You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/authentication.md
+14-14Lines changed: 14 additions & 14 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -45,7 +45,7 @@ SuperMQ uses the `access_token` provided by Google only to fetch user informatio
45
45
46
46
## Authentication with SuperMQ keys
47
47
48
-
By default, SuperMQ uses SuperMQ Thing secret for authentication. The Thing secret is a secret key that's generated at the Thing creation. In order to authenticate, the Thing needs to send its secret with the message. The way the secret is passed depends on the protocol used to send a message and differs from adapter to adapter. For more details on how this secret is passed around, please check out [messaging section][messaging]. This is the default SuperMQ authentication mechanism and this method is used if the composition is started using the following command:
48
+
By default, SuperMQ uses SuperMQ Client secret for authentication. The Client secret is a secret key that's generated at the Client creation. In order to authenticate, the Client needs to send its secret with the message. The way the secret is passed depends on the protocol used to send a message and differs from adapter to adapter. For more details on how this secret is passed around, please check out [messaging section][messaging]. This is the default SuperMQ authentication mechanism and this method is used if the composition is started using the following command:
49
49
50
50
```bash
51
51
docker-compose -f docker/docker-compose.yml up
@@ -59,52 +59,52 @@ In most of the cases, HTTPS, WSS, MQTTS or secure CoAP are secure enough. Howeve
59
59
AUTH=x509 docker-compose -f docker/docker-compose.yml up -d
60
60
```
61
61
62
-
Mutual authentication includes client-side certificates. Certificates can be generated using the simple script provided [here][ssl-makefile]. In order to create a valid certificate, you need to create SuperMQ thing using the process described in the [provisioning section][provision]. After that, you need to fetch created thing secret. Thing secret will be used to create x.509 certificate for the corresponding thing. To create a certificate, execute the following commands:
62
+
Mutual authentication includes client-side certificates. Certificates can be generated using the simple script provided [here][ssl-makefile]. In order to create a valid certificate, you need to create SuperMQ client using the process described in the [provisioning section][provision]. After that, you need to fetch created client secret. Client secret will be used to create x.509 certificate for the corresponding client. To create a certificate, execute the following commands:
63
63
64
64
```bash
65
65
cd docker/ssl
66
66
make ca CN=<common_name> O=<organization> OU=<organizational_unit> emailAddress=<email_address>
67
67
make server_cert CN=<common_name> O=<organization> OU=<organizational_unit> emailAddress=<email_address>
68
-
make thing_cert THING_SECRET=<thing_secret> CRT_FILE_NAME=<cert_name> O=<organization> OU=<organizational_unit> emailAddress=<email_address>
68
+
make client_cert CLIENT_SECRET=<client_secret> CRT_FILE_NAME=<cert_name> O=<organization> OU=<organizational_unit> emailAddress=<email_address>
69
69
```
70
70
71
71
These commands use [OpenSSL][openssl] tool, so please make sure that you have it installed and set up before running these commands. The default values for Makefile variables are
Normally, in order to get things running, you will need to specify only `THING_SECRET`. The other variables are not mandatory and the termination should work with the default values.
83
+
Normally, in order to get clients running, you will need to specify only `CLIENT_SECRET`. The other variables are not mandatory and the termination should work with the default values.
84
84
85
85
- Command `make ca` will generate a self-signed certificate that will later be used as a CA to sign other generated certificates. CA will expire in 3 years.
86
86
- Command `make server_cert` will generate and sign (with previously created CA) server cert, which will expire after 1000 days. This cert is used as a SuperMQ server-side certificate in usual TLS flow to establish HTTPS or MQTTS connection.
87
-
- Command `make thing_cert` will finally generate and sign a client-side certificate and private key for the thing.
87
+
- Command `make client_cert` will finally generate and sign a client-side certificate and private key for the client.
88
88
89
-
In this example `<thing_secret>` represents secret of the thing and `<cert_name>` represents the name of the certificate and key file which will be saved in `docker/ssl/certs` directory. Generated Certificate will expire after 2 years. The key must be stored in the x.509 certificate `CN` field. This script is created for testing purposes and is not meant to be used in production. We strongly recommend avoiding self-signed certificates and using a certificate management tool such as [Vault][vault] for the production.
89
+
In this example `<client_secret>` represents secret of the client and `<cert_name>` represents the name of the certificate and key file which will be saved in `docker/ssl/certs` directory. Generated Certificate will expire after 2 years. The key must be stored in the x.509 certificate `CN` field. This script is created for testing purposes and is not meant to be used in production. We strongly recommend avoiding self-signed certificates and using a certificate management tool such as [Vault][vault] for the production.
90
90
91
91
Once you have created CA and server-side cert, you can spin the composition using:
92
92
93
93
```bash
94
94
AUTH=x509 docker-compose -f docker/docker-compose.yml up -d
95
95
```
96
96
97
-
Then, you can create user and provision things and channels. Now, in order to send a message from the specific thing to the channel, you need to connect thing to the channel and generate corresponding client certificate using aforementioned commands. To publish a message to the channel, thing should send following request:
97
+
Then, you can create user and provision clients and channels. Now, in order to send a message from the specific client to the channel, you need to connect client to the channel and generate corresponding client certificate using aforementioned commands. To publish a message to the channel, client should send following request:
98
98
99
99
### WSS
100
100
101
101
```javascript
102
102
constWebSocket=require("ws");
103
103
// Do not verify self-signed certificates if you are using one.
104
104
process.env.NODE_TLS_REJECT_UNAUTHORIZED="0";
105
-
// Replace <channel_id> and <thing_secret> with real values.
105
+
// Replace <channel_id> and <client_secret> with real values.
// This is ClientOptions object that contains client cert and client key in the form of string. You can easily load these strings from cert and key files.
109
109
{
110
110
cert:`-----BEGIN CERTIFICATE-----....`,
@@ -127,21 +127,21 @@ As you can see, `Authorization` header does not have to be present in the HTTP r
0 commit comments