Configuring security

You can configure a number of security components. You can configure certificate profiles and security profiles to secure your endpoints. You can upload client certificates to the Eclipse Amlen truststore. You can configure Lightweight Third Party Authentication (LTPA) and OAuth. You can enable FIPS-compliant security. All these security components can be configured either by using the Amlen WebUI or by using REST Administration APIs.

Configuring security for an endpoint

Transport Layer Security (TLS) is configured on an endpoint by using a security profile. The security profile specifies the certificate profile and the authentication method (for example, an LTPA profile) that are used with the endpoint. You can apply different security profiles to different endpoints, or apply the same security profile to multiple endpoints.

Security is also provided by connection policies and messaging policies. These policies control which clients can connect to Eclipse Amlen and which messaging actions they can perform. For more information about connection policies, messaging policies, and securing Eclipse Amlen, see Security.

To set up TLS on an Eclipse Amlen endpoint, complete the following steps.
  1. Create a certificate profile. Certificate profiles define the server certificates that are used to control TLS. For more information, see Configuring certificate profiles.
  2. Create a security profile with TLS enabled. Security profiles define the security that is applied to an endpoint. Security profiles include information about the certificate profile that is required for TLS.

    Ensure that TLS is enabled on the security profile; by default, TLS is enabled. For more information about enabling TLS, see Configuring security profiles.

    You can ensure that you comply with the NIST 800-131a requirements by using appropriate settings in your security profiles. For more information, see Configuring security profiles.

  3. Optionally, import client certificates. Client certificates can be used to verify that a client is who it claims to be. For more information, see Configuring client certificates.
  4. Apply the security profile to the endpoint. For more information, see Configuring message hubs.

You can also configure FIPS-compliant security. For more information, see Configuring Federal Information Processing Standards (FIPS).

Note: MQTT JavaScript™ clients that use SSL might not be able to connect to a secure endpoint if the browser detects certain problems with the certificate. An example of such a problem is a mismatch between the Common Name (CN) field in the certificate and the DNS name of your server. If your client cannot connect to a secure endpoint on the server, you can see the problems that the browser reports for the certificate by connecting to the same server and port over HTTPS: enter https://server:port (the host and port that you use for the WebSockets connection) in the URL field of your browser.
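The four steps above, plus the certificate-name check from the note, as REST Administration API calls. This is an added example, not from the Amlen documentation: it assumes the admin endpoint is reachable at http://127.0.0.1:9089, PEM files named server-cert.pem and server-key.pem, the default DemoHub and demo policies, and that the object and attribute names used (CertificateProfile, SecurityProfile, Endpoint, TLSEnabled, MinimumProtocolMethod, Ciphers, UseClientCertificate) match the REST configuration reference for your release.

```shell
#!/bin/sh
# Added example: the TLS-on-an-endpoint procedure as Amlen REST calls.
# Assumed admin endpoint; object/attribute names assumed from the REST
# configuration reference and should be checked against your release.
ADMIN="${AMLEN_ADMIN:-http://127.0.0.1:9089}"

# Build the JSON for one configuration object: type, name, body.
amlen_object() {
    printf '{"%s":{"%s":%s}}' "$1" "$2" "$3"
}

# Security profile body. TLS stays enabled (the default); a TLS 1.2 minimum
# and the strongest cipher set are an assumed hardening baseline.
security_profile_body() {
    cert_profile="$1"; client_cert="${2:-false}"
    printf '{"TLSEnabled":true,"MinimumProtocolMethod":"TLSv1.2","Ciphers":"Best","UseClientCertificate":%s,"CertificateProfile":"%s"}' \
        "$client_cert" "$cert_profile"
}

# PUT a PEM file into the Amlen file store; POST a configuration object.
# The server's JSON reply (including any error message) is printed as-is.
amlen_upload() { curl -sS -X PUT -T "$1" "$ADMIN/ima/v1/file/$(basename "$1")"; }
amlen_apply()  { curl -sS -X POST -H 'Content-Type: application/json' -d "$1" "$ADMIN/ima/v1/configuration/"; }

configure_tls_endpoint() {
    # Step 1: upload the server certificate and key, then create the certificate profile.
    amlen_upload server-cert.pem
    amlen_upload server-key.pem
    amlen_apply "$(amlen_object CertificateProfile TLSCertProf '{"Certificate":"server-cert.pem","Key":"server-key.pem"}')"
    # Step 2: security profile with TLS enabled that references the certificate profile.
    amlen_apply "$(amlen_object SecurityProfile TLSSecProf "$(security_profile_body TLSCertProf false)")"
    # Step 3 (optional): client certificates are uploaded the same way and
    # associated with the security profile; omitted here.
    # Step 4: apply the security profile to the endpoint (assumed demo hub and policies).
    amlen_apply "$(amlen_object Endpoint SecureMqtt '{"Port":8883,"Enabled":true,"Protocol":"MQTT","Interface":"All","MessageHub":"DemoHub","ConnectionPolicies":"DemoConnectionPolicy","TopicPolicies":"DemoTopicPolicy","SecurityProfile":"TLSSecProf"}')"
}

# The check from the note: print the subject CN and subjectAltName of the
# certificate the endpoint presents, to compare with the DNS name clients use.
check_cert_name() {
    host="$1"; port="$2"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
      | openssl x509 -noout -subject -ext subjectAltName
}

# Only talk to a server when explicitly asked, e.g. AMLEN_APPLY=1 sh tls-endpoint.sh
if [ "${AMLEN_APPLY:-0}" = 1 ]; then
    configure_tls_endpoint
    check_cert_name 127.0.0.1 8883
fi
```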

Disabling TLS

You can disable TLS in one of the following ways:
  • Disable TLS in the security profile that is associated with the endpoint. If you disable TLS in the security profile, then TLS is disabled on all endpoints that use the security profile.
  • Remove the reference in the endpoint to the security profile.