Add links

Author: jlian

articles/iot-operations/manage-mqtt-broker/howto-configure-authentication.md

@@ -331,6 +331,9 @@ For more information about enabling secure settings by configuring an Azure Key
 
 ## X.509
 
+> [!TIP]
+> For an end-to-end example of how to configure X.509 authentication, see [Tutorial: TLS, X.509 client authentication, and attribute-based access control (ABAC) authorization](./tutorial-tls-and-x509.md).
+
 With X.509 authentication, the MQTT broker uses a **trusted CA certificate** to validate client certificates. This trusted CA can be a root or intermediate CA. The broker checks the client certificate chain against the trusted CA certificate. If the chain is valid, the client is authenticated.
 
 To use X.509 authentication with a trusted CA certificate, the following requirements must be met:
@@ -604,6 +607,8 @@ To get a TLS-enabled listener port, see [Enable TLS manual certificate managemen
 > - **Server validation**: Clients (like mosquitto or MQTTX) check the MQTT broker's server certificate against the trusted CA certificate in their trust store. For mosquitto clients, use the `--cafile` parameter to specify the CA certificate file. For MQTTX, add the CA certificate to the trust store in the settings.
 >
 > So, after enabling X.509 authentication, ensure that clients trust the broker's server certificate by having the *server-side* CA certificate in their trust store. Don't confuse this with the *client-side* CA certificate used for client authentication, which is specified in the `trustedClientCaCert` field.
+>
+> For a full example, see [Tutorial: TLS, X.509 client authentication, and attribute-based access control (ABAC) authorization](./tutorial-tls-and-x509.md).
 
 ### Connect mosquitto client to MQTT broker with X.509 client certificate
 
@@ -889,3 +894,4 @@ Successful reauthentication updates the client's credential expiry with the expi
 
 - About [BrokerListener resource](howto-configure-brokerlistener.md)
 - [Configure authorization for a BrokerListener](./howto-configure-authorization.md)
+- [Tutorial: TLS, X.509 client authentication, and attribute-based access control (ABAC) authorization](./tutorial-tls-and-x509.md)

articles/iot-operations/manage-mqtt-broker/howto-configure-authorization.md

@@ -786,3 +786,4 @@ With MQTT 3.1.1, when a publish is denied, the client receives the PUBACK with n
 
 - About [BrokerListener resource](howto-configure-brokerlistener.md)
 - [Configure authentication for a BrokerListener](./howto-configure-authentication.md)
+- [Tutorial: TLS, X.509 client authentication, and attribute-based access control (ABAC) authorization](./tutorial-tls-and-x509.md)

articles/iot-operations/manage-mqtt-broker/howto-configure-brokerlistener.md

@@ -921,3 +921,4 @@ From here, follow the same steps as previously to create a server certificate wi
 
 - [Configure MQTT broker authorization](howto-configure-authorization.md)
 - [Configure MQTT broker authentication](howto-configure-authentication.md)
+- [Tutorial: TLS, X.509 client authentication, and attribute-based access control (ABAC) authorization](./tutorial-tls-and-x509.md)

articles/iot-operations/manage-mqtt-broker/howto-test-connection.md

@@ -615,3 +615,4 @@ spec:
 
 - [Configure TLS with manual certificate management to secure MQTT communication](howto-configure-tls-manual.md)
 - [Configure authentication](howto-configure-authentication.md)
+- [Tutorial: TLS, X.509 client authentication, and attribute-based access control (ABAC) authorization](./tutorial-tls-and-x509.md)

articles/iot-operations/toc.yml

@@ -189,6 +189,8 @@ items:
         href: connect-to-cloud/tutorial-mqtt-bridge.md
       - name: Send data to Data Lake Storage
         href: connect-to-cloud/tutorial-opc-ua-to-data-lake.md
+      - name: TLS/X.509/ABAC
+        href: manage-mqtt-broker/tutorial-tls-and-x509.md
     - name: Troubleshoot
       items:
       - name: Troubleshoot