I am writing this post to share the solution for various issues I came across while testing AWS IoT using MQTT.fx Client.

In this post, I am going to show the configuration required on the MQTT.fx client side as well as on the AWS IoT side. I did my testing with MQTT.fx version 1.3.1 (on Windows 7, 64-bit), but the steps and configuration described in this post should work with other versions of the MQTT.fx client as well.

First, you need to create a Device (Thing), a Policy and a Certificate as per the instructions given in the AWS IoT Developer Guide. Here are the links you can refer to –

Create Thing
http://docs.aws.amazon.com/iot/latest/developerguide/register-device.html

Create and Activate a Device Certificate
http://docs.aws.amazon.com/iot/latest/developerguide/register-device.html
NOTE: Download the certificate for the thing, root CA and private key (important). You cannot retrieve the private key later.

[Screenshot: certificate download]

Attach an AWS IoT Policy
http://docs.aws.amazon.com/iot/latest/developerguide/attach-iot-policy.html

At this point, you should have a newly created Thing, Policy and Certificate. (Make sure the thing and the policy are attached to the certificate.)

Now, open the MQTT.fx client and create a new connection profile by going to the following menu option –
Extras -> Edit Connection Profiles
and then clicking the ‘+’ button (at bottom left side).

Find the broker address for your device (thing) by selecting your device/thing in the AWS IoT console and then clicking on the ‘Interact’ menu.
(AWS IoT -> Registry -> Things -> THING_NAME -> Interact)

[Screenshot: AWS IoT endpoint host name]

The REST API endpoint name under the HTTPS section is your broker address.

Port Number for the secured MQTT connection is 8883.

You can specify any value for the ‘Profile Name’ and the ‘Client ID’ fields.

In the lower tabs, change only the fields in the ‘SSL/TLS’ tab and leave the other tabs at their default values. Configure the values in the ‘SSL/TLS’ tab as shown in the screenshot below and then click on the ‘Apply’/‘OK’ button.

[Screenshot: MQTT.fx connection profile, SSL/TLS tab]

If everything is configured correctly, you should be able to connect successfully.

[Screenshot: MQTT.fx connected]

However, if the connection fails, click on the ‘Log’ tab to see the logs.

If you come across a ‘certificate_unknown’ error like the following –

org.eclipse.paho.client.mqttv3.MqttException: MqttException
	at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
	at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:664) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
	at java.lang.Thread.run(Unknown Source) [?:1.8.0_112]
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
	at sun.security.ssl.Alerts.getSSLException(Unknown Source) ~[?:1.8.0_112]
	at sun.security.ssl.Alerts.getSSLException(Unknown Source) ~[?:1.8.0_112]
	at sun.security.ssl.SSLSocketImpl.recvAlert(Unknown Source) ~[?:1.8.0_112]
	at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) ~[?:1.8.0_112]
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) ~[?:1.8.0_112]
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:1.8.0_112]
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) ~[?:1.8.0_112]
	at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:93) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
	at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:650) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]

Solution: Check whether your certificate is enabled (activated) in AWS IoT. If you have configured the correct certificates as shown before, enabling the certificate should resolve the issue.

If you encounter a ‘Connection lost’ issue with error logs like the following –

org.eclipse.paho.client.mqttv3.MqttException: Connection lost
	at org.eclipse.paho.client.mqttv3.internal.CommsReceiver.run(CommsReceiver.java:146) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
	at java.lang.Thread.run(Unknown Source) [?:1.8.0_112]
Caused by: java.io.EOFException
	at java.io.DataInputStream.readByte(Unknown Source) ~[?:1.8.0_112]
	at org.eclipse.paho.client.mqttv3.internal.wire.MqttInputStream.readMqttWireMessage(MqttInputStream.java:65) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
	at org.eclipse.paho.client.mqttv3.internal.CommsReceiver.run(CommsReceiver.java:107) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
	... 1 more
ERROR --- MqttFX ClientModel             : Please verify your Settings (e.g. Broker Address, Broker Port & Client ID) and the user credentials!
org.eclipse.paho.client.mqttv3.MqttException: Connection lost
	at org.eclipse.paho.client.mqttv3.internal.CommsReceiver.run(CommsReceiver.java:146) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
	at java.lang.Thread.run(Unknown Source) [?:1.8.0_112]
Caused by: java.io.EOFException
	at java.io.DataInputStream.readByte(Unknown Source) ~[?:1.8.0_112]
	at org.eclipse.paho.client.mqttv3.internal.wire.MqttInputStream.readMqttWireMessage(MqttInputStream.java:65) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
	at org.eclipse.paho.client.mqttv3.internal.CommsReceiver.run(CommsReceiver.java:107) ~[org.eclipse.paho.client.mqttv3-1.1.0.jar:?]
	... 1 more

Solution: Check whether the policy is attached to the certificate.

If the policy is already attached to the certificate, then edit the policy as follows –

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*"
    }
  ]
}

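This should resolve the issue. Note that this policy allows every AWS IoT action on every resource, so it is suited to confirming that the policy was the cause; narrow it before the certificate is used on a real device.

Leave a comment if you still have any issue with the MQTT connection.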
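Once the connection works with the wildcard policy above, it can be replaced by a scoped one. The following is an added example, not part of the original post: REGION, ACCOUNT_ID and CLIENT_ID are placeholders for your own values, and the `test/` topic prefix is an assumption chosen for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:REGION:ACCOUNT_ID:client/CLIENT_ID"
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish", "iot:Receive"],
      "Resource": "arn:aws:iot:REGION:ACCOUNT_ID:topic/test/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:REGION:ACCOUNT_ID:topicfilter/test/*"
    }
  ]
}
```

With this policy the ‘Client ID’ in the MQTT.fx profile must match CLIENT_ID, and publishing or subscribing outside `test/` is refused, which shows up in MQTT.fx as the same ‘Connection lost’ disconnect.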
