Configuring Security for the rtcomm-1.0 Feature
This topic describes the many aspects of securing the rtcomm-1.0 Feature.
About this task
The following steps describe how to enable security for the rtcomm-1.0 Feature.
Procedure
- Configure SSL.
- SSL between the rtcomm-1.0 Feature and the MQTT Broker
- This feature is enabled for the rtcomm-1.0 Feature by setting the sslEnabled="true" attribute on the rtcomm element in the server.xml file; the broker usually listens for SSL connections on a different port (default 8883).
- SSL between the Rtcomm JavaScript Client and the MQTT Broker
- If the rtcomm.js client is served over https, it enables SSL by default (and tries to use port 8883); otherwise SSL must be enabled in the configuration when initializing the EndpointProvider. The configuration resembles the following:
var providerConfig = { server: mqttBrokerServer, port: mqttBrokerSslPort, useSSL: true }; // mqttBrokerServer: broker host name; mqttBrokerSslPort: broker SSL port (default 8883)
The previous steps ensure that the communication between the clients, the MQTT Broker, and the Liberty server that is running the rtcomm-1.0 Feature is encrypted.
- Configure authentication.
- Authentication and Authorization of the JavaScript Client with the MQTT Broker
- Typically, an application that is implementing Real-Time Communications authenticates a user.
For further details, see Authenticating users in Liberty.
Many external MQTT Brokers can require authentication but will not use the same authentication as the application without a specific configuration.
An external MQTT Broker can use similar authentication mechanisms and offer ways to use LTPA tokens to verify identity. IBM® MessageSight supports LTPA: when the LTPA keys are shared with the MessageSight MQTT Broker, both servers are members of the same domain (servername.domainname.com), and both use the same LDAP resource for identifying users, an LTPA token can be used to pass the original authentication to IBM MessageSight. Other MQTT Brokers can work similarly. For further details on using LTPA with IBM MessageSight, see Lightweight Third Party Authentication (LTPA).
The Liberty server must be configured as described in Configuring LTPA in Liberty.
Note: Use the ssoDomainNames attribute to define the common domain between servers:
<webAppSecurity logoutOnHttpSessionExpire="true" singleSignonEnabled="true" ssoDomainNames="domainname.com" />
Authentication that uses LTPA is separate from authorization in IBM MessageSight; to configure authorization, follow the directions at this URL, Authorization.
This configuration only works if the original authenticator that is providing the LTPA token and the MessageSight server share the same LDAP configuration.
- Client authentication without LTPA
- If LTPA cannot be configured, the rtcomm.js client provides an API through which a user name and password can be supplied for authentication with the MQTT Broker. They are passed in the configuration that is given to the EndpointProvider during init():
var providerConfig = { server: servername, port: port, useSSL: true, credentials: { userName: "username", password: "password" } };
This configuration passes the identity and password to the MQTT client to authenticate the connection to the MQTT Broker.
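The following added example (not code from the Liberty documentation or the rtcomm project) assembles the providerConfig object for both cases above: the SSL settings derived from how the page is served, and the optional credentials used when LTPA is not available. It assumes 1883 as the non-SSL MQTT port (the page only states the SSL default of 8883) and adds a check that credentials are never configured over a plain-text connection.

```javascript
// Added example: builds the configuration object passed to EndpointProvider init().
// rtcomm.js itself is not loaded here; only the configuration object is produced.
var DEFAULT_SSL_PORT = 8883;   // SSL port stated in the documentation
var DEFAULT_PLAIN_PORT = 1883; // assumption: common non-SSL MQTT port, not from the page

function buildProviderConfig(opts) {
  // opts.pageProtocol: "https:" or "http:" (window.location.protocol in a browser)
  // opts.server: MQTT broker host name (required)
  // opts.port / opts.useSSL: optional explicit overrides
  // opts.credentials: optional { userName, password } when LTPA cannot be used
  if (typeof opts.server !== "string" || opts.server.length === 0) {
    throw new Error("server (MQTT broker host) is required");
  }
  var servedOverHttps = opts.pageProtocol === "https:";
  // rtcomm.js enables SSL by default when the page is served over https;
  // otherwise it has to be requested explicitly in the configuration.
  var useSSL = (opts.useSSL !== undefined) ? Boolean(opts.useSSL) : servedOverHttps;
  var port = (opts.port !== undefined) ? opts.port
                                       : (useSSL ? DEFAULT_SSL_PORT : DEFAULT_PLAIN_PORT);
  var config = { server: opts.server, port: port, useSSL: useSSL };

  if (opts.credentials) {
    // Added safeguard (not a rule stated on the page): never hand a password to
    // the MQTT client over a connection that is not SSL protected.
    if (!useSSL) {
      throw new Error("credentials require useSSL: true so the password is not sent in clear text");
    }
    if (!opts.credentials.userName || !opts.credentials.password) {
      throw new Error("credentials need both userName and password");
    }
    config.credentials = {
      userName: opts.credentials.userName,
      password: opts.credentials.password
    };
  }
  return config;
}

// Constructed sample values; the broker host is a placeholder.
var sslConfig = buildProviderConfig({ pageProtocol: "https:", server: "<mqttbroker server>" });
// sslConfig is { server: "<mqttbroker server>", port: 8883, useSSL: true }
var credConfig = buildProviderConfig({
  pageProtocol: "http:", server: "<mqttbroker server>", useSSL: true,
  credentials: { userName: "<username>", password: "<password>" }
});
```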

File name: twlp_config_rtcomm_security.html