
Get Secure Communication Between Telegraf and InfluxDB by adding OckamD

Telegraf, Ockam and InfluxDB

Ockam is a suite of programming libraries and infrastructure that make it easy to build devices that communicate securely and privately with cloud services and other devices. Below we show how OckamD integrates with Telegraf to deliver end-to-end encrypted data, from devices that are running Telegraf, at the edge, to InfluxDB in the cloud.

Cryptographic protocols can be a powerful tool to solve many complex, real world challenges in deploying dependable IoT at scale. Such protocols, however, must be designed and implemented with extreme care.

In Ockam, we're taking proven cryptographic building blocks and applying them to build solutions for common IoT and edge computing problems like:

  • Secure, easy and rapid enrollment of large fleets of devices.
  • Scalable provisioning, proof of possession, rotation, and revocation of identity keys and credentials.
  • End-to-end encrypted communication over low-bandwidth, intermittently connected, multi-protocol IoT and edge network topologies.

If you're running InfluxDB to store and process time-series IoT data, the demo below shows:

  1. How Ockam InfluxDB Add-On can run as a sidecar next to your InfluxDB.
  2. How OckamD can run as an execd output plugin for Telegraf inside your connected devices.
  3. How these two components enable end-to-end encrypted secure connections between your devices and your Influx TICK stack.

Step 1: Clone the Ockam repo to get the demo scripts:

git clone https://github.com/ockam-network/ockam.git
cd ockam && git checkout tags/v0.10.0 -b main

Make sure you're running the following commands from within the ockam directory. All commands below require that Docker be installed on your machine. Using Ockam does not require Docker, but it makes this demo easy to run and share!


Step 2: Run InfluxDB and OckamD

./tools/docker/demo/influxdb.sh influxdb-ockamd

This launches InfluxDB and ockamd in a container, waiting for input from the "initiator" end, which you'll launch next. Think of the initiator as your application, which creates the time-series data you will store in InfluxDB. Note the "Responder public key" line written to your terminal. Copy this string and pass it in place of $COPIED_RESPONDER_PUBLIC_KEY as the next command's argument. This is a basic way to verify that the initiator and responder are who they claim to be.

ockamd will receive messages over the network from the next container, decrypt them, and insert them into InfluxDB.


Step 3: Run Telegraf and OckamD

./tools/docker/demo/influxdb.sh telegraf-ockamd $COPIED_RESPONDER_PUBLIC_KEY

This launches Telegraf (a helpful data collection agent by InfluxData) and ockamd in a container ready to capture time-series data. The "initiator" creates a secure channel with the "responder" and all messages sent between them are fully encrypted, end-to-end. Note that you aren't signing or managing certificates, or having to set up TLS anywhere in this architecture!

Learn more about Telegraf by InfluxData here.

Within the telegraf.conf configuration file used by Telegraf, you can see how it starts ockamd and provides some detail about how to set up connections, validate identity, and more:

[agent]
  interval = "3s"
  round_interval = true
  metric_batch_size = 1000
  metric_buffer_limit = 10000
  collection_jitter = "0s"
  flush_interval = "3s"
  flush_jitter = "0s"
  precision = ""

[[outputs.execd]]
  command = ["ockamd",
    "--role", "initiator",
    "--route", "${OCKAMD_ROUTE}",
    "--local-socket", "${OCKAMD_LOCAL_SOCKET}",
    "--service-public-key", "${OCKAMD_RESPONDER_PUBLIC_KEY}",
    "--service-address", "01242020"
  ]
  restart_delay = "5s"
  data_format = "influx"

[[inputs.http_listener_v2]]
  service_address = "0.0.0.0:8080"
  path = "/telegraf"
  methods = ["POST"]
  read_timeout = "3s"
  write_timeout = "3s"
  max_body_size = "16KB"
  data_format = "influx"

Specific details about ockamd are out of scope for this guide, but check out the README on GitHub to learn more about how to use it.
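The [[inputs.http_listener_v2]] section above accepts POST requests on /telegraf carrying Influx line protocol, up to max_body_size. The following is an added example, not code from the Ockam repo or its demo scripts, of a client that builds such a request with delimiter escaping and a size check; the localhost URL and the function names are assumptions.

```python
import urllib.request

# Assumption: the container's port 8080 is reachable on localhost.
LISTENER_URL = "http://localhost:8080/telegraf"   # path = "/telegraf"
# max_body_size = "16KB"; 16,000 bytes fits whether KB is read as 1000 or 1024.
MAX_BODY = 16_000


def _esc(text, chars):
    """Backslash-escape each character in `chars` (line-protocol delimiters)."""
    for ch in chars:
        text = text.replace(ch, "\\" + ch)
    return text


def _field(value):
    if isinstance(value, bool):          # bool first: bool is a subclass of int
        return "true" if value else "false"
    if isinstance(value, int):
        return f"{value}i"
    if isinstance(value, float):
        return repr(value)
    return '"' + _esc(str(value), '\\"') + '"'


def to_line(measurement, tags, fields, ts_ns=None):
    """Render one point; delimiters inside names and values are escaped."""
    if not fields:
        raise ValueError("line protocol needs at least one field")
    for part in (measurement, *tags, *tags.values(), *fields, *map(str, fields.values())):
        if "\n" in part or "\r" in part:
            raise ValueError("newline would split the record into several points")
    head = ",".join([_esc(measurement, ", ")]
                    + [f"{_esc(k, ',= ')}={_esc(v, ',= ')}" for k, v in sorted(tags.items())])
    body = ",".join(f"{_esc(k, ',= ')}={_field(v)}" for k, v in fields.items())
    line = f"{head} {body}"
    return line if ts_ns is None else f"{line} {ts_ns}"


def build_request(lines, url=LISTENER_URL):
    """Build (not send) the POST; refuse bodies over the configured size."""
    body = "\n".join(lines).encode("utf-8")
    if len(body) > MAX_BODY:
        raise ValueError(f"body is {len(body)} bytes, over the listener's limit")
    return urllib.request.Request(url, data=body, method="POST")


def send(request):
    """Deliver to a running listener; read_timeout/write_timeout are "3s"."""
    with urllib.request.urlopen(request, timeout=3) as response:
        return response.status
```
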


Step 4: Send Telegraf input via HTTP

./tools/docker/demo/influxdb.sh telegraf-write

Telegraf is configured to launch ockamd as an execd output plugin, which conveniently extends Telegraf to capture and process time-series data for InfluxDB. ockamd creates the secure channel, manages the transports, and encrypts the input from Telegraf and/or your application before it securely sends it to another ockamd (sitting next to InfluxDB) where it is inserted into the database after being decrypted by ockamd.

Read more about how Ockam simplifies encryption using our Vault interface abstraction.

Note: use a packet capture tool such as Wireshark to inspect the network traffic and see that it's fully encrypted as ockamd sends and receives your time-series data over the wire.
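The check described in the note above can be scripted once payload bytes have been exported from a capture. The following is an added example, not part of the Ockam demo: it flags any payload containing recognizable line-protocol text and reports high byte entropy otherwise. The regular expression is a heuristic, and the samples are constructed for illustration.

```python
import hashlib
import math
import re
from collections import Counter

# Heuristic for a line-protocol record: measurement[,tag=value...] field=value
LINE_PROTOCOL = re.compile(
    rb'[A-Za-z_][\w.-]{2,}(?:,[\w.-]+=[\w.-]+)*'              # measurement, tags
    rb' [\w.-]+=(?:-?\d+(?:\.\d+)?i?|true|false|"[^"\n]*")'   # first field
)


def shannon_entropy(data):
    """Bits per byte; 8.0 is the maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_payload(payload, min_len=512, threshold=7.0):
    """Label one captured payload."""
    if LINE_PROTOCOL.search(payload):
        return "plaintext-line-protocol"      # metrics readable on the wire
    # High entropy is consistent with encryption (or compression), not proof
    # of it; short payloads cannot reach the threshold, so they stay inconclusive.
    if len(payload) >= min_len and shannon_entropy(payload) >= threshold:
        return "high-entropy"
    return "inconclusive"


def audit_capture(payloads):
    """Return the indexes of payloads that expose line-protocol text."""
    return [i for i, p in enumerate(payloads)
            if classify_payload(p) == "plaintext-line-protocol"]


# Constructed sample: what an unencrypted Telegraf write would look like.
PLAINTEXT_SAMPLE = b"temperature,device=sensor-1 value=21.5 1600000000000000000\n"


def constructed_ciphertext(n=2048):
    """Constructed stand-in for ciphertext: SHA-256 output in counter mode."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]
```
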


Step 5: Query data written to InfluxDB

./tools/docker/demo/influxdb.sh influxdb-query

Now that there's data in InfluxDB, run a query using this command and see it show up via the influx client. Feel free to write more data to Telegraf by repeating Step 4 above and re-running the influxdb-query command to see it populated.


Step 6: Stop & clean-up the Docker containers

./tools/docker/demo/influxdb.sh kill-all

Thanks for checking out Ockam's InfluxDB Add-on! For more information, or to try using any of Ockam's fully open-source components (including Rust, Elixir, and C libraries), head to the GitHub repo. Follow along by starring the repo, and send us a PR!

Learn more about InfluxDB and how to use ockamd with the robust time-series database on the InfluxData website, and our detailed partner page.


Next, try a more advanced demo which leverages Ockam Hub, a cloud-hosted service that makes it easy to route end-to-end encrypted messages within complex real world IoT topologies.
