AWS IoT as your MQTT Broker
Using the MQTT Connector
Want to use AWS IoT Core as the MQTT broker for your Mendix low-code IoT project? With Mendix, you can publish a message on the MQTT broker and subscribe to messages from the MQTT broker, and execute a microflow when the messages come in. This allows the creation of smart apps fully integrated with the IoT environment. In the Mendix forum, many posts are related to the connector's setup. This blog post will help you to get started.
Mendix
In the Mendix Marketplace, you can find 3 connectors:
MQTT Connector is the latest one, and I advise starting with this one before looking at the others.
MQTT Client is used frequently and has similar features. Using the MQTT Client, you need to include the certificate files in your project resources directory. The MQTT Connector stores the certificates as strings in the database.
AWS IoT Connector, built in Mendix 7, has—apart from publishing and subscribing—features like retrieving a list and descriptions of Things and managing the Shadow (Device Shadows allow connected devices to sync their state with AWS. You can also get, update, or delete the state information about this thing’s Device Shadows by using HTTPS and MQTT topics).
When using the MQTT connector in Mendix, the constant ClientIdPrefix must be set. This should match the Thing name and the Policy (more about the Policy later in this post). You can find the constant in your project explorer under “Marketplace modules → MQTT Connector → USE_ME”. In this example, I will use the “Mendix” string, but it can be anything of your choice.
You also need to make the “ConnectionAdministration” page, found in the same USE_ME directory, reachable in your application. When running the application, you will be able to create records in the ConnectionDetail entity. The section “Running the application” explains what to fill in. But first, let’s configure AWS IoT Core.
Configure AWS IoT
If you do not have an AWS account, browse aws.amazon.com and sign up for an account.
When logged in, select the region in which you want the MQTT broker to run; I chose “Frankfurt” (eu-central-1).
In the search box, please type “IoT” and select “IoT Core.”
In the menu on the left, select “Connect one device”.
Note the broker hostname shown in step 4 of “Prepare your device”: it is the string after the “ping” command.
Click “Next.”
In “Thing name”, fill in the exact string as your Mendix ClientIdPrefix constant. In the example, it is “Mendix.”
Click “Next” and select Platform and SDK to connect to your IoT Broker from Java, Node.JS, or Python.
What you choose here does not matter if you don’t want to test with any of those languages. Click “Next”.
Press the “Download connection kit” button and find the compressed .zip file in your (default) download directory.
Open the .zip file; from its contents you need these two files: <Thing/Name>.cert.pem (the client certificate) and <Thing/Name>.private.key (the client private key).
AWS IoT Security
Apart from the client certificate above, AWS IoT can be locked down tightly through policies. To allow the Mendix MQTT Module to connect and publish/subscribe to topics, we have to change the policy created in the previous step (it was created automatically in the background).
In the left menu, select Security → Policies.
The policy to edit is Mendix-Policy. Select it to edit its settings.
Click “Edit active version” to edit the existing policy. Remove the statements you don’t need, such as the ones for */test/java. See the image “The active policy” for the end result needed for Mendix.
The resource of iot:Connect must be replaced by the name of your ClientIdPrefix. Keep the string found under “Policy resource:” up to and including the first “:client/” and append the client id. You can add multiple ids, separated by commas.
arn:aws:iot:eu-central-1:<your arn number>:client/mendix, arn:aws:iot:eu-central-1:<your arn number>:client/mx
You can reuse the policy for all clients whose name starts with mendix by adding a wildcard at the end (arn:aws:iot:eu-central-1:<your arn number>:client/mendix*). It will accept client names like “mendix-app1”.
Now edit “iot:Publish, iot:Receive”.
Keep the string found under “Policy resource:” up to and including the first “:topic/” and append the topic. You can add multiple topics, separated by commas.
Read the Amazon documentation page on policy wildcards for details. The usual MQTT wildcards are not used here: use * or ? instead of the MQTT # and +.
arn:aws:iot:eu-central-1:<your arn number>:topic/*
And finally, edit “iot:Subscribe”.
Keep the string found under “Policy resource:” up to and including the first “:topicfilter/” and append the topics to listen to. You can add multiple topic filters, separated by commas.
arn:aws:iot:eu-central-1:<your arn number>:topicfilter/*
Select the checkbox “Set the edited version …” and click the “Save as new version” button.
The end result will look something like this:
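As an added illustration (not the post’s screenshot), this is the complete policy document assembled from the three resources above; <your arn number> is the post’s placeholder for your 12-digit AWS account id:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "arn:aws:iot:eu-central-1:<your arn number>:client/mendix*"
    },
    {
      "Effect": "Allow",
      "Action": ["iot:Publish", "iot:Receive"],
      "Resource": "arn:aws:iot:eu-central-1:<your arn number>:topic/*"
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": "arn:aws:iot:eu-central-1:<your arn number>:topicfilter/*"
    }
  ]
}
```

To act on the wildcard tip, replace topic/* and topicfilter/* with the topics your app actually uses, for example topic/mendix/* and topicfilter/mendix/*.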
Tip: Using fewer wildcards makes your environment more secure!
Back to Mendix: Running the application
Run the application and go to the page “ConnectionAdministration”. It will look like this:
Click the “New” button, enable the SSL toggle, and fill in the screen.
For the CA Certificate do the following:
- go to https://ssltool.com/index.php?action=sslCheckRawOpenSSL
In the text field, enter your broker hostname followed by a colon and the port number, then hit the “submit” button:
a314ssecret2334-ats.iot.eu-central-1.amazonaws.com:8883
Copy and paste the certificate, from -----BEGIN CERTIFICATE----- up to and including -----END CERTIFICATE-----, into the CA Certificate field.
Client Certificate
Open the file named <Thing/Name>.cert.pem (in my example mendix.cert.pem) from the downloaded connection kit in a text editor.
Copy and paste the entire text to the field Client Certificate.
Client Certificate Key
Open the file named <Thing/Name>.private.key (in my example mendix.private.key) from the downloaded connection kit in a text editor.
Copy and paste the entire text to the field Client Certificate Key.
Hit the “Save” button.
Select the Connection Name and hit the “Connect/Reconnect” button. If all is set up properly for the connection, you should see.
After connecting, you can subscribe to topics and publish to them.
Special thanks to Branislav (Brano) Zubic, who validated this blog. Having no AWS background (he created his first-ever AWS account for this validation) and having worked in Mendix for two months (he did his Boot Camp in February 2023), he needed only half a day to migrate from a non-secure broker running on test.mosquitto.org to a highly secure dedicated AWS MQTT broker.