Connecting to different brokers
- Updated on 12 Apr 2024
Microsoft Azure
Creating a new IoT Hub
- Step 1: Log into Microsoft Azure and go to the Microsoft Azure Portal.
Once logged in, you'll need to create the Azure resources that your device, in our case an N3uron node, will require in order to connect to the Azure IoT Hub and start exchanging messages.
- Step 2: From the Azure homepage, select the + Create a resource option and then enter IoT Hub in the Search the Marketplace field.
- Step 3: Select IoT Hub from the search results and then select Create.
- Step 4: In the Basics tab, complete the fields as follows:
- Subscription: Select the subscription to use for your hub.
- Resource Group: Select a resource group or create a new one. To create a new one, select Create new and fill in the name you want to use. To use an existing resource group, select the specific resource group. For more information, see Resource manager.
- Region: Select the region you want your hub to be located in. Select the location closest to you.
- IoT Hub Name: Enter a name for your hub.
- Step 5: Select Next: Networking to continue creating your hub. Choose the endpoints that the devices can use to connect to your IoT Hub and select the Public access default setting.
- Step 6: Select Next: Management to continue creating your hub. Accept the default settings here.
- Step 7: Select Next: Tags to continue to the next screen. Accept the default settings here.
- Step 8: Select Next: Review + create to review your choices. You should see something similar to this screen but with the values you selected when creating the hub.
- Step 9: Select Create to start the deployment of your new hub. Your deployment will remain in progress for a few minutes while the hub is being created. Once the deployment is complete, select Go to resource to open the new hub.
Configuring Your Shared Access Policy
You can choose between two different mechanisms provided by Azure IoT Hub to authenticate devices and services: Security Tokens and X.509 Certificates.
Connection via security token (SAS)
- Step 1: Download the Device Explorer from the following URL: Device Explorer.
- Step 2: In the resource panel of the IoT Hub you have just created, select Shared access policies.
- Step 3: Click on iothubowner and copy the Primary connection string from the right-hand panel.
- Step 4: Start the Azure IoT Explorer, click on the + Add connection button, and paste the Primary connection string in the Connection String text box. Next click Save.
- Step 5: In the Devices section, click on the +New button and enter a name for your device. In Authentication type, select Symmetric key, check the Auto-generate keys field, and click on Create.
- Step 6: After creating the new identity, expand the Connection string with SAS token section. In the Symmetric key drop-down menu, select Primary Key, enter a sufficiently high figure in Expiration (minutes), click on the Generate button, and copy the part of the SAS token connection string from SharedAccessSignature= onwards.
- Step 7: Finally, configure the MQTT Client with the following settings:
- URL: HostName
- ClientId: deviceId
- Username: HostName/deviceId
- Password: SAS Token (see the previous screenshot)
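As an added example (not N3uron's or Azure's own code), the following Python builds the device SAS token that Step 6 has Azure IoT Explorer generate, and checks a token the way the hub does: the HMAC-SHA256 signature over the URL-encoded resource URI and expiry, then the expiry itself. The hub name, device name and symmetric key are constructed values.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote_plus, urlencode

# The Password field starts with this literal; everything after it is the token body.
PREFIX = "SharedAccessSignature "

# Constructed demo values (not real credentials): a 32-byte symmetric key, base64-encoded
# exactly as the device Primary Key is shown in Azure IoT Explorer.
DEMO_KEY_B64 = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()


def _sign(resource_uri, expiry, device_key_b64):
    # Azure signs "<url-encoded resource URI>\n<expiry seconds>" with the raw
    # (base64-decoded) key and base64-encodes the HMAC-SHA256 digest.
    string_to_sign = f"{quote_plus(resource_uri)}\n{expiry}".encode()
    key = base64.b64decode(device_key_b64)
    digest = hmac.new(key, string_to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def generate_device_sas(hostname, device_id, device_key_b64, expiry_minutes, now=None):
    """Return the token to paste into the MQTT client's Password field."""
    now = int(time.time()) if now is None else now
    expiry = now + expiry_minutes * 60
    # Resource URI for a device identity is "<HostName>/devices/<deviceId>".
    resource_uri = f"{hostname}/devices/{device_id}"
    fields = {"sr": resource_uri,
              "sig": _sign(resource_uri, expiry, device_key_b64),
              "se": str(expiry)}
    return PREFIX + urlencode(fields)


def verify_device_sas(token, device_key_b64, now=None):
    """True if the signature matches this device key and the token has not expired."""
    if not token.startswith(PREFIX):
        return False
    fields = {k: v[0] for k, v in parse_qs(token[len(PREFIX):]).items()}
    try:
        expiry = int(fields["se"])
        expected = _sign(fields["sr"], expiry, device_key_b64)
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    # Constant-time comparison, then the expiry check the hub applies.
    return hmac.compare_digest(expected, fields.get("sig", "")) and expiry > now
```

The token only grants access until `se`; the Expiration (minutes) value entered in Step 6 is therefore also how often the MQTT client password has to be regenerated.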
Connection via X.509 Certificates
- Step 1: Download the Device Explorer from: Device Explorer.
- Step 2: In the resource panel of the IoT Hub you have just created, select Shared access policies.
- Step 3: Click on iothubowner and copy the Primary connection string from the right-hand panel.
- Step 4: Download OpenSSL from OpenSSL.
Users can authenticate a device to their IoT Hub using two self-signed device certificates. This is sometimes called thumbprint authentication because the certificates contain thumbprints (hash values) that they submit to the IoT hub. The following tutorial explains how to create self-signed certificates, Using OpenSSL to create self-signed certificates.
- Step 5: Start the Azure IoT Explorer, click on the + Add connection button, and paste the Primary connection string in the Connection String text box. Next click Save.
- Step 6: In the Devices section, click on the +New button and enter a name for your device. In Authentication type, select X.509 self-signed, enter the Primary and Secondary thumbprints corresponding to the self-signed certificate you should have created previously, and click on Create.
- Step 7: Finally, configure your MQTT client with the following settings:
- URL: HostName
- ClientId: deviceId
- Username: HostName/deviceId
- Password: A connection string of the form “HostName=test-hub.azure-devices.net;DeviceID=TestDevice;x509=true”
- Certificate: Load your certificate
- Private key: Load your private key
AWS IoT
- Step 1: Log into Amazon and open the AWS IoT Console.
Once logged in, you’ll create the AWS IoT resources that a device will require to connect to AWS IoT and exchange messages.
Creating a Policy
This policy will authorize your device to interact with AWS IoT services. Certificates are used to authenticate your device with AWS IoT Core. AWS IoT policies are attached to the certificate authenticating the device to determine the AWS IoT operations, such as subscribing or publishing to MQTT topics that this device is permitted to perform. The device will present its certificate whenever it connects and sends messages to the AWS IoT Core. You must create the AWS IoT policy first, which will then allow you to attach it to the device certificate that you will be creating later.
- Step 1: Within the AWS IoT Console, in the left-hand menu, first select Secure and then Policies. On the You don't have a policy yet page, choose Create a policy. If your account has existing policies, choose Create.
- Step 2: On the Create a Policy page:
- In the Name field, enter a name for the policy.
- In the Action field, enter iot:Connect, iot:Receive, iot:Publish, iot:Subscribe. These are the actions that the device will need permission to perform.
- In the Resource ARN field, enter *. This selects any client (device). For increased security, it’s highly recommended that access is restricted by specifying a client ARN (Amazon resource name) once your Thing has been created.
- Select the Allow check box. These values allow all clients that have this policy attached to their certificate to perform the actions listed in the Action field.
- Step 3: After you have entered the information for your policy, choose Create.
For more information, see IAM policies.
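As an added example rather than part of the page's own procedure, the Python below builds the permissive policy Step 2 creates (all four actions on Resource *) next to the restricted form the note recommends, scoping each action to the ARN type AWS IoT checks it against (client, topic, topicfilter). The region, account ID, client ID and topic prefix are constructed placeholders.

```python
import json

# The four actions the page lists for the device.
IOT_ACTIONS = ["iot:Connect", "iot:Receive", "iot:Publish", "iot:Subscribe"]


def permissive_policy():
    """The policy the steps above create: every action allowed on Resource '*'."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": IOT_ACTIONS, "Resource": "*"}]}


def restricted_policy(region, account_id, client_id, topic_prefix):
    """Same four actions, each limited to the ARN type AWS IoT evaluates it against."""
    base = f"arn:aws:iot:{region}:{account_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            # iot:Connect is checked against the MQTT client ID (client/<id>).
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": f"{base}:client/{client_id}"},
            # iot:Publish and iot:Receive are checked against topic ARNs.
            {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
             "Resource": f"{base}:topic/{topic_prefix}/*"},
            # iot:Subscribe is checked against topicfilter ARNs, not topic ARNs.
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": f"{base}:topicfilter/{topic_prefix}/*"},
        ],
    }


def wildcard_actions(policy):
    """Return the actions an Allow statement grants on Resource '*' (goal: none)."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "*" in resources:
            found.extend(actions)
    return found


def policy_json(policy):
    """Serialise a policy document for pasting into the console's JSON editor."""
    return json.dumps(policy, indent=2)
```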
Creating a thing
Devices connected to AWS IoT are represented by Thing objects in the AWS IoT registry. A Thing object represents a specific device or logical entity.
- Step 1: Within the AWS IoT Console, in the left-hand menu, select Manage, then choose Things.
- Step 2: On the Things page, select Create Things.
- Step 3: On the Create Things page, select Create a single thing, then select Next.
- Step 4: On the Specify thing properties page, for Thing name, enter a name for your Thing.
- Step 5: Leave the rest of the fields on this page empty. Select Next.
- Step 6: On the Configure device certificate – optional page, select Auto-generate a new certificate (recommended). Select Next.
- Step 7: On the Attach policies to certificate – optional page, select the policy you created in the previous section. Choose Create thing.
- Step 8: On the Download certificates and keys page:
- Download each of the certificates and key files and save them for later. You'll need to install these files on your device. See below for the required files:
- Private key
- Public key
- Device certificate
- Root CA certificate
- Download the Amazon root CA 1.
- Choose Done.
After this procedure is complete, you should be able to see the new thing object in your list of Things. Click on the Thing you’ve just created, select the Certificates tab, and make sure the certificate is active.
- Step 9: Once that has been done, the certificate can be activated, which will allow users to connect to AWS using MqttClient. It can be attached to more than one Thing if necessary by selecting “Attach thing”.
- Step 10: In order to connect to AWS, a broker URL associated with our IoT Service is required. This URL is common to all Things. To obtain the URL, click settings to show the custom endpoint at the top of the page.
- Step 11: Finally, when setting up connections to AWS, use the following MqttClient settings:
- Protocol: MQTTS
- Broker URL: AWS Endpoint
- Port: 8883
- Certificate: thing.pem.crt
- Private Key: thing.private.pem.key
- CA Certificate: rootCA.pem
These are the essential configuration settings required for establishing a connection. The rest can be customized as desired.
Google IoT Core
Creating a registry
- Step 1: Log into Google IoT Core Platform and create a new registry, as shown in the below image:
- Step 2: Next, fill in the required fields with the relevant characteristics from your Registry:
- Registry ID: Name of the registry associated with your connection.
- Region: Determines the location where data will be stored. This can't be modified once the registry has been created.
- Protocol: Allows users to choose which protocol the connection will use. To create a MQTT Client, select the MQTT option.
- Stackdriver Logging: Sets the default logging parameter for the registry.
- Client Pub/Sub Topics: Establishes the topics to publish/subscribe to for telemetry and state events. This section can be updated and changed at any time after the creation of the registry.
The following screenshot shows the defined characteristics:
At this point, the registry has already been created, so the next step is to establish one or more devices to connect to the N3uron module and exchange messages.
Creating a device
Each device requires a private-public key to authenticate with IoT Core, which can be defined using the following OpenSSL commands:
openssl genpkey -algorithm RSA -out rsa_private.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -in rsa_private.pem -pubout -out rsa_public.pem
This will create two files: rsa_private.pem, which contains the private key, and rsa_public.pem, which contains the public key. These keys are required when creating an MQTT Client in N3uron, so make sure they are stored securely.
- Step 1: Click on Create New Device. This will take you to a configuration tab. During device creation, the public key must be applied in the configuration. The parameters applied in this configuration can be observed below:
- Device ID: A unique identifier that must match the MQTT Client ID and the topic used for this device. Communication with the device must also be enabled; the remaining sections are optional.
- Authentication: Determines how the key is entered. There are two options: enter the key manually, or upload the file containing the public key. Enter the previously generated public key here; uploading the file is the easiest way to do this.
- Step 2: Once the configuration is finished, click on Create, and the device will be created.
- Step 3: Once the device is created, MQTT Client can be connected to IoT Core using the following configuration settings:
- Destination Broker: Google IoT Core.
- Authentication Mode: JSON Web Tokens.
- Token duration: The maximum value is a full day, so any value equal to or less than this is valid.
- Algorithm: RS256 to sign the JWT (there are a wide variety of options to choose from).
- Private key: The generated private key in .pem format, stored on the device.
- Audience: Sets the project_id generated in GCP. In this case, isentropic-card-332311.
- Protocol: MQTTS (MQTT can also be used).
- Host: Specifies the URL for the MQTT broker, in this case, mqtt.googleapis.com.
- Port: The port is 8883.
- Client ID: projects/PROJECT ID/locations/CLOUD REGION/registries/REGISTRY ID/devices/DEVICE ID.
- QoS: 0 or 1 (QoS 2 is not supported and will cause the connection to be dropped).
The below screenshot demonstrates this example:
Generic Broker
To connect to a generic broker (for example Mosquitto), the following settings are used (this assumes that the broker uses unencrypted MQTT and does not require a username or password):
- Protocol: MQTT
- Host: www.example.com
- Port: 1883
These are the minimum settings required for a successful connection. However, if the broker requires authentication, whether that be with a username and password, certificate, or both, these options can be applied accordingly. The following screenshot shows the basic settings used to connect to a Mosquitto server without authentication: