Managing MQTT Security on HiveMQ Cloud Starter
Written by Shashank Sharma
Category: HiveMQ Cloud Cloud IoT HiveMQ Cloud Starter
Published: September 25, 2023
In our blog A Step-by-Step Guide to Using HiveMQ Cloud Starter, we detailed how to create your HiveMQ Cloud Starter cluster, how to create credentials, and how to send your first message. In this blog post, we will consider a simple example to explore access credentials, roles, and permissions in detail.
Let’s take a look at the problem at hand.
Problem: Remote Monitoring for Solar Power Plant
In this post, we examine sample remote monitoring of a solar power plant using MQTT. For solar power plants, a remote monitoring system provides real-time data on energy production, temperature, and efficiency of solar panels, allowing for immediate detection of underperformance or malfunctions. Such systems also provide useful information for predictive maintenance, compliance and data-driven decision-making.
Let’s take a simplified model of a solar power plant. In our case, the solar power plant consists of solar panels and sensors to collect information from panels and the environment, a battery and an inverter.
The data published by sensors goes to an MQTT Broker, and specific topics are subscribed by different types of personas. In our example, the data is subscribed by Plant operator persona, maintenance personnel persona, data analyst persona and a KPI dashboard for executives. The data also needs to be stored in a database for later use and analysis. In this case, the flow between different components and stakeholders would look as shown in the figure below:
It is imperative to securely transport this data; otherwise, unsecure data access can lead to malicious outcomes, such as energy theft, loss of power, etc. Hence IoT project security is a critical aspect. Read on to learn how MQTT and HiveMQ Cloud can easily help in securing your IoT projects in every project lifecycle.
Topic Structure
Since it is a solar power plant, that plant would have some components and some metrics associated with it. Also, we might add more panels in the future and create more solar power plants. Hence the proposed topic structure is:
SolarPlant/<Plant_ID>/<Component_Type>/<Component_ID>/<Metric>
For the sake of simplicity, we would use Plant1 for our blog post as the only plant in operation.
Metrics
The next task is to collect different metrics from the plant for publishing. Now, in reality, the number of metrics collected would be vast. For the purposes of our current post, we limit the metrics to a few important ones.
Plant-Level Metrics
For the whole plant, we can calculate overall Power Output and Temperature. For each panel, we can also compute Voltage and Current. For simplicity, we assume that we can compute these metrics on-site. The topics would look as follows:
SolarPlant/Plant1/Overview/PowerOutput
SolarPlant/Plant1/Overview/Temperature
SolarPlant/Plant1/SolarPanel/Panel1/Voltage
SolarPlant/Plant1/SolarPanel/Panel2/Current
Battery and Inverter Metrics
The battery and inverter are core components of a solar power plant. As such, some important metrics to track for a battery would be the Charge Level and the Discharge Rate.
Similarly, for the inverter, its Efficiency and Status would be important to track. The message structure for these metrics will look like:
SolarPlant/Plant1/Battery/Battery1/ChargeLevel
SolarPlant/Plant1/Battery/Battery2/DischargeRate
SolarPlant/Plant1/Inverter/Inverter1/Efficiency
SolarPlant/Plant1/Inverter/Inverter2/Status
Other Metrics
Some other metrics to consider are environmental ones like Windspeed and Sunlight. And one metric to consider for maintenance alerts is Maintenance.
SolarPlant/Plant1/Environment/WindSpeed
SolarPlant/Plant1/Environment/Sunlight
SolarPlant/Plant1/Alerts/Maintenance
Using HiveMQ Cloud for Remote Monitoring a Solar Power Plant
Setting up your IoT Project security
If you are new to HiveMQ Cloud, read our blog A Step-by-Step Guide to Using HiveMQ Cloud Starter. For the next posts in this blog series, you need a basic understanding of creating credentials. After setting up your Cloud Starter account, you need to create the credentials under the Access Management tab inside your cluster.
Create the right permissions
You need the right permissions to create a correct set of roles for your credentials. This allows you to have a fine-grained cluster access control. To create a permission, you require a Name and Topics that are associated with this permission. It is possible to write an optional description as well.
Once created, the permission is visible in the table at the end of the section. You get a default permission automatically at the time of cluster creation. For remote monitoring, you create following additional permissions to demonstrate a simplified flow of data:
| Name | Topic |
|---|---|
| publish-only-plant | SolarPlant/Plant1/# |
| publish-only-battery | SolarPlant/Plant1/Battery/# |
| publish-only-inverter | SolarPlant/+/Inverter/# |
| Subscribe-only | SolarPlant/# |
| Pub-sub | SolarPlant/# |
Creating roles with the correct permissions
Once we have all the permissions, the next step is to create roles based on them. The Roles can be found under the Access Management tab as well.
To create a permission, you require a Name and Permission that are associated with this role. It is possible to write an optional description as well.
Based on our problem, roles are defined to be used either as a service or to gather data. Humar stakeholders can use one of the services that is relevant to them. Corresponding clients collecting data from different plant components are assigned the data gathering role.
Assigning roles to the credentials
Now, the last step is to create credentials for your clients. This step is similar to its counterpart in the last post; however, this time you can assign specific roles to the credentials. The credentials, for this post, look as follows:
For example, the analysisservice credentials can be used by data analysts to connect to broker with subscribe only permissions for certain topics. Similarly, other credentials can be used by other components and stakeholders.
How to Test Data Flow Using In-built Web Client and MQTT CLI
Now to test the data flow, you can use the Web Client and the MQTT CLI as in our blog, A Step-by-Step Guide to Using HiveMQ Cloud Starter. The analysisservice can subscribe to SolarPlant/Plant1/Overview/Temperature topic as seen here.
In the Terminal window, go to MQTT shell by typing:
mqtt sh
To connect to the broker, use the following command:
con -h webinar-o53286.a01.euc1.aws.hivemq.cloud -p 8883 -s -i plant1 -u plant -pw
For sending messages:
pub -t 'SolarPlant/Plant1/Overview/Temperature' -m "24.0"
Summary
This step-by-step guide covered how to use access credentials in HiveMQ Cloud Starter to create granular permissions and roles for your client credentials. Using a sample solar power plant remote monitoring problem, we discussed the topic structure and potential data flow from various publishers to subscribers. This guide also discussed how to create granular role-based access credentials with detailed permissions and learned how to use these credentials to send and receive data.
Next Steps
In the next post in this blog series, we will look at how this data can be visualized via built-in HiveMQ Control Center.
Sign-up now with Cloud Starter and grab $100 worth of free credits upon the creation of the first Starter cluster.
About Shashank Sharma
Shashank Sharma is a product marketing manager at HiveMQ. He is passionate about technology and enabling developer-centric workflows. He has previous experience in application software tooling, autonomous driving, and numerical computing.
Contact Shashank
