Context
Change Type: Announcement
Product area: Platform services
Component: MQTT
Technical details
Build artifact: mqtt-service
Description
Caution
This change only affects the new Cumulocity MQTT Service capability.
The existing Cumulocity Core MQTT capability is not affected.
The Cumulocity MQTT Service is expected to transition to Generally Available (GA) status by the end of March 2026.
When the service reaches GA status, features that have been deprecated during the Public Preview period will be removed.
These changes were all previously announced; this notice is a reminder to help ensure that devices and applications are ready for the transition to GA status.
Important
It is essential that all devices and applications using the MQTT Service have been updated to use only GA features before the GA date.
Which features will be removed?
The following features will not be available after the GA date:
- Tenant-level isolation
Isolation between MQTT devices will be strictly enforced and direct communication between devices by publishing and subscribing to the same topic will not be possible.
All communication between MQTT devices must be mediated by a microservice or external application client.
Themqtt-service.tenant.isolationfeature toggle will have no effect on the behaviour of the MQTT Service.
See the device isolation announcement for more details.
- Java client SDK
The MQTT Service Java Client SDK will not be able to connect to the MQTT Service once it reaches GA status.
Microservices and external application clients must use the Pulsar client protocol to interact with MQTT Service topics.
See the deprecation notice for more details.
- Non-TLS endpoint
Unencrypted device connections to the MQTT Service on TCP port 2883 will not be enabled on any Cumulocity shared public environments.
Devices must connect to these environments using TLS on TCP port 9883.
Both one-way (server certificates only) and two-way (client and server certificates) TLS are supported.
The unencrypted port may be enabled on dedicated environments if required by legacy devices that do not support TLS.
This restriction is documented, although some public environments do currently have the non-TLS port enabled to ease device onboarding during the Public Preview.
In addition, as previously announced, the MQTT Service is already enforcing Common Name validation on device certificates.
Devices connecting using an X.509 client certificate where the Common Name does not match the MQTT client identifier will be rejected.
What user action is required?
Developers and integrators of MQTT devices, microservices and external application clients must ensure that their devices and clients are using only GA features of the MQTT Service:
- Replace all uses of the Java Client SDK with the Pulsar client protocol.
- Replace all uses of the MQTT protocol in microservices or external application clients with the Pulsar client protocol.
The MQTT protocol should only be used by devices. - Migrate all MQTT device connections to use the secure TLS endpoint on TCP port 9883.
- Ensure that the MQTT client identifier matches the certificate Common Name for any devices authenticating using X.509 client certificates.
If you have any questions or concerns, please contact Cumulocity Support as soon as possible.