Change to aliases separated by realm
pankalog committed Jul 18, 2024
1 parent 90c618e commit 0e44fa8
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions docs/user-guide/agents-protocols/mqtt.md
Expand Up @@ -37,7 +37,7 @@ openssl pkcs12 -export -in OpenRemoteAWSCertificate.pem.crt -inkey OpenRemoteAWS
```
- Import the keypair into the existing keystore. Take note of the input for the `alias` parameter, we'll need it later:
```shell
keytool -importkeystore -destkeystore <storage dir>/<realm>.client_keystore -srckeystore OpenRemoteAWSKeyPair.p12 -srcstoretype PKCS12 -alias OpenRemoteAwsIoTClientCertificate
keytool -importkeystore -destkeystore <storage dir>/<realm>.client_keystore -srckeystore OpenRemoteAWSKeyPair.p12 -srcstoretype PKCS12 -alias <realm name of your choice>.OpenRemoteAwsIoTClientCertificate
```
- Import the Amazon Root CA certificate into the truststore;
```shell
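Review bot: the new alias placeholder `<realm name of your choice>` on the `-alias` argument is misleading, because the realm is not free to choose: the hunk below this one states that the agent must live in the realm named in the alias, and the destination keystore in the same command is already `<storage dir>/<realm>.client_keystore`. Reuse the same placeholder and spell out the constraint, e.g. `-alias <realm>.OpenRemoteAwsIoTClientCertificate`, followed by a sentence such as "`<realm>` must be the realm in which the MQTT agent will be created; it must match the `<realm>` in the keystore file name". Since the alias is what selects the client private key for TLS authentication, making that coupling explicit avoids an agent silently failing to find (or picking up the wrong) certificate.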
Expand All @@ -46,10 +46,12 @@ keytool -importcert -file AmazonRootCA1.pem -keystore <storage dir>/<realm>.clie

Now, we are ready to start OpenRemote again, and create a new MQTT Agent.

**Make sure** that the Agent is situated in the realm that is specified in the Alias, or else OpenRemote will not be able to retrieve the correct certificate.

In that agent, ensure that you have set:
- The correct host and port (AWS IoT Core MQTT broker is set to `8883`)
- Secure mode turned on
- Set the certificate alias to the alias we set above: `OpenRemoteAwsIoTClientCertificate`. The alias is used to allow the MQTT agent to select the correct certificate to use for the authentication.
- Set the certificate alias to the alias we set above, without the realm and the `.`: `OpenRemoteAwsIoTClientCertificate`. The alias is used to allow the MQTT agent to select the correct certificate to use for the authentication.
- Set the client ID, ensuring that it is allowed by the created Policy of the thing (Check AWS IoT Dashboard->`<your thing's name>`->Certificate->Policy to verify)

The agent attempts to connect, and it successfully authenticates and connects to the MQTT broker, ready to pub/sub according to your needs.
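Review bot: the added bullet "Set the certificate alias to the alias we set above, without the realm and the `.`" leaves the reader to guess how the realm prefix gets reattached; the bold note two paragraphs up only says the agent must sit in the same realm. State the mechanism in one sentence, e.g. "OpenRemote prefixes the alias with the agent's own realm, so an agent in realm `<realm>` looks up `<realm>.OpenRemoteAwsIoTClientCertificate` in `<realm>.client_keystore`", and drop the leading "Set" in that bullet since the list already opens with "ensure that you have set:". It would also help to say what the failure looks like when the realm and alias do not match (the agent cannot find a certificate and the TLS connection is refused), so operators can recognise a misconfiguration rather than suspecting the broker or policy.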
