Listeners
TBMQ provides flexible configuration options for its listeners, supporting TCP, SSL/TLS, and MQTT over WebSockets protocols.
TCP listener
By default, TBMQ has the TCP listener enabled on port 1883.
To disable the TCP listener, set LISTENER_TCP_ENABLED to false.
To change the host address or port, modify LISTENER_TCP_BIND_ADDRESS and LISTENER_TCP_BIND_PORT.
TLS listener
To enable the SSL/TLS listener, set the LISTENER_SSL_ENABLED environment variable to true. By default, the broker listens on port 8883.
To change the host and/or port that the broker listens on, update the LISTENER_SSL_BIND_ADDRESS and LISTENER_SSL_BIND_PORT variables, respectively.
Choose the type of credentials you want to use by setting the LISTENER_SSL_CREDENTIALS_TYPE parameter. Currently, the supported options are PEM and KEYSTORE.
Note that you can find a list of all available properties in the configuration documentation.
If you choose KeyStore as the credentials type, you need to configure the following:
- Set LISTENER_SSL_KEY_STORE to the path to your .jks file with the server certificate chain.
- Set LISTENER_SSL_KEY_STORE_PASSWORD to the password used to access the key store.
- Set LISTENER_SSL_KEY_PASSWORD to the password for the server certificate.
If you choose PEM as the credentials type, you need to configure the following:
- Set LISTENER_SSL_PEM_CERT to the path of your server certificate file.
- Set LISTENER_SSL_PEM_KEY to the path of your server certificate private key file.
- Set LISTENER_SSL_PEM_KEY_PASSWORD to the password of your server certificate private key.
If you require two-way TLS, you also need to configure the TrustStore by adding the trusted certificates/chains to the configured KeyStore/PEM files. For more information about configuration possibilities and certificate generation, see the MQTT over SSL page.
WS listener
By default, TBMQ has the WebSocket listener enabled on port 8084.
To disable the WS listener, set LISTENER_WS_ENABLED to false.
To change the host address or port, modify LISTENER_WS_BIND_ADDRESS and LISTENER_WS_BIND_PORT.
The WS listener negotiates all MQTT versions by default, i.e. WS_NETTY_SUB_PROTOCOLS is set to mqttv3.1,mqtt.
The subprotocol setting mqtt represents MQTT 3.1.1 and MQTT 5.
WSS listener
To enable the WebSocket Secure listener, set the LISTENER_WSS_ENABLED environment variable to true. By default, the broker listens on port 8085.
To change the host and/or port that the broker listens on, update the LISTENER_WSS_BIND_ADDRESS and LISTENER_WSS_BIND_PORT variables, respectively.
Choose the type of credentials you want to use by setting the LISTENER_WSS_CREDENTIALS_TYPE parameter.
Supported options are the same as for the TLS listener.
If you choose KeyStore as the credentials type, you need to configure the following:
- Set LISTENER_WSS_KEY_STORE to the path to your .jks file with the server certificate chain.
- Set LISTENER_WSS_KEY_STORE_PASSWORD to the password used to access the key store.
- Set LISTENER_WSS_KEY_PASSWORD to the password for the server certificate.
If you choose PEM as the credentials type, you need to configure the following:
- Set LISTENER_WSS_PEM_CERT to the path of your server certificate file.
- Set LISTENER_WSS_PEM_KEY to the path of your server certificate private key file.
- Set LISTENER_WSS_PEM_KEY_PASSWORD to the password of your server certificate private key.
If you require two-way TLS, configure the TrustStore by adding the trusted certificates/chains.
The WSS listener uses the same negotiation subprotocols as the WS listener. To change this default behavior, update the WSS_NETTY_SUB_PROTOCOLS parameter.
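
The following is an added example, not part of the TBMQ documentation or code base: a Python check that audits a set of environment variables against the TLS and WSS listener settings described above. The audit policy is an assumption of this example (it flags plaintext listeners and requires the credentials type and file settings to be set explicitly rather than relying on broker defaults); LISTENER_*_PEM_KEY_PASSWORD is not checked on the assumption that it only applies to an encrypted key, and the sample values are constructed.

```python
# Added example: audit a TBMQ listener environment for the settings on this page.
# Enabled/disabled defaults (TCP and WS on, TLS and WSS off) are the ones this page states.
ENABLED_DEFAULTS = {"TCP": True, "SSL": False, "WS": True, "WSS": False}
REQUIRED = {  # assumption: key password for PEM is optional (unencrypted key)
    "KEYSTORE": ("KEY_STORE", "KEY_STORE_PASSWORD", "KEY_PASSWORD"),
    "PEM": ("PEM_CERT", "PEM_KEY"),
}

# Constructed sample environment (not from a real deployment).
SAMPLE_ENV = {
    "LISTENER_SSL_ENABLED": "true",
    "LISTENER_SSL_CREDENTIALS_TYPE": "PEM",
    "LISTENER_SSL_PEM_CERT": "/config/server.pem",
    "LISTENER_WS_ENABLED": "false",
}


def enabled(env, name):
    """Return whether listener `name` is on, falling back to the documented default."""
    raw = env.get(f"LISTENER_{name}_ENABLED")
    if raw is None:
        return ENABLED_DEFAULTS[name]
    return raw.strip().lower() == "true"


def audit(env):
    """Return a list of findings for a dict of environment variables."""
    findings = []
    for plain, secure in (("TCP", "SSL"), ("WS", "WSS")):
        if enabled(env, plain):
            state = "alongside" if enabled(env, secure) else "without"
            findings.append(f"{plain}: plaintext listener enabled {state} {secure}")
    for name in ("SSL", "WSS"):
        if not enabled(env, name):
            continue
        ctype = env.get(f"LISTENER_{name}_CREDENTIALS_TYPE", "").strip().upper()
        if ctype not in REQUIRED:
            findings.append(f"{name}: LISTENER_{name}_CREDENTIALS_TYPE must be PEM or KEYSTORE")
            continue
        for suffix in REQUIRED[ctype]:
            var = f"LISTENER_{name}_{suffix}"
            if not env.get(var):
                findings.append(f"{name}: {var} is not set")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_ENV)))
```

Pass `dict(os.environ)` or a parsed env file to `audit` to run the same check against a real configuration.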