Skip to main content

CC3200, Energia and Mosquitto MQTT

Submitted by mcfish on Mon, 05/12/2016 - 12:35

This blog entry is about how to install MQTT service (MQ Telemetry Transport) on Linux server with encrypted client/server connection and how to send data from CC3200 to simple PHP application. Of course it would be much easier to just communicate directly to PHP application running on webserver, but using MQTT message broker allows one client to send message to multiple listening clients. Also, if you like, you can replace Mosquitto with Amazon IOT for example, and the platform handles message caching for offline clients automatically.


Create CA and server/client sertificates:

First we will create CA that is used to sign our server and client certificates. This certificate lasts for about 10 years:

openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -days 3650 -out rootCA.pem

For the questions asked by the previous command, you can answer whatever you please. Oh, and remember to keep the rootCA.key safe, as if it's exposed to public your secure connections created with these certificates are next to useless.

Moving on.. Next step is to create certificate for mosquitto server and this one lasts for about 4 years:

openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 1460

As with the CA certificate questions, you can answer what ever you like to all other fields but to "common name". This field should contain your servers public name, that is used to access machine over network (for example: mosquitto.example.com).

For client to identify itself to server in place of username/password, you need to create certificate with the following commands:

openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.crt -days 1460 -addtrust clientAuth

Once again, only "Common Name"- field matters. This field is used to identify your client, so this could be for example "cc3200.testclient", also note that the command to sign client sertificate contained extra parameter "-addtrust clientAuth", which makes authentication with this certificate possible.

Last step is to convert certificates from PEM (ascii) format to DER (binary) format, as this is the format the board uses:

openssl x509 -in rootCA.pem -inform PEM -out ca.pem -outform DER
openssl x509 -in client.crt -inform PEM -out client.pem -outform DER
openssl rsa -in client.key -inform PEM -out private.key -outform DER

Install mosquitto to Centos 7.x server:

For this example, I'm using Centos 7.x minimal running as virtual machine, so to install Mosquitto RPM repo and mosquitto itself, type:

cd /etc/yum.repos.d/
wget http://download.opensuse.org/repositories/home:/oojah:/mqtt/CentOS_CentOS-7/home:oojah:mqtt.repo
yum install mosquitto mosquitto-clients

Copy certificate files (server.crt, server.key and rootCA.pem) to folder "/etc/mosquitto/certs". After this, you can create configuration for mosquitto to file "/etc/mosquitto/conf.d/local.conf". Here's what I have in mine:

port 8883
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
cafile /etc/mosquitto/certs/rootCA.pem
require_certificate true

Now all that's left to do, is to open a hole to firewall and start/enable mosquitto service. Assuming you are using default firewalld, the commands are:

firewall-cmd --zone=public --add-port=8883/tcp
firewall-cmd --zone=public --add-port=8883/tcp --permanent

and to start and enable automatic starting of service after reboot:

chkconfig mosquitto on
service mosquitto start

To subscribe to topics, you can use "mosquitto_sub" application with the following parameters:

mosquitto_sub -h mosquitto.example.com -p 8883 --cafile rootCA.pem --key client.key --cert client.crt -t "topic_goes_here"

If for some reason previous command fails, you can test only connection (and certificates) between workstation and mosquitto server, with the following command:

openssl s_client -connect mosquitto.yourserver.com:8883 -CAfile rootCA.pem -cert client.crt -key client.key

If everything is working, your should receive lots of text, but the only important part is the last line saying: Verify return code: 0 (ok)

Program certificate files to CC3200

To communicate with SSL protected services, you need to add client certificate (client.pem), client key (private.key) and rootCA (ca.pem) files to boards internal flash. Currently you need to use Uniflash version 3.4.1 (4.0.0 doesn't work) to program CC3200 board. You can download Linux version from here:

http://processors.wiki.ti.com/index.php/CCS_UniFlash_v3.4.1_Release_Notes#Installation_Instructions

Here's how to use uniflash to program certificate files:

-- -- -- --

Also while programming certificate files, make sure to update the board with latest bootloader if not done already, otherwise you might have problems with energia.

Oh, and if you don't know on which com port your device is on, you can find it out from terminal with dmesg command after you have attached board to computer. The line you are looking for looks like this:

--

In this example, the debugger is attached to ttyUSB1, so the com port would be: 1

Program test application to CC3200

Sample application for this project has been build with Energia 17. Unfortunately to use SSL-connection properly, you need to replace 2 energias library files with patched versions. Patched files can be downloaded from the last chapter. Files that need to be replaced are located in folder "hardware/cc3200/libraries/WiFi" under energias installation folder. These patches have been submitted to Energias git repo, but at least currently they are not part of Energia.

To build the application you also need 2 libraries for Energia. First one (DateTime) handles the boards realtime clock and retrieves the time from NTP server so we can validate SSL certificates. The other library (PubSubSslClient) is for communicating with MQTT server and this one is also somewhat modified from the original arduino version, so that is uses encrypted communication by default. Package also contains some additional libraries, but you can ignore them if you like. To install these libraries, just copy them to "library" -folder under Energias workspace folder. On linux the destination folder is something like "/home/username/sketchbook/libraries/".

Files attached to article

Energia 17 patches 8,0K
Energia libraries for the demo project 16K

Article changes

  • 8.1.2016 - Added Energia libraries to article
  • 8.12.2016 - Updated article to use Linux version of uniflash
Tags

Add new comment

Restricted HTML

  • Allowed HTML tags: <a href hreflang> <em> <strong> <cite> <blockquote cite> <code> <ul type> <ol start type> <li> <dl> <dt> <dd> <h2 id> <h3 id> <h4 id> <h5 id> <h6 id>
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.
CAPTCHA This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
3 + 1 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.