Mutual Authentication

Mutual Authentication allows the device and Everyware Cloud to authenticate each other over the certificate-based TLS/SSL two-way authentication protocol. This feature is supported for the MQTT connections that devices establish to a Messaging Service instance in Everyware Cloud.

Mutual Authentication increases the security of communications between devices in the field and Everyware Cloud in the backend. With this feature, the connection succeeds if, and only if:

  • The backend provides a certificate that is trusted by the device
  • The device provides a certificate that is trusted by the backend
  • The device credentials, username and password, used to establish the MQTT connection are successfully validated by the backend

Enable Mutual Authentication

Mutual authentication is configured at the account level. In the Settings view, select the ClusterService and check whether TLS/SSL Mutual Authentication connections are enabled.

Client Certificate Validation

Add the public certificate that is used to validate the one sent by the device during the TLS/SSL handshake. In the Admin Console, go to the Certificates view and click the Add button. A dialog appears for registering the new certificate. The mandatory fields are:

  • Name: display name for the certificate
  • Usage: select MUTUAL_AUTHENTICATION
  • Public Certificate: BASE64 encoded Certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags.

Device-side Configuration

To configure Mutual Authentication in an ESF device, please refer to ESF Documentation, or refer to this example for a plain Paho client.

Verify that the device trusts the TLS/SSL server certificate configured for the Everyware Cloud Messaging Service.
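
The three conditions listed at the top of this page, seen from a plain Paho Java client. This is an added example, not the example linked above and not Eurotech's code. The broker URL and port, the PKCS#12 store file names, the client ID and the environment variable names are placeholders chosen for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.eclipse.paho.client.mqttv3.MqttClient;
import org.eclipse.paho.client.mqttv3.MqttConnectOptions;
import org.eclipse.paho.client.mqttv3.persist.MemoryPersistence;

public class MutualAuthClient {
    // Placeholder (assumption): replace with the URL of your Messaging Service instance.
    static final String BROKER = "ssl://broker.example.com:8883";

    // Loads a PKCS#12 store from disk.
    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Secrets come from the environment (variable names are assumptions).
        char[] storePass = System.getenv("STORE_PASSWORD").toCharArray();

        // Condition 1: the trust store holds the CA that issued the backend certificate.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("truststore.p12", storePass));

        // Condition 2: the key store holds the device certificate and its private key.
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("device.p12", storePass), storePass);

        SSLContext tls = SSLContext.getInstance("TLS");
        tls.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        // Condition 3: the MQTT username and password are sent in addition to the certificate.
        MqttConnectOptions opts = new MqttConnectOptions();
        opts.setSocketFactory(tls.getSocketFactory());
        opts.setUserName(System.getenv("MQTT_USERNAME"));
        opts.setPassword(System.getenv("MQTT_PASSWORD").toCharArray());

        MqttClient client = new MqttClient(BROKER, "device-001", new MemoryPersistence());
        client.connect(opts); // throws MqttException when the connection is refused
        System.out.println("connected: " + client.isConnected());
        client.disconnect();
    }
}
```

Passing only trust managers to `tls.init` (no key managers) gives one-way TLS: the device would still verify the backend, but would present no certificate of its own.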