HiveMQ Edge 2025.18 is Released

by HiveMQ Team

Oct 29, 2025

What’s new in HiveMQ Edge 2025.18

HiveMQ Edge 2025.18 offers several improvements for OPC UA.

OPC UA MTLS

How it works

In the past we used a fixed applicationURI which caused issues with OPC UA servers.

With this release we now evaluate the certificate and use the SAN as the applicationUri, which is the suggested best practice by the OPC UA specification.

Since there might be situations where the applicationUri cannot be derived from the certificate, we added the applicationUri configuration option.

The following configuration will use the SAN configured in the certificate from the keystore.

    <opcua>
    <config>
    ...
        <tls>
            <enabled>true</enabled>
            <keystore>
            <path>/path/to/my/keystore.jks</path>
                <password>keystore-password</password>
                <private-key-password>key-password</private-key-password>
            </keystore>
            <truststore>
                <path>/path/to/my/truststore.jks</path>
                <password>truststore-password</password>
            </truststore>
        </tls>
    ...
    </config>
</opcua>

The following configuration will override the applicationUri with the value like urn:my-organization:my-opcua-client.

    <opcua>
    <config>
        ...
        <applicationUri>like urn:my-organization:my-opcua-client</applicationUri>
        <tls>
            <enabled>true</enabled>
            <keystore>
                <path>/path/to/my/keystore.jks</path>
                <password>keystore-password</password>
            <private-key-password>key-password</private-key-password>
            </keystore>
            <truststore>
                <path>/path/to/my/truststore.jks</path>
                <password>truststore-password</password>
            </truststore>
        </tls>
        ...
    </config>
</opcua>

OPC UA Security options

This release adds the ability to configure the messageSecurityMode for OPC UA connections.

Before this release only the policy was used to pick the communication mode.

This results in ambiguity if multiple options are available for a given server.

With this release you can now explicitly configure the messageSecurityMode as one of None | Sign | SignAndEncrypt.

    <opcua>
    <config>
    ...
        <security>
            <policy>BASIC128RSA15</policy>
            <messageSecurityMode>SignAndEncrypt</messageSecurityMode>
        </security>
    ...
    </config>
</opcua>

Additional Improvements

The detection of existing combiners (or asset mappers) has been redesigned for improved feedback in the workspace

Deprecation Notice

HiveMQ Edge was migrated to JDK v21 in version 2025.16, HiveMQ Edge will need to be run in the Java run time environment for v21 or higher.

JDK v21 provides many enhancements and improvements to the efficiency and performance of HiveMQ Edge, and enables future data operations capabilities to be brought to the product.

Should you need to run HiveMQ Edge on a 32bit Architecture, or are already running Edge on a 32bit architecture then you should not use any version after 2025.15.

Get Started Today

Use the download link Get HiveMQ Edge 2025.18, or find us on GitHub and Docker:

Get started by running

    docker run --name hivemq-edge --pull=always -d -p 1883:1883 -p 8080:8080 hivemq/hivemq-edge

Or clone our repository

    git clone git@github.com:hivemq/hivemq-edge.git

You may also try out our Helm Chart

    helm repo add hivemq https://hivemq.github.io/helm-charts && helm repo update

Get HiveMQ Edge 2025.18 now

HiveMQ Team

The HiveMQ team loves writing about MQTT, Sparkplug, Unified Namespace (UNS), Industrial IoT protocols, IoT Data Streaming, how to deploy our platform, and more. We focus on industries ranging from energy, to transportation and logistics, to automotive manufacturing. Our experts are here to help, contact us with any questions.