Security and Access Control
thin-edge.io uses X.509 certificates as the key mechanism to authenticate peers.
- The MQTT connection between the gateway device and the cloud is established over TLS and uses certificates to authenticate the device on the cloud, as well as to authenticate the cloud on the device.
- The local MQTT connections, from the miscellaneous services and child devices to the local MQTT broker, can also be configured to be established over TLS. In the stronger setting, the clients have to authenticate themselves using certificates.
- The local HTTP services (namely the File Transfer Service and the Cumulocity Proxy) can be configured to use HTTPS. As for MQTT, certificate-based authentication of the clients can also be enforced.
A complete setting requires numerous private keys, certificates and trust chains. Nothing really complex, but this requires rigorous settings. It is therefore recommended to set things up step by step.
- The only mandatory step is to configure the authentication between the gateway device and the cloud.
- This can be done using a self-signed device certificate or a proper CA-signed certificate.
- Most of the time the cloud certificate will be trusted out-of-the-box, but a self-signed cloud certificate will need specific care.
- The second step is to enable TLS on the local MQTT and HTTP connections.
- The final step is to enforce certificate-based client authentication on the local MQTT and HTTP connections.
📄️ Certificate signing request
Generate certificate signing request for thin-edge.io
📄️ Cloud Authentication
Configuring certificates for your cloud connection
📄️ Cumulocity IoT Token
Requesting a token for manual Cumulocity IoT API requests
📄️ Device Certificate Settings
Controlling device certificate settings
📄️ HTTPS Configuration
Setting up HTTPS for secure local communication
📄️ MQTT TLS Configuration
Setting up TLS for secure local MQTT communication
📄️ Self-signed Device Certificate
Using self-signed device certificates with thin-edge.io