
What's New in HiveMQ 4.47?

by HiveMQ Team

The HiveMQ team is excited to announce the release of HiveMQ Enterprise MQTT Platform 4.47. This release introduces a new X.509 authentication manager in the HiveMQ Enterprise Security Extension, expands Diagnostic Archive metrics, and provides useful fixes and performance enhancements.

Highlights

  • HiveMQ Enterprise Security Extension X.509 Authentication Manager

New X.509 Authentication Manager in the Enterprise Security Extension

HiveMQ 4.47 introduces a dedicated X.509 authentication manager in the HiveMQ Enterprise Security Extension. The new component allows you to combine mTLS-based certificate authentication with additional authentication methods in a single authentication chain. This enhancement provides greater flexibility for deployments that need to support multiple authentication methods on the same MQTT listener endpoint.

How it works

The X.509 authentication manager extracts identity and role information directly from client certificates and uses these values for authentication and authorization. You can configure which certificate fields (such as Common Name, Organization, or Alternative Names) are mapped to the username and optional roles.

Example X.509 Authentication Manager configuration:

    ...
    <chain-authentication-manager>
      <strategy>
        <check-next-on-unknown-authentication-key-or-wrong-secret/>
      </strategy>
      <chain>
        <x509-authentication-manager>
          <authorization-key-field>subject-common-name</authorization-key-field>
          <authorization-role-key-field>subject-alternative-common-names</authorization-role-key-field>
        </x509-authentication-manager>
        <file-authentication-manager>
          <realm>file-realm</realm>
        </file-authentication-manager>
      </chain>
    </chain-authentication-manager>
    ...

In the example, clients can authenticate by presenting a valid certificate (where the Subject Common Name becomes their username) or by falling back to username/password authentication from the file realm. The authentication manager extracts multiple roles from the Subject Alternative Names extension, enabling role-based authorization directly from certificate attributes.

How it helps

This feature makes it easy to support mixed authentication scenarios on the same MQTT listener endpoint. IoT devices with embedded certificates can authenticate via mTLS, while administrative tools or legacy applications can authenticate using traditional credentials—all connecting to the same MQTT broker endpoint. This eliminates the need to configure multiple listeners for different authentication methods.

The X.509 Authentication Manager also simplifies permission management by extracting roles directly from certificate fields. You can encode multiple roles into the Subject Alternative Names extension, reducing the need for separate role lookups and minimizing configuration complexity.

Comparison with the X.509 Preprocessor

The existing X.509 preprocessor remains available for extracting certificate fields into ESE variables for use by other authentication managers. The new X.509 authentication manager is a standalone authentication mechanism that can participate directly in an authentication chain.

  • Use the new X.509 authentication manager when you want mTLS to function as a primary authentication method alongside other schemes.
  • Use the X.509 preprocessor when you need to extract certificate attributes for custom authentication logic performed elsewhere.

Anonymous Usage Statistics Change

NOTE: Starting with HiveMQ 4.47, the broker’s built-in anonymous usage tracking is enabled by default. This data helps us understand how the product is used and guides future improvements to the HiveMQ platform. If you prefer not to send anonymous usage data, you can explicitly disable the feature in your config.xml file:

    ...
    <anonymous-usage-statistics>
        <enabled>false</enabled>
    </anonymous-usage-statistics>
    ...

If you previously removed this configuration to disable statistics, you must add the configuration with <enabled>false</enabled> to maintain the disabled status after upgrading to HiveMQ 4.47 or later.

  • If no configuration is present, statistics are automatically enabled when you upgrade to version 4.47 or higher.
  • For complete configuration details and a list of all data collected, see Anonymous Usage Statistics in our documentation.
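A pre-upgrade check for the case described above, as an added example that is not HiveMQ tooling: it reads a config.xml string and reports whether anonymous usage statistics will be on after moving to 4.47 or later. The function name and the sample configs are constructed for illustration; only the `<anonymous-usage-statistics>` and `<enabled>` element names come from this page.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop an XML namespace prefix such as "{ns}enabled", if present.
    return tag.rsplit("}", 1)[-1]

def stats_after_upgrade(config_xml):
    """Effective anonymous-usage-statistics state on 4.47+ for a config.xml string.

    Returns (state, reason); state is True, False, or None when the value
    cannot be decided from the file alone.
    """
    root = ET.fromstring(config_xml)
    values = [
        (child.text or "").strip().lower()
        for el in root.iter() if _local(el.tag) == "anonymous-usage-statistics"
        for child in el if _local(child.tag) == "enabled"
    ]
    if not values:
        # The case the release note warns about: block removed or never present.
        return True, "no explicit setting, enabled by default from 4.47"
    if len(set(values)) > 1:
        return None, "conflicting <enabled> values, review manually"
    if values[0] == "false":
        return False, "explicitly disabled"
    if values[0] == "true":
        return True, "explicitly enabled"
    return None, "unrecognised <enabled> value %r, review manually" % values[0]

# Constructed sample configs (not taken from a real deployment).
REMOVED = "<hivemq><listeners/></hivemq>"
DISABLED = """<hivemq>
  <anonymous-usage-statistics><enabled>false</enabled></anonymous-usage-statistics>
</hivemq>"""
PLACEHOLDER = """<hivemq>
  <anonymous-usage-statistics><enabled>${STATS}</enabled></anonymous-usage-statistics>
</hivemq>"""

if __name__ == "__main__":
    for name, xml in [("removed", REMOVED), ("disabled", DISABLED),
                      ("placeholder", PLACEHOLDER)]:
        print(name, "->", stats_after_upgrade(xml))
```

A `None` result means the file alone does not settle the question, for example when the value is templated at deploy time, so the rendered config on the broker host is what needs checking.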

More Noteworthy Features and Improvements

HiveMQ Enterprise MQTT Broker

  • Fixed a rare issue where client sessions could be incorrectly marked as offline after a cluster merge.
  • Expanded the Diagnostic Archive to include metrics for up to 72 hours before the last graceful shutdown and start of the broker.
  • Fixed an issue that could prevent the delivery of PUBLISH messages to a client due to an internal inconsistency following a temporary cluster connection loss.
  • Added limits to the number of parallel topology replication batches per node to improve cluster stability and scalability and prevent overload during cluster join operations.
  • Fixed an issue to ensure correct publish payload persistence cleanup, regardless of the number of CPU cores.
  • Improved message ordering for shared subscriptions and consumer messages.
  • Fixed an issue where consumer polling stopped when a consumer was registered with multiple topic filters.

HiveMQ REST API

  • Added REST API support for creating custom diagnostic archives with selectable exporters.

HiveMQ Enterprise Security Extension

  • Updated the ESE Helper tool to 1.5.0 and replaced the various binary files with a JAR file and wrapper script.

HiveMQ Control Center v2

  • Fixed an issue where an incorrect maximum connection limit was shown in the license information.

HiveMQ Enterprise Extension for MySQL

  • Fixed a rare issue where PUBLISH messages could be dropped if the database connection breaks.
  • Fixed an issue where some PUBLISH messages were not consumed until the broker was restarted after the extension was disabled and re-enabled.

HiveMQ Enterprise Extension for MongoDB

  • Fixed an issue where some PUBLISH messages were not consumed until the broker was restarted after the extension was disabled and re-enabled.

HiveMQ Enterprise Extension for Microsoft SQL Server

  • Fixed an issue where some PUBLISH messages were not consumed until the broker was restarted after the extension was disabled and re-enabled.

HiveMQ Enterprise Extension for PostgreSQL

  • Fixed an issue where some PUBLISH messages were not consumed until the broker was restarted after the extension was disabled and re-enabled.

HiveMQ Enterprise Extension for Snowflake

  • Enhanced connection management to automatically detect and attempt to reopen invalid channels for increased resilience against transient errors.

Get Started Today

To upgrade to HiveMQ 4.47 from a previous version, follow the steps in the HiveMQ Upgrade Guide and review the Known Issues section for any considerations that could affect your deployment.

To learn more about all the features the HiveMQ Platform offers, explore the HiveMQ User Guide.

HiveMQ Team

Team HiveMQ shares deep expertise in MQTT, Industrial AI, IoT data streaming, Unified Namespace (UNS), and Industrial IoT protocols. Our blogs explore real-world challenges, practical deployment guidance, and best practices for building a modern, reliable, and secure data backbone on the HiveMQ platform, along with thought leadership shaping the future of the connected world.

We’re on a mission to build the Industrial AI Platform that transforms industrial data into real-time intelligence, actionable insights, and measurable business outcomes.

Our experts are here to support your journey. Have questions? We’re happy to help. Contact us.
