MQTT cloud gateway overview
The MQTT cloud gateway connects devices to IoT Platform using the standard MQTT protocol. It supports custom certificates, one-way and mutual authentication, device-side OCSP, and certificate management.
Features
Only Premium Enterprise instances in the China (Shanghai), China (Beijing), and China (Shenzhen) regions support connecting devices to IoT Platform using the MQTT cloud gateway.
| Feature | Description |
| --- | --- |
| Custom port number | Default port: 1883. Custom ports are supported in the range 1024–65535. |
| One-way authentication | IoT Platform provides the authentication service. Create a One-way authentication cloud gateway product and import devices in batches. Devices then connect to IoT Platform via the standard MQTT protocol. |
| Third-party authentication | The developer manages the authentication service. Devices register using certificate CN authentication or a username. Supported methods: Alibaba Cloud FC and External HTTPS (see Device authentication flow below). |
| Data parsing | Process device-reported data into the required format using custom topic parsing. For more information, see What is message parsing? |
| Device X.509 authentication | Supports server-side one-way authentication and mutual device-server authentication for identity verification. |
| SM certificate | With TLS 1.3, devices support SM certificates, SM2/SM3/SM4 cryptographic algorithms, and the SM SSL protocol. Note: only single SM certificates with the TLS_SM4_GCM_SM3 and TLS_SM4_CCM_SM3 cipher suites are supported. Dual SM certificates (TLCP) are not supported. |
| OCSP | Provides OCSP capabilities for device-side and server-side certificates. OCSP queries the issuing CA to check whether a certificate has been revoked. |
Device authentication flow
One-way authentication
- Create a cloud gateway product (MQTT): Set Authentication Type to One-way authentication and configure other parameters.
- Create a cloud gateway device (MQTT): Import device information in batches, including the SN (optional), MQTT Username, and MQTT Password.
- Configure the MQTT access domain on the device:
  - If the devices already have a configured endpoint, create a CNAME record to map that endpoint to the gateway URL. For more information about DNS configuration, see Alibaba Cloud DNS.
  - If the devices do not have a configured endpoint, you must configure the gateway URL on the devices. For more information, see Connect a device over MQTT.
Third-party authentication (Alibaba Cloud FC)
- Create an FC service and create an FC function for third-party device authentication. The FC function's request and response parameters must meet the specifications in Create a cloud gateway product (MQTT). You can customize the function name.
- Create a cloud gateway product (MQTT): Set Authentication Type to Third-party authentication, set Third-party Authentication Method to Alibaba Cloud FC, and select your FC service and function for Device Authentication FC Service and Device Authentication FC Function.
- On first connection, IoT Platform automatically creates and connects the device based on the deviceName response parameter from the authentication function.
Third-party authentication (External HTTPS)
- Create a third-party device authentication service callable over HTTPS. The HTTPS request and response parameters must meet the specifications in Create a cloud gateway product (MQTT).
- Create a cloud gateway product (MQTT): Set Authentication Type to Third-party authentication, set Third-party Authentication Method to External HTTPS, and set Device Authentication HTTPS URL to your authentication service URL.
- On first connection, IoT Platform automatically creates and connects the device based on the deviceName response parameter from the HTTPS authentication service.
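In both third-party flows above (Alibaba Cloud FC and External HTTPS) the developer owns the credential check, so the authentication service is the security boundary: it decides which MQTT usernames are accepted and which deviceName IoT Platform creates. The following is an added example, not code from this page or from IoT Platform. It assumes a hypothetical request body with `username` and `password` fields and a hypothetical response with `allowed` and `deviceName`; the real field names are defined in Create a cloud gateway product (MQTT), which this page does not reproduce. The credential table is constructed for the example. The handler listens on plain HTTP and is assumed to sit behind a TLS terminator, since the gateway requires the callback to be reachable over HTTPS.

```python
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length verifier; the store never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed credential store for the example: MQTT username -> (salt, verifier, deviceName).
# A real service would read this from a database or a secrets manager.
_SALT = b"constructed-per-user-salt"
DEVICE_TABLE = {
    "sensor-001": (_SALT, _hash_password("s3cret-001", _SALT), "sensor-001-device"),
}
# Dummy verifier used for unknown usernames so the code path costs the same time.
_DUMMY_VERIFIER = bytes(32)


def authenticate(request: dict) -> dict:
    """Check one authentication request; deny by default.

    Hypothetical schema: {"username": str, "password": str} in,
    {"allowed": bool, "deviceName": str} out.
    """
    username = request.get("username")
    password = request.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return {"allowed": False}
    entry = DEVICE_TABLE.get(username)
    salt, expected, device_name = entry if entry is not None else (_SALT, _DUMMY_VERIFIER, None)
    # Always derive and compare, even for unknown users, so a timing difference
    # does not reveal which usernames exist; compare_digest avoids early exit.
    candidate = _hash_password(password, salt)
    if entry is None or not hmac.compare_digest(candidate, expected):
        return {"allowed": False}
    return {"allowed": True, "deviceName": device_name}


class AuthHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front end for the External HTTPS flow (TLS terminated upstream)."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0") or "0")
        try:
            body = json.loads(self.rfile.read(length) or b"{}")
        except (json.JSONDecodeError, UnicodeDecodeError):
            body = {}
        result = authenticate(body if isinstance(body, dict) else {})
        data = json.dumps(result).encode("utf-8")
        self.send_response(200 if result["allowed"] else 401)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, format, *args):
        # Suppress the default access log so request bodies and credentials
        # never end up in stdout.
        return


def fc_handler(event, context):
    """Hypothetical wrapper shaped like an FC event handler: raw JSON bytes in, JSON out."""
    try:
        payload = json.loads(event or b"{}")
    except (json.JSONDecodeError, UnicodeDecodeError):
        payload = {}
    return json.dumps(authenticate(payload if isinstance(payload, dict) else {}))


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

The same `authenticate` function backs both deployment shapes, so the policy (deny unless the verifier matches, constant-time comparison, no credential logging) is identical whether the gateway calls an FC function or an external URL. The deviceName returned on success is what IoT Platform uses to create the device on first connection, so it should be taken from the trusted table rather than echoed from the request.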
Device communication
MQTT cloud gateway devices communicate with IoT Platform through custom message topics. IoT Platform relays upstream and downstream data. For more information, see Message communication.