Setting up a Low Cost SMQ IoT Broker

The following Internet of Things IoT tutorial will show how easy it is to build your own IoT cloud solution and connect thousands of devices. For the purpose of demonstration, we have selected a low-end Virtual Private Server (VPS) with 64Mb of memory that is capable of serving up to 10,000 unique devices (tested). Alternatively, the same software solution could easily scale to accommodate millions of connections by making use of a more sophisticated service providers, such as Amazon Elastic Cloud or Google Cloud.

The cost of the cloud solution, for the purpose of this tutorial, is approximately $12 per year, which includes a VPS and domain name. The addition of security is optional, and the tutorial also explains how to install an SSL certificate for the SMQ Broker.

We use the Mako Server Engine running as a background service on the Linux operating system to provide the device to SMQ Broker communications. Prior Linux experience is not required, however a working knowledge of a command line interface is necessary for terminal operations.

Signing up for VPS Service

Selecting a VPS Provider

We have selected Secure Dragon as the VPS provider in this tutorial, however, you may use any VPS provider. See Installing Mako Server on an Online VPS for alternatives.

  1. Navigate to securedragon.net, click OpenVZ, click O64, and click the Order Now button.
  2. On the next page in the Wizard, select Billing Cycle, select VPS location, and select Debian (7) as the operating system.
  3. Complete the wizard.

You will receive an email some time after signing up. The following shows an excerpt from such an email with details that you will need when configuring and installing software on the VPS.

We are pleased to tell you that the server you ordered has now been set up and is running the OS you picked during the order process.

Server Details
=============================
Server Plan: O64
Main IP: 162.253.179.15
Root Password: https://securedragon.net/xxxxxx

Use the "Root Password" link to retrieve the VPS root password. You will need this password when connecting using SSH (explained below).

Setting up a Domain Name

When you sign up for a VPS service you get a dedicated IP address that uniquely identifies your online server. You can navigate to the VPS by simply using the IP address, but it is more convenient to use a domain name. In the following section, we will show you how to connect a domain name to an IP address.

Navigate to http://www.freenom.com, sign up, and select one of the free domain names. During the registration process, select Use DNS and enter the VPS IP address in the two fields. Select a 12 month period and click Continue. Your VPS should now be accessible via the domain name you registered. Note that it may take up to 48 hours before the name resolves.

If you did not set up the DNS during registration, do as follows:

  1. In the control panel, click Domain -> My Domains.
  2. Click on your domain and click Manage Domain.
  3. Click Manage Freenom DNS. You should see the page below (Figure 2).
  4. Leave the Name field blank and enter the IP address in the Target field.
  5. If you also want the server to be accessible as http://www.your-domain-name, go to "Add Record" and enter www in the Name field and the IP address in the Target field.

Figure 2: The two name records that make the server accessible with or without the www prefix

Installing the Mako Server and the SMQ Broker

The server must be installed from a Linux console, and your VPS is accessible via Secure Shell (SSH). You can log in to the VPS using the information provided in the email you received after signing up for the VPS service. Install the PuTTY SSH client if you are using Windows as your host operating system.

Using SSH, enter the server's IP address (from the email you received). You can also use the new domain name if the DNS is ready. You can test this by pinging your domain name. The ping command should respond with your server's IP address if the DNS is ready.

Figure 3: Running Putty on Windows and connecting to online VPS using the domain name simplemq.tk

At the login prompt, enter the user 'root' and the password that is set for your VPS. You can proceed to installing the Mako Server and the broker as soon as you are logged in.

The Mako Server and the broker can be installed in two ways: automatically (by using a script we have prepared) or manually.

Option one: Install Mako Server and SMQ broker automatically.

Copy the following and paste it into the Linux console (PuTTY):

wget http://makoserver.net/install/brokerX86/install.sh; chmod +x install.sh; ./install.sh

You will be asked for a username and password during the installation process. The username and password enable you to securely mount/map your online SMQ broker's 'www' directory as a WebDAV network drive.

Option two: Install Mako Server and SMQ broker manually.

Installing the server manually will give you a deeper understanding of how to manage and install software on an online VPS.

To manually install the Mako Server and configure the Mako Server, proceed to the tutorial Installing Mako Server as a Service on Linux and navigate back to this tutorial when you have completed the installation process.

When the server is installed, enter the following commands (or copy and paste) into the SSH terminal window (you must be running as root):

su mako -c 'cd ~/www && wget http://makoserver.net/download/IoT-LED-Broker.tar.gz && tar xvzf IoT-LED-Broker.tar.gz && rm IoT-LED-Broker.tar.gz'; /etc/init.d/mako.sh restart

The above commands download a prepackaged SMQ broker application (IoT-LED-Broker.tar.gz) as the 'mako' user and unpack it in that user's 'www' directory. The last command restarts the Mako Server, which then loads the new SMQ broker application.

Testing the broker

After completing the installation, navigate to your domain name using your browser. Use the VPS IP address if your domain name is still not working (it takes time for DNS to replicate). You should see the LED demo. The LED demo's web pages are included in the broker setup package (IoT-LED-Broker.tar.gz) and enable you to quickly verify that everything is working. You can delete the LED demo when no longer needed.

You should also test that you can mount/map the online server as a WebDAV network drive. As soon as the online server is set up as a network drive, you can work directly on the server's 'www' directory from your own computer.

WebDAV URL: http://server-address/fs/

We also recommend downloading the non-secure SMQ LED client source code, modifying the URL in the example's C source code to point to your own domain name, compiling the example, and making sure the example can connect to your own broker. Note that you cannot use the secure SMQ client at this time since you do not yet have an SSL certificate. The secure SMQ LED demo C code is set up such that the example requires an Elliptic Curve Cryptography (ECC) certificate. We go into the details of installing an ECC certificate at the end of the SSL Certificate instructions below.

SSL Certificate

Using "Let’s Encrypt"

Note that we tried to use the new free and automated Certificate Authority "Let’s Encrypt", however, that failed on the low end VPS we selected due to lack of memory. "Let’s Encrypt" requires you to install tools on the VPS and these tools use much more memory than what is available on the VPS we selected. You should select a VPS with at least 512Mb memory if you plan on using Let’s Encrypt.

Installing an SSL certificate is not required unless you need secure communication for your SMQ broker and/or web applications running on the server.

We need to use a well known Certificate Authority (CA) to sign our certificate in order to get browsers to accept a secure connection without popping up a warning. Well known CAs have their public certificate pre-installed in all major operating systems (Windows/Linux/Mac). If you are not using a well known CA, you will have to manually install the CA's certificate in all operating systems (or browsers) that you plan on using.

We recommend reading the tutorial Certificate Management for Embedded Systems if you are new to certificate management. The tutorial provides a good introduction to SSL certificate management and the chain of trust that leads up to the CA (root) certificate.

We must perform the following steps for creating and installing a certificate.

  1. Create a private key and Certificate Signing Request (CSR)
  2. Have a well known CA sign our public certificate by using the CSR
  3. Wait for the CA to send us the signed certificate
  4. Assemble the signed certificate and the chain of trust
  5. Copy the certificate and the private key to the online server
  6. Configure and restart the Mako Server
  7. Test the certificate

Create a private key and Certificate Signing Request (CSR)

Creating a private key and a Certificate Signing Request (CSR) can be done by using the OpenSSL command line tool. As an alternative (or if you find the OpenSSL command line tool difficult to use), download and install our Certificate Management Tool. This tool is designed for users that want to act as their own CA, but the tool can also be used for creating a private key and a CSR that can be signed by a well known CA.

If you use our Certificate Management Tool, make sure you create an RSA root certificate. Well known CAs that can sign ECC certificates are currently not common. After creating the RSA root certificate (CA certificate), proceed to creating a certificate for your own domain name. Make sure to carefully follow the instructions in the Certificate Management Tool. When you have created the certificate, the files of interest will be:

HOMEDIR/.certmgr-db/RSA/keys-and-certs/simplemq.tk.key
HOMEDIR/.certmgr-db/RSA/tmp/csr-simplemq.tk.req

The domain simplemq.tk is what we used when we signed our certificate. Look for files with the name including your domain name. Note: the Certificate Management Tool also created a public certificate signed with the CA initially created by the Certificate Management Tool, but we will not use this certificate. Instead, we will have a well known CA sign our CSR (csr-simplemq.tk.req).

Make sure you save the private key and the CSR in a safe (and trusted) place. You can use the CSR whenever you need to create/sign a new certificate.

Have a well known CA sign our public certificate by using the CSR

The following instructions show how to obtain a free 90 day certificate from Comodo. You need to repeat the process (except for creating a private key and CSR) after 90 days. Signing and installing certificates is a bit tedious; thus you may consider using a paid-for CA service that provides a certificate valid for three years.

Navigate to Comodo's free SSL certificate page and click the free certificate button. Open the CSR you created in the step above in an editor, select all, and copy the data. Paste this data into the CSR field at the Comodo's web site. Select "OTHER" for server software and click Next. Follow the wizard.

You will eventually get to a page where you have to validate that you own the domain name.

Figure 4: Select HTTP CSR Hash as validation method

Map the server using WebDAV

To map/mount the online server as a file system, use the URL: http://server-address/fs/. In Windows, you can go to Map Network Drive and enter the URL to map the online server as a drive in Windows. See the WebDAV information page for the BarracudaDrive product for more information on how to map/mount a WebDAV drive.

Since you do not have an email account set up with the domain name, select HTTP CSR Hash as the validation method. Assuming you have your online www directory mapped to your local computer, go ahead and create a file with the name <MD5 hash of CSR>.txt on the mapped drive. Copy the SHA-1 hash from Comodo's web site and paste it into this file. The file should have two lines:

<Value of SHA1 hash of CSR>
comodoca.com

Before clicking continue in the Comodo wizard, make sure you can open the file you just created by navigating to:

http://yourdomain/<MD5 hash of CSR>.txt

Figure 5: Screenshot of our domain validation file

Click continue in the Comodo wizard and complete your registration.

Wait for the CA to send us the signed certificate

You should receive an email from Comodo with the certificate after some time if you successfully completed the Comodo SSL wizard.

Assemble the signed certificate and the chain of trust

Unpack the content of the ZIP file (attached to the Comodo email) in an empty directory. The ZIP file should contain the following:

*yourdomainname*.crt
COMODORSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt
AddTrustExternalCARoot.crt

The ZIP file contains your certificate, two intermediate Certificate Authorities (CAs), and Comodo's public root certificate (AddTrustExternalCARoot.crt). We will not use the public root certificate since this certificate is already known by your browser. The browser keeps well known CAs in a CA database. However, we need the two intermediate CAs since we need the chain of trust leading up to Comodo's root certificate. See the Wikipedia article Chain of trust, section Computer security, for more information on how this works.

Using your favorite text editor, create a new file and call it yourdomain.cert. Open the certificate and the intermediate CAs listed above in an editor one at a time. Copy the content of these files, in the order listed, into your new file. Do not add AddTrustExternalCARoot.crt. Save the file. The new file must contain, in this order: *yourdomainname*.crt, COMODORSADomainValidationSecureServerCA.crt, and COMODORSAAddTrustCA.crt.
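The following POSIX shell script is an added example (not code from the tutorial or the Mako Server project) covering step 1 with the OpenSSL command line tool mentioned above and step 4, the chain assembly in the order just listed. It assumes your domain name is in DOMAIN and that the files from the Comodo ZIP are in the current directory; the function names are ours.

```shell
#!/bin/sh
# Hypothetical helper script: creates the RSA private key + CSR with OpenSSL and
# assembles yourdomain.cert as leaf certificate followed by the two intermediates.
set -eu

DOMAIN="${DOMAIN:-simplemq.tk}"   # assumption: replace with your own domain name

# Step 1: private key and CSR. The key is created locally and never leaves
# this machine except for the copy to /home/mako on the VPS.
make_key_and_csr() {
    domain="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=${domain}" \
        -keyout "${domain}.key" -out "csr-${domain}.req" 2>/dev/null
    chmod 600 "${domain}.key"
    # Sanity check: the public key in the CSR must belong to the private key.
    csr_mod=$(openssl req -noout -modulus -in "csr-${domain}.req")
    key_mod=$(openssl rsa -noout -modulus -in "${domain}.key")
    [ "$csr_mod" = "$key_mod" ]
}

# Step 4: concatenate the PEM files in chain order (leaf first, then the
# intermediates). Arguments: output file, then the PEM files in order.
assemble_chain() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        case "$f" in
            # The tutorial says not to add the root; refuse it explicitly.
            *AddTrustExternalCARoot*) echo "refusing to append root cert $f" >&2; return 1 ;;
        esac
        cat "$f" >> "$out"
        # Ensure each block ends with a newline so PEM markers do not run together.
        [ -z "$(tail -c1 "$f")" ] || echo >> "$out"
    done
}

# Number of certificates in an assembled file (3 for the Comodo chain above).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Usage, once the Comodo ZIP is unpacked in the current directory:
#   make_key_and_csr "$DOMAIN"
#   assemble_chain "$DOMAIN.cert" "$DOMAIN.crt" \
#       COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt
```

Run make_key_and_csr before submitting the CSR to the CA, and assemble_chain after the signed certificate arrives; both files then go to /home/mako as described next.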

Copy the certificate and the private key to the online server

The next step is to copy your private key and your assembled certificate to your online server.

The files we created for our server are:

simplemq.tk.key The private key created by the Certificate Management Tool
simplemq.tk.cert Created by assembling certificate and intermediate CAs

An easy way to transfer the files to your online server is to copy them using the WebDAV connection that is set up to the 'www' directory on your server. However, the files need to be placed in the parent directory and not in www -- i.e. the files must be placed in /home/mako. A simple solution to this problem is to create a soft link from 'www' to the parent directory. The following Linux command, run inside /home/mako/www, does this:

ln -s .. .ROOT

Notice that we create a link (.ROOT) that starts with a dot. Files and directories that start with a dot cannot be navigated into when accessing the server using a standard HTTP client; however, the authenticated WebDAV client can access this directory.

The following screenshot shows the complete set of commands we used for creating the soft link:

Figure 6: Creating a link from 'www' to the parent directory when logged in as the Linux user 'mako'

You can now simply drag and drop the files onto the mapped online server. The following screenshot shows how we copy the files to the .ROOT directory (the soft link pointing to the parent directory).

Figure 7: Copying the private key and certificate from PC to /home/mako

Configure and restart the Mako Server

The names of the private key and the certificate must be added to the mako.conf file. The following example shows how we can directly open this file using Notepad from a PC. We have mapped the online 'www' directory as Z:.

notepad z:\.ROOT\mako.conf

Add the two following lines to mako.conf. Note, you must change the name of the key and the certificate to your own names.

certfile = "simplemq.tk.cert"
keyfile = "simplemq.tk.key"

Save the file and verify that the Mako Server can load your new key and certificate. The best way to do this is to run the Mako Server in the foreground, since the server then prints error messages, if any, to the console. The following screenshot shows how we stop the server running in the background, navigate to /home/mako, and start the server in the foreground as user (-u) 'mako'. As you can see from the screenshot below, the server successfully loaded our new key and certificate.

Figure 8: Verifying that Mako Server can load the certificate by running the server in the foreground

Stop the server running in the foreground by pressing CTRL-C. You can then start the server in the background by using the command: /etc/init.d/mako.sh start

Test the certificate

Navigate to https://your-domain-name. You should not get any certificate warning messages in your browser.

As a final test, you may navigate to https://www.ssllabs.com/ssltest/. Enter your domain name (hostname) and click submit. After some time, you should get a full report and no conflicts with your chain of trust.


You may now set up trusted and secure communication between any browser and the server by entering https://your-domain-name in the browser. The non-secure SMQ client can still connect to the broker, and you may communicate using the SMQ protocol between a browser using TLS and a non-secure SMQ device. This is possible since the communication goes via the SMQ broker, which manages the TLS termination for the browser.

You have some more work to do if you plan on using the secure SMQ device client (SharkMQ) and connecting this client to your online SMQ broker. The secure SMQ LED device demo is set up to use Elliptic Curve Cryptography (ECC) certificates. You could change the example to use RSA certificates, but this solution introduces another problem. RSA certificates are big, and our chained certificate signed by Comodo is even bigger. Chained RSA certificates are no good when communicating with resource constrained edge nodes. The solution is to use ECC certificates and no intermediaries.

The cool thing about the Mako Server is that we can set it up to use an RSA certificate signed by a well known CA and serve this RSA certificate to browsers and set up a different ECC certificate for edge nodes. A complete tutorial on how to set up a dual certificate RSA/ECC server can be found in the online SharkSSL documentation under section Certificate Management for IoT.

Posted in SimpleMQ