Configuring SSL offloading with end-to-end encryption for MQTT

The following example shows how to do SSL offloading for MQTT with end-to-end encryption.

Note: This example does not provide details related to adding or updating a certificate-key pair and binding it to a virtual server. For those details, see SSL certificates.

The following commands import the extension file and add the MQTT_SSL protocol with SSL transport.

import extension mqtt_code
add user protocol MQTT_SSL -transport SSL -extension mqtt_code

The following commands add a user load balancing virtual server and bind backend services to it. Both the load balancing virtual server and the services are configured for the service type USER_SSL_TCP.

add service mqtt_svr1 USER_SSL_TCP 1501
add service mqtt_svr2 USER_SSL_TCP 1502
add lb vserver mqtt_lb USER_SSL_TCP –lbmethod RR
bind lb vserver mqtt_lb mqtt_svr1
bind lb vserver mqtt_lb mqtt_svr2

The following command adds a user virtual server for the newly added protocol MQTT_SSL. Using MQTT_SSL means the NetScaler appliance will do SSL offloading, because MQTT_SSL was configured with SSL transport. The command also makes the load balancing virtual server, configured in previous step, the default load balancer.

add user vserver mqtt_vs MQTT_SSL 8765 -defaultLb mqtt_lb

For end-to-end encryption, you also need to enable the SSL feature and bind a certkey to the user and default load balancing virtual servers. For more information, see the following topics:

Add or update a certificate-key pair

Bind the certificate-key pair to the SSL virtual server

enable ns feature SSL

add SSL certKey mqtt_svr_cert_key -cert server1.cert -key server1.key

bind ssl vserver mqtt_lb  -certkeyName mqtt_svr_cert_key

bind ssl vserver mqtt_vs  -certkeyName mqtt_svr_cert_key
Configuring SSL offloading with end-to-end encryption for MQTT

In this article