Secured Mode

Secured mode enables TLS/SSL for encrypted communication between the Manta Manager, the Mosquitto broker, and the nodes. Follow these steps:

  1. Start the Manta Manager in secured mode using the --secured option:

In secured mode, start Mosquitto only after manta_manager is running, because manta_manager generates the certificates and the broker configuration that Mosquitto needs. manta_manager must be run on a server machine.

$ manta_manager -vv --debug --secured
[09/13/24 15:45:25] INFO     2024-09-13 15:45:25,386 - manta_manager.certification_servicer - INFO - Token: 99e48b0cc48af374a5dc03a07e2b34f7 (certification_servicer.py:235)
                    INFO     2024-09-13 15:45:25,420 - manta_manager.certification_servicer - INFO - Deploy MQTT broker with: mosquitto -c .manta/certs/mosquitto.conf (certification_servicer.py:258)
                    INFO     2024-09-13 15:45:25,422 - manta_manager.manager - INFO - Certificates folder: .manta/certs (manager.py:195)
                    INFO     2024-09-13 15:45:25,427 - manta_manager.database - INFO - Connected to MongoDB at localhost:27017 (database.py:710)
                    INFO     2024-09-13 15:45:25,429 - manta_manager.mqtt_client - INFO - Loading SSL certificates from .manta/certs (mqtt_client.py:41)
                    INFO     2024-09-13 15:45:25,441 - manta_manager.manager - INFO - CertificationServicer server started on localhost:50050 (manager.py:238)

Note

For more information on available flags, refer to the Manager CLI documentation.

  2. Deploy the Mosquitto broker with TLS/SSL using the generated configuration file:

Mosquitto must be started with the configuration file generated by manta_manager, located at .manta/certs/mosquitto.conf.

$ mosquitto -c .manta/certs/mosquitto.conf
[22504.033687]~DLT~75210~INFO     ~FIFO /tmp/dlt cannot be opened. Retrying later...
1726235128: mosquitto version 1.6.9 starting
1726235128: Config loaded from .manta/certs/mosquitto.conf.
1726235128: Opening ipv4 listen socket on port 1883.
1726235130: New connection from 127.0.0.1 on port 1883.

The manta_manager should connect to the broker automatically once the broker has started.

[09/13/24 15:45:30] INFO     2024-09-13 15:45:30,447 - manta_manager.mqtt_client - INFO - Connected to MQTT broker: localhost:1883 (mqtt_client.py:149)

  3. Keep the unique token:

$ cat TOKEN
2d8c3fbce5c295eef2d9f98e9f623235

Warning

In secured mode, the Manta Manager generates a unique token. This token must be provided to each Manta Node during its initialization so that it can establish a secured TLS/SSL connection. The token authorizes the certificate exchange and the certificate signing process: each node generates its own private key and a signing request, and the manager returns a signed certificate for that node.

  4. Once Docker is set up on your nodes, use this token to connect the nodes to the manager:

manta_node must be run on the embedded devices themselves.

$ manta_node -vv --debug --secured_token=2d8c3fbce5c295eef2d9f98e9f623235
[09/13/24 15:47:02] INFO     2024-09-13 15:47:02,273 - manta_node.task_runner - INFO - Connected to docker daemon ! (task_runner.py:29)
                    INFO     2024-09-13 15:47:02,308 - manta_node.certification_builder - INFO - Private key generated and saved to .manta/32dcfe19fe164e75bd5068a5d65b74a7/certs/node.key (certification_builder.py:66)
                    INFO     2024-09-13 15:47:02,317 - manta_node.certification_builder - INFO - CA certificate saved to .manta/32dcfe19fe164e75bd5068a5d65b74a7/certs/ca.crt (certification_builder.py:83)
                    INFO     2024-09-13 15:47:02,319 - manta_node.certification_builder - INFO - CSR generated (certification_builder.py:107)
                    INFO     2024-09-13 15:47:02,327 - manta_node.certification_builder - INFO - Signed certificate received and saved to .manta/32dcfe19fe164e75bd5068a5d65b74a7/certs/node.crt (certification_builder.py:126)

Note

By default, the node_id is derived from the machine's MAC address; the MAC address itself is not stored on the server. To use an alias instead, pass --alias <your_alias>. To generate and use a random ID, pass --random_id.
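The following Python is an added example, not code from the Manta project (whose implementation is not shown on this page). It models the enrollment that the Warning above and the node log describe: a manager-side servicer holds the CA and the shared enrollment token; the node generates node.key and a CSR, presents the token, and receives ca.crt plus a CA-signed node.crt, which it verifies against the CA before trusting it. It also includes an assumed MAC-derived node id in the spirit of the Note above. The class and function names, the choice of ECDSA P-256, the 90-day validity, and the hashed-MAC id scheme are all assumptions; the `cryptography` package is required.

```python
"""Added example (not Manta's code): a minimal model of secured-mode enrollment.
Names, key type and the node-id scheme are assumptions, not Manta's API."""
import datetime
import hashlib
import hmac
import secrets
import uuid

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

PEM = serialization.Encoding.PEM


def _now() -> datetime.datetime:
    return datetime.datetime.now(datetime.timezone.utc)


def default_node_id() -> str:
    """Assumed scheme: a 32-hex-char id derived by hashing the MAC address, so the
    id is stable per machine while the raw MAC never has to be sent or stored."""
    mac = uuid.getnode().to_bytes(6, "big")
    return hashlib.sha256(mac).hexdigest()[:32]


class CertificationServicer:
    """Manager side (hypothetical): CA key/cert, one shared token, CSR signing."""

    def __init__(self) -> None:
        self.ca_key = ec.generate_private_key(ec.SECP256R1())
        name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "manta-ca")])
        self.ca_cert = (
            x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(self.ca_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(_now())
            .not_valid_after(_now() + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(self.ca_key, hashes.SHA256())
        )
        # Same shape as the token printed by manta_manager: 16 random bytes as hex.
        self.token = secrets.token_hex(16)

    def sign_csr(self, token: str, csr_pem: bytes) -> bytes:
        """Return a PEM node certificate; raise if the token or the CSR is bad."""
        # Constant-time comparison so a wrong token cannot be probed byte by byte.
        if not hmac.compare_digest(token.encode(), self.token.encode()):
            raise PermissionError("enrollment token rejected")
        csr = x509.load_pem_x509_csr(csr_pem)
        if not csr.is_signature_valid:
            raise ValueError("CSR signature does not match its public key")
        cert = (
            x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(self.ca_cert.subject)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(_now())
            .not_valid_after(_now() + datetime.timedelta(days=90))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(self.ca_key, hashes.SHA256())
        )
        return cert.public_bytes(PEM)


def node_enroll(servicer: CertificationServicer, token: str, node_id: str) -> dict:
    """Node side: generate node.key, build a CSR for node_id, obtain node.crt and
    ca.crt, and verify that node.crt really chains to ca.crt before trusting it."""
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, node_id)]))
        .sign(key, hashes.SHA256())
    )
    node_crt = servicer.sign_csr(token, csr.public_bytes(PEM))
    ca_crt = servicer.ca_cert.public_bytes(PEM)

    cert = x509.load_pem_x509_certificate(node_crt)
    ca = x509.load_pem_x509_certificate(ca_crt)
    # Raises InvalidSignature if the certificate was not signed by this CA.
    ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                           ec.ECDSA(cert.signature_hash_algorithm))
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return {
        "node.key": key.private_bytes(PEM, serialization.PrivateFormat.PKCS8,
                                      serialization.NoEncryption()),
        "ca.crt": ca_crt,
        "node.crt": node_crt,
        "common_name": cn,
    }


def enrollment_rejected(servicer: CertificationServicer, token: str) -> bool:
    """True if the servicer refuses to sign for this token (the failure mode a
    node with a mistyped or stale token will hit)."""
    try:
        node_enroll(servicer, token, "probe-node")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    servicer = CertificationServicer()
    files = node_enroll(servicer, servicer.token, default_node_id())
    print("enrolled:", files["common_name"], "| bad token rejected:",
          enrollment_rejected(servicer, "0" * 32))
```

On a real node the same chain check can be run against the files in .manta/<node_id>/certs with `openssl verify -CAfile ca.crt node.crt`; a failure there means the node certificate was not signed by the manager's CA that the node trusts.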

Note

See the Node CLI for more information on flags.