<!DOCTYPE html>
<html lang="en" class="js csstransforms3d">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="generator" content="Hugo 0.81.0" />
<meta name="description" content="A set of micro-services for connecting millions of devices.">
<meta name="author" content="The Eclipse Hono Project">
<link rel="apple-touch-icon" sizes="180x180" href="/hono/docs/favicon/apple-touch-icon.png">
<link rel="icon" type="image/png" sizes="48x48" href="/hono/docs/favicon/favicon-48x48.png">
<link rel="icon" type="image/png" sizes="32x32" href="/hono/docs/favicon/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="16x16" href="/hono/docs/favicon/favicon-16x16.png">
<link rel="manifest" href="/hono/docs/favicon/site.webmanifest">
<link rel="mask-icon" href="/hono/docs/favicon/safari-pinned-tab.svg" color="#5bbad5">
<link rel="shortcut icon" href="/hono/docs/favicon/favicon.ico">
<meta name="msapplication-TileColor" content="#da532c">
<meta name="msapplication-config" content="/hono/docs/favicon/browserconfig.xml">
<meta name="theme-color" content="#ffffff">
<title>Secure Communication :: Eclipse Hono&trade; Vers.: 1.0</title>
<link href="/hono/docs/css/nucleus.css?1626138735" rel="stylesheet">
<link href="/hono/docs/css/fontawesome-all.min.css?1626138735" rel="stylesheet">
<link href="/hono/docs/css/hybrid.css?1626138735" rel="stylesheet">
<link href="/hono/docs/css/featherlight.min.css?1626138735" rel="stylesheet">
<link href="/hono/docs/css/perfect-scrollbar.min.css?1626138735" rel="stylesheet">
<link href="/hono/docs/css/auto-complete.css?1626138735" rel="stylesheet">
<link href="/hono/docs/css/atom-one-dark-reasonable.css?1626138735" rel="stylesheet">
<link href="/hono/docs/css/theme.css?1626138735" rel="stylesheet">
<link href="/hono/docs/css/hugo-theme.css?1626138735" rel="stylesheet">
<link href="/hono/docs/css/theme-hono.css?1626138735" rel="stylesheet">
<link href="/hono/docs/css/hono.css?1626138735" rel="stylesheet">
<script src="/hono/docs/js/jquery-3.3.1.min.js?1626138735"></script>
<style>
:root #header + #content > #left > #rlblock_left{
display:none !important;
}
:not(pre) > code + span.copy-to-clipboard {
display: none;
}
</style>
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:site" content="@EclipseHono">
<meta name="twitter:title" content="Secure Communication :: Eclipse Hono&trade; Vers.: 1.0">
<meta name="twitter:image" content="https://www.eclipse.org/hono/docs/images/twitter_image.png">
<meta name="twitter:description" content="A set of micro-services for connecting millions of devices.">
<meta property="og:title" content="Secure Communication :: Eclipse Hono&trade; Vers.: 1.0" />
<meta property="og:type" content="website" />
<meta property="og:url" content="https://www.eclipse.org/hono/docs/1.0/admin-guide/secure_communication//" />
<meta property="og:image" content="https://www.eclipse.org/hono/docs/images/twitter_image.png" />
</head>
<body class="" data-url="/hono/docs/1.0/admin-guide/secure_communication/">
<section id="body">
<div class="old-version-hint">
<p>This page refers to version <em>1.0</em>.
You might want to use the <a href="https://www.eclipse.org/hono/docs/">current stable</a> version.
</p>
</div>
<div class="padding highlightable">
<div id="body-inner">
<h1>
Secure Communication
</h1>
<p>The individual components of an Eclipse Hono™ installation, e.g. the protocol adapters, <em>AMQP Messaging Network</em>, <em>Hono Auth</em> etc., and the clients attaching to Hono in order to send and receive data, all communicate with each other using AMQP 1.0 over TCP. The Hono components and the clients will usually not be located on the same local network but will probably communicate over public networking infrastructure. For most use cases it is therefore desirable, if not necessary, to protect the confidentiality (and integrity) of the data being transferred between these components. This section describes how Hono supports this by means of <em>Transport Layer Security</em> (TLS) and how to configure it.</p>
<h2 id="enabling-tls">Enabling TLS</h2>
<p>All of Hono&rsquo;s components can be configured to use TLS for establishing an encrypted communication channel with peers. When a client initiates a connection with a server, the TLS handshake protocol is used to negotiate parameters of a secure channel to be used for exchanging data. The most important of those parameters is a secret (symmetric) encryption key that is only known to the client and the server and which is used to transparently encrypt all data being sent over the connection as long as the connection exists. With each new connection, a new secret key is negotiated.</p>
<p>Using TLS in this way requires configuring the server component with a cryptographic <em>private/public key</em> pair and a <em>certificate</em> which <em>binds</em> an <em>identity claim</em> to the public key. It is out of scope of this document to describe the full process of creating such a key pair and acquiring a corresponding certificate. The <code>demo-certs</code> module already contains a set of keys and certificates to be used for evaluation and demonstration purposes only; they are not suitable for production deployments. Throughout the rest of this section we will use these keys and certificates. Please refer to the <code>demo-certs/README.md</code> file for details regarding how to create your own keys and certificates.</p>
<p>Within a Hono installation the following communication channels can be secured with TLS:</p>
<ol>
<li>Applications connecting to <em>Dispatch Router</em> - Client applications consuming e.g. Telemetry data from Hono connect to the AMQP Messaging Network. This connection can be secured by configuring the client and the messaging network for TLS.</li>
<li><em>Device Registry</em> connecting to <em>Auth Server</em> - The Device Registry connects to the Auth Server in order to verify client credentials and determine the client&rsquo;s authorities. This (internal) connection can, and should, be secured by configuring the Auth Server and the Device Registry for TLS.</li>
<li><em>Protocol Adapter</em> to <em>Device Registry</em> - A protocol adapter connects to the Device Registry in order to retrieve assertions regarding the registration status of devices. This (internal) connection can be secured by configuring the protocol adapter and the Device Registry for TLS.</li>
<li><em>Protocol Adapter</em> connecting to <em>AMQP Messaging Network</em> - A protocol adapter connects to the messaging network in order to forward telemetry data and commands back and forth between downstream components (client applications) and devices. This (internal) connection can be secured by configuring the Dispatch Router and the protocol adapters for TLS.</li>
<li><em>Devices</em> connecting to a <em>Protocol Adapter</em> - Devices use TLS both to authenticate the protocol adapter and to establish an encrypted channel that provides integrity and privacy when transmitting data. Note that whether and how TLS can be used with a particular protocol adapter depends on the transport protocol the adapter uses for communicating with the devices.</li>
<li><em>Liveness/readiness probes</em> connecting to <em>Service Health Checks</em> - Systems like Kubernetes periodically check the health status of the individual services. This communication can be secured by configuring the health check of the individual services to expose a secure endpoint.</li>
</ol>
<h3 id="auth-server">Auth Server</h3>
<p>The Auth Server supports the use of TLS for connections to clients. Please refer to the <a href="/hono/docs/1.0/admin-guide/auth-server-config/">Auth Server admin guide</a> for details regarding the required configuration steps.</p>
<p>The <code>demo-certs/certs</code> folder includes the following demo keys and certificates to be used with the Auth Server for that purpose.</p>
<table>
<thead>
<tr>
<th style="text-align:left">File</th>
<th style="text-align:left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left"><code>auth-server-key.pem</code></td>
<td style="text-align:left">The example private key for creating signatures.</td>
</tr>
<tr>
<td style="text-align:left"><code>auth-server-cert.pem</code></td>
<td style="text-align:left">The example certificate asserting the server&rsquo;s identity.</td>
</tr>
<tr>
<td style="text-align:left"><code>trusted-certs.pem</code></td>
<td style="text-align:left">Trusted CA certificates to use for verifying signatures.</td>
</tr>
</tbody>
</table>
<h3 id="dispatch-router">Dispatch Router</h3>
<p>The Dispatch Router reads its configuration from a file on startup (the default location is <code>/etc/qpid-dispatch/qdrouterd.conf</code>). Please refer to the <a href="https://qpid.apache.org/components/dispatch-router/index.html">Dispatch Router documentation</a> for details regarding the configuration of TLS/SSL.</p>
<p>The <code>demo-certs/certs</code> folder includes the following demo keys and certificates to be used with the Dispatch Router for that purpose:</p>
<table>
<thead>
<tr>
<th style="text-align:left">File</th>
<th style="text-align:left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left"><code>qdrouter-key.pem</code></td>
<td style="text-align:left">The example private key for creating signatures.</td>
</tr>
<tr>
<td style="text-align:left"><code>qdrouter-cert.pem</code></td>
<td style="text-align:left">The example certificate asserting the server&rsquo;s identity.</td>
</tr>
<tr>
<td style="text-align:left"><code>trusted-certs.pem</code></td>
<td style="text-align:left">Trusted CA certificates to use for verifying signatures.</td>
</tr>
</tbody>
</table>
<h3 id="device-registry">Device Registry</h3>
<p>The Device Registry supports the use of TLS for connections to protocol adapters and the Auth Server.
Please refer to the <a href="/hono/docs/1.0/admin-guide/device-registry-config/">Device Registry admin guide</a> for details regarding the required configuration steps.</p>
<p>The <code>demo-certs/certs</code> folder contains the following demo keys and certificates to be used with the Device Registry for that purpose.</p>
<table>
<thead>
<tr>
<th style="text-align:left">File</th>
<th style="text-align:left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left"><code>auth-server-cert.pem</code></td>
<td style="text-align:left">The certificate of the Auth Server, used to verify the signatures of tokens issued by the Auth Server.</td>
</tr>
<tr>
<td style="text-align:left"><code>device-registry-key.pem</code></td>
<td style="text-align:left">The example private key for creating signatures.</td>
</tr>
<tr>
<td style="text-align:left"><code>device-registry-cert.pem</code></td>
<td style="text-align:left">The example certificate asserting the server&rsquo;s identity.</td>
</tr>
<tr>
<td style="text-align:left"><code>trusted-certs.pem</code></td>
<td style="text-align:left">Trusted CA certificates to use for verifying signatures.</td>
</tr>
</tbody>
</table>
<h3 id="http-adapter">HTTP Adapter</h3>
<p>The HTTP adapter supports the use of TLS for its connections to the Tenant service, the Device Registration service, the Credentials service and the AMQP Messaging Network. The adapter also supports the use of TLS for connections with devices. For this purpose, the adapter can be configured with a server certificate and private key.
Please refer to the <a href="/hono/docs/1.0/admin-guide/http-adapter-config/">HTTP adapter admin guide</a> for details regarding the required configuration steps.</p>
<p>The <code>demo-certs/certs</code> folder contains the following demo keys and certificates to be used with the HTTP adapter for that purpose.</p>
<table>
<thead>
<tr>
<th style="text-align:left">File</th>
<th style="text-align:left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left"><code>http-adapter-key.pem</code></td>
<td style="text-align:left">The example private key for creating signatures.</td>
</tr>
<tr>
<td style="text-align:left"><code>http-adapter-cert.pem</code></td>
<td style="text-align:left">The example certificate asserting the adapter&rsquo;s identity.</td>
</tr>
<tr>
<td style="text-align:left"><code>trusted-certs.pem</code></td>
<td style="text-align:left">Trusted CA certificates to use for verifying signatures.</td>
</tr>
</tbody>
</table>
<h3 id="mqtt-adapter">MQTT Adapter</h3>
<p>The MQTT adapter supports the use of TLS for its connections to the Tenant service, the Device Registration service, the Credentials service and the AMQP Messaging Network. The adapter also supports the use of TLS for connections with devices. For this purpose, the adapter can be configured with a server certificate and private key.
Please refer to the <a href="/hono/docs/1.0/admin-guide/mqtt-adapter-config/">MQTT adapter admin guide</a> for details regarding the required configuration steps.</p>
<p>The <code>demo-certs/certs</code> folder contains the following demo keys and certificates to be used with the MQTT adapter for that purpose.</p>
<table>
<thead>
<tr>
<th style="text-align:left">File</th>
<th style="text-align:left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left"><code>mqtt-adapter-key.pem</code></td>
<td style="text-align:left">The example private key for creating signatures.</td>
</tr>
<tr>
<td style="text-align:left"><code>mqtt-adapter-cert.pem</code></td>
<td style="text-align:left">The example certificate asserting the adapter&rsquo;s identity.</td>
</tr>
<tr>
<td style="text-align:left"><code>trusted-certs.pem</code></td>
<td style="text-align:left">Trusted CA certificates to use for verifying signatures.</td>
</tr>
</tbody>
</table>
<h3 id="kura-adapter">Kura Adapter</h3>
<p>The Kura adapter supports the use of TLS for its connections to the Tenant service, the Device Registration service, the Credentials service and the AMQP Messaging Network. The adapter also supports the use of TLS for connections with devices. For this purpose, the adapter can be configured with a server certificate and private key.
Please refer to the <a href="/hono/docs/1.0/admin-guide/kura-adapter-config/">Kura adapter admin guide</a> for details regarding the required configuration steps.</p>
<p>The <code>demo-certs/certs</code> folder contains the following demo keys and certificates to be used with the Kura adapter for that purpose.</p>
<table>
<thead>
<tr>
<th style="text-align:left">File</th>
<th style="text-align:left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left"><code>kura-adapter-key.pem</code></td>
<td style="text-align:left">The example private key for creating signatures.</td>
</tr>
<tr>
<td style="text-align:left"><code>kura-adapter-cert.pem</code></td>
<td style="text-align:left">The example certificate asserting the adapter&rsquo;s identity.</td>
</tr>
<tr>
<td style="text-align:left"><code>trusted-certs.pem</code></td>
<td style="text-align:left">Trusted CA certificates to use for verifying signatures.</td>
</tr>
</tbody>
</table>
<h3 id="client-application">Client Application</h3>
<p>When the connection between an application client and Hono (i.e. the Dispatch Router) is supposed to be secured by TLS (which is a good idea),
then the client application needs to be configured to trust the CA that signed the Dispatch Router&rsquo;s certificate chain.
Clients can use the <code>org.eclipse.hono.client.HonoConnection.newConnection(ClientConfigProperties)</code> method to establish a connection
to Hono. The <code>org.eclipse.hono.config.ClientConfigProperties</code> instance passed in to the method needs to be configured
with the trust store containing the CA&rsquo;s certificate.
Please refer to the <a href="/hono/docs/1.0/admin-guide/hono-client-configuration/">Hono Client configuration guide</a> for details regarding the
corresponding configuration properties that need to be set.</p>
<p>The <code>demo-certs/certs</code> folder contains the following demo keys to be used with client applications for that purpose.</p>
<table>
<thead>
<tr>
<th style="text-align:left">File</th>
<th style="text-align:left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:left"><code>trusted-certs.pem</code></td>
<td style="text-align:left">Trusted CA certificates to use for verifying signatures.</td>
</tr>
</tbody>
</table>
<h2 id="using-openssl">Using OpenSSL</h2>
<p>Hono&rsquo;s individual services are implemented in Java and therefore, by default, use the SSL/TLS engine that comes with the Java Virtual Machine that the services are running on. In case of the Docker images provided by Hono this is the SSL engine of OpenJDK. While the standard SSL engine has the advantage of being a part of the JVM itself and thus being available on every operating system that the JVM is running on without further installation, it provides only limited performance and throughput when compared to native TLS implementations like <a href="https://www.openssl.org/">OpenSSL</a>.</p>
<p>In order to address this problem, the Netty networking library that is used in Hono&rsquo;s components can be configured to employ the OpenSSL instead of the JVM&rsquo;s SSL engine by means of Netty&rsquo;s <a href="http://netty.io/wiki/forked-tomcat-native.html">Forked Tomcat Native</a> (tcnative) module.</p>
<p>The tcnative module comes in several flavors, corresponding to the way that the OpenSSL library has been linked in. The statically linked versions include a specific version of OpenSSL (or <a href="https://boringssl.googlesource.com/">BoringSSL</a> for that matter) and are therefore the easiest to use on supported platforms, regardless of whether another version of OpenSSL is already installed or not. In contrast, the dynamically linked variants depend on a particular version of OpenSSL being already installed on the operating system. Both approaches have their pros and cons: a statically linked variant pins the bundled TLS library, so fixes to OpenSSL or BoringSSL only reach the service once a newer tcnative jar is deployed, whereas a dynamically linked variant follows the operating system&rsquo;s OpenSSL updates but must match the installed version. Hono therefore does not include tcnative in its Docker images by default, i.e. Hono&rsquo;s services will use the JVM&rsquo;s default SSL engine by default.</p>
<h3 id="configuring-containers">Configuring Containers</h3>
<p>When starting up any of Hono&rsquo;s Docker images as a container, the JVM will look for additional jar files to include in its classpath in the container&rsquo;s <code>/opt/hono/extensions</code> folder. Thus, using a specific variant of tcnative is just a matter of configuring the container to mount a volume or binding a host folder at that location and putting the desired variant of tcnative into the corresponding volume or host folder. Since every jar found there is loaded into the service&rsquo;s JVM, the mounted content should come from a trusted source and, as in the example below, be mounted read-only.
Assuming that the Auth Server should be run with the statically linked, BoringSSL based tcnative variant, the following steps are necessary:</p>
<ol>
<li>
<p><a href="http://netty.io/wiki/forked-tomcat-native.html#how-to-download-netty-tcnative-boringssl-static">Download tcnative</a> matching the platform architecture (<em>linux-x86_64</em>).</p>
</li>
<li>
<p>Put the jar file into a folder on the Docker host, e.g. <code>/tmp/tcnative</code>.</p>
</li>
<li>
<p>Start the Auth Server Docker image mounting the host folder:</p>
<div class="highlight"><pre style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-sh" data-lang="sh">docker run --name hono-auth-server --mount type<span style="color:#f92672">=</span>bind,src<span style="color:#f92672">=</span>/tmp/tcnative,dst<span style="color:#f92672">=</span>/opt/hono/extensions,ro ... eclipse/hono-service-auth
</code></pre></div></li>
</ol>
<p>Note that the command given above does not contain the environment variables and secrets that are usually required to configure the service properly.</p>
<p>When the Auth Server starts up, it will look for a working variant of tcnative on its classpath and (if found) use it for establishing TLS connections. The service&rsquo;s log file will indicate whether the JVM&rsquo;s default SSL engine or OpenSSL is used.</p>
<p>Using a Docker <em>volume</em> instead of a <em>bind mount</em> works the same way but requires the use of <code>volume</code> as the <em>type</em> of the <code>--mount</code> parameter. Please refer to the <a href="https://docs.docker.com/edge/engine/reference/commandline/service_create/#add-bind-mounts-volumes-or-memory-filesystems">Docker reference documentation</a> for details.</p>
<footer class="footline">
</footer>
</div>
</div>
</section>
<script src="/hono/docs/js/clipboard.min.js?1626138736"></script>
<script src="/hono/docs/js/perfect-scrollbar.min.js?1626138736"></script>
<script src="/hono/docs/js/perfect-scrollbar.jquery.min.js?1626138736"></script>
<script src="/hono/docs/js/jquery.sticky.js?1626138736"></script>
<script src="/hono/docs/js/featherlight.min.js?1626138736"></script>
<script src="/hono/docs/js/highlight.pack.js?1626138736"></script>
<script>hljs.initHighlightingOnLoad();</script>
<script src="/hono/docs/js/modernizr.custom-3.6.0.js?1626138736"></script>
<script src="/hono/docs/js/learn.js?1626138736"></script>
<script src="/hono/docs/js/hugo-learn.js?1626138736"></script>
<link href="/hono/docs/mermaid/mermaid.css?1626138736" rel="stylesheet" />
<script src="/hono/docs/mermaid/mermaid.js?1626138736"></script>
<script>
mermaid.initialize({ startOnLoad: true });
</script>
</body>
</html>