AWS IoT Connection
Overview
This section provides a guide on connecting an ESF device to the Amazon AWS IoT platform.
Prerequisites
- In order to connect a device to Amazon AWS IoT Kura version 1.3 or greater is required.
- An Amazon AWS account is also needed.
Device registration
The first step involves the registration of the new device on AWS, this operation can be done using the AWS Web Console or with the AWS CLI command line tool, in this guide the Web based console will be used.
- Access the AWS IoT management console.
This can be done by logging in the AWS console and selecting IoT Core from the services list, in the Internet of Things section.
- Create a default policy for the device.
This step involves creating a default policy for the new device, skip if an existing policy is already available.
Access the main screen of the console and select Secure -> Policies from the left side menu and then press the Create button, in the top right area of the screen.
Fill the form as follows and then press the Create button:
- Action ->
iot:Connect, iot:Publish, iot:Subscribe, iot:Receive, iot:UpdateThingShadow, iot:GetThingShadow, iot:DeleteThingShadow
- Resource ARN ->
*
- Effect ->
Allow
This will create a policy that allows a device to connect to the platform, publish/subscribe on any topic and manage its thing shadow.
- Register a new device.
Devices on the AWS IoT platform are called things, in order to register a new thing select Manage -> Things from the left side menu and then press the Create button, in the top right section of the screen. Select Create a single thing.
Enter a name for the new device and then press the Next button, from now on kura-gateway
will be used as the device name.
- Create a new certificate for the device.
The AWS IoT platform uses SSL mutual authentication, for this reason it is necessary to download a public/private key pair for the device and a server certificate. Click on Create certificate to quickly generate a new certificate for the new device.
Certificates can be managed later on by clicking on Secure -> Certificates, in the left part of the console.
- Download the device SSL keys.
You should see a screen like the following:
Download the 3 files listed in the table and store them in a safe place, they will be needed later, also copy the link to the root CA for AWS IoT in order to be able to retrieve it later from the device.
Press the Activate button, and then on Attach a policy.
- Assign the default policy to the device.
Select the desired policy and then click on Register thing.
A policy can also be attached to a certificate later on perforiming the following steps:
Enter the device configuration section, by clicking on Manage -> Things and then clicking on the newly created device. Click on Security on the left panel and then click on the certificate entry (it is identified by an hex code), select Policies in the left menu, you should see this screen:
Click on Actions in the top left section of the page and then click on Attach policy, select the default policy previously created and then press the Attach button.
Device configuration
The following steps should be performed on the device.
- Configure the SSL parameters.
7.1. Access the ESF Web UI Console, select the Settings entry in the left side menu and then click on SSL Configuration. Set Default protocol to TLSv1.2
7.2. Download to your local system the AWS CA available here and open it with your preferred text editor.
Select the Settings entry in the left side menu and then click on Server SSL Certificate.
Add a proper name for the certificate in the Storage Alias field and paste the Certificate in the proper area. Then click on the Apply button.
7.3. Open the ESF Web Console and enter select the Settings entry in the left side menu and then click on Device SSL Certificate, you should see this screen:
Enter aws-ssl
in the Storage Alias field.
7.4. The private key needs to be converted to the PKCS8 format, this step can be performed executing the following command on a Linux or OSX based machine:
openssl pkcs8 -topk8 -inform PEM -outform PEM -in xxxxxxxxxx-private.pem.key -out outKey.pem -nocrypt
where xxxxxxxxxx-private.pem.key
is the file containing the private key downloaded at step 4.
7.5. Paste the contents of the obtained outKey.pem
in the "Private Key" field.
7.6. Paste the contents of xxxxxxxxxx-certificate.pem.crt
in the Certificate field.
7.7. Click the Apply button to confirm.
Restart ESF to reload the keystore.
8. Click on Cloud Services in the left panel, you should see this screen:
8.1. Click on the New button at the top of the page and set the following parameters in the dialog:
- Factory ->
org.eclipse.kura.cloud.CloudService
- Cloud Service Pid ->
org.eclipse.kura.cloud.CloudService-AWS
Press the Create button to confirm and then select the newly created CloudService instance from the list.
8.2. Set the broker URL in the MqttDataTransport-AWS tab, it can be obtained from the AWS IoT Web Console clicking on the Settings entry in the bottom left section of the page, the URL will look like the following:
a1rm1xxxxxxxxx.iot.us-east-1.amazonaws.com
The mqtts protocol must be used, the value for the broker-url field derived from the URL above is the following:
mqtts://a1rm1xxxxxxxxx.iot.us-east-1.amazonaws.com:8883/
8.3. Clear the value of the username and password fields.
8.4. Set a value for the topic.context.account-name and client-id.
-
Assign an arbitrary account name to topic.context.account-name (for example
aws-test
), this will be used by the CloudClient instances for building the topic structure. -
Enter the thing name in the client-id field (in this example
kura-gateway
).
8.5. In order for the previously added keys to be used for the SSL connection with the broker enter the Storage Alias defined in step 7.2 (e.g aws-ssl
) as value for the ssl.certificate.alias field.
8.6. The setting lwt.topic under MqttDataTransport-AWS needs to be updated as well by entering a value not containing the $ character. This is required because of the fact that AWS IoT does not support topic names starting with $ (except for the $aws/ hierarchy).
8.7. Press the Apply button in the top left section to commit the changes to the MqttDataTransport-AWS.
8.8. Enter a name without the $ character for the topic.control-prefix setting in the CloudService-AWS tab, for example aws-control
.
8.9. The ESF CloudService uses some well-known topics to allow remote device management and to report device state information, this features are not supported by default by AWS IoT, the following settings can be applied in the CloudService-AWS tab in order to avoid sending unnecessary messages:
- republish.mqtt.birth.cert.on.gps.lock ->
false
- republish.mqtt.birth.cert.on.modem.detect ->
false
- enable.default.subscriptions ->
false
- birth.cert.policy ->
Disable publishing
8.10. Click the Apply button to save the changes.
- Make sure the AWS CloudService instance is selected from the list in tho top section of the page and click on the Connect button, if the connection to AWS IoT platform succeeds the Status of the instance will be reported as Connected.
ESF CloudService uses the Kura protobuf format for payload encoding, and performs payload compression to reduce message size. For this reason it will not be possible to immediately visualize published message content using AWS console.
It is possible to disable payload compression and switch to the JSON format by setting the following parameters in the CloudService-AWS tab:
- encode.gzip ->
false
- payload.encoding ->
Simple JSON
Updated almost 6 years ago