TLS-PSK key setup

PSK (Pre-Shared Keys)

If only transmission encryption is needed, symmetric-key encryption with a PSK (Pre-Shared Key) is somewhat easier to set up than TLS certificates.

For TLS-PSK, only one Pre-Shared Key (some random hexadecimal number) needs to be generated and set up for use on both the broker and the client side.

Generating a PSK key

Any hexadecimal string (i.e. a string that consists only of the digits 0–9 and the characters A, B, C, D, E, F) can be used as a PSK key.

A strong and highly random (32 bytes = 256 bits) key can be generated with an OpenSSL command like this:

> openssl rand -hex 32

Setting up PSK key usage

After the PSK key is generated, the broker and the client have to be set up to use it.

In the MQTTClient configuration, choose a unique client id (i.e. any string, like "Client") and register it with the PSK key in the MQTTClient configuration properties (properties TLSPSKIdentity and TLSPSKKey).

On the broker side, create a text file containing all the PSK keys the different clients are using. The file has to be structured line by line; each line must be in the format

client-id:psk-key

Set up MQTTBroker to use the PSK file:

  • Put the PSK file (named for example "keys.psk") into the CDP application folder.
  • Add it to the application project in CDP Studio by right-clicking on the application name in Code mode and choosing "Add existing files...".
  • Configure MQTTBroker to use the PSK file (property TLSKeyFile).
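
The following shell helpers are an added example, not part of CDP Studio or its documentation. They build a broker PSK file in the client-id:psk-key format described above and check an existing one for malformed, non-hexadecimal, short or duplicated entries. The client ids "Client" and "Sensor1" are constructed sample values, and rejecting a ':' inside a client id is an assumption made here because ':' separates the two fields.

```shell
#!/bin/sh
# Added example: create and check a broker PSK file ("client-id:psk-key" lines).

# Print one "client-id:psk-key" line with a fresh 256-bit key.
# Assumption: an id may not be empty or contain ':' (the field separator).
psk_new_entry() {
    case "$1" in
        ''|*:*) echo "invalid client id: '$1'" >&2; return 1 ;;
    esac
    key=$(openssl rand -hex 32) || return 1
    printf '%s:%s\n' "$1" "$key"
}

# Write a PSK file with one entry per client id given after the file name.
# umask 077 makes a newly created file readable by its owner only.
psk_write_file() {
    out=$1; shift
    ( umask 077
      for id in "$@"; do psk_new_entry "$id" || exit 1; done > "$out" )
}

# Check every line of a PSK file. Findings name the line and client id only,
# never the key. Returns non-zero if anything was found.
psk_check_file() {
    awk -F: '
        NF != 2 || $1 == "" { print "line " NR ": not in client-id:psk-key form"; bad = 1; next }
        $2 !~ /^[0-9A-Fa-f]+$/ { print "line " NR ": key for " $1 " is not hexadecimal"; bad = 1; next }
        length($2) < 64 { print "line " NR ": key for " $1 " is shorter than 32 bytes"; bad = 1 }
        seen[$1]++ { print "line " NR ": duplicate client id " $1; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Usage:
#   psk_write_file keys.psk Client Sensor1
#   psk_check_file keys.psk && echo "keys.psk looks well-formed"
```

Each client still needs its own line's id and key entered in TLSPSKIdentity and TLSPSKKey, so transfer those values over a channel you trust.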