TLS / PreSharedKey (PSK)

PreSharedKeys (PSK) are secrets (passwords) that are configured on both sides of a connection through a configuration process. The connection itself is established over TLS 1.2.

TwinCAT configuration with PSK

For a TwinCAT router, a PSK can be assigned to the route in the configuration file; the key is entered as a hex string.

<?xml version="1.0" encoding="ISO-8859-1"?>
<TcConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.beckhoff.com/schemas/2015/12/TcConfig">
<RemoteConnections>
  <Mqtt>
    <Address Port="8883">BROKER-ADDRESS</Address>
    <Topic>VirtualAmsNetwork1</Topic>
    <Psk>
      <Identity>EngineeringStation</Identity>
      <Key>4D65696E5061737377C3B67274[…]</Key>
    </Psk>
  </Mqtt>
</RemoteConnections>
</TcConfig>

Secure PSK

A strong PreSharedKey consists of a hex string of 64 characters, i.e. 32 random bytes.

Alternatively, the key can be derived by TwinCAT to allow simpler input. To do this, a password is entered as a normal string in the <Pwd> element. TwinCAT calculates the PSK to be used from this password and the identity as Sha256('Identity'+'Pwd'). If the attribute "IdentityCaseSensitive" is set to "false" (or is not specified), the identity is converted to upper case before the key calculation.

<?xml version="1.0" encoding="ISO-8859-1"?>
<TcConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.beckhoff.com/schemas/2015/12/TcConfig">
<RemoteConnections>
  <Mqtt>
    <Address Port="8883">BROKER</Address>
    <Topic>VirtualAmsNetwork1</Topic>
    <Psk>
      <Identity>EngineeringStation</Identity>
      <Pwd IdentityCaseSensitive="false">!ABCDEFGHijklmn123545</Pwd>
    </Psk>
  </Mqtt>
</RemoteConnections>
</TcConfig>

Minimal Mosquitto configuration

The following entries form the simplest Mosquitto configuration for PSKs:

port 8883
psk_hint AHint
use_identity_as_username true
auth_plugin C:\TwinCAT\AdsApi\TcMqttPlugin\TcMqttPlugin.dll
auth_opt_xml_file ACL.xml

Broker configuration with PSK

The TcMqttPlugin allows the broker to authenticate clients with a PSK. The configuration is saved in the plugin's configuration file, where the PSK is specified as a hex string.

The IdentityCaseSensitive attribute controls whether identities are compared case-sensitively; with "false", identities are matched irrespective of whether they are written in lower or upper case.

<TcMqttAclConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="C:\TwinCAT\3.1\Config\Modules\TcMqttAclConfig.xsd" IdentityCaseSensitive="false">
  <Psk>
    <Identity>EngineeringStation</Identity>
    <Key>4D65696E5061737377C3B67274</Key>
  </Psk>
<!-- <Ams> Elements following -->
</TcMqttAclConfig>

Alternatively, the key can be derived by the TcMqttPlugin to allow simpler input. To do this, a password is entered as a normal string in the <Pwd> element. TwinCAT calculates the PSK to be used from this password and the identity as Sha256('Identity'+'Pwd'). If the attribute "IdentityCaseSensitive" at the level of <TcMqttAclConfig> is set to "false" (or is not specified), the identity is converted to upper case before the key calculation.

<TcMqttAclConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="C:\TwinCAT\3.1\Config\Modules\TcMqttAclConfig.xsd" IdentityCaseSensitive="false">
  <Psk>
    <Identity>EngineeringStation</Identity>
    <Pwd>!ABCDEFGHijklmn123545</Pwd>
  </Psk>
<!-- <Ams> Elements following -->
</TcMqttAclConfig>
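The key derivation described above for the TwinCAT router (<Pwd> inside TcConfig) and for the TcMqttPlugin (<Pwd> inside TcMqttAclConfig) is the same: SHA256 over identity + password, with the identity upper-cased unless IdentityCaseSensitive is "true". The following Python script is an added example, not Beckhoff code and not part of this page: it parses both configuration file types, derives the PSK where a <Pwd> is given, takes the <Key> where one is configured, and checks each resulting key against the 64-hex-character recommendation from the "Secure PSK" section. Assumptions that the page does not state: the identity and password are hashed as UTF-8 bytes, the upper-case conversion is Python's str.upper(), and a missing IdentityCaseSensitive attribute means "false". The two XML documents are constructed to mirror the page's snippets.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample: TcConfig variant, flag on the <Pwd> element (mirrors the page).
TCCONFIG_PWD = """<?xml version="1.0" encoding="ISO-8859-1"?>
<TcConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.beckhoff.com/schemas/2015/12/TcConfig">
<RemoteConnections>
  <Mqtt>
    <Address Port="8883">BROKER</Address>
    <Topic>VirtualAmsNetwork1</Topic>
    <Psk>
      <Identity>EngineeringStation</Identity>
      <Pwd IdentityCaseSensitive="false">!ABCDEFGHijklmn123545</Pwd>
    </Psk>
  </Mqtt>
</RemoteConnections>
</TcConfig>
"""

# Constructed sample: TcMqttAclConfig variant, flag on the root, key given as hex.
# The key value is the page's own (short) example, 13 bytes long.
ACLCONFIG_KEY = """<TcMqttAclConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IdentityCaseSensitive="false">
  <Psk>
    <Identity>EngineeringStation</Identity>
    <Key>4D65696E5061737377C3B67274</Key>
  </Psk>
</TcMqttAclConfig>
"""

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
RECOMMENDED_HEX_LEN = 64  # 32 bytes, per the "Secure PSK" recommendation


def sha256_hex(text: str) -> str:
    """SHA256 of the text, returned as an upper-case hex string.
    Assumption: the string is hashed as UTF-8 bytes (encoding not stated on the page)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest().upper()


def derive_psk(identity: str, pwd: str, identity_case_sensitive: bool = False) -> str:
    """Sha256('Identity'+'Pwd'); identity is upper-cased unless the flag is true.
    Assumption: upper-casing is str.upper(), which matches TwinCAT for ASCII identities."""
    if not identity_case_sensitive:
        identity = identity.upper()
    return sha256_hex(identity + pwd)


def check_key_strength(key_hex: str) -> tuple:
    """Return (ok, message) for a configured or derived <Key> value."""
    if not HEX_RE.match(key_hex) or len(key_hex) % 2:
        return (False, "not a valid hex string")
    if len(key_hex) < RECOMMENDED_HEX_LEN:
        return (False, f"only {len(key_hex) // 2} bytes; 32 bytes (64 hex characters) recommended")
    return (True, "ok")


def resolve_psks(config_xml: str) -> list:
    """Return [(identity, key_hex), ...] for every <Psk> in a TcConfig or TcMqttAclConfig.
    TcMqttAclConfig carries IdentityCaseSensitive on the root, TcConfig on <Pwd>;
    a <Pwd>-level attribute overrides the root-level one, and the default is false."""
    # Encode per the ISO-8859-1 declaration the page's TcConfig files use.
    root = ET.fromstring(config_xml.encode("iso-8859-1"))
    root_cs = root.get("IdentityCaseSensitive", "false").lower() == "true"
    result = []
    for psk in root.iter("Psk"):
        identity = (psk.findtext("Identity") or "").strip()
        key = psk.findtext("Key")
        if key is not None:
            result.append((identity, key.strip()))
            continue
        pwd = psk.find("Pwd")
        if pwd is None:
            raise ValueError(f"<Psk> for {identity!r} has neither <Key> nor <Pwd>")
        attr = pwd.get("IdentityCaseSensitive")
        case_sensitive = root_cs if attr is None else attr.lower() == "true"
        result.append((identity, derive_psk(identity, pwd.text or "", case_sensitive)))
    return result


if __name__ == "__main__":
    for identity, key in resolve_psks(TCCONFIG_PWD) + resolve_psks(ACLCONFIG_KEY):
        ok, msg = check_key_strength(key)
        print(f"{identity}: {key[:16]}... ({len(key) // 2} bytes) -> {msg}")
```

Running the script shows the derived key for the <Pwd> variant passing the length check (SHA256 always yields 32 bytes), while the page's literal example key is flagged as short. Note that with IdentityCaseSensitive="false" both sides must apply the same upper-casing, otherwise client and broker derive different keys from the same password.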