The File Authentication Plugin is the first plugin, which adds the capability of client authentication to HiveMQ. In the case of this plugin the credentials consist of username and password and are read from a file.
- Follow the standard installation guide on the official HiveMQ documentation
- Copy the supplied
- Start/Restart HiveMQ
- Use a MQTT client of your choice and provide username/password: hivemq-user1/user1
This sample installation shows a simple and quick way to get started with the plugin. Therefore the pre-configuration uses no hashing for the passwords and has predefined username/password combinations. If you are using this plugin in production a more secure setup is essential. The various configuration options are explained in the following.
The plugin can be configured with the fileAuthConfiguration.properties file, which needs to be placed in the
conf folder in your HiveMQ home directory.
|Property Name||Default Value||Description|
|filename||credentials.properties||This property specifies the name of the file, which contains the credentials of the users. Please notice that the file has to be in the conf folder.|
|reloadCredentialsInterval.seconds||10||Returns the interval after which the credentials file is checked, if new credentials were added.|
|cachingTime.seconds||600||Maximum cache entry lifetime in seconds for failed and successful login credentials (changing this value resets the cache).|
|cacheSize||10000||Maximum amount of cached login credentials (changing this value resets the cache).|
|passwordHashing.enabled||false||Specifies if the password is stored in plaintext or as hash. If this is set to false all other configuration properties except filename and reloadCredentialsInterval.seconds are ignored.|
|passwordHashing.algorithm||SHA-512||Here the hashing algorithm used during the creation of the passwords can be declared. HiveMQ is supporting all hashing algorithms provided by the Java Virtual Maschine (MD2, MD5, SHA, SHA-256, SHA-384, SHA-512). Recommended for use is SHA-256 and above, because the others are not considered secure.|
|passwordHashing.iterations||100||Customizes the number of hashing iterations used.|
|passwordHashingSalt.enabled||true||Configures if a salt has been used during the hash generation. If this is set to false the following options are ignored.|
|passwordHashingSalt.separationChar||$||Defines the character used in the credential file to separate the salt from the hash.|
|passwordHashingSalt.isFirst||true||Specifies the order of hash and salt. If this is set to true, the salt is in front of the hash (salt$hash), if this option is false the salt is placed after the hash (hash$salt)|
The second file needed for the plugin to work successfully is the credentials file, which is a Java Property File. So in each line one username/password combination can be specified. Depending on the configuration options a line looks like one of the following:
It is not possible to specify different formats for passwords of different users in one file, therefore all lines must contain the same format.
The displayed configuration shows a production-ready implementation, which uses SHA 512, 100 iterations and salting.
Create and Modify the credential file
After having copied this configuration into the fileAuthConfiguration.properties, the credential file has to be improved, too. Now as hashing and salting is enabled the passwords have to be stored in same format.
This can be done easily with the supplied utility:
- Make sure the fileAuthConfiguration.properties have your desired settings
- Delete the provided credentials.properties
- Start utility with on a Linux or OS/X based system:
1java -jar utility/file-authentication-plugin-utility-1.0.jar
- Configure the utility with:
1configure --file path/to/fileAuthConfiguration.properties
- Create as many user as you need with:
1addUser --username <USERNAME> --password <PASSWORD>
- Show all user:
ATTENTION: The utility does not support Windows. credentials.properties must be created on Linux or OS/X.