This blog post provides advance notification to Watson IoT Platform customers of security-related changes to the Watson IoT Platform.
These changes affect some endpoints that communicate with the Watson IoT Platform using MQTT over TLS, referred to as the IoT messaging service. The certificate associated with this service is called the Messaging Certificate. The domain used on the Messaging Certificate is *messaging.internetofthings.ibmcloud.com. The Messaging Certificate is signed by a reputable Certificate Authority, so you can trust that you are connecting to the genuine Watson IoT Platform. This information is also captured in our official security documentation.
The current Messaging Certificate is expiring – this is the reason for this announcement and the planned replacement of that certificate.
This change is standard practice and should cause minimal disruption to your interactions with the Watson IoT Platform.
We have identified a few instances where you may have to take action because of these changes. Specifically, if you are using certain client runtimes, they may need to be updated with the latest credentials (messaging.pem file).
- These changes only affect devices that connect with TLS.
- If your devices are using the current DigiCert public certificates to verify our certificate (which is the best practice), then everything will continue to work.
- If you have hardcoded the current Messaging public key into your client code and you are using it to check the connection to our server, then you will have issues after these changes. We recommend following best practice (the second point above).
The above information and supporting guidance has already been posted in a Bluemix notification found here.
If you are an existing customer and you have issues, please raise a support ticket through the normal process. Otherwise, if you have any concerns or additional feedback, please use the forums.
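
The difference between the second and third points in the list above can be reproduced offline. This is an added example, not IBM's code: it builds a throwaway test CA with the `openssl` command-line tool, issues an "old" and a "new" server certificate with different key pairs, and shows that CA-based validation accepts both while a hardcoded public-key pin accepts only the old one. The host name, file names and function names are assumptions made for the illustration.

```bash
#!/bin/sh
# Added example: constructed test CA and server certificates, not IBM's or DigiCert's.
set -e
WORK=$(mktemp -d)
HOST="broker.example.test"   # placeholder host name (assumption)

# Minimal config so the test root is marked as a CA on any OpenSSL build.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$WORK/ssl.cnf"

# SHA-256 of a certificate's public key: the value a client hardcodes when it pins.
spki_pin() {
  openssl x509 -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 | awk '{print $NF}'
}

# Issue a server certificate with a fresh key pair, signed by the test CA.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ssl.cnf" \
    -subj "/CN=$HOST" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.pem" 2>/dev/null
}

# Client style 1: validate the chain against the trusted CA certificate.
check_ca() {
  if openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Client style 2: compare the server key with a hardcoded pin ($2).
check_pin() {
  if [ "$(spki_pin "$1")" = "$2" ]; then echo ok; else echo fail; fi
}

openssl req -x509 -newkey rsa:2048 -nodes -config "$WORK/ssl.cnf" \
  -subj "/CN=Example Test Root CA" -days 30 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
issue_cert old                       # certificate in service today
issue_cert new                       # replacement certificate, new key pair
PINNED=$(spki_pin "$WORK/old.pem")   # what a pinning client would have shipped with

echo "CA validation, old cert: $(check_ca "$WORK/old.pem")"
echo "CA validation, new cert: $(check_ca "$WORK/new.pem")"
echo "Pinned key,    old cert: $(check_pin "$WORK/old.pem" "$PINNED")"
echo "Pinned key,    new cert: $(check_pin "$WORK/new.pem" "$PINNED")"
```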