<!DOCTYPE html>
<html lang="stable" class="js csstransforms3d">
<head>
<title>Secure Communication :: Eclipse Hono&trade;</title>
</head>
<body class="" data-url="/hono/docs/admin-guide/secure_communication/">
<section id="body">
<div id="overlay"></div>
<div class="padding highlightable">
<div>
</div>
<div id="body-inner">
<h1>Secure Communication</h1>
<p>The individual components of an Eclipse Hono&trade; installation, e.g. the protocol adapters, <em>AMQP Messaging Network</em>, <em>Hono Auth</em> etc., and the clients attaching to Hono in order to send and receive data all communicate with each other using AMQP 1.0 over TCP. The Hono components and the clients will usually not be located on the same local network but will probably communicate over public networking infrastructure. For most use cases it is therefore desirable, if not necessary, to provide for confidentiality and integrity of the data being transferred between these components, and to allow each party to verify the identity of the peer it is talking to. This section describes how Hono supports this by means of <em>Transport Layer Security</em> (TLS) and how to configure it.</p>
<h2 id="enabling-tls">Enabling TLS</h2>
<p>All of Hono&rsquo;s components can be configured to use TLS for establishing an encrypted communication channel with peers. When a client initiates a connection with a server, the TLS handshake protocol is used to negotiate the parameters of a secure channel to be used for exchanging data. The most important of those parameters is a secret (symmetric) encryption key that is only known to the client and the server and which is used to transparently encrypt and integrity-protect all data being sent over the connection as long as the connection exists. With each new connection, a new secret key is negotiated. As part of the handshake the client also verifies the server&rsquo;s certificate (see below), which ensures that the key is shared with the intended server rather than with an attacker sitting in the middle of the connection.</p>
<p>Using TLS in this way requires configuring the server component with a cryptographic <em>private/public key</em> pair and a <em>certificate</em> which <em>binds</em> an <em>identity claim</em> to the public key. It is out of scope of this document to describe the full process of creating such a key pair and acquiring a corresponding certificate. The <code>demo-certs</code> module already contains a set of keys and certificates to be used for evaluation and demonstration purposes. Throughout the rest of this section we will use these keys and certificates. Note that the demo private keys are published together with Hono&rsquo;s source code and are therefore known to everyone; they must never be used for anything other than evaluation and demonstration setups. Please refer to the <code>demo-certs/README.md</code> file for details regarding how to create your own keys and certificates.</p>
<p>Within a Hono installation the following communication channels can be secured with TLS:</p>
<ol>
<li>Applications connecting to <em>Dispatch Router</em> - Client applications consuming e.g. Telemetry data from Hono connect to the AMQP Messaging Network. This connection can be secured by configuring the client and the messaging network for TLS.</li>
<li><em>Device Registry</em> connecting to <em>Auth Server</em> - The Device Registry connects to the Auth Server in order to verify client credentials and determine the client&rsquo;s authorities. This (internal) connection can and should be secured by configuring the Auth Server and Device Registry for TLS, as credentials are transmitted over it.</li>
<li><em>Protocol Adapter</em> to <em>Device Registry</em> - A protocol adapter connects to the Device Registry in order to retrieve assertions regarding the registration status of devices. This (internal) connection can be secured by configuring the protocol adapter and the Device Registry for TLS.</li>
<li><em>Protocol Adapter</em> connecting to <em>AMQP Messaging Network</em> - A protocol adapter connects to the messaging network in order to forward telemetry data and commands back and forth between downstream components (client applications) and devices. This (internal) connection can be secured by configuring the Dispatch Router and the protocol adapters for TLS.</li>
<li><em>Devices</em> connecting to a <em>Protocol Adapter</em> - Devices use TLS to both authenticate the protocol adapter and to establish an encrypted channel that provides integrity and privacy when transmitting data. Note that whether and how TLS can be used with a particular protocol adapter depends on the transport protocol the adapter uses for communicating with the devices.</li>
<li><em>Liveness/readiness probes</em> connecting to <em>Service Health Checks</em> - Systems like Kubernetes periodically check the health status of the individual services. This communication can be secured by configuring the health check endpoint of the individual services to be exposed via TLS.</li>
</ol>
<h3 id="auth-server">Auth Server</h3>
<p>The Auth Server supports the use of TLS for connections to clients. Please refer to the <a href="/hono/docs/admin-guide/auth-server-config/">Auth Server admin guide</a> for details regarding the required configuration steps.</p>
<p>The <code>demo-certs/certs</code> folder includes the following demo keys and certificates to be used with the Auth Server for that purpose.</p>
<table>
<thead>
<tr>
<th align="left">File</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left"><code>auth-server-key.pem</code></td>
<td align="left">The example private key for creating signatures.</td>
</tr>
<tr>
<td align="left"><code>auth-server-cert.pem</code></td>
<td align="left">The example certificate asserting the server&rsquo;s identity.</td>
</tr>
<tr>
<td align="left"><code>trusted-certs.pem</code></td>
<td align="left">Trusted CA certificates to use for verifying signatures.</td>
</tr>
</tbody>
</table>
<h3 id="dispatch-router">Dispatch Router</h3>
<p>The Dispatch Router reads its configuration from a file on startup (the default location is <code>/etc/qpid-dispatch/qdrouterd.conf</code>). Please refer to the <a href="https://qpid.apache.org/components/dispatch-router/index.html">Dispatch Router documentation</a> for details regarding the configuration of TLS/SSL.</p>
<p>The <code>demo-certs/certs</code> folder includes the following demo keys and certificates to be used with the Dispatch Router for that purpose:</p>
<table>
<thead>
<tr>
<th align="left">File</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left"><code>qdrouter-key.pem</code></td>
<td align="left">The example private key for creating signatures.</td>
</tr>
<tr>
<td align="left"><code>qdrouter-cert.pem</code></td>
<td align="left">The example certificate asserting the server&rsquo;s identity.</td>
</tr>
<tr>
<td align="left"><code>trusted-certs.pem</code></td>
<td align="left">Trusted CA certificates to use for verifying signatures.</td>
</tr>
</tbody>
</table>
<h3 id="file-based-device-registry">File Based Device Registry</h3>
<p>The file based Device Registry supports the use of TLS for connections to protocol adapters and the Auth Server.
Please refer to the <a href="/hono/docs/admin-guide/file-based-device-registry-config/">file based Device Registry admin guide</a> for details regarding the required configuration steps.</p>
<p>The <code>demo-certs/certs</code> folder contains the following demo keys and certificates to be used with the file based Device Registry for that purpose.</p>
<table>
<thead>
<tr>
<th align="left">File</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left"><code>auth-server-cert.pem</code></td>
<td align="left">The certificate of the Auth Server, used to verify the signatures of tokens issued by the Auth Server.</td>
</tr>
<tr>
<td align="left"><code>device-registry-key.pem</code></td>
<td align="left">The example private key for creating signatures.</td>
</tr>
<tr>
<td align="left"><code>device-registry-cert.pem</code></td>
<td align="left">The example certificate asserting the server&rsquo;s identity.</td>
</tr>
<tr>
<td align="left"><code>trusted-certs.pem</code></td>
<td align="left">Trusted CA certificates to use for verifying signatures.</td>
</tr>
</tbody>
</table>
<h3 id="mongodb-based-device-registry">MongoDB Based Device Registry</h3>
<p>The MongoDB based Device Registry supports the use of TLS for connections to protocol adapters and the Auth Server.
Please refer to the <a href="/hono/docs/admin-guide/mongodb-device-registry-config/">MongoDB based Device Registry admin guide</a> for details regarding the required configuration steps.</p>
<p>The <code>demo-certs/certs</code> folder contains the following demo keys and certificates to be used with the MongoDB based Device Registry for that purpose.</p>
<table>
<thead>
<tr>
<th align="left">File</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left"><code>auth-server-cert.pem</code></td>
<td align="left">The certificate of the Auth Server, used to verify the signatures of tokens issued by the Auth Server.</td>
</tr>
<tr>
<td align="left"><code>device-registry-key.pem</code></td>
<td align="left">The example private key for creating signatures.</td>
</tr>
<tr>
<td align="left"><code>device-registry-cert.pem</code></td>
<td align="left">The example certificate asserting the server&rsquo;s identity.</td>
</tr>
<tr>
<td align="left"><code>trusted-certs.pem</code></td>
<td align="left">Trusted CA certificates to use for verifying signatures.</td>
</tr>
</tbody>
</table>
<h3 id="http-adapter">HTTP Adapter</h3>
<p>The HTTP adapter supports the use of TLS for its connections to the Tenant service, the Device Registration service, the Credentials service and the AMQP Messaging Network. The adapter also supports the use of TLS for connections with devices. For this purpose, the adapter can be configured with a server certificate and private key.
Please refer to the <a href="/hono/docs/admin-guide/http-adapter-config/">HTTP adapter admin guide</a> for details regarding the required configuration steps.</p>
<p>The <code>demo-certs/certs</code> folder contains the following demo keys and certificates to be used with the HTTP adapter for that purpose.</p>
<table>
<thead>
<tr>
<th align="left">File</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left"><code>http-adapter-key.pem</code></td>
<td align="left">The example private key for creating signatures.</td>
</tr>
<tr>
<td align="left"><code>http-adapter-cert.pem</code></td>
<td align="left">The example certificate asserting the adapter&rsquo;s identity.</td>
</tr>
<tr>
<td align="left"><code>trusted-certs.pem</code></td>
<td align="left">Trusted CA certificates to use for verifying signatures.</td>
</tr>
</tbody>
</table>
<h3 id="mqtt-adapter">MQTT Adapter</h3>
<p>The MQTT adapter supports the use of TLS for its connections to the Tenant service, the Device Registration service, the Credentials service and the AMQP Messaging Network. The adapter also supports the use of TLS for connections with devices. For this purpose, the adapter can be configured with a server certificate and private key.
Please refer to the <a href="/hono/docs/admin-guide/mqtt-adapter-config/">MQTT adapter admin guide</a> for details regarding the required configuration steps.</p>
<p>The <code>demo-certs/certs</code> folder contains the following demo keys and certificates to be used with the MQTT adapter for that purpose.</p>
<table>
<thead>
<tr>
<th align="left">File</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left"><code>mqtt-adapter-key.pem</code></td>
<td align="left">The example private key for creating signatures.</td>
</tr>
<tr>
<td align="left"><code>mqtt-adapter-cert.pem</code></td>
<td align="left">The example certificate asserting the adapter&rsquo;s identity.</td>
</tr>
<tr>
<td align="left"><code>trusted-certs.pem</code></td>
<td align="left">Trusted CA certificates to use for verifying signatures.</td>
</tr>
</tbody>
</table>
<h3 id="kura-adapter">Kura Adapter</h3>
<p>The Kura adapter supports the use of TLS for its connections to the Tenant service, the Device Registration service, the Credentials service and the AMQP Messaging Network. The adapter also supports the use of TLS for connections with devices. For this purpose, the adapter can be configured with a server certificate and private key.
Please refer to the <a href="/hono/docs/admin-guide/kura-adapter-config/">Kura adapter admin guide</a> for details regarding the required configuration steps.</p>
<p>The <code>demo-certs/certs</code> folder contains the following demo keys and certificates to be used with the Kura adapter for that purpose.</p>
<table>
<thead>
<tr>
<th align="left">File</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left"><code>kura-adapter-key.pem</code></td>
<td align="left">The example private key for creating signatures.</td>
</tr>
<tr>
<td align="left"><code>kura-adapter-cert.pem</code></td>
<td align="left">The example certificate asserting the adapter&rsquo;s identity.</td>
</tr>
<tr>
<td align="left"><code>trusted-certs.pem</code></td>
<td align="left">Trusted CA certificates to use for verifying signatures.</td>
</tr>
</tbody>
</table>
<h3 id="client-application">Client Application</h3>
<p>When the connection between an application client and Hono (i.e. the Dispatch Router) is secured by TLS (which is strongly recommended, as this connection typically crosses public networking infrastructure),
then the client application needs to be configured to trust the CA that signed the Dispatch Router&rsquo;s certificate chain, so that it can verify the identity of the server it is connecting to.
Clients can use the <code>org.eclipse.hono.client.HonoConnection.newConnection(ClientConfigProperties)</code> method to establish a connection
to Hono. The <code>org.eclipse.hono.config.ClientConfigProperties</code> instance passed in to the method needs to be configured
with the trust store containing the CA&rsquo;s certificate.
Please refer to the <a href="/hono/docs/admin-guide/hono-client-configuration/">Hono Client configuration guide</a> for details regarding the
corresponding configuration properties that need to be set.</p>
<p>The <code>demo-certs/certs</code> folder contains the following demo keys to be used with client applications for that purpose.</p>
<table>
<thead>
<tr>
<th align="left">File</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left"><code>trusted-certs.pem</code></td>
<td align="left">Trusted CA certificates to use for verifying signatures.</td>
</tr>
</tbody>
</table>
<h2 id="using-openssl">Using OpenSSL</h2>
<p>Hono&rsquo;s individual services are implemented in Java and therefore, by default, use the SSL/TLS engine that comes with the Java Virtual Machine that the services are running on. In the case of the Docker images provided by Hono this is the SSL engine of OpenJDK. While the standard SSL engine has the advantage of being a part of the JVM itself and thus being available on every operating system that the JVM is running on without further installation, it provides only limited performance and throughput when compared to native TLS implementations like <a href="https://www.openssl.org/">OpenSSL</a>.</p>
<p>In order to address this problem, the Netty networking library that is used in Hono&rsquo;s components can be configured to employ OpenSSL instead of the JVM&rsquo;s SSL engine by means of Netty&rsquo;s <a href="http://netty.io/wiki/forked-tomcat-native.html">Forked Tomcat Native</a> (tcnative) module.</p>
<p>The tcnative module comes in several flavors, corresponding to the way that the OpenSSL library has been linked in. The statically linked versions include a specific version of OpenSSL (or <a href="https://boringssl.googlesource.com/">BoringSSL</a> for that matter) and are therefore the easiest to use on supported platforms, regardless of whether another version of OpenSSL is already installed. In contrast, the dynamically linked variants depend on a particular version of OpenSSL being already installed on the operating system. Note that a statically linked variant only picks up OpenSSL security fixes when the tcnative jar itself is updated, whereas a dynamically linked variant follows the operating system&rsquo;s OpenSSL updates. Both approaches have their pros and cons and Hono therefore does not include tcnative in its Docker images by default, i.e. Hono&rsquo;s services will use the JVM&rsquo;s default SSL engine by default.</p>
<h3 id="configuring-containers">Configuring Containers</h3>
<p>When starting up any of Hono&rsquo;s Docker images as a container, the JVM will look for additional jar files to include in its classpath in the container&rsquo;s <code>/opt/hono/extensions</code> folder. Thus, using a specific variant of tcnative is just a matter of configuring the container to mount a volume or binding a host folder at that location and putting the desired variant of tcnative into the corresponding volume or host folder.
Assuming that the Auth Server should be run with the statically linked, BoringSSL based tcnative variant, the following steps are necessary:</p>
<ol>
<li><a href="http://netty.io/wiki/forked-tomcat-native.html#how-to-download-netty-tcnative-boringssl-static">Download tcnative</a> matching the platform architecture (<em>linux-x86_64</em>).</li>
<li>Put the jar file to a folder on the Docker host, e.g. <code>/tmp/tcnative</code>.</li>
<li><p>Start the Auth Server Docker image mounting the host folder:</p>
<pre><code class="language-sh">docker run --name hono-auth-server --mount type=bind,src=/tmp/tcnative,dst=/opt/hono/extensions,ro ... eclipse/hono-service-auth
</code></pre></li>
</ol>
<p>Note that the command given above does not contain the environment variables and secrets that are usually required to configure the service properly.</p>
<p>When the Auth Server starts up, it will look for a working variant of tcnative on its classpath and (if found) use it for establishing TLS connections. The service&rsquo;s log file will indicate whether the JVM&rsquo;s default SSL engine or OpenSSL is used.</p>
<p>Using a Docker <em>volume</em> instead of a <em>bind mount</em> works the same way but requires the use of <code>volume</code> as the <em>type</em> of the <code>--mount</code> parameter. Please refer to the <a href="https://docs.docker.com/edge/engine/reference/commandline/service_create/#add-bind-mounts-volumes-or-memory-filesystems">Docker reference documentation</a> for details.</p>
<h2 id="server-name-indication-sni">Server Name Indication (SNI)</h2>
<p><a href="https://tools.ietf.org/html/rfc6066#section-3">Server Name Indication</a> can be used to indicate to a server the host name that the client wants to
connect to as part of the TLS handshake. This is useful in order to be able to host multiple <em>virtual</em> servers on a single network address.
In particular, SNI allows server components to select a server certificate that matches the domain name indicated by the client using SNI.</p>
<p>Hono&rsquo;s protocol adapters support <em>virtual</em> servers by means of SNI as described above. Devices can then connect to a protocol adapter using any one
of the configured <em>virtual</em> domain names.</p>
<p>The following steps are necessary in order to configure the protocol adapters with multiple <em>virtual</em> servers:</p>
<ol>
<li>Create Server Certificate(s)</li>
</ol>
<p>When a device establishes a connection to one of Hono&rsquo;s protocol adapters using one of its <em>virtual</em> domain names, then it includes the domain name in
its TLS <em>hello</em> message by means of the SNI extension. The server can then use this information to determine the matching server certificate and
corresponding private key that is required to perform the TLS handshake.</p>
<p>It is therefore necessary to create a private key and certificate for each <em>virtual</em> server to be hosted.
The <em>virtual</em> server&rsquo;s domain name needs to be added to the certificate&rsquo;s <em>Subject Alternative Name</em> (SAN) list in order for Hono to be able to
determine the key/certificate pair to use for the TLS handshake with the device.
Please refer to the <a href="https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni">vert.x SNI guide</a> for details on how this works under the hood.</p>
<p>Hono&rsquo;s protocol adapters then need to be configured with the server certificates and keys. In order to do so, the certificates and corresponding private
keys need to be added to a <em>key store</em>. Hono supports the <em>JKS</em> and <em>PKCS12</em> key store formats for that purpose.
Once the key store has been created, Hono&rsquo;s protocol adapters need to be configured with the path to the key store by means of the adapters&rsquo;
<code>KEY_STORE_PATH</code> configuration variable. Please refer to the <a href="/hono/docs/admin-guide/">protocol adapter admin guides</a> for details on how to
configure the key store path.</p>
<ol start="2">
<li>Enable SNI for Hono&rsquo;s Protocol Adapters</li>
</ol>
<p>Hono&rsquo;s protocol adapters can be configured to support SNI by means of the <code>SNI</code> configuration variable. Please refer to the
<a href="/hono/docs/admin-guide/">protocol adapter admin guides</a> for details on how to set this variable.</p>
<ol start="3">
<li>Verify Configuration</li>
</ol>
<p>The setup can be verified by means of the command line tools that are part of <a href="https://www.openssl.org/">OpenSSL</a>.
Assuming that the MQTT protocol adapter&rsquo;s IP address is <code>10.100.84.23</code>, its secure endpoint is bound to port 31884 and it has
been configured with a certificate using domain name <em>my-hono.eclipse.org</em>, then the following command can be used to test
if a TLS secured connection with the adapter using that virtual host name can be established successfully. The server certificate printed by the command should be the one that was created for <em>my-hono.eclipse.org</em>, which confirms that SNI selected the intended key/certificate pair:</p>
<pre><code class="language-sh"> openssl s_client -connect 10.100.84.23:31884 -servername my-hono.eclipse.org
</code></pre>
</div>
</div>
</section>
<script src="/hono/docs/js/clipboard.min.js?1605147031"></script>
<script src="/hono/docs/js/perfect-scrollbar.min.js?1605147031"></script>
<script src="/hono/docs/js/perfect-scrollbar.jquery.min.js?1605147031"></script>
<script src="/hono/docs/js/jquery.sticky.js?1605147031"></script>
<script src="/hono/docs/js/featherlight.min.js?1605147031"></script>
<script src="/hono/docs/js/html5shiv-printshiv.min.js?1605147031"></script>
<script src="/hono/docs/js/highlight.pack.js?1605147031"></script>
<script>hljs.initHighlightingOnLoad();</script>
<script src="/hono/docs/js/modernizr.custom.71422.js?1605147031"></script>
<script src="/hono/docs/js/learn.js?1605147031"></script>
<script src="/hono/docs/js/hugo-learn.js?1605147031"></script>
<link href="/hono/docs/mermaid/mermaid.css?1605147031" type="text/css" rel="stylesheet" />
<script src="/hono/docs/mermaid/mermaid.js?1605147031"></script>
<script>
// Render mermaid diagrams embedded in the page once the DOM has loaded.
(function () {
  mermaid.initialize({ startOnLoad: true });
})();
</script>
<script>
// Google Tag Manager bootstrap for container GTM-5WLCZXC: initialises the
// `dataLayer` queue, records the start timestamp, and asynchronously injects
// gtm.js from https://www.googletagmanager.com ahead of the first <script>
// element. The injected script is third-party code fetched at runtime, so a
// page-level CSP has to permit that origin for this to keep working.
(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-5WLCZXC');
</script>
</body>
</html>