Professional Documents
Culture Documents
MQTT Publisher
User Manual
R1.0
User Guide
Document ID: MOPCDOC-X701-en-10A
Version: 1.0
DOCUMENT VERSION
Version: A
COPYRIGHT INFORMATION
© Copyright 1997 - 2021, Matrikon® International. All rights reserved. No part of this document may be
reproduced, stored in a retrieval system, translated, or transmitted in any form or by any means, electronic,
mechanical, photocopying, recording, or otherwise, without prior written permission of Matrikon® International
CONFIDENTIAL
The information contained herein is confidential and proprietary to Matrikon® International, a business unit of
Honeywell Limited (Matrikon® International). It may not be stored, disclosed, or transferred, directly or
indirectly, to any third party without the explicit written permission of Matrikon® International.
LIMITATIONS
Although every endeavor has been made to ensure that the information contained within this document is up
to date and accurate, Matrikon® International cannot be held responsible for any inaccuracy or error in the
information contained within this document. Matrikon® International makes no warranty of any kind with
regards to the information contained within this document and Matrikon® International shall not be liable for
any direct, indirect, incidental or consequential damages which may arise in connection with the furnishing,
reliance, or use of the information contained within this document.
Specifications and statements as to performance in this document are Matrikon® International estimates,
intended for general guidance. Matrikon® International reserves the right to change the information contained
within this document and any product specification without notice.
Statements in this document are not part of a contract or program product license insofar as they are
incorporated into a contract or license by express preference. Issue of this document does not entitle the
recipient to access or use of the products described, and such access or use shall be subject to separate
contracts or licenses.
The receiving party shall not disclose, publish, report, communicate, or otherwise transfer any information in
this document to any third party, and shall protect all information contained herein from unauthorized
disclosure. The receiving party shall permit access to this document only to its employees, agents,
subcontractors, and affiliates who reasonably require access to such information contained herein, have been
made aware of the confidential nature of this document and have executed a written employment or other
confidentiality agreement party to maintain the confidential status of this document.
LICENSE AGREEMENT
This document and the software described in this document are supplied under a license agreement and may
only be used in accordance with the terms of that agreement. Matrikon® International reserves the right to
make any improvements and/or changes to product specifications at any time without notice.
TRADEMARK INFORMATION
The following are either trademarks or registered trademarks of their respective organizations:
Matrikon® International, Matrikon® Data Broker™, Matrikon® Data Broker MQTT Publisher, and Matrikon®
FLEX™ are trademarks or registered trademarks of Matrikon® International.
Table of Contents
TABLE OF CONTENTS ........................................................................................................................................................... 4
ABOUT THIS MANUAL .......................................................................................................................................................... 6
Revision history ............................................................................................................................................................................ 6
Security Considerations........................................................................................................................................................... 9
Change initial passwords ................................................................................................................................................9
Secure the certificate key store .................................................................................................................................10
Run Matrikon Data Broker MQTT Publisher with lowest privileges possible .....................................10
Secure auxiliary files........................................................................................................................................................10
Logging and diagnostics ..............................................................................................................................................10
Monitor certificate chains ............................................................................................................................................10
INSTALLATION OF MATRIKON DATA BROKER MQTT PUBLISHER .................................................................. 11
Installation on Windows OS ................................................................................................................................................ 11
Deployed Files Location in Windows ......................................................................................................................15
Configuration ............................................................................................................................................................................. 19
Configuration of Matrikon FLEX Dispatch ..........................................................................................................20
Connecting Matrikon OPC UA Explorer to Data Broker MQTT Publisher ............................................21
Topology of Matrikon Data Broker MQTT Publisher Configuration........................................................23
Configuring Matrikon Data Broker MQTT Publisher ......................................................................................24
When you use links, and navigate within the document, to go back to the
section that you were reading, in the keyboard, press alt + left arrow < or
Tip right arrow >.
Revision history
Revision Supported Date Description
Release
Intended audience
This document is intended for system administrators, engineers, and those who want to configure Matrikon
Data Broker MQTT Publisher for publishing data from Matrikon FLEX Dispatch to different platforms like,
Forge IoT, Azure IoT and MQTT brokers in general. It is expected that the users of this document are aware of
the following:
4. How to create Microsoft Azure IoT Hub and working knowledge of Azure IoT Hub.
For more information on Matrikon FLEX Dispatch and Matrikon OPC UA Explorer, kindly refer to the Matrikon
FLEX Dispatch User Manual.
* - Data is sent to Forge IoT as AMQP data as currently only AMQP messages are supported with Forge IoT.
System Requirements
The following are minimum system configuration requirements for Matrikon Data Broker MQTT Publisher.
Software Requirements
Linux Operating System Red hat Linux 8.0, Centos 8.0, Ubuntu 18.04, 20.04 for
running as Container
Hardware Requirements
RAM 4 GB
CPU 2 Cores
Security Considerations
This section describes essential security considerations for ensuring that Matrikon Data Broker MQTT
Publisher operates as securely as possible. As all considerations may not apply to your situation, you must
decide which considerations to follow and to what extent.
Run Matrikon Data Broker MQTT Publisher with lowest privileges possible
To protect the device from external access, ensure that Matrikon Data Broker MQTT Publisher runs with the
lowest user privileges possible. Running communication software with elevated privileges is not
recommended.
Installation on Windows OS
Before you proceed to install Data Broker MQTT Publisher, please note the windows component must be
installed on the system where Matrikon FLEX Dispatch R1.4 is installed. Older versions of FLEX Dispatch are
not supported.
• In the Port Number field, type a valid Port Number that the MQTT Publisher UA Server must
listen to. Valid values are 2048 to 65535. Port numbers below 2048 are generally reserved for
specific applications. The default port number is 44444.
• In the Password field, type the password for the account you specified.
The user entered in User Name field must have “Log on as a service”
privileges so that the MQTT Publisher UA Server service can run as a
NOTE
service.
You can also Launch Matrikon Data Broker MQTT Publisher User Manual
by selecting the checkbox from the same window.
NOTE
Once Matrikon Data Broker MQTT Publisher installation is successful, the Matrikon Data Broker- MQTT
Publisher service starts automatically. To confirm if Matrikon Data Broker- MQTT Publisher is registered and
running, do the following:
If you do not see the Matrikon Data Broker – MQTT Publisher service
in the services list or if you are not able to manage (start or stop) the
STOP
service, contact Matrikon Support for further assistance.
Deploy as a Container
Matrikon Data Broker MQTT Publisher can run as a Docker or podman container in the following Linux flavors:
• Centos
• RedHat Enterprise edition 8
• Ubuntu 18.04 LTS or later
You can also use the MQTT Publisher as a Linux Docker container in the Windows operating system.
This section explains how containers can be setup on a Linux operating system. Similar steps can be used to
setup the containers on systems running the Windows versions that support containerization.
For setup and management of the MQTT Publisher container use the MQTT Publisher docker container image.
Before you begin with the set-up of MQTT Publisher, ensure that the Docker or Podman are properly installed
and setup in the machine.
Deployment Steps
2. Load the image into the Docker by executing the following command:
docker run -d --network host --name <<CONTAINER NAME>> -u root -v <<Folder to store container volume
data>>:/mnt/uapublisher matrikondatabrokermqttpublisher
The following table describes the parameter options used in above example command:
Parameters Description
3. There are many options available for how Docker runs. However, it is not
advisable to use other options without understanding their impact.
• To verify whether the MQTT Publisher container is running, run the following command:
docker container Is-a
• The list of all containers will appear shown below.
• Open a Terminal.
• To locate the mapped volume location, execute the following command:
docker inspect <CONTAINER NAME> | grep volume
• Once you get the location, copy the PKI certificate from Rejected folder to Trusted folder.
• If you have followed the above example, you will find the PKI certificate in the below location:
/home/ubuntu/Desktop/MQTTPublisher
Prerequisites
Before configuring and using Data Broker MQTT Publisher, ensure you have the following components
installed and configured.
Matrikon Data Broker MQTT Publisher does not require a separate license. As a Matrikon
FLEX Dispatch expansion, it uses Matrikon FLEX Dispatch as Data Source for the data it
NOTE
publishes.
→ If you need help in using Matrikon OPC UA Tunneller product, please contact Matrikon support team at
support@matrikonopc.com
Configuration
A typical architecture using the MQTT Publisher component is shown below. This solution is made up of the
following key components:
OPC UA Servers
Note: If you do not have Matrikon FLEX Dispatch up and running yet, please STOP here and refer to Matrikon
FLEX Dispatch user manual for installation and configuration of Matrikon FLEX Dispatch.
• Discovery: You can search for an existing server by either typing its host name or IP address,
and the respective port number.
For Manual:
In the URL field, type the server URL in the following format:
opc.tcp://<hostname or IP address>:<port number>.
For example, opc.tcp://192.1.55.75:44444, OR opc.tcp://localhost:44444.
• Click Search.
The server details are fetched and displayed in the right-side panel.
• Expand the OPC UA server entry of interest to display all the supported Endpoints and
associated security policies configured in the server.
• From the Authentication section, choose a suitable authentication setting to connect to the
server. The only way to connect to the Matrikon Data Broker MQTT Publisher OPC UA Server is
by using User Details. For security reasons, the Anonymous option is not supported.
⎯ User Details: Select this to connect using the UserName and Password.
The only username supported for connecting to the MQTT Publisher component is
“operator” with initial password as “operator”. It is recommended that you change the
NOTE
initial password on first connection. See the section Changing initial password for
operator user of Data Broker MQTT Publisher Component for steps on how to achieve
this.
The MQTT Publisher OPC UA Server does not support OPC UA Reverse Connect functionality
NOTE
1. OPC UA Client Connections -> This configuration establishes connection to an instance of Matrikon FLEX
Dispatch OPC UA Server from which MQTT Publisher collects the data to publish.
2. Write Groups -> This configuration defines a group of data sets (containing tags to publish). This also
defines some of the configuration options which are applicable for all the tags configured with this Writer
Group.
3. Writer Data Set(s) -> This configuration defines a group of tags that should be collected from Matrikon
FLEX Dispatch OPC UA Server to publish.
4. MQTT Client Connection -> This configuration establishes connection to MQTT Brokers (on-prem or
cloud) to which MQTT Publisher component should publish the tag data.
The relation between these different elements is as explained in below picture for a single MQTT Client
Connection.
• A single Write group can contain multiple Dataset Writes (Data Sets).
• Each Dataset can contain one or more Tags from Matrikon FLEX Dispatch to be collected for
publishing.
The structure of each of the configuration element is based on OPC UA Pub Sub specifications as described in
Appendix ‘A’ at the end of this document.
• Configuration of Writer Datasets Tags in datasets.json file -> This file contains the tags which
need to be published to the Forge IoT platform. Each of the datasets.json files is an array of
either a single data set group or multiple data set groups. If there are a huge number of tags to
configure, it is recommended to create multiple datasets.json files.
Parameter Description
Hostname/ IP Hostname or the IP address of the system in which the Matrikon FLEX
Dispatch server is running. Note that the Matrikon MQTT Publisher will
not support connections to any third-party UA Server.
Port Port number in which the Matrikon FLEX Dispatch Server is running.
Endpoint Url Url to establish connection with the target OPC UA server.
For example, opc.tcp://<Hostname or IP>:Port number
Policy Security policy to establish connection with the target OPC UA server.
For example, Aes256_Sha256_RsaPss
Mode Security mode to establish connection with the target OPC UA server.
For example, Sign & Encrypt.
Note: When the Matrikon Data Broker MQTT Publisher service or container restarts, it tries to connect to
Matrikon FLEX Dispatch. Since this is a first-time connection, there is no trust established between these two
components, so their respective certificates need to be exchanged so trust can be established. To trust the
Matrikon Data Broker MQTT Publisher certificate in Matrikon FLEX Dispatch, follow the steps provided in the
Matrikon FLEX Dispatch User Manual.
• The Matrikon Data Broker MQTT Publisher can only connect to a single instance of
Matrikon FLEX Dispatch UA Server. If you want to publish data from additional UA Servers,
NOTE
including other Dispatch UA instances, they should be federated into the Matrikon FLEX
Dispatch (Matrikon Data Broker) instance you are connecting to MQTT Publisher.
• You cannot configure any other UA Server apart from Data Broker UA Server in this step.
Any attempts to connect to any other UA Server will be rejected.
Trust the Rejected Certificates in Matrikon Data Broker MQTT Publisher for the First Time.
If you are using an OPC UA Explorer instance whose certificate was already manually trusted by Matrikon
FLEX Dispatch, then you can use this same instance to trust additional certificates in the future. If you have
not completed this step yet, please see the Trust the Rejected Certificates in Dispatch for the First-Time
section in Matrikon FLEX Dispatch User Manual
In OPC UA Explorer, the Certificate Management screen is used to trust one or more certificates at a time.
This screen shows both trusted and rejected certificates and their trust status. Additional certificate details are
also available in the Certificate Details window.
You can view the details of both trusted and rejected certificates from within OPC UA Explorer.
writergroups.json The writer group determines how the data sets should be used to publish messages to
the required platform.
datasets.json The writer dataset describes the fields of the published message as well as the
published tags associated with each field. There can be multiple of these datasets.json
files.
It is recommended to not configure more than 2K tags in each of these data set file.
mqttclientconnectio This file holds the connection information to platforms to which the data should be
ns.json published.
Configuration for these files can be done by using below three steps,
For example, the Dataset configuration screens are used for configuration of the data files.
Matrikon Data Broker MQTT Publisher can publish data to the following three platforms. Follow the steps
below to establish connections to these platforms as MQTT Client connections:
When you open MQTT Client Connection tab for the first time, you will be presented with below screen.
Here you can see there are 3 connections added by default, one each for MQTT-Broker, Azure-IoT and Forge-
IoT. However, all of these are in disabled state. When you open each of the connection for editing by double
clicking the row, the configuration screen will present the options that can be entered for that connection type.
You can choose to edit the same connection or create a new connection all together. You need to enable the
connection you are planning to use for your deployment and configure it accordingly.
At any given time, using MQTT Publisher, you can publish data to one or more different end points
(destinations) like MQTT Broker, Azure IoT Hub or Forge IoT. One care should be taken would be to not share
the write groups between these different destinations. Also, there can be ONLY one connection to Forge IoT at
any given time.
Various actions you can perform on this screen are described in below table.
Icon/Button Action
Click this Icon to delete the connection row selected in below table
of connections.
Icon/Button Action
Click this button to register the system you are running MQTT
Publisher (container ONLY) to Forge IoT system. This button will be
enabled when you add or edit a MQTT Client connection of type
“Forge IoT”.
Before you try to create and configure a connection to the Azure IoT platform, ensure that you have the
following:
To establish a connection to Azure IoT Hub, you must first connect to Matrikon Data Broker MQTT Publisher’s
OPC UA Server using Matrikon OPC UA Explorer. Once you do this, establish a connection to the IoT Hub
device as follows:
Pre-requisite:
To add a connection to this IoT Hub device in Matrikon Data Broker MQTT Publisher:
Primary Key Enter the primary/secondary key of your device in Azure IoT Hub.
Publishing Types select the publishing types. The following publishing types are only
supported:
• OPC UA Pub-Sub.
Before you establish a connection to register a MQTT Broker, ensure that you have the following:
To establish a connection to an MQTT Broker, you must first connect to Matrikon Data Broker MQTT
Publisher’s OPC UA Server using Matrikon OPC UA Explorer. Once you establish the connection, you can then
configure the connection to MQTT Broker, using the steps below:
Broker Type the IP Address/Host Name of the system where MQTT Broker
is running.
Publisher Topic <<Free field to enter Topic of your choice>> (Without any Spaces)
Ex: MatrikonPublisherTopic
Publishing Types select the publishing types. The following publishing types are
supported:
• OPC UA Pub-Sub.
If you do not have a user ID and Password to register your device to Forge IoT platform, DO NOT proceed. Stop and
contact your Matrikon or Honeywell Account Manager.
Please refer to the Forge Connect for Industrial User Manual for more detailed information.
To create and configure the Forge IoT Platform, you must connect to Data Broker MQTT Publisher’s OPC UA
Server using Matrikon OPC UA Explorer. Once you establish the connection, you can create and configure the
device as follows:
Changing the initial password for the operator user for the Data Broker MQTT Publisher
You can change the initial password for the operator user of the Matrikon Data Broker MQTT Publisher
container.
It is not recommended to change the path /mnt/Uapublisher/ in any of the config options. If
you change the path, the changes in the configuration file will not be persistent.
NOTE
Please refer to Deployed Files Location in Windows and Deployed Files Location in Container
for right location of these variables for different deployments.
The following table lists parameters are applied ONLY after the MQTT Publisher service or container is
restarted.
The following table lists parameters you should NOT change at any time.
Changes made to the parameters listed in the table below are applied immediately.
Any parameters not described in above tables are not used and should be left untouched.
You can modify the Options.config file using the three steps below:
When a writer group is configured to publish the data on scan basis, then for every publishing interval,
irrespective of data has changed or not, data will be published to MQTT end points. This mode is used, when
you want to publish the data always irrespective of whether the data is changed at source or not. This mode is
generally a data intensive operation as the data is always published irrespective of data changes, which will
increase the data traffic on wire (either on prem or to cloud). Also, the applications consuming the data being
published should be aware of the potential duplicate data and should be able to process the data accordingly.
To use this option set "PublishingType" option in writergroup file as “Scan” as shown below.
"PublishingType": "Scan"
When a write group is configured to publish the data on subscription basis, then data will be published to MQTT
end options, ONLY when the data has changed. This mode is generally less data intensive as only changed data is
published. However, this mode may also give an assumption of not receiving data by end applications if they do
not receive data for a period. When using this mode, the end data consuming applications should be aware of this
and be able to process the data accordingly.
Some of the applications consuming the data from MQTT Publisher, want the data to be sent only when it is
changed, but also want some or all of the data to be sent irrespective of data changes every ‘X’ period of time.
In these cases, it is recommended to configure 2 write Groups, one with scan-based publishing and another
with subscription-based publishing. You can control the publishing interval at these Write Group level.
To use this option set "PublishingType" option in writergroup file as “Subscription” as shown below.
"PublishingType": "Subscription"
Publishing interval determines, how often the data should be published to MQTT destinations. This is
configured in milliseconds in each of the Writer Group using the option "PublishingInterval".
Sampling interval determines, how often the data should be read/sampled from end OPC UA Server. This is
configured for every tag in each of the dataset files in milliseconds using the option “SamplingIntervalHint”.
In case you want the Sampling interval to same as Publishing interval, then set the SamplingIntervalHint value
to -1. If you are setting a different value to Sampling interval, make sure that the value is such that a multiple
of that value should result to Publishing Interval used for that Writer Group. Unless, there is a valid reason to
set this to a different value than Publishing Interval, it is recommended always to be -1 so that Sampling and
Publishing intervals are always in sync.
The amount of data that can be buffered is defined by the “maxstoreforwardmemoryfootprintinmb” setting
in the Options.config file. This value defines the amount of memory to reserve in-process for unpublished
data buffering in megabytes (MB). The maximum amount of memory that can be reserved is capped at
500MB. If a higher value is provided, MQTT Publisher will limit the buffering memory to 500MB.
As a reference, with 10K string data type tags, it takes 40KB of space in memory for one publishing message.
With this reference, you can calculate how much data can be stored in memory based on your data types used
and publishing intervals.
Please note there is no store and forward capability between Matrikon FLEX Dispatch and
MQTT Broker. If the network connectivity between MQTT Publisher and FLEX Dispatch is lost,
NOTE there would be a data loss for that period.
Configuration Changes
1. For an active MQTT Publisher connection to either MQTT Broker or Azure IoT Hub: changes to the active
connection like adding or removing Writer Groups or Writer Data Sets will not be applied immediately to
the active connection.
• You need to stop the connection by Disabling it first and then Start it back up by Enabling the
connection.
2. If new tags are added to a Data Set in an active connection, the changes will not be applied immediately.
• You need to Restart the MQTT Publisher Service or Container for those new tags additions to
take effect.
• An alternative option is to Add the Tags in a new Data set and Writer group, add that Writer
group to connection and then follow the steps mentioned in #1 above for changes to be
applied.
3. it is best to group tags with the same Publishing internal into a single Writer Group. These tags could be
separated out into multiple Data Sets but kept in same Writer Group.
If you have multiple writer groups with same publishing interval, there is a possibility of incorrect
behavior of MQTT Publisher based on the number of tags you have in Writer Group.
Other Considerations
1. You need to be cognizant of the limitations of end OPC UA Server you are connecting to. For example, if
the end OPA UA Server cannot handle more than 1000 monitored items in a single request, you need to
set the value of “MaxMonitoredItemsPerCall” in options.config file to a number less than 1000.
2. Use caution when setting the limit setting for the Log Level to anything other than Error only for limited
periods of time, especially in a container deployment. If the docker default log management is not
configured correctly, it can fill up the Hard Disk very quickly and cause problems with the running of MQTT
Publisher Container.
3. MQTT Publisher supports all the basic OPC UA data types except the Location data type.
Appendix
Address NetworkAddre The Address parameter contains the network address used for
ssDataType the communication relation.
TransportSettin ConnectionTr
gs ansportDataT Transport mapping specific.
ype
SubscriberTopi String
The topic used to subscribe for MQTT messages.
c
UseTls Boolean True when the MQTT connection uses the TLS protocol.
1: username
2: certificate
CredentialNam String When username credentials are used, this field contains the
e username. When certificate or Azure shared access key is used,
this field is formed of the broker hostname and the device id:
[broker-hostname]/[device-id]. For example:
iot-hub.azure-devices.net/device-id
CredentialSecre String When username credentials are used, this field contains the
t password. When Azure shared access key used, this field
contains the shared access key: [shared-key]. For example,
1hijdnC8ryKWsmWw+J/uzNoOiM/kt/xw48mKLsb+st8=
WriterGroupNa String[] List of writer group names associated with the MQTT client
mes connection.
Writer Group
Field Type Description
WriterGroup WriterGroupDataType
LocaleIds String[]
TransportSettings WriterGroupTransportDataType
MessageSettings WriterGroupMessageDataType
DataSetWriters DataSetWriterDataType[]
TransportSettings DataSetWriterTransportDataTyp
e
Writer Datasets
Field Type Description
DataSetMetaData
OneOrMoreDimensions
(0): The data type is an
array with one or more
dimensions.
ScalarOrOneDimension
(−3): The data type can be a
scalar or a one dimensional
array.
If the Property is
EngineeringUnits, the unit
of the Field Value shall
match the unit of the
FieldMetaData.
DataSetSource PublishedDataSetSourceDataType
PublishedData PublishedVariableDataType[]
DataSetWriters may
depend on a valid Value
with the right DataType
that matches the
ConfigurationVersion.
If the SubstituteValue is
Null, the StatusCode of the
DataValue is processed.
All* +1-780-231-9480
For after-hours support in all regions, please use the following number. There is no extra charge from
Matrikon OPC for calling their after-hours support number.
Matrikon®