MQ Telemetry security
Securing telemetry devices can be important, because the devices are likely to be portable and used in places that cannot be carefully controlled. We can use a VPN to secure the connection from the MQTT device to the telemetry (MQXR) service. MQ Telemetry provides two other security mechanisms, TLS and JAAS.
TLS is principally used to encrypt communications between the device and the telemetry channel, and to authenticate that the device is connecting to the correct server; see Telemetry channel authentication using TLS. We can also use TLS to check that the client device is permitted to connect to the server; see MQTT client authentication using TLS.
JAAS is principally used to check that the user of the device is permitted to use a server application; see MQTT client authentication using a password. JAAS can be used with LDAP to check a password against a single sign-on directory.
TLS and JAAS can be used in conjunction to provide two-factor authentication. We can restrict the ciphers used by TLS to ciphers that meet FIPS standards.
With tens of thousands of users or more, it is not always practical to provide individual security profiles, nor to use those profiles to authorize individual users to access IBM MQ objects. Instead, group users into classes for authorizing publication and subscription to topics, and for sending publications to clients.
Configure each telemetry channel to map clients to a common client user ID. Use one common user ID for every client that connects on a specific channel; see MQTT client identity and authorization.
Authorizing groups of users does not compromise authentication of each individual. Each individual user can be authenticated, at the client or server, with their user name and password, and then authorized at the server using the common user ID.
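As an added illustration, not taken from this page or from IBM's own documentation, the MQSC definitions below contrast an unsecured telemetry channel with one that applies the mechanisms described above: TLS for encryption and server authentication, a required client certificate, a JAAS login configuration to check each user's password, and a common user ID under which every authenticated client on the channel is authorized. The queue manager name QM1, the channel names, the key store path, the user ID mqttuser and the JAAS configuration name MQXRConfig are all assumptions; the cipher suite is an example JSSE name that should be checked against the suites the telemetry service's JRE supports, and applying the FIPS restriction through the queue manager's SSLFIPS attribute is likewise assumed here rather than stated by the page.

```mqsc
* Weak: plain TCP, no TLS, no JAAS; each client is authorized under its own MQTT
* client ID, so every device needs its own authority records.
* (Queue manager QM1 and channel names are assumed for this example.)
DEFINE CHANNEL(PLAIN.MQTT) CHLTYPE(MQTT) TRPTYPE(TCP) PORT(1883) USECLTID(YES)

* Hardened: TLS encrypts the session and authenticates the server; SSLCAUTH(REQUIRED)
* also demands a client certificate. JAASCFG names the JAAS login configuration that
* checks the MQTT user name and password. MCAUSER maps every client that passes both
* checks to the common user ID 'mqttuser', and USECLTID(NO) stops the client ID from
* overriding that mapping.
DEFINE CHANNEL(SECURE.MQTT) CHLTYPE(MQTT) TRPTYPE(TCP) PORT(8883) +
   SSLKEYR('/var/mqm/qmgrs/QM1/ssl/mqttserver.jks') +
   SSLKEYP('KEYSTORE-PASSPHRASE-PLACEHOLDER') +
   SSLCIPH('TLS_RSA_WITH_AES_128_CBC_SHA256') +
   SSLCAUTH(REQUIRED) +
   JAASCFG('MQXRConfig') +
   MCAUSER('mqttuser') +
   USECLTID(NO)

* Assumed here: restricting TLS to FIPS-certified cipher suites at queue manager level.
ALTER QMGR SSLFIPS(YES)

* Leave the unsecured channel stopped; start only the hardened one.
STOP CHANNEL(PLAIN.MQTT)
START CHANNEL(SECURE.MQTT)
```

With this in place, authority is granted once to the common user ID rather than to each device, for example with `setmqaut -m QM1 -t qmgr -p mqttuser +connect` for connecting, `setmqaut -m QM1 -t topic -n SYSTEM.BASE.TOPIC -p mqttuser +pub +sub` for publishing and subscribing, and `setmqaut -m QM1 -t queue -n SYSTEM.MQTT.TRANSMIT.QUEUE -p mqttuser +put` so that publications can be sent back to the clients. Individual users are still authenticated one by one, by their certificate and by the JAAS password check, before the mapping to `mqttuser` takes effect.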