outstanding items:
@i-campbell Document that Azure IoT Hub and AWS IoT core are not supported.
@i-campbell Investigate 3.1.1 compliance of Google Cloud IoT Core. If there are any non-compliances, investigate whether they affect essential concepts of the Sparkplug library. Document findings, perhaps with an example project.
Yes, gladly.
@i-campbell Thank you! Any estimate of when? I'm not aware of the quantity of work required on your side; also, is there any short-term solution I can use to make this work with the library we have currently?
My understanding is it should be compatible now. You will just have to handle the certificates yourself. One of the test cases in the example shows how to generate CSRs, you just need to get it signed by AWS.
I will have a look tonight and either give you an example, or if not then an estimate of remaining work.
I already have a certificate on my device; I generated it with the "Security Agent" with no problem and had it connected to the AWS broker before. The bit I am not sure about is the parameters with the client, i.e. the Client ID (thing Name) and the hCert.
AWS version:
AWSclient(xEnable := TRUE,
    uiKeepAlive := 20,
    sClientId := 'thingName',
    sHostName := 'xxxxxxxxxxxxxxxxx-ats.iot.eu-west-1.amazonaws.com',
    uiPort := 8883,
    wsWillTopic := "thingName/lastWill",
    pbWillMessage := ADR(lastWillMessage),
    uiWillMessageSize := udiLWTlength,
    eLastWillQoS := eLastWillQoS,      // typed 'eLasrWillQoS' without a value in the post; assigned variable assumed
    xError => xError,                  // outputs are read with '=>', not ':='
    xBusy => xBusy,
    eError => eError,
    xConnectedToBroker => ConnectionEstablished);
SparkplugB client:
Client(ServerUrl := 'xxxxxxxxxxxxxxxxx-ats.iot.eu-west-1.amazonaws.com', // as above
    ServerPort := 8883,
    KeepAlive := 20,
    CleanSession := CleanSession,
    Username := '',        // leave blank?
    Password := '',        // leave blank?
    useTLS := TRUE,        // should be TRUE
    hCert := hCert,        // leave blank if already installed with Security Agent?
    GroupId := 'xxx',
    NodeId := 'xxx',
    DeviceName := 'xxx',
    publishPeriod := 3000,
    ConnectionState => ConnectionState
    (* ... remaining parameters omitted in the post ... *)
);
Kind regards
The clientID is generated internally:
https://forge.codesys.com/prj/mqttsparkplugb/code/HEAD/tree/trunk/mqttsparkplugb/mqttsparkplugb/SparkplugB/Function%20Blocks/FB_Edge_Of_Network_Node/FB_Edge_Of_Network_Node_1/Initialise/svnobj
It takes the 23 rightmost characters of Concat(groupID, nodeID)
There is a FB in the sparkplug library GetClientCert. I am not sure but it might be able to get the client cert you have already created.
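As an added illustration (not the library's own code) of the ClientId rule described above, the following reimplements "23 rightmost characters of CONCAT(groupId, nodeId)" and checks the result against the MQTT 3.1.1 ClientId constraints, including the case where two nodes whose identifiers differ only in the truncated prefix end up with the same ClientId; the group and node names are constructed sample values.

```python
import re
from typing import Dict, List, Tuple

# MQTT 3.1.1 [MQTT-3.1.3-5]: a server MUST accept ClientIds of 1..23 bytes made
# of 0-9, a-z, A-Z only; anything longer or with other characters is optional.
MQTT311_CLIENT_ID_RE = re.compile(r"[0-9A-Za-z]{1,23}")

# Constructed sample inventory: two sites whose names differ only in the prefix.
CONSTRUCTED_NODES = [
    ("EUPlant_Hall2_Line1", "Press01"),
    ("USPlant_Hall2_Line1", "Press01"),
    ("G1", "N1"),
]


def sparkplug_client_id(group_id: str, node_id: str) -> str:
    """Derive the MQTT ClientId the way the thread describes the library doing it:
    the 23 rightmost characters of CONCAT(groupId, nodeId)."""
    return (group_id + node_id)[-23:]


def client_id_problems(group_id: str, node_id: str) -> List[str]:
    """Reasons the derived ClientId may be refused by a strict MQTT 3.1.1 broker
    or may no longer uniquely identify the node."""
    cid = sparkplug_client_id(group_id, node_id)
    problems: List[str] = []
    if not cid:
        problems.append("empty ClientId")
    elif not MQTT311_CLIENT_ID_RE.fullmatch(cid):
        problems.append("ClientId contains characters outside [0-9A-Za-z]")
    dropped = len(group_id + node_id) - 23
    if dropped > 0:
        problems.append("ClientId truncated: %d leading character(s) of groupId dropped" % dropped)
    return problems


def find_colliding_nodes(nodes: List[Tuple[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Group nodes that map to the same ClientId. Per MQTT 3.1.1 [MQTT-3.1.4-2] the
    broker disconnects the existing session when a second client connects with the
    same ClientId, so such nodes would keep knocking each other offline."""
    by_cid: Dict[str, List[Tuple[str, str]]] = {}
    for group_id, node_id in nodes:
        by_cid.setdefault(sparkplug_client_id(group_id, node_id), []).append((group_id, node_id))
    return {cid: members for cid, members in by_cid.items() if len(members) > 1}


if __name__ == "__main__":
    for g, n in CONSTRUCTED_NODES:
        print(g, n, "->", sparkplug_client_id(g, n), client_id_problems(g, n))
    print("collisions:", find_colliding_nodes(CONSTRUCTED_NODES))
```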
Hi!
We would love to know if you have succeeded and what type of obstacles you had to tackle ;-) 👌💪
OK, I tried out the GetClientCert FB but the "ProvideCertificate" output never goes TRUE (I followed the documentation in the lib). The other thing is I am not sure how this is utilising the Amazon Root CA 1 certificate. I think maybe the SparkplugB lib needs to be built on top of the AWS_IOTcore client.
@i-campbell Are you willing to share the source software with me so I can switch out the clients etc.? This will save me time having to write the NBIRTH/.. methods, data etc. Once integrated I would return the source.
Yes of course, it is MIT licensed. You can get the latest "release" here:
https://forge.codesys.com/prj/mqttsparkplugb/code/HEAD/tree/tags/v1.0.0.0/Code5Automation%20SparkPlugB%20v1.0.0.0/
or if you want the more advanced-stage library, the .library and an example.project are available here:
https://forge.codesys.com/prj/mqttsparkplugb/code/HEAD/tree/trunk/mqttsparkplugb/
ProvideCertificate is not coming true, because the FB is hard coded to need all three of the certificate parameters, and the AWS library only sets the common name.
If you use this modified FB (attached), I was able to get my client cert that was made by the AWS IoT Core SL library, as it now only requires the common name. I have just added it to the trunk library as well.
You are right, we do not verify the server certificate. This was only introduced with the library MQTT SL 1.0.2.0, so I will create another ticket to verify the server certificate.
In v1.3.3.0, which is under development as this is posted, the MQTT client is upgraded to v1.0.2.0. This means this client will be the most recent version as shipped with IIoT SL v1.0.0.3.
This MQTT client will allow for a broader acceptance of TLS connections, so it should be capable of connecting to AWS without using the AWS client wrapper that is part of the same IIoT library.
We will release an intermediate version as a tag for easy public download very soon. Stay tuned.
Do we have an update on this topic, guys?
Hello,
I must go and lunch, but attached is the working project example with AWS.
Note that AWS IoT Core does not support the SparkplugB specification, as it does not allow retained messages (which are needed by the host) and does not guarantee the order of messages... This does not affect the EoN connecting and publishing, but the Primary Host which we are currently developing will need a special setting for "Support AWS IoT Core by departing from the specification".
Later I will post some step by step instructions.
You can get the 1.4.0.4 library here: https://forge.codesys.com/prj/mqttsparkplugb/code/716/tree/trunk/mqttsparkplug/mqttsparkplug_trunk.library?format=raw
The steps for registering the thing are very similar to:
https://forge.codesys.com/forge/talk/Engineering/thread/eb7b1c293b/#56c7
I find using the xGet_a_CSR and sCSR from my attached example easier than steps 2,43-47 of the guide.
outstanding items:
CANCELLED @i-campbell Ticket to make FB_Primary Host "Support AWS IoT Core by departing from the specification".
CANCELLED @i-campbell Provide an instruction page for using this example.
CANCELLED @ferraraf to provide feedback if it works for him.
In discussion with @hermsen, we have decided that we will not support AWS IoT Core, as it is not a 3.1.1 compatible MQTT server which is required by the Sparkplug standard. Additionally, some of the key concepts of the Sparkplug standard (e.g. retained Server STATE messages) do not work. If you are stuck with AWS infrastructure, I think you would need to use for example EC2 and a Mosquitto server. Azure IoT Hub is even less compliant as a 3.1.1 server. I think Google Cloud IoT Core is 3.1.1 compliant, but will need to research further.
outstanding items:
Done, neither of the big three is 100% compatible with the MQTT v3.1.1 spec (they have limited compatibility).
It seems AWS cannot support sparkplug due to their limited MQTT compatibility.