Working with MQTT Data
This guide details the installation of Mosquitto MQTT version 2.0.12 (64-bit) on Microsoft Windows. For other MQTT software versions, please refer to their specific installation guides.
Install the MQTT Broker
To install the mosquitto MQTT Broker:
Download the mosquitto-2.0.12-install-windows-x64.exe file from https://mosquitto.org/download/.
Go to the directory where you downloaded the file. Double-click mosquitto-2.0.12-install-windows-x64.msi.
Follow the Eclipse Mosquitto Setup wizard prompts. Accept all defaults.
If Microsoft Visual C++ is not installed, it will be installed for you as part of the mosquitto installation. Click Accept to accept the license terms, and then click Install.
On your desktop, open the Microsoft Services application. Check that "Mosquitto Broker" is in "Running" Status with "Automatic" Startup type. If Status is empty, click Start. The Mosquitto Broker will automatically start after every system reboot.

Configuring Usernames and Passwords
This guide explains how to configure usernames and passwords specifically for the 64-bit Mosquitto MQTT Broker on Windows. Other brokers require different steps.
Prerequisite: Before you begin, ensure your device has firmware version 2.29x or later and you're using a 64-bit Windows system.
Create an Encrypted Password File
For {{company_name}} setups (where devices and the Agent are MQTT clients), each requires its own username and password.
Set up the text file
Create a text file called PFSETUP.TXT.
Add usernames and passwords, one pair per line, separated by a colon. For example, user1:secret.
Configure Device Credentials
You must use the {{company_name}} mobile app to set up device credentials.
For every device:
Tap Cellular Settings > MQTT SERVER ADDRESS.
In the MQTT Server Address window, type in the username and password of the device that will connect to the MQTT Broker.
Navigate to My Devices and tap the Export option. A device list will appear.
Tap Export. Choose an application (like Gmail) to send the exported data. We recommend sending it to yourself.
Access the exported file within the MQTT Broker platform.
Transfer the usernames and passwords from this file to your PFSETUP.TXT file (discussed in step 1 of the Set up the text file section above), one pair per line, separated by a colon. For example, user2:private.
Encrypt the Password File
You can encrypt the complete password file or you can encrypt the file per user.
To encrypt the entire password file:
Navigate to the directory where Mosquitto is installed (by default, C:\Program Files\mosquitto).
Run the following command:
mosquitto_passwd.exe -U name_of_passwordfile
All passwords are now encrypted.
To encrypt only the first user's password:
Run the following command:
mosquitto_passwd.exe -c name_of_passwordfile the_first_user
In our example, the_first_user is steve. You will be prompted to enter a password for the_first_user. The -c option creates a new password file and overwrites any existing file with the same name.
NOTE: Your password input is accepted even though it's not shown on screen.
To encrypt additional users (after the first user):
Run the following command:
mosquitto_passwd -b name_of_passwordfile the_next_user password
Apply password encryption by restarting the MQTT broker through Windows Services.
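A check that can be run after the steps above to confirm that no plaintext entries such as user1:secret remain in the password file. This is an added example, not part of the original guide or of Mosquitto; the function name audit_password_file, the sample entries and the assumed $6$ and $7$ hashed-entry layouts are assumptions of the example.

```python
import re

# Assumed hashed-entry layouts written by mosquitto_passwd:
#   user:$6$<salt>$<hash>               (SHA-512)
#   user:$7$<iterations>$<salt>$<hash>  (PBKDF2-SHA512)
_B64 = r"[A-Za-z0-9+/]+={0,2}"
HASHED = re.compile(r"^\$(?:6|7\$\d+)\$" + _B64 + r"\$" + _B64 + r"$")


def audit_password_file(text):
    """Return (line_number, username, problem) tuples for unsafe entries."""
    findings, seen = [], set()
    for num, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        user, sep, secret = line.partition(":")
        if not sep or not user:
            findings.append((num, user or "?", "malformed entry"))
            continue
        if user in seen:
            findings.append((num, user, "duplicate username"))
        seen.add(user)
        if not secret:
            findings.append((num, user, "empty password"))
        elif not HASHED.match(secret):
            # Anything that is not a recognised hash is treated as plaintext.
            findings.append((num, user, "plaintext password"))
    return findings


# Constructed sample: two entries still in the PFSETUP.TXT plaintext form,
# two already hashed (salts and hashes are made-up base64, not real output).
SAMPLE = """\
user1:secret
steve:$7$101$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNoaGFzaGhhc2g=
user2:private
legacy:$6$c2FsdHNhbHQ=$aGFzaGhhc2g=
"""

if __name__ == "__main__":
    for num, user, problem in audit_password_file(SAMPLE):
        print(f"line {num}: {user}: {problem}")
```

Any "plaintext password" finding means the file still needs mosquitto_passwd -U before the broker is restarted.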
Delete Users from the Encrypted Password File
Remove individual users from the password file by running the following command:
mosquitto_passwd -D name_of_passwordfile user_to_be_deleted
Configure mosquitto.conf to Use the Encrypted Password File
Copy the password file into a separate folder. For example, copy the file into C:\etc\mosquitto. If you use a different directory, ensure that there are no spaces in the directory path.
Configure mosquitto.conf for password file usage:
Set allow_anonymous to false.
Set password_file to the path of your password file. Remove the password file's file extension.
For example:
allow_anonymous false
password_file C:/etc/passwordfile
Configure mosquitto.conf for secure communication (port 8883):
NOTE: Mosquitto v1.5+ configures authentication per listener. Enable per_listener_settings.
Example for secure communication only:
listener 8883
allow_anonymous false
password_file C:/etc/passwordfile
IMPORTANT: When using listener 8883, embed your certificates (see the "Edit the mosquitto.conf file" section for details).
Restart the Mosquitto Broker: After modifying the configuration or password file, restart the Mosquitto Broker service via the Microsoft Windows Services application.
Password File Configuration: For more details, see http://www.steves-internet-guide.com/mqtt-username-password-example/
Certificate Recommendation: It's best to use your organization's signed certificate. Consult your IT department for instructions. If using an enterprise certificate, proceed to the "Edit the mosquitto.conf file" section for details.
Alternative: You can create and use a self-signed certificate. Refer to the "Creating Self-Signed Certificate" section for details.
Create a Self-Signed Certificate
Prerequisites:
64-bit Windows OS
Microsoft Visual C++
Install OpenSSL and Set up Environment Variables
Before creating a self-signed certificate, install OpenSSL and set environment variables:
Download OpenSSL: Get the Win64 version (not Lite).
Run the Installer: If Visual C++ is missing, it will be installed; rerun the OpenSSL installer afterward.
Set Environment Variables:
For the current session: Run these commands in the command prompt:
set OPENSSL_CONF=C:\Program Files\OpenSSL-Win64\bin\openssl.cfg
set Path=%Path%;C:\Program Files\OpenSSL-Win64\bin
Permanently:
Search for environment in the system tray and select Edit the system environment variables.
In System Properties, go to the Advanced tab and click Environment Variables.
Under System variables, click New and set:
OPENSSL_CONF to C:\Program Files\OpenSSL-Win64\bin\openssl.cfg
Path to include C:\Program Files\OpenSSL-Win64\bin
Click OK to close the New System Variable window, and then click OK to close the Environment Variables window.
Click OK to close the System Properties window. NOTE: The changes you made will take effect only when the window closes, and when you open a new command prompt.
Create the Self-Signed Certificate and Keys
The self-signed certificate files will be created in the directory where you execute the openssl commands.
Create a Certificate Authority (CA) key pair by running the following command:
openssl genrsa -des3 -out ca.key 2048
Generating RSA private key, 2048-bit long modulus (2 primes)
....+++
e is 65537 (0x010001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
This pass phrase secures your private key, and you'll need it again to access the key. Think of it as a separate login requirement. TIP: Write your pass phrase carefully (case-sensitive) as it's required for signing both ca.crt and server.crt.
Create a CA certificate and use the ca.key to sign it by running the following command:
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields, but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]: California
Locality Name (e.g., city) []: San Diego
Organization Name (e.g., company) [Internet Widgets Pty Ltd]: Widgets
Organizational Unit Name (e.g., section) []: RND
Common Name (e.g., server FQDN or YOUR name) []: Widgets
Email Address []:
The directory now contains the following files:
08/17/2021 11:51 AM 1,348 ca.crt
08/17/2021 11:50 AM 1,773 ca.key
Create a server key pair for use by the broker by running the following command:
openssl genrsa -out server.key 2048
Generating RSA private key, 2048-bit long modulus (2 primes)
...+++++
e is 65537 (0x010001)
The directory now contains the following files:
08/17/2021 11:51 AM 1,348 ca.crt
08/17/2021 11:50 AM 1,773 ca.key
08/17/2021 11:52 AM 1,702 server.key
Create a broker certificate request. When filling the form, the Common Name (CN) is crucial. Typically, it's the server's full domain name, IP address, or the Windows computer name hosting the Mosquitto broker. Ensure you use this exact name when configuring client connections. Run this command:
openssl req -new -out server.csr -key server.key
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields, but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-------
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (e.g., city) []: San Diego
Organization Name (e.g., company) [Internet Widgets Pty Ltd]:Widgets
Organizational Unit Name (e.g., section) []:RND
Common Name (e.g., server FQDN or YOUR name) []:54.72.180.67
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:widget
An optional company name []:widget
Use the CA certificate to sign the broker certificate request. Use the CA key to verify and sign the server certificate. This step creates the server.crt file. Run the following command:
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360
Signature ok
subject=C = US, ST = California, L = San Diego, O = widgets, OU = RND,
CN = 54.72.180.67
Getting CA Private Key
Enter pass phrase for ca.key:
NOTE: If you see unable to load CA Private Key with bad decrypt error messages, it indicates an incorrect pass phrase for ca.key. Rerun the openssl command and enter the correct pass phrase.
The directory now contains the following files:
08/17/2021 11:54 AM 1,364 ca.crt
08/17/2021 11:53 AM 1,781 ca.key
08/17/2021 11:55 AM 42 ca.srl
08/17/2021 11:55 AM 1,240 server.crt
08/17/2021 11:55 AM 1,088 server.csr
08/17/2021 11:54 AM 1,702 server.key
Edit the mosquitto.conf File
Set the following parameters to their specified values in the configuration file:
per_listener_settings true
listener 8883
allow_anonymous false
password_file c:\Users\...\Certificates\passtest.txt
protocol mqtt
certfile c:\Users\...\Certificates\server.crt
keyfile c:\Users\...\Certificates\server.key
require_certificate false
cafile c:\Users\...\Certificates\ca.crt
use_identity_as_username false
log_dest file c:\mosquitto\mosquitto.log
log_type error
log_type warning
log_type notice
log_type information
# the following setting should be added manually after the logs settings
log_type all
connection_messages true
# the following setting must be added at the end of the file
tls_version tlsv1.2
After modifying mosquitto.conf, restart the MQTT broker using the Windows Services app. See the mosquitto.conf man page for configuration details.
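An added example (not from the original guide or the Mosquitto project) that checks a mosquitto.conf for the listener settings this guide relies on: authentication placed under the listener, a password file, and TLS certificates. The function names, sample configurations and file paths are constructed, and it assumes that with per_listener_settings true, authentication options written before the first listener line are not applied to that listener.

```python
def parse_conf(text):
    """Split mosquitto.conf text into global options and one dict per listener."""
    glob, listeners, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "listener":
            current = {"port": value.split()[0] if value.strip() else "?"}
            listeners.append(current)
        else:
            (glob if current is None else current)[key] = value.strip()
    return glob, listeners

def audit(text):
    """Return findings for the listener settings used in this guide."""
    glob, listeners = parse_conf(text)
    per_listener = any(d.get("per_listener_settings") == "true" for d in [glob, *listeners])
    # Assumption: auth options before the first listener line are not per-listener.
    misplaced = sorted({"allow_anonymous", "password_file"} & set(glob)) if per_listener else []
    findings = [f"global: {k} is outside a listener block; set it under each listener" for k in misplaced]
    for lst in listeners:
        port = lst["port"]
        eff = lst if per_listener else {**glob, **lst}
        if eff.get("allow_anonymous") == "true":
            findings.append(f"listener {port}: anonymous clients are allowed")
        elif "password_file" not in eff:
            findings.append(f"listener {port}: no password_file for username/password login")
        if "certfile" not in lst or "keyfile" not in lst:
            findings.append(f"listener {port}: no certfile/keyfile, credentials travel in cleartext")
        elif lst.get("tls_version") in ("tlsv1", "tlsv1.1"):
            findings.append(f"listener {port}: tls_version below tlsv1.2")
    return findings

# Constructed samples; file paths are placeholders, not paths from the guide.
TLS_CONF = """\
per_listener_settings true
listener 8883
allow_anonymous false
password_file C:/etc/mosquitto/passwordfile
certfile C:/etc/mosquitto/server.crt
keyfile C:/etc/mosquitto/server.key
tls_version tlsv1.2
"""
PLAIN_CONF = """\
per_listener_settings true
listener 1883
allow_anonymous false
password_file C:/etc/mosquitto/passwordfile
"""
MISPLACED_CONF = """\
allow_anonymous false
password_file C:/etc/passwordfile
per_listener_settings true
listener 8883
"""

if __name__ == "__main__":
    print(audit(TLS_CONF), audit(PLAIN_CONF), audit(MISPLACED_CONF), sep="\n")
```

TLS_CONF produces no findings, PLAIN_CONF is flagged for sending credentials without TLS, and MISPLACED_CONF is flagged because its authentication lines precede the listener line.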
Import a Self-Signed Certificate to a Windows Host
If your mosquitto.conf is set for unsecured communication, you can ignore this.
To trust your self-signed certificate (ca.crt) for secure communication, import it into the Windows Trusted Root Certification Authorities:
On your Windows desktop, click Start > Run > MMC. The Microsoft Management Console opens.
Click File, and then select Add / Remove Snap In.
From the list of available snap-ins, select Certificates, and then click Add.
In the Certificates snap-in window, select Computer Account, and then click Next.
In the Select Computer window, select Local Computer, and then click Finish.
Click OK to exit the Snap-In window.
Click [+] next to Certificates > Trusted Root Certification Authorities.

Right-click Certificates, and then select All Tasks > Import. The Certificate Import Wizard window opens. Follow the wizard prompts. The self-signed certificate is now trusted by all users.
If you see the following error from self-signed certificates in the log:
2021-09-09 15:24:40.252 +03:00 [WRN] MQTT: TLS certificate has policy errors. RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate.
2021-09-09 15:24:40.252 +03:00 [WRN] MQTT: Verify the certificate or ignore by changing the IgnoreCertificateRevocationErrors setting
The Agent will not work until you change the Ignore Certificate Revocation Errors check box in the Agent's configuration file or the UI.
Unsecured Connection
You can configure mosquitto.conf for an unsecured connection if necessary. However, this is not recommended. The configuration for non-secure communication is as follows:
###
per_listener_settings true
# In non-secure communication, the listener is set to 1883
listener 1883
allow_anonymous false
password_file C:/.../passwordfile.txt
###
Related Links for Additional Information
http://www.steves-internet-guide.com/mosquitto-tls/
https://mosquitto.org/man/mosquitto-tls-7.html
http://richardn.ca/2017/06/07/mosquitto-on-windows/
MQTT Mosquitto Installation on Microsoft Windows (v2.0.12, 64-bit)
This guide provides complete instructions for installing, configuring, and securing the Mosquitto MQTT Broker (v2.0.12) on a Microsoft Windows system. It includes secure user/password management, SSL/TLS setup, and optional unsecured configurations.
Table of Contents
Install the MQTT Broker
Configure Usernames & Passwords
Set Up Encrypted Password File
Configure mosquitto.conf
Create a Self-Signed Certificate (Optional)
Import the Certificate to Windows
Unsecured Configuration (Not Recommended)
Helpful Resources
Install the MQTT Broker
Download: https://mosquitto.org/download/
File: mosquitto-2.0.12-install-windows-x64.exe
Run the installer and follow the prompts. Accept default options.
If not already installed, Microsoft Visual C++ will be installed automatically.
Open Windows Services and ensure that Mosquitto Broker is:
Running
Startup type set to Automatic
Configure Usernames & Passwords
Prerequisites
Windows 64-bit OS
Device firmware v2.29x or newer
Set Up Encrypted Password File
Create a plaintext file at C:\etc\passwordfile:
user1:password1
user2:password2
Use the AyyekaGo app to:
Navigate to Cellular Settings > MQTT SERVER ADDRESS
Set each device’s username and password
Export user credentials and copy them to the password file
Encrypt the file:
Encrypt the entire file:
mosquitto_passwd.exe -U passwordfile
Create a new file with the first user:
mosquitto_passwd.exe -c passwordfile steve
Add more users:
mosquitto_passwd.exe -b passwordfile user2 password2
Restart the Mosquitto Broker via Windows Services.
Delete a User
mosquitto_passwd.exe -D passwordfile user_to_delete
Configure mosquitto.conf
Copy the password file to a secure directory like C:\etc\mosquitto\
Edit mosquitto.conf to include:
allow_anonymous false
password_file C:/etc/passwordfile
per_listener_settings true
listener 8883
Restart the Broker via Windows Services.
Note: For TLS, certificates must also be configured (see below).
Create a Self-Signed Certificate (Optional)
Prerequisites
Windows 64-bit OS
Microsoft Visual C++
OpenSSL for Win64
Install OpenSSL and Set Environment Variables
Set up OPENSSL_CONF and update Path:
set OPENSSL_CONF=C:\Program Files\OpenSSL-Win64\bin\openssl.cfg
set Path=%Path%;C:\Program Files\OpenSSL-Win64\bin
To make changes permanent, use System Properties > Environment Variables.
Generate Certificates
Run these commands from a working directory:
Create CA Key
openssl genrsa -des3 -out ca.key 2048
Create CA Certificate
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
Create Server Key
openssl genrsa -out server.key 2048
Generate CSR
openssl req -new -out server.csr -key server.key
Sign the CSR
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360
Edit mosquitto.conf for TLS
Add these lines:
per_listener_settings true
listener 8883
allow_anonymous false
password_file C:/Users/.../Certificates/passtest.txt
protocol mqtt
certfile C:/Users/.../Certificates/server.crt
keyfile C:/Users/.../Certificates/server.key
require_certificate false
cafile C:/Users/.../Certificates/ca.crt
use_identity_as_username false
tls_version tlsv1.2
log_dest file C:/mosquitto/mosquitto.log
log_type error
log_type warning
log_type notice
log_type information
log_type all
connection_messages true
Restart the Mosquitto Broker via Windows Services.
Import the Certificate to Windows
Only required for secure (TLS) connections.
Press Win + R, type mmc, and press Enter
Go to File > Add/Remove Snap-in
Select Certificates > Add > Computer Account > Local Computer
Expand Certificates > Trusted Root Certification Authorities
Right-click Certificates > All Tasks > Import
Use the wizard to import ca.crt
If you receive certificate revocation errors, set:
"IgnoreCertificateRevocationErrors": true
in the Agent configuration file.
Unsecured Configuration (Not Recommended)
Use only if encryption is not possible.
per_listener_settings true
listener 1883
allow_anonymous false
password_file C:/.../passwordfile.txt
Helpful Resources
https://mosquitto.org/documentation/authentication-methods/
https://mosquitto.org/man/mosquitto-conf-5.html
Overview of DATA HUB Lite
FAI Lite enables Raw Value sample data to be sent directly from Wavelets to a customer’s network file system or supported application (e.g., SCADA) using MQTT communication.
Key Components
1. Customer-Supplied MQTT Broker
Acts as the intermediary that receives data from publishers (Wavelets) and delivers it to subscribers (e.g., Ayyeka).
Wavelets publish Raw Value data to the MQTT Broker using the MQTT communication protocol.
2. Ayyeka-Supplied Agent
Subscribes to relevant MQTT topics from the Broker.
Parses Raw Value data and sends it to your system in one of two ways:
CSV Agent: Exports data as CSV files for use in SCADA or other applications.
DNP3 Agent: Sends data directly to a SCADA system.
OPC UA Agent: Sends data directly to a SCADA system.
Deployment Scenarios
1. Ayyeka-Configured (optional)
Devices using Ayyeka SIM cards are pre-configured for MQTT communication with FAI Lite before shipment.
2. Customer-Configured
Existing devices using Ayyeka SIM cards:
Currently connected to FAI Cloud or Local, and the AyyekaGo mobile app.
Reconfigured to communicate with the customer’s MQTT Broker.
Existing devices using customer-provided SIM cards:
Connected manually to configure MQTT communication in collaboration with Ayyeka Support.
Data Handling in FAI Lite
1. Device to MQTT Broker
Devices publish Raw Value data as messages to the MQTT Broker, associating each message with a specific topic (e.g., device identifier or AKID).
2. MQTT Broker to Agent
The Broker stores and publishes messages to the Ayyeka Agent.
3. Agent to Target System
The Agent processes the messages and sends data as:
CSV files: Stored locally for consumption by SCADA systems or other applications.
DNP3 data: Delivered directly to a SCADA system.
OPC UA Data: Delivered directly to a SCADA system.
Timestamps: Included in messages to track when the data was sampled, even if messages are out of order.
4. Post-Processing
Processed messages are deleted from the MQTT Broker.
SCADA systems must convert Raw Values into Final Values (similar to transformations in FAI Cloud).
Limitations of FAI Lite
Configuration Restrictions:
Device configurations and changes are limited to the AyyekaGo mobile app.
Raw Data Only:
No transformation calculations are performed on the data by the device, Broker, or Agent.
Target systems must handle the conversion of Raw Values into Final Values.
Exclusions:
Events (e.g., threshold violations), logs, and health reports are not sent to the MQTT Broker.
This solution provides a streamlined pathway for integrating Raw Value data into customer systems while requiring downstream processing for engineering conversions and system-specific transformations.