Slave Mode (mTLS)
IoT Slave Mode is explained in detail in the Getting Started section.
Downloading Client Certificate
You will need an SSL/TLS client certificate to enable mTLS authentication for an IoT Slave Mode connection.
Execute the CA command below to log in and download a TLS client certificate from the SocketXP Cloud Gateway's CA module.
sudo socketxp ca login <your-auth-token> --client "[email protected]"
Downloaded client certificate from the CA.
"[email protected]" is the email ID of the user who wants to connect to an IoT device using the certificate.
Enabling mTLS Authentication
To enable mTLS authentication for an IoT Slave Mode connection, execute the SocketXP agent command using the --mtls option as shown below:
sudo socketxp connect tcp://127.0.0.1:3000 --iot-slave --peer-device-id <device-id> --peer-device-port 22 --authtoken <auth token> --gateway-port 9444 --mtls --cert /var/lib/socketxp/tls_client.crt --key /var/lib/socketxp/tls_client.key
Listening for TCP connections at:
Local URL -> tcp://localhost:3000
Note: You need to specify the --gateway-port 9444 flag to instruct the agent to connect to the mTLS gateway port of the SocketXP Cloud Gateway. By default, the SocketXP agent connects to the TLS gateway port 9443.
Configuration File
Here is a sample configuration file to enable mTLS authentication for an agent running in Slave Mode:
$ cat /etc/socketxp/config.json
{
  "gateway_port": 9444,
  "iot_slave": true,
  "authtoken": "eyJhbGciOiJIUzI1Ni...",
  "mtls": {
    "enable": true,
    "cert": "/var/lib/socketxp/tls_client.crt",
    "key": "/var/lib/socketxp/tls_client.key"
  },
  "tunnels": [
    {
      "destination": "tcp://127.0.0.1:3000",
      "peer_device_id": "1234-abcd-12345-efgh-123545",
      "peer_device_port": "22"
    },
    {
      "destination": "tcp://127.0.0.1:3001",
      "peer_device_id": "5678-abcd-12345-efgh-567890",
      "peer_device_port": "8080"
    }
  ]
}
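As an added check that is not part of the SocketXP documentation or agent, the linter below validates a config.json of the shape shown above before the agent is started: it flags the mistake the note warns about (mTLS enabled while gateway_port is still the default TLS port 9443), missing cert/key paths and incomplete tunnel entries. The sample configs are constructed here, and the private-key permission check is a general hardening assumption rather than a documented SocketXP requirement.

```python
"""Lint a SocketXP agent config.json for mTLS IoT Slave Mode. Added example,
not SocketXP's own code: field names follow this page's sample config and the
9444-vs-9443 rule follows its note; the key-permission check is an assumption."""
import json
import os
import stat

MTLS_GATEWAY_PORT = 9444  # mTLS gateway port of the SocketXP Cloud Gateway
TLS_GATEWAY_PORT = 9443   # agent default when --gateway-port is not given


def lint_slave_mtls_config(text, check_files=False):
    """Return a list of problems; an empty list means the config passes."""
    cfg = json.loads(text)
    mtls = cfg.get("mtls") or {}
    problems = []
    if cfg.get("iot_slave") is not True:
        problems.append("iot_slave must be true for Slave Mode")
    if not cfg.get("authtoken"):
        problems.append("authtoken is missing")
    if mtls.get("enable") is not True:
        problems.append("mtls.enable is not true; client-certificate auth is off")
    elif cfg.get("gateway_port", TLS_GATEWAY_PORT) != MTLS_GATEWAY_PORT:
        # The gotcha in the page's note: mTLS on, but still dialing the TLS port.
        problems.append("mtls enabled but gateway_port is %s, expected %d"
                        % (cfg.get("gateway_port", TLS_GATEWAY_PORT), MTLS_GATEWAY_PORT))
    for field in ("cert", "key"):
        path = mtls.get(field)
        if not path:
            problems.append("mtls.%s is missing" % field)
        elif check_files and not os.path.isfile(path):
            problems.append("mtls.%s file not found: %s" % (field, path))
        elif check_files and field == "key" and \
                os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("private key %s is readable by group/others" % path)
    for i, tun in enumerate(cfg.get("tunnels") or []):
        for key in ("destination", "peer_device_id", "peer_device_port"):
            if not tun.get(key):
                problems.append("tunnels[%d] is missing %s" % (i, key))
    return problems


# Constructed sample mirroring the page's config; the token is a placeholder.
GOOD_CONFIG = """{"gateway_port": 9444, "iot_slave": true, "authtoken": "<auth-token>",
  "mtls": {"enable": true, "cert": "/var/lib/socketxp/tls_client.crt",
           "key": "/var/lib/socketxp/tls_client.key"},
  "tunnels": [{"destination": "tcp://127.0.0.1:3000",
               "peer_device_id": "1234-abcd-12345-efgh-123545",
               "peer_device_port": "22"}]}"""
# Same config left on the default TLS port, the mistake the note warns about.
BAD_CONFIG = GOOD_CONFIG.replace('"gateway_port": 9444', '"gateway_port": 9443')
```

Run it with check_files=True on the real /etc/socketxp/config.json to also verify that the cert and key files exist and that the key is not group- or world-readable.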