I am conducting a Mosquitto integration test using post-quantum cryptography (PQC) algorithms and Fiware.
I have configured the Dockerfile to install all the necessary dependencies:
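# Extends the FIWARE IoT Agent (Ultralight) image with a source-built
# OpenSSL 3, liboqs and oqs-provider under ${INSTALLDIR}, so that the openssl
# CLI inside the container can negotiate post-quantum (PQC) key exchange.
#
# NOTE(review): ":latest" is a moving tag. Pin a release tag or an image digest
# so rebuilds are reproducible and a changed base image cannot slip in unnoticed.
FROM fiware/iotagent-ul:latest

# Root is needed for the package installs and for writing under /opt.
USER root

# Toolchain for the three source builds. update and install share one layer,
# and the apt lists are removed in that same layer so they never reach the image.
# ca-certificates is listed explicitly because --no-install-recommends would
# otherwise drop it, and the HTTPS downloads below need it to verify servers.
RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential \
        ca-certificates \
        cmake \
        doxygen \
        gcc \
        git \
        libssl-dev \
        libtool \
        make \
        ninja-build \
        wget \
    && rm -rf /var/lib/apt/lists/*

# CMake 3.22.0 release tarball from the Kitware GitHub releases page.
# Optional integrity pin: build with
#   --build-arg CMAKE_SHA256=<sha256 taken from the release's checksum file>
# and the build fails if the downloaded archive does not match.
ARG CMAKE_SHA256=""
RUN wget https://github.com/Kitware/CMake/releases/download/v3.22.0/cmake-3.22.0-linux-x86_64.tar.gz && \
    if [ -n "${CMAKE_SHA256}" ]; then \
        echo "${CMAKE_SHA256}  cmake-3.22.0-linux-x86_64.tar.gz" | sha256sum -c -; \
    fi && \
    tar -xzf cmake-3.22.0-linux-x86_64.tar.gz && \
    rm cmake-3.22.0-linux-x86_64.tar.gz && \
    mv cmake-3.22.0-linux-x86_64 /opt/cmake && \
    ln -s /opt/cmake/bin/cmake /usr/local/bin/cmake

# Upstream release tags, install prefix and algorithm selection.
# NOTE(review): git tags can be moved upstream; for a reproducible build, record
# the commit each tag resolves to and check it after cloning.
ARG OPENSSL_TAG=openssl-3.3.2
ARG LIBOQS_TAG=0.11.0
ARG OQSPROVIDER_TAG=0.7.0
ARG INSTALLDIR=/opt/oqssa
ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON"
# Key-exchange groups written into openssl.cnf as the TLS default (see sed below).
ARG KEM_ALGLIST="kyber768:p384_kyber768"
# Declared but not referenced anywhere else in this Dockerfile.
ARG SIG_ALG="dilithium3"

WORKDIR /opt
RUN git clone --depth 1 --branch "${LIBOQS_TAG}" https://github.com/open-quantum-safe/liboqs && \
    git clone --depth 1 --branch "${OPENSSL_TAG}" https://github.com/openssl/openssl.git && \
    git clone --depth 1 --branch "${OQSPROVIDER_TAG}" https://github.com/open-quantum-safe/oqs-provider.git

# liboqs: configure into ./build and install under ${INSTALLDIR}.
# LIBOQS_BUILD_DEFINES stays unquoted so several -D flags split into arguments.
WORKDIR /opt/liboqs
RUN cmake -GNinja -S . -B build ${LIBOQS_BUILD_DEFINES} -DCMAKE_INSTALL_PREFIX="${INSTALLDIR}" && \
    ninja -C build install

# OpenSSL: shared build with an rpath into ${INSTALLDIR}/lib; only the software
# and the ssl directories are installed (no documentation).
WORKDIR /opt/openssl
RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib" ./config shared --prefix="${INSTALLDIR}" && \
    make -j "$(nproc)" && \
    make install_sw install_ssldirs && \
    if [ -d "${INSTALLDIR}/lib" ]; then ln -s "${INSTALLDIR}/lib" "${INSTALLDIR}/lib64"; fi

# Put the freshly built openssl CLI ahead of the distribution one. Set once;
# repeating this later would only duplicate the entry.
ENV PATH="${INSTALLDIR}/bin:${PATH}"

# oqs-provider: build against the OpenSSL above, copy the module into the
# provider directory and activate it in openssl.cnf.
# NOTE(review): each sed rewrites an exact string from the stock openssl.cnf and
# exits 0 even when nothing matched, so a changed template would leave the
# provider inactive without failing the build. Check the result with
# `openssl list -providers` in the finished image.
WORKDIR /opt/oqs-provider
RUN ln -s ../openssl . && \
    cmake -DOPENSSL_ROOT_DIR="${INSTALLDIR}" -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH="${INSTALLDIR}" -S . -B _build && \
    cmake --build _build && \
    cp _build/lib/oqsprovider.so "${INSTALLDIR}/lib64/ossl-modules" && \
    sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" "${INSTALLDIR}/ssl/openssl.cnf" && \
    sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" "${INSTALLDIR}/ssl/openssl.cnf" && \
    sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = ${KEM_ALGLIST}\n/g" "${INSTALLDIR}/ssl/openssl.cnf"

# Append the previous value only when there is one: a bare trailing ':' leaves
# an empty entry, which the glibc loader treats as the current working
# directory and would let a library dropped there be loaded.
ENV LD_LIBRARY_PATH="${INSTALLDIR}/lib64${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}"

# NOTE(review): LD_LIBRARY_PATH only affects binaries that load libssl/libcrypto
# dynamically. Official Node.js builds normally link their own bundled OpenSSL,
# so the agent may never use this build; compare `node -p process.versions.openssl`
# with `openssl version` inside the container to confirm which one is in play.

# NOTE(review): the image keeps running as root from here on, and the compilers
# and git stay in the runtime image. Prefer a multi-stage build that copies only
# ${INSTALLDIR} into the final stage, and switch back to the unprivileged
# account the base image runs as:
# USER <base-image-runtime-user>

EXPOSE 4041
CMD ["node", "/opt/iotaul/bin/iotagent-ul"]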
Despite this, I can't get it to connect correctly to the broker (even though openssl works correctly with PQC). Could it be that Fiware is not using openssl from the system? How could Fiware be configured to work with PQC?
I have run the following docker-compose:
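# Compose stack for the test: MongoDB, Orion Context Broker and the locally
# built IoT Agent (Ultralight), all attached to the pre-existing
# "mosquitto-test" network.
version: '3'
services:
  mongo:
    image: mongo:4.4
    container_name: fiware-mongo
    networks:
      - mosquitto-test
    # NOTE(review): this publishes MongoDB on every host interface and no
    # authentication is configured here. Orion reaches it over the compose
    # network, so the mapping is only needed for host-side tools.
    ports:
      - "27017:27017"
  orion:
    # NOTE(review): ":latest" is a moving tag; pin a release for repeatable tests.
    image: fiware/orion:latest
    container_name: fiware-orion
    depends_on:
      - mongo
    networks:
      - mosquitto-test
    ports:
      - "1026:1026"
    command: -dbhost mongo -logLevel DEBUG
  iotagent-ul:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: fiware-iotagent
    depends_on:
      - orion
    networks:
      - mosquitto-test
    ports:
      - "4041:4041"
    environment:
      # IoT Agent UL configuration
      - IOTAGENT_UL=iotagent-ul
      - MOSQUITTO=oqs-mosquitto-broker
      # Context Broker
      - IOTA_CB_HOST=orion
      - IOTA_CB_PORT=1026
      # Parameters for the secure MQTT connection to the PQC broker
      - IOTA_MQTT_HOST=oqs-mosquitto-broker
      - IOTA_MQTT_PORT=8883
      # NOTE(review): confirm the five names below against the IoT Agent
      # documentation. The agent's MQTT binding log reports its options as
      # protocol / ca / cert / key / rejectUnauthorized, and the documented
      # variables appear to be IOTA_MQTT_PROTOCOL, IOTA_MQTT_CA, IOTA_MQTT_CERT
      # and IOTA_MQTT_KEY (verify). An unrecognised variable is presumably
      # ignored without error, which would leave the client speaking plain
      # "mqtt" to the TLS port with no certificate checks at all.
      - IOTA_MQTT_USE_TLS=true
      - IOTA_MQTT_CA_CERT=/certs/ca.crt
      - IOTA_MQTT_CLIENT_CERT=/certs/client.crt
      - IOTA_MQTT_CLIENT_KEY=/certs/client.key
      # NOTE(review): OQS_AES128_GCM_SHA256 does not look like an OpenSSL
      # cipher-suite name. With oqs-provider the post-quantum part of TLS 1.3 is
      # negotiated through key-exchange groups (the Groups list in openssl.cnf),
      # not through the cipher list.
      - IOTA_MQTT_CIPHERS=OQS_AES128_GCM_SHA256:HIGH:!aNULL:!MD5
    volumes:
      # Read-only: the agent only reads the CA, client certificate and key.
      # On the host, keep client.key readable by the agent's user only.
      - /home/kali/oqs-certs:/certs:ro
networks:
  mosquitto-test:
    external: true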
When I run it, it does not establish the connection to Mosquitto.
I am conducting a Mosquitto integration test using post-quantum cryptography (PQC) algorithms and Fiware.
I have configured the Dockerfile to install all the necessary dependencies:
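# Extends the FIWARE IoT Agent (Ultralight) image with a source-built
# OpenSSL 3, liboqs and oqs-provider under ${INSTALLDIR}, so that the openssl
# CLI inside the container can negotiate post-quantum (PQC) key exchange.
#
# NOTE(review): ":latest" is a moving tag. Pin a release tag or an image digest
# so rebuilds are reproducible and a changed base image cannot slip in unnoticed.
FROM fiware/iotagent-ul:latest

# Root is needed for the package installs and for writing under /opt.
USER root

# Toolchain for the three source builds. update and install share one layer,
# and the apt lists are removed in that same layer so they never reach the image.
# ca-certificates is listed explicitly because --no-install-recommends would
# otherwise drop it, and the HTTPS downloads below need it to verify servers.
RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential \
        ca-certificates \
        cmake \
        doxygen \
        gcc \
        git \
        libssl-dev \
        libtool \
        make \
        ninja-build \
        wget \
    && rm -rf /var/lib/apt/lists/*

# CMake 3.22.0 release tarball from the Kitware GitHub releases page.
# Optional integrity pin: build with
#   --build-arg CMAKE_SHA256=<sha256 taken from the release's checksum file>
# and the build fails if the downloaded archive does not match.
ARG CMAKE_SHA256=""
RUN wget https://github.com/Kitware/CMake/releases/download/v3.22.0/cmake-3.22.0-linux-x86_64.tar.gz && \
    if [ -n "${CMAKE_SHA256}" ]; then \
        echo "${CMAKE_SHA256}  cmake-3.22.0-linux-x86_64.tar.gz" | sha256sum -c -; \
    fi && \
    tar -xzf cmake-3.22.0-linux-x86_64.tar.gz && \
    rm cmake-3.22.0-linux-x86_64.tar.gz && \
    mv cmake-3.22.0-linux-x86_64 /opt/cmake && \
    ln -s /opt/cmake/bin/cmake /usr/local/bin/cmake

# Upstream release tags, install prefix and algorithm selection.
# NOTE(review): git tags can be moved upstream; for a reproducible build, record
# the commit each tag resolves to and check it after cloning.
ARG OPENSSL_TAG=openssl-3.3.2
ARG LIBOQS_TAG=0.11.0
ARG OQSPROVIDER_TAG=0.7.0
ARG INSTALLDIR=/opt/oqssa
ARG LIBOQS_BUILD_DEFINES="-DOQS_DIST_BUILD=ON"
# Key-exchange groups written into openssl.cnf as the TLS default (see sed below).
ARG KEM_ALGLIST="kyber768:p384_kyber768"
# Declared but not referenced anywhere else in this Dockerfile.
ARG SIG_ALG="dilithium3"

WORKDIR /opt
RUN git clone --depth 1 --branch "${LIBOQS_TAG}" https://github.com/open-quantum-safe/liboqs && \
    git clone --depth 1 --branch "${OPENSSL_TAG}" https://github.com/openssl/openssl.git && \
    git clone --depth 1 --branch "${OQSPROVIDER_TAG}" https://github.com/open-quantum-safe/oqs-provider.git

# liboqs: configure into ./build and install under ${INSTALLDIR}.
# LIBOQS_BUILD_DEFINES stays unquoted so several -D flags split into arguments.
WORKDIR /opt/liboqs
RUN cmake -GNinja -S . -B build ${LIBOQS_BUILD_DEFINES} -DCMAKE_INSTALL_PREFIX="${INSTALLDIR}" && \
    ninja -C build install

# OpenSSL: shared build with an rpath into ${INSTALLDIR}/lib; only the software
# and the ssl directories are installed (no documentation).
WORKDIR /opt/openssl
RUN LDFLAGS="-Wl,-rpath -Wl,${INSTALLDIR}/lib" ./config shared --prefix="${INSTALLDIR}" && \
    make -j "$(nproc)" && \
    make install_sw install_ssldirs && \
    if [ -d "${INSTALLDIR}/lib" ]; then ln -s "${INSTALLDIR}/lib" "${INSTALLDIR}/lib64"; fi

# Put the freshly built openssl CLI ahead of the distribution one. Set once;
# repeating this later would only duplicate the entry.
ENV PATH="${INSTALLDIR}/bin:${PATH}"

# oqs-provider: build against the OpenSSL above, copy the module into the
# provider directory and activate it in openssl.cnf.
# NOTE(review): each sed rewrites an exact string from the stock openssl.cnf and
# exits 0 even when nothing matched, so a changed template would leave the
# provider inactive without failing the build. Check the result with
# `openssl list -providers` in the finished image.
WORKDIR /opt/oqs-provider
RUN ln -s ../openssl . && \
    cmake -DOPENSSL_ROOT_DIR="${INSTALLDIR}" -DCMAKE_BUILD_TYPE=Release -DCMAKE_PREFIX_PATH="${INSTALLDIR}" -S . -B _build && \
    cmake --build _build && \
    cp _build/lib/oqsprovider.so "${INSTALLDIR}/lib64/ossl-modules" && \
    sed -i "s/default = default_sect/default = default_sect\noqsprovider = oqsprovider_sect/g" "${INSTALLDIR}/ssl/openssl.cnf" && \
    sed -i "s/\[default_sect\]/\[default_sect\]\nactivate = 1\n\[oqsprovider_sect\]\nactivate = 1\n/g" "${INSTALLDIR}/ssl/openssl.cnf" && \
    sed -i "s/providers = provider_sect/providers = provider_sect\nssl_conf = ssl_sect\n\n\[ssl_sect\]\nsystem_default = system_default_sect\n\n\[system_default_sect\]\nGroups = ${KEM_ALGLIST}\n/g" "${INSTALLDIR}/ssl/openssl.cnf"

# Append the previous value only when there is one: a bare trailing ':' leaves
# an empty entry, which the glibc loader treats as the current working
# directory and would let a library dropped there be loaded.
ENV LD_LIBRARY_PATH="${INSTALLDIR}/lib64${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}"

# NOTE(review): LD_LIBRARY_PATH only affects binaries that load libssl/libcrypto
# dynamically. Official Node.js builds normally link their own bundled OpenSSL,
# so the agent may never use this build; compare `node -p process.versions.openssl`
# with `openssl version` inside the container to confirm which one is in play.

# NOTE(review): the image keeps running as root from here on, and the compilers
# and git stay in the runtime image. Prefer a multi-stage build that copies only
# ${INSTALLDIR} into the final stage, and switch back to the unprivileged
# account the base image runs as:
# USER <base-image-runtime-user>

EXPOSE 4041
CMD ["node", "/opt/iotaul/bin/iotagent-ul"]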
Despite this, I can't get it to connect correctly to the broker (even though openssl works correctly with PQC). Could it be that Fiware is not using openssl from the system? How could Fiware be configured to work with PQC?
I have run the following docker-compose:
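# Compose stack for the test: MongoDB, Orion Context Broker and the locally
# built IoT Agent (Ultralight), all attached to the pre-existing
# "mosquitto-test" network.
version: '3'
services:
  mongo:
    image: mongo:4.4
    container_name: fiware-mongo
    networks:
      - mosquitto-test
    # NOTE(review): this publishes MongoDB on every host interface and no
    # authentication is configured here. Orion reaches it over the compose
    # network, so the mapping is only needed for host-side tools.
    ports:
      - "27017:27017"
  orion:
    # NOTE(review): ":latest" is a moving tag; pin a release for repeatable tests.
    image: fiware/orion:latest
    container_name: fiware-orion
    depends_on:
      - mongo
    networks:
      - mosquitto-test
    ports:
      - "1026:1026"
    command: -dbhost mongo -logLevel DEBUG
  iotagent-ul:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: fiware-iotagent
    depends_on:
      - orion
    networks:
      - mosquitto-test
    ports:
      - "4041:4041"
    environment:
      # IoT Agent UL configuration
      - IOTAGENT_UL=iotagent-ul
      - MOSQUITTO=oqs-mosquitto-broker
      # Context Broker
      - IOTA_CB_HOST=orion
      - IOTA_CB_PORT=1026
      # Parameters for the secure MQTT connection to the PQC broker
      - IOTA_MQTT_HOST=oqs-mosquitto-broker
      - IOTA_MQTT_PORT=8883
      # NOTE(review): confirm the five names below against the IoT Agent
      # documentation. The agent's MQTT binding log reports its options as
      # protocol / ca / cert / key / rejectUnauthorized, and the documented
      # variables appear to be IOTA_MQTT_PROTOCOL, IOTA_MQTT_CA, IOTA_MQTT_CERT
      # and IOTA_MQTT_KEY (verify). An unrecognised variable is presumably
      # ignored without error, which would leave the client speaking plain
      # "mqtt" to the TLS port with no certificate checks at all.
      - IOTA_MQTT_USE_TLS=true
      - IOTA_MQTT_CA_CERT=/certs/ca.crt
      - IOTA_MQTT_CLIENT_CERT=/certs/client.crt
      - IOTA_MQTT_CLIENT_KEY=/certs/client.key
      # NOTE(review): OQS_AES128_GCM_SHA256 does not look like an OpenSSL
      # cipher-suite name. With oqs-provider the post-quantum part of TLS 1.3 is
      # negotiated through key-exchange groups (the Groups list in openssl.cnf),
      # not through the cipher list.
      - IOTA_MQTT_CIPHERS=OQS_AES128_GCM_SHA256:HIGH:!aNULL:!MD5
    volumes:
      # Read-only: the agent only reads the CA, client certificate and key.
      # On the host, keep client.key readable by the agent's user only.
      - /home/kali/oqs-certs:/certs:ro
networks:
  mosquitto-test:
    external: true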
When I run it, it does not establish the connection to Mosquitto.
Asked Feb 5 at 16:42 by PauPau.

Answer:
I am sure you are aware of the existing FIWARE tutorial on connecting to MQTT.
Within that tutorial, the IoT Agent is looking for an MQTT broker called "mosquitto"
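# Excerpt of the IoT Agent service: the broker is addressed by its hostname
# on the shared compose network.
iotagent-ul:
  environment:
    - IOTA_MQTT_HOST=mosquitto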
And the MQTT broker container is hosted on the same network with the hostname
"mosquitto"
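# MQTT broker service; "hostname" is the name other containers on the same
# network use to reach it.
# NOTE(review): the image is untagged (resolves to "latest"), and 1883 is
# conventionally the unencrypted MQTT port, so this excerpt does not cover a
# TLS listener such as 8883. Both ports are also published on the host.
mosquitto:
  image: eclipse-mosquitto
  hostname: mosquitto
  container_name: mosquitto
  networks:
    - default
  expose:
    - '1883'
    - '9001'
  ports:
    - '1883:1883'
    - '9001:9001'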
You have the line MOSQUITTO=oqs-mosquitto-broker. For an external MQTT broker, this needs to be a publicly accessible MQTT broker such as broker.hivemq.com, rather than just the hostname alias within the default network.
On start-up with IOTA_LOG_LEVEL=DEBUG set, you should see a series of debug messages related to MQTT - just look for IOTAUL.MQTT.Binding:
2025-02-12 11:22:05 time=2025-02-12T10:22:05.673Z | lvl=INFO | corr=280391b1-1627-46db-aca8-4514e33a428b | trans=280391b1-1627-46db-aca8-4514e33a428b | op=IOTAUL.MQTT.Binding | from=n/a | srv=n/a | subsrv=n/a | msg=Starting MQTT binding with options {"protocol":"mqtt","host":"mosquitto","port":"1883","key":null,"ca":null,"cert":null,"rejectUnauthorized":true,"username":null,"password":null,"clean":true,"clientId":"iotaul_0dc1b825","keepalive":60,"connectTimeout":3600000} retries 5 retryTIme 5 | comp=IoTAgent
2025-02-12 11:22:05 time=2025-02-12T10:22:05.673Z | lvl=INFO | corr=280391b1-1627-46db-aca8-4514e33a428b | trans=280391b1-1627-46db-aca8-4514e33a428b | op=IOTAUL.MQTT.Binding | from=n/a | srv=n/a | subsrv=n/a | msg=creating connection | comp=IoTAgent
2025-02-12 11:22:05 time=2025-02-12T10:22:05.698Z | lvl=INFO | corr=280391b1-1627-46db-aca8-4514e33a428b | trans=280391b1-1627-46db-aca8-4514e33a428b | op=IOTAUL.MQTT.Binding | from=n/a | srv=n/a | subsrv=n/a | msg=connected | comp=IoTAgent
2025-02-12 11:22:05 time=2025-02-12T10:22:05.711Z | lvl=INFO | corr=280391b1-1627-46db-aca8-4514e33a428b | trans=280391b1-1627-46db-aca8-4514e33a428b | op=IOTAUL.MQTT.Binding | from=n/a | srv=n/a | subsrv=n/a | msg=MQTT Client connected | comp=IoTAgent
2025-02-12 11:22:05 time=2025-02-12T10:22:05.711Z | lvl=DEBUG | corr=280391b1-1627-46db-aca8-4514e33a428b | trans=280391b1-1627-46db-aca8-4514e33a428b | op=IOTAUL.MQTT.Binding | from=n/a | srv=n/a | subsrv=n/a | msg=Recreating global subscriptions for all devices | comp=IoTAgent
2025-02-12 11:22:05 time=2025-02-12T10:22:05.711Z | lvl=DEBUG | corr=280391b1-1627-46db-aca8-4514e33a428b | trans=280391b1-1627-46db-aca8-4514e33a428b | op=IOTAUL.MQTT.Binding | from=n/a | srv=n/a | subsrv=n/a | msg=Generating topics | comp=IoTAgent
2025-02-12 11:22:05 time=2025-02-12T10:22:05.711Z | lvl=DEBUG | corr=280391b1-1627-46db-aca8-4514e33a428b | trans=280391b1-1627-46db-aca8-4514e33a428b | op=IoTAgentNGSI.ContextServer | from=n/a | srv=n/a | subsrv=n/a | msg=Subscribing to topics: ["$share/ul//+/+/attrs/+","$share/ul//ul/+/+/attrs/+","$share/ul//+/+/attrs","$share/ul//ul/+/+/attrs","$share/ul//+/+/configuration/commands","$share/ul//ul/+/+/configuration/commands","$share/ul//+/+/cmdexe","$share/ul//ul/+/+/cmdexe","$share/ul/+/+/attrs/+","$share/ul/ul/+/+/attrs/+","$share/ul/+/+/attrs","$share/ul/ul/+/+/attrs","$share/ul/+/+/configuration/commands","$share/ul/ul/+/+/configuration/commands","$share/ul/+/+/cmdexe","$share/ul/ul/+/+/cmdexe"] | comp=IoTAgent
2025-02-12 11:22:05 time=2025-02-12T10:22:05.716Z | lvl=INFO | corr=280391b1-1627-46db-aca8-4514e33a428b | trans=280391b1-1627-46db-aca8-4514e33a428b | op=IoTAgentNGSI.ContextServer | from=n/a | srv=n/a | subsrv=n/a | msg=Successfully subscribed to the following topics: ["$share/ul//+/+/attrs/+","$share/ul//ul/+/+/attrs/+","$share/ul//+/+/attrs","$share/ul//ul/+/+/attrs","$share/ul//+/+/configuration/commands","$share/ul//ul/+/+/configuration/commands","$share/ul//+/+/cmdexe","$share/ul//ul/+/+/cmdexe","$share/ul/+/+/attrs/+","$share/ul/ul/+/+/attrs/+","$share/ul/+/+/attrs","$share/ul/ul/+/+/attrs","$share/ul/+/+/configuration/commands","$share/ul/ul/+/+/configuration/commands","$share/ul/+/+/cmdexe","$share/ul/ul/+/+/cmdexe"] | comp=IoTAgent
In your case you will find that the "creating connection" and "connected" messages will fail because the location of the MQTT broker has not been found.