Change file name

Author: jlian

articles/iot-operations/manage-mqtt-broker/howto-configure-authentication.md

@@ -332,7 +332,7 @@ For more information about enabling secure settings by configuring an Azure Key
 ## X.509
 
 > [!TIP]
-> For an end-to-end example of how to configure X.509 authentication, see [Tutorial: TLS, X.509 client authentication, and attribute-based access control (ABAC) authorization](./tutorial-tls-and-x509.md).
+> For an end-to-end example of how to configure X.509 authentication, see [Tutorial: TLS, X.509 client authentication, and attribute-based access control (ABAC) authorization](./tutorial-tls-x509.md).
 
 With X.509 authentication, the MQTT broker uses a **trusted CA certificate** to validate client certificates. This trusted CA can be a root or intermediate CA. The broker checks the client certificate chain against the trusted CA certificate. If the chain is valid, the client is authenticated.
 
@@ -608,7 +608,7 @@ To get a TLS-enabled listener port, see [Enable TLS manual certificate managemen
 >
 > After enabling X.509 authentication, ensure that clients trust the broker's server certificate by having the *server-side* CA certificate in their trust store. Don't confuse trusting the *server-side* CA certificate with the *client-side* CA certificate used for client authentication that is specified in the `trustedClientCaCert` field.
 >
-> For a full example, see [Tutorial: TLS, X.509 client authentication, and attribute-based access control (ABAC) authorization](./tutorial-tls-and-x509.md).
+> For a full example, see [Tutorial: TLS, X.509 client authentication, and attribute-based access control (ABAC) authorization](./tutorial-tls-x509.md).
 
 ### Connect mosquitto client to MQTT broker with X.509 client certificate
 
@@ -894,4 +894,4 @@ Successful reauthentication updates the client's credential expiry with the expi
 
 - About [BrokerListener resource](howto-configure-brokerlistener.md)
 - [Configure authorization for a BrokerListener](./howto-configure-authorization.md)
-- [Tutorial: TLS, X.509 client authentication, and attribute-based access control (ABAC) authorization](./tutorial-tls-and-x509.md)
+- [Tutorial: TLS, X.509 client authentication, and attribute-based access control (ABAC) authorization](./tutorial-tls-x509.md)

articles/iot-operations/manage-mqtt-broker/howto-configure-authorization.md

@@ -786,4 +786,4 @@ With MQTT 3.1.1, when a publish is denied, the client receives the PUBACK with n
 
 - About [BrokerListener resource](howto-configure-brokerlistener.md)
 - [Configure authentication for a BrokerListener](./howto-configure-authentication.md)
-- [Tutorial: TLS, X.509 client authentication, and attribute-based access control (ABAC) authorization](./tutorial-tls-and-x509.md)
+- [Tutorial: TLS, X.509 client authentication, and attribute-based access control (ABAC) authorization](./tutorial-tls-x509.md)

articles/iot-operations/manage-mqtt-broker/howto-configure-brokerlistener.md

@@ -921,4 +921,4 @@ From here, follow the same steps as previously to create a server certificate wi
 
 - [Configure MQTT broker authorization](howto-configure-authorization.md)
 - [Configure MQTT broker authentication](howto-configure-authentication.md)
-- [Tutorial: TLS, X.509 client authentication, and attribute-based access control (ABAC) authorization](./tutorial-tls-and-x509.md)
+- [Tutorial: TLS, X.509 client authentication, and attribute-based access control (ABAC) authorization](./tutorial-tls-x509.md)

articles/iot-operations/manage-mqtt-broker/howto-test-connection.md

@@ -615,4 +615,4 @@ spec:
 
 - [Configure TLS with manual certificate management to secure MQTT communication](howto-configure-tls-manual.md)
 - [Configure authentication](howto-configure-authentication.md)
-- [Tutorial: TLS, X.509 client authentication, and attribute-based access control (ABAC) authorization](./tutorial-tls-and-x509.md)
+- [Tutorial: TLS, X.509 client authentication, and attribute-based access control (ABAC) authorization](./tutorial-tls-x509.md)

articles/iot-operations/manage-mqtt-broker/tutorial-tls-and-x509.md renamed to articles/iot-operations/manage-mqtt-broker/tutorial-tls-x509.md

@@ -264,6 +264,55 @@ Client thermostat sending DISCONNECT
 
 To restrict access to MQTT topics based on the client certificate attributes, create an authorization policy that maps the client certificate attributes to allowed actions on specific topics.
 
+The provided command is using the `mosquitto_pub` utility to publish a message to an MQTT broker with TLS encryption and client certificate authentication. Here's a breakdown of the command and the authorization system being set up:
+
+### Command Breakdown
+- `mosquitto_pub`: The command-line utility to publish messages to an MQTT broker.
+- `-t "example/topic"`: Specifies the topic to which the message is published.
+- `-m "example temperature measurement"`: The message payload.
+- `-i thermostat`: The client ID used to identify the publisher.
+- `-q 1`: Quality of Service level 1, ensuring the message is delivered at least once.
+- `-V mqttv5`: Specifies the MQTT version 5.
+- `-d`: Enables debug mode for detailed output.
+- `-h localhost`: The hostname of the MQTT broker.
+- `--key thermostat.key`: The client's private key file.
+- `--cert thermostat.crt`: The client's certificate file.
+- `--cafile contoso_root_ca.crt`: The CA certificate file to verify the broker's certificate.
+
+### Authorization System
+1. **Certificates Created**:
+   - **Client Certificate (thermostat.crt)**: Issued to the client (thermostat) and signed by an intermediate CA.
+   - **Client Private Key (thermostat.key)**: Corresponding private key for the client certificate.
+   - **Intermediate CA Certificate**: Signed by the root CA, used to sign client certificates.
+   - **Root CA Certificate (contoso_root_ca.crt)**: The trusted root certificate used to verify the chain of trust.
+
+2. **Attributes Mapping**:
+   - **Client Certificate Attributes**: Includes details like Common Name (CN), Organization (O), and Organizational Unit (OU) that can be used for authorization.
+   - **Intermediate CA**: Ensures that client certificates are issued by a trusted entity.
+
+3. **Authorization Rules**:
+   - The MQTT broker uses the client certificate to authenticate the client.
+   - The broker verifies the certificate chain up to the root CA.
+   - Authorization rules can be defined based on certificate attributes (e.g., CN, O, OU) to control access to specific topics.
+
+### Mermaid Diagram
+```mermaid
+graph TD
+    A[Client: thermostat] -->|thermostat.crt| B[Intermediate CA]
+    B -->|Signed by| C[Root CA: contoso_root_ca.crt]
+    A -->|thermostat.key| D[MQTT Broker]
+    D -->|Verify| C
+    D -->|Authorize| E[Authorization Rules]
+    E -->|Access Control| F[MQTT Topics]
+```
+
+### Explanation
+1. The client (thermostat) uses its certificate (`thermostat.crt`) and private key (`thermostat.key`) to authenticate with the MQTT broker.
+2. The broker verifies the client's certificate against the intermediate CA, which is in turn verified against the root CA (`contoso_root_ca.crt`).
+3. The broker applies authorization rules based on the client's certificate attributes to control access to MQTT topics.
+
+This setup ensures secure communication and controlled access to the MQTT broker using TLS and client certificate authentication.
+
 1. In the Azure portal, navigate to your IoT Operations instance.
 1. Under **Components**, select **MQTT Broker**.
 1. Select the **Authorization** tab.
@@ -354,6 +403,7 @@ To restrict access to MQTT topics based on the client certificate attributes, cr
       }
     ]
     ```
+    
 1. Select **Add** to save the changes.
 
 :::image type="content" source="media/tutorial-tls-and-x509/abac-authz.png" alt-text="Screenshot showing Azure portal for setting up an authorization policy.":::

articles/iot-operations/toc.yml

@@ -190,7 +190,7 @@ items:
       - name: Send data to Data Lake Storage
         href: connect-to-cloud/tutorial-opc-ua-to-data-lake.md
       - name: Secure communication with TLS, X.509, and ABAC
-        href: manage-mqtt-broker/tutorial-tls-and-x509.md
+        href: manage-mqtt-broker/tutorial-tls-x509.md
     - name: Troubleshoot
       items:
       - name: Troubleshoot