Skip to content

Managing MQTT Security on HiveMQ Cloud Starter

12 min read

In our blog A Step-by-Step Guide to Using HiveMQ Cloud Starter, we detailed how to create your HiveMQ Cloud Starter cluster, how to create credentials, and how to send your first message. In this blog post, we will consider a simple example to explore access credentials, roles, and permissions in detail.

Let’s take a look at the problem at hand.

Problem: Remote Monitoring for Solar Power Plant

In this post, we examine sample remote monitoring of a solar power plant using MQTT. For solar power plants, a remote monitoring system provides real-time data on energy production, temperature, and efficiency of solar panels, allowing for immediate detection of underperformance or malfunctions. Such systems also provide useful information for predictive maintenance, compliance and data-driven decision-making.

Let’s take a simplified model of a solar power plant. In our case, the solar power plant consists of solar panels and sensors to collect information from panels and the environment, a battery and an inverter.Different components and stakeholders for remote monitoring of a solar power plantDifferent components and stakeholders for remote monitoring of a solar power plant

The data published by sensors goes to an MQTT Broker, and specific topics are subscribed by different types of personas. In our example, the data is subscribed by Plant operator persona, maintenance personnel persona, data analyst persona and a KPI dashboard for executives. The data also needs to be stored in a database for later use and analysis. In this case, the flow between different components and stakeholders would look as shown in the figure below:Data flow for remote monitoring ina solar power plantData flow for remote monitoring ina solar power plant

It is imperative to securely transport this data; otherwise, unsecure data access can lead to malicious outcomes, such as energy theft, loss of power, etc. Hence IoT project security is a critical aspect. Read on to learn how MQTT and HiveMQ Cloud can easily help in securing your IoT projects in every project lifecycle.

Topic Structure

Since it is a solar power plant, that plant would have some components and some metrics associated with it. Also, we might add more panels in the future and create more solar power plants. Hence the proposed topic structure is:

SolarPlant/<Plant_ID>/<Component_Type>/<Component_ID>/<Metric>

For the sake of simplicity, we would use Plant1 for our blog post as the only plant in operation.

Metrics

The next task is to collect different metrics from the plant for publishing. Now, in reality, the number of metrics collected would be vast. For the purposes of our current post, we limit the metrics to a few important ones.

Plant-Level Metrics

For the whole plant, we can calculate overall Power Output and Temperature. For each panel, we can also compute Voltage and Current. For simplicity, we assume that we can compute these metrics on-site. The topics would look as follows:

SolarPlant/Plant1/Overview/PowerOutput

SolarPlant/Plant1/Overview/Temperature

SolarPlant/Plant1/SolarPanel/Panel1/Voltage

SolarPlant/Plant1/SolarPanel/Panel2/Current

Battery and Inverter Metrics

The battery and inverter are core components of a solar power plant. As such, some important metrics to track for a battery would be the Charge Level and the Discharge Rate.

Similarly, for the inverter, its Efficiency and Status would be important to track. The message structure for these metrics will look like:

SolarPlant/Plant1/Battery/Battery1/ChargeLevel

SolarPlant/Plant1/Battery/Battery2/DischargeRate

SolarPlant/Plant1/Inverter/Inverter1/Efficiency

SolarPlant/Plant1/Inverter/Inverter2/Status

Other Metrics

Some other metrics to consider are environmental ones like Windspeed and Sunlight. And one metric to consider for maintenance alerts is Maintenance.

SolarPlant/Plant1/Environment/WindSpeed

SolarPlant/Plant1/Environment/Sunlight

SolarPlant/Plant1/Alerts/Maintenance

Topics relevant to each component in the remote monitoring data flowTopics relevant to each component in the remote monitoring data flow

Using HiveMQ Cloud for Remote Monitoring a Solar Power Plant

Setting Up Your IoT Project Security

If you are new to HiveMQ Cloud, read our blog A Step-by-Step Guide to Using HiveMQ Cloud Starter. For the next posts in this blog series, you need a basic understanding of creating credentials. After setting up your Cloud Starter account, you need to create the credentials under the Access Management tab inside your cluster.

Create the Right Permissions

You need the right permissions to create a correct set of roles for your credentials. This allows you to have a fine-grained cluster access control. To create a permission, you require a Name and Topics that are associated with this permission. It is possible to write an optional description as well.Creating a PermissionOnce created, the permission is visible in the table at the end of the section. You get a default permission automatically at the time of cluster creation. For remote monitoring, you create following additional permissions to demonstrate a simplified flow of data:

Name Topic
publish-only-plant SolarPlant/Plant1/#
publish-only-battery SolarPlant/Plant1/Battery/#
publish-only-inverter SolarPlant/+/Inverter/#
Subscribe-only SolarPlant/#
Pub-sub SolarPlant/#

The permissions are visible in the table at the bottom of the sectioThe permissions are visible in the table at the bottom of the section

Creating roles with the correct permissions

Once we have all the permissions, the next step is to create roles based on them. The Roles can be found under the Access Management tab as well.Creating a role in HiveMQ Cloud

To create a permission, you require a Name and Permission that are associated with this role. It is possible to write an optional description as well.

Based on our problem, roles are defined to be used either as a service or to gather data. Humar stakeholders can use one of the services that is relevant to them. Corresponding clients collecting data from different plant components are assigned the data gathering role.Permissions list

Assigning Roles to the Credentials

Now, the last step is to create credentials for your clients. This step is similar to its counterpart in the last post; however, this time you can assign specific roles to the credentials. The credentials, for this post, look as follows:Assigning roles to the credentials

For example, the analysisservice credentials can be used by data analysts to connect to broker with subscribe only permissions for certain topics. Similarly, other credentials can be used by other components and stakeholders.

How to Test Data Flow Using In-built Web Client and MQTT CLI

Now to test the data flow, you can use the Web Client and the MQTT CLI as in our blog, A Step-by-Step Guide to Using HiveMQ Cloud Starter. The analysisservice can subscribe to SolarPlant/Plant1/Overview/Temperature topic as seen here.Testing the Data FlowIn the Terminal window, go to MQTT shell by typing:

mqtt sh

To connect to the broker, use the following command:

con -h webinar-o53286.a01.euc1.aws.hivemq.cloud -p 8883 -s -i plant1 -u plant -pw

For sending messages:

pub -t 'SolarPlant/Plant1/Overview/Temperature' -m "24.0"

Summary

This step-by-step guide covered how to use access credentials in HiveMQ Cloud Starter to create granular permissions and roles for your client credentials. Using a sample solar power plant remote monitoring problem, we discussed the topic structure and potential data flow from various publishers to subscribers. This guide also discussed how to create granular role-based access credentials with detailed permissions and learned how to use these credentials to send and receive data.

Next Steps

In the next post in this blog series, we will look at how this data can be visualized via built-in HiveMQ Control Center.

Take your MQTT projects to the next level with HiveMQ Cloud Starter. Experience unmatched performance and reliability with our 15-day free trial, no credit card required. Sign-up now with Cloud Starter and grab $100 worth of free credits upon the creation of the first Starter cluster.

Sign-up Now
HiveMQ logo
Review HiveMQ on G2