectware CA.
The certificate's Common Name (CN) must match a Connectware username with grant type certificate.
No username or password needed - possession of a valid certificate proves identity.
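A pre-flight check for the two certificate requirements above, as an added example that is not part of the Connectware documentation or tooling. It assumes OpenSSL is installed; the function names, the throwaway "Demo CA" (a constructed stand-in for the Connectware CA), the file names and the usernames are all constructed for illustration.

```shell
#!/bin/sh
# Added example: check a client certificate before relying on
# CYBUS_BROKER_USE_MUTUAL_TLS=yes. All file and user names are constructed.

# check_client_cert CA_FILE CERT_FILE USERNAME
# Returns 0 only if CERT_FILE verifies against CA_FILE and its CN is USERNAME.
# Exact, case-sensitive CN comparison is an assumption of this example.
check_client_cert() {
    ca=$1; cert=$2; user=$3
    # 1. Chain of trust: the certificate must be signed by the given CA.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2; return 1
    fi
    # 2. Identity: the subject CN must equal the username.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    if [ "$cn" != "$user" ]; then
        echo "FAIL: CN '$cn' does not match username '$user'" >&2; return 2
    fi
    echo "OK: CN '$cn' verifies against $ca"
}

# make_demo_pki DIR: constructed throwaway CA, a client certificate it signs,
# and a self-signed look-alike certificate carrying the same CN.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=device01" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=device01" \
        -keyout "$d/rogue.key" -out "$d/rogue.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_pki "$demo"
check_client_cert "$demo/ca.crt" "$demo/client.crt" device01             # passes
check_client_cert "$demo/ca.crt" "$demo/client.crt" operator || true     # CN mismatch
check_client_cert "$demo/ca.crt" "$demo/rogue.crt"  device01 || true     # wrong issuer
```

The third call shows why the CN alone is not enough: a self-signed certificate can carry any CN, so the chain check has to pass first.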
MQTT Permissions
Once authenticated (by either method), MQTT clients can interact with topics based on their assigned permissions:
read | Subscribe to topics
write | Publish to topics
readWrite | Both subscribe and publish