Configuring Security for the rtcomm-1.0 Feature

This topic describes the many aspects of securing the rtcomm-1.0 Feature.

About this task

The following steps describe how to enable security for the rtcomm-1.0 Feature.

Procedure

  1. Configure SSL.
    SSL between the rtcomm-1.0 Feature and the MQTT Broker
    This function is enabled for the rtcomm-1.0 Feature by setting the sslEnabled="true" attribute for Rtcomm in the server.xml file. An SSL connection to the broker usually uses a different port from the plain connection (default 8883).
    SSL between the Rtcomm JavaScript Client and the MQTT Broker
    If the rtcomm.js client is served over https, it enables SSL by default (and tries to use port 8883); otherwise SSL must be enabled in the configuration that is passed when initializing the EndpointProvider. The configuration resembles the following:
    var providerConfig = {
           server: "mqttbroker.example.com",  // replace with the host name of the MQTT broker
           port: 8883,                        // replace with the SSL port of the MQTT broker (default 8883)
           useSSL: true
    };

    The previous steps ensure that the communication between the clients, the MQTT Broker, and the Liberty server that is running the rtcomm-1.0 Feature is encrypted.

  2. Configure authentication.
    Authentication and Authorization of the JavaScript Client with the MQTT Broker
    Typically, an application that is implementing Real-Time Communications authenticates a user. For further details, see Authenticating users in Liberty.

    Many external MQTT Brokers can require authentication, but they do not share the application's authentication unless they are specifically configured to do so.

    An external MQTT Broker can use similar authentication mechanisms and offer ways to use LTPA Tokens to verify identity. IBM® MessageSight supports LTPA: when the LTPA Keys are shared with the MessageSight MQTT Broker, both servers are members of the same domain (servername.domainname.com), and both use the same LDAP resource for identifying users, an LTPA Token can be used to pass the original authentication to IBM MessageSight. Other MQTT Brokers can work similarly. For further details on using LTPA with IBM MessageSight, see Lightweight Third Party Authentication (LTPA).

    The Liberty server must be configured as described in Configuring LTPA in Liberty.
    Note: Use the ssoDomainNames attribute to define the common domain between servers:
    <webAppSecurity logoutOnHttpSessionExpire="true" singleSignonEnabled="true" ssoDomainNames="domainname.com" />

    Authentication that uses LTPA is separate from authorization in IBM MessageSight; authorization must be configured separately by following the directions in Authorization.

    This configuration only works if the original authenticator that is providing the LTPA token and the MessageSight server share the same LDAP configuration.

    Client authentication without LTPA
    If LTPA cannot be configured, the rtcomm.js client provides an API that allows a user name and password to be supplied for authentication with the MQTT Broker. They are passed in the configuration that is given to the EndpointProvider during init():
    var providerConfig = {
         server: "mqttbroker.example.com",  // replace with the host name of the MQTT broker
         port: 8883,                        // replace with the port of the MQTT broker
         useSSL: true,                      // keep SSL enabled so the credentials are not sent in clear text
         credentials: {
              userName: "username",         // replace with the MQTT user name
              password: "password"          // replace with the MQTT password
         }
    };

    This configuration passes the identity and password to the MQTT client to authenticate the connection to the MQTT Broker.
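The two client-side snippets above (the SSL configuration and the credentials configuration) can be produced by one small helper. The following is an added example, not code from the IBM documentation or from rtcomm.js: it builds the EndpointProvider configuration from the page protocol the way the text describes (https enables SSL and defaults to port 8883), attaches credentials when LTPA is not in use, and refuses to emit a user name and password for a plaintext connection. Only the keys server, port, useSSL and credentials.userName/password come from the page; the function name buildProviderConfig, the redactForLog helper, the forceSSL option and the plaintext default port 1883 are assumptions of this example.

```javascript
// Added example: assemble the rtcomm.js EndpointProvider configuration.
// Keys server/port/useSSL/credentials are the ones the documentation shows;
// everything else here is an assumption of this example.

const DEFAULT_SSL_PORT = 8883;   // default SSL port named in the documentation
const DEFAULT_PLAIN_PORT = 1883; // assumption: conventional non-SSL MQTT port

// Build the configuration object that is passed to EndpointProvider init().
//   pageProtocol: window.location.protocol in a browser ("https:" or "http:")
//   server:       MQTT broker host name
//   port:         optional explicit broker port; derived from useSSL if absent
//   credentials:  optional { userName, password } for brokers without LTPA
//   forceSSL:     assumption: enable SSL even when the page is served over http
function buildProviderConfig({ pageProtocol, server, port, credentials, forceSSL = false }) {
  const servedOverHttps = pageProtocol === "https:";
  const useSSL = servedOverHttps || forceSSL;

  // Defender check (this example's policy, not documented rtcomm behaviour):
  // a user name and password must never travel over a plaintext MQTT connection.
  if (credentials && !useSSL) {
    throw new Error("credentials require useSSL: true");
  }

  const config = {
    server,
    port: port !== undefined ? port : (useSSL ? DEFAULT_SSL_PORT : DEFAULT_PLAIN_PORT),
    useSSL
  };
  if (credentials) {
    config.credentials = {
      userName: credentials.userName,
      password: credentials.password
    };
  }
  return config;
}

// Copy of the configuration that is safe to write to a console or log:
// the password is masked, everything else is kept for troubleshooting.
function redactForLog(config) {
  if (!config.credentials) return { ...config };
  return {
    ...config,
    credentials: { userName: config.credentials.userName, password: "***" }
  };
}

// Usage with constructed values (in a browser pageProtocol would be
// window.location.protocol and the result would be handed to init()):
const providerConfig = buildProviderConfig({
  pageProtocol: "https:",
  server: "mqttbroker.example.com",
  credentials: { userName: "username", password: "password" }
});
console.log(redactForLog(providerConfig));
```

The helper keeps the decision "is SSL on?" in one place, so a page that later moves from https to http fails loudly at configuration time instead of silently sending the MQTT credentials in clear text.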


Task topic

Last updated: Monday, 5 December 2016
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=twlp_config_rtcomm_security
File name: twlp_config_rtcomm_security.html