Connecting ClearBlade MQTT broker using Abstract MQTT driver with GCP Authenticator

The following section describes how to connect to the ClearBlade MQTT broker using the Abstract MQTT driver with the GCP Authenticator. ClearBlade is an IoT, Edge, and AI service on Google Cloud that enables companies to ingest, analyze, adapt, and act on any data in real time and at extreme scale.

Security requirements

  • ClearBlade IoT Core requires TLS version 1.2 or higher.

  • Per-device public/private key authentication using JSON Web Tokens (JWTs). This limits the attack surface: a compromised private key affects only that one device, not the whole fleet. JWTs are valid for a limited duration, so a captured token stops working once it expires. Note that the token lifetime does not retire the key itself: a compromised private key remains usable for minting new tokens until its public key is expired or removed in the device registry, so it still has to be rotated.

  • Key rotation is supported per device: several public keys can be registered for one device at the same time, and each credential can be given its own expiration time, so a new key can be brought into service before the old one is retired. The Niagara driver, however, does not implement key rotation.

Best practices

  • Keep the private key secret.

  • Use TLS 1.2 or higher when communicating with mqtt.googleapis.com or mqtt.2030.ltsapis.goog on port 8883 or 443.

    To keep TLS connections trustworthy:

    • Verify that the server certificate is valid against a Google root CA certificate; never configure the client to accept any certificate. For more information, see "Downloading MQTT server certificates" at https://docs.clearblade.com.
    • Perform regular security-related firmware updates so that the root CA certificates the device trusts stay current; root certificates are replaced over time and do expire.
    • Give each device its own public/private key pair. For more information, see "Creating key pairs" at https://docs.clearblade.com. If multiple devices share a single key and one is compromised, an attacker could impersonate every device configured with that key.
    • Protect the integrity of the public key when registering it with ClearBlade IoT Core. If an attacker can tamper with the public key in transit and trick the provisioner into registering the wrong one, the attacker can authenticate on the device's behalf with the matching private key.
    • Do not reuse the key pair that authenticates the device to ClearBlade IoT Core for other purposes or protocols.
    • Rotate key pairs periodically, as far as the device's ability to store keys securely allows. When practical, discard all keys when you reset the device.
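The following is an added illustration, not code from ClearBlade, Google, or the Niagara driver, of the properties listed under Security requirements and Best practices: one RSA key pair per device, short-lived RS256 JWTs, a broker-side registry that accepts several public keys per device with a per-credential expiry (the rotation scheme the Niagara driver does not implement), and a TLS client context that insists on TLS 1.2 or higher with server certificate and hostname verification. Assumptions: the JWT claim set (iat, exp, and aud set to the project ID) follows the Google Cloud IoT Core format, which the page does not spell out; the project ID, device names and timestamps are constructed; the registry is a mock of the broker's behaviour, not the ClearBlade API. It needs the Python cryptography package.

```python
"""Per-device RS256 JWTs, key rotation with expiring credentials, and a strict TLS context.

Added example (not ClearBlade, Google or Niagara code). The registry below is a
mock of broker-side behaviour; the claim layout is an assumption (Cloud IoT Core style).
"""
import base64
import json
import ssl

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

PROJECT_ID = "example-project"  # constructed; the JWT audience is the project ID


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_device_key():
    """One fresh RSA key pair per device; a key is never shared across devices."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def public_pem(private_key) -> str:
    """The only half of the pair that leaves the device: it is registered with the broker."""
    return private_key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo
    ).decode()


def mint_jwt(private_key, project_id: str, now: int, lifetime_s: int = 3600) -> str:
    """Short-lived RS256 JWT; claims iat/exp/aud follow the Cloud IoT Core layout (assumption)."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iat": now, "exp": now + lifetime_s, "aud": project_id}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = private_key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(signature)


def forge_unsigned_token(project_id: str, now: int) -> str:
    """What someone without the private key can build: alg=none and an empty signature."""
    header = {"alg": "none", "typ": "JWT"}
    claims = {"iat": now, "exp": now + 3600, "aud": project_id}
    return b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode()) + "."


class DeviceRegistry:
    """Mock of the broker side: several public keys per device, each with an optional expiry."""

    def __init__(self):
        self.keys = {}  # device_id -> list of [pem, expires_at or None]

    def add_key(self, device_id: str, pem: str, expires_at=None):
        self.keys.setdefault(device_id, []).append([pem, expires_at])

    def set_key_expiry(self, device_id: str, pem: str, expires_at: int):
        """Rotation: give the old key an expiry so devices can switch before it stops working."""
        for entry in self.keys.get(device_id, []):
            if entry[0] == pem:
                entry[1] = expires_at

    def authenticate(self, device_id: str, token: str, project_id: str, now: int) -> bool:
        """True only for an RS256 token that is unexpired, for this project, and signed by a live key."""
        try:
            h, p, s = token.split(".")
            header = json.loads(b64url_decode(h))
            claims = json.loads(b64url_decode(p))
            signature = b64url_decode(s)
        except ValueError:
            return False
        if header.get("alg") != "RS256":  # rejects alg=none and algorithm confusion outright
            return False
        if claims.get("aud") != project_id:
            return False
        if not (claims.get("iat", now + 1) <= now < claims.get("exp", 0)):
            return False
        for pem, expires_at in self.keys.get(device_id, []):
            if expires_at is not None and now >= expires_at:
                continue  # retired credential: ignored even when the signature would verify
            public_key = serialization.load_pem_public_key(pem.encode())
            try:
                public_key.verify(signature, f"{h}.{p}".encode(), padding.PKCS1v15(), hashes.SHA256())
                return True
            except InvalidSignature:
                continue
        return False


def make_tls_context(ca_bundle_path=None) -> ssl.SSLContext:
    """Client context for port 8883/443: TLS 1.2+ only, server certificate and hostname checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # already CERT_REQUIRED with check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle_path:
        ctx.load_verify_locations(ca_bundle_path)  # e.g. the downloaded Google root CA bundle
    return ctx


if __name__ == "__main__":
    now, reg, key_a, key_b = 1_700_000_000, DeviceRegistry(), generate_device_key(), generate_device_key()
    reg.add_key("device-a", public_pem(key_a))
    reg.add_key("device-b", public_pem(key_b))
    tok = mint_jwt(key_a, PROJECT_ID, now)
    print("device-a token for device-a:", reg.authenticate("device-a", tok, PROJECT_ID, now))
    print("device-a token for device-b:", reg.authenticate("device-b", tok, PROJECT_ID, now))
    print("same token an hour later:  ", reg.authenticate("device-a", tok, PROJECT_ID, now + 3600))
```

The registry checks the algorithm and the time window before touching any key, then tries only credentials that have not passed their expiry; a stolen token therefore dies with its exp claim, a stolen key dies when its registry entry is expired, and a key from one device never authenticates another. On the device side, `make_tls_context` is what the MQTT client should be handed: leaving `check_hostname` or `verify_mode` at permissive values is exactly the misconfiguration the best practices above warn against.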