MindConnect MQTT API¶
Idea¶
The MindConnect MQTT API provides functionality for applications to manage the certificates for securely connecting the MQTT agents with Industrial IoT. With appropriate authentication, the API can be easily integrated into applications hosted in an enterprise system or likewise.
For further information about the MindConnect MQTT Sync API, refer to the MindConnect MQTT API specification.
Info
- The MindConnect MQTT Service is currently available in region Europe 1.
- MindConnect MQTT Service is not available for VPC.
Access¶
For accessing this service, your application or service needs to have the respective roles listed in MindConnect MQTT roles and scopes.
Basics¶
CA Certificate¶
All MQTT-based devices that wish to connect to Insights Hub must authenticate using a unique certificate identity.
Registration Code¶
The user needs to get the registration code to use it as the common name of the verification certificate.
Verification Certificate¶
For Insights Hub to make sure that the certificate uploader also possesses the corresponding private key, the user needs to prove the possession of the private key by issuing a verification certificate with the common name provided by Insights Hub using the private key.
Auto-Generated Agent Certificate¶
The MQTT agent needs to authenticate with an agent certificate. MindConnect MQTT agents can request auto-generated agent certificate using the "create auto-generated agent certificate" endpoint. It is available in the region Europe 1.
Agent Certificate¶
An agent can be onboarded using an agent certificate issued by the environment's CA certificate.
To successfully connect, onboard, and communicate with the MQTT broker, each client needs to use a clientId
in the following format:
<clientId>=<tenant>_<AgentCertificate.Subject.CommonName>
Features¶
The MindConnect MQTT exposes its API for realizing the following:
- Upload a new CA certificate
- Get the uploaded CA certificates
- Get the CA Certificate with id
- Delete the CA certificate by id
- Verify the existing CA certificate
- Get a CA certificate's registration code
The following tasks are currently available in the region Europe 1:
- Create auto-generated agent certificate
- Get auto-generated agent certificates
- Get auto-Generated Agent Certificate with id
- Delete auto-Generated Agent Certificate by id
Limitations¶
In order to give optimal performance, MindConnect MQTT API provides technical limits on API usage and resources which needs to be incorporated while using it. API technical limits are documented here.
The following are the technical limits for resource usage:
Resource | Technical Limit |
---|---|
Maximum CA certificates count per environment | 2 |
Note
These limits are enforced on Capability Package based environments only.
Example Scenario¶
The ACME company has an IT department regulating the security of the enterprise. The security system manages the issuing of the device certificates using an enterprise application. This system has authorized the administrators to upload the CA and verification certificates using these APIs. This application issues the device certificates to IT users when they want to connect the device.