5.11.4. Ease of Use configuration - AWS IoT Console

5.11.4.1. Pre-requisites

  • AWS IoT Console Account

  • AWS CLI installed and configured (linked to your AWS account)

  • ssscli Tool

5.11.4.2. Extracting Device Certificate

Using ssscli Tool, read out the device certificate. Refer to Trust provisioned KeyIDs for keyIDs of trust provisioned keys and certificates.

Note

If you wish to use an embedded microcontroller, flash the VCOM binary on your board first. VCOM binaries are available in the binaries directory.

Extract the device certificate as:

ssscli connect se05x <conn-type> <port>
ssscli get cert <certificate-keyId> <certificate-filename>
ssscli disconnect

Note

Give connection parameters according to your board. Refer to List of ssscli commands for details on supported parameters.

5.11.4.3. Registering Device Certificate

Use AWS CLI Tool to register the extracted device certificate on to your AWS IoT Console:

aws iot register-certificate-without-ca --certificate-pem file://<certificate-filename> --status ACTIVE
aws iot attach-policy --target <certificate ARN> --policy-name <policy name>

Note

The certificate ARN is printed out after execution of the first command.

Run the following command to print out the SNI string. This will be used later:

aws iot describe-endpoint --endpoint-type iot:Data-ATS

Note

Additionally, you can create and attach policies using the aws iot create-policy and aws iot attach-policy commands. Although this is not required for this demo as we test only publish and subscribe functionalities, you would need to use policies to allow/restrict access to any resource. For more information on policies, refer to AWS CLI CreatePolicy and AWS CLI AttachPolicy.
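The following is an added example, not part of the original documentation: a shell sketch that writes a least-privilege policy for a publish/subscribe test and rejects any policy containing a wildcard before it is registered. The function names, region, account ID, client ID and topic are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not NXP or AWS code). Function names are hypothetical;
# region, account ID, client ID and topic are constructed placeholders.

# Print a policy that lets one MQTT client ID connect and use one topic.
make_pubsub_policy() {
    region=$1; account=$2; client_id=$3; topic=$4
    arn="arn:aws:iot:${region}:${account}"
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "iot:Connect",
      "Resource": "${arn}:client/${client_id}" },
    { "Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
      "Resource": "${arn}:topic/${topic}" },
    { "Effect": "Allow", "Action": "iot:Subscribe",
      "Resource": "${arn}:topicfilter/${topic}" }
  ]
}
EOF
}

# Constructed sample of the overly permissive policy to avoid.
weak_policy() {
    printf '%s\n' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iot:*","Resource":"*"}]}'
}

# Coarse check: succeeds (exit 0) if the policy on stdin contains any
# wildcard. A policy scoped to one client and one topic needs none.
policy_is_overbroad() {
    grep -q '[*]'
}

# Usage (not executed here):
#   make_pubsub_policy <region> <account-id> ThingName <topic> > policy.json
#   policy_is_overbroad < policy.json && { echo "wildcard in policy"; exit 1; }
#   aws iot create-policy --policy-name <policy name> \
#       --policy-document file://policy.json
```

The client ID passed to make_pubsub_policy has to match the identifier the device presents when it connects, otherwise iot:Connect is denied.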

5.11.4.4. Running on Linux

This step is only for Linux platforms. If you wish to use an embedded microcontroller, continue to the next step.

  • Run the following commands to build OpenSSL engine for SE050:

    cd simw-top
    python scripts/create_cmake_projects.py
    cd ../simw-top_build/<board>_native_se050_t1oi2c
    cmake --build .
    make install
    ldconfig /usr/local/lib
    
  • Navigate to demos/linux/aws_eou directory and execute the buildScript.sh as:

    chmod +x buildScript.sh
    ./buildScript.sh
    

    This will build the project iot_demo_mqtt.

  • Based on OpenSSL version, select the appropriate configuration file in <MW_SRC_DIR>/simw-top/demos/linux/common directory:

    openssl11_sss_se050.cnf   ----- OpenSSL 1.1.1 and SE050
    openssl_sss_se050.cnf     ----- OpenSSL 1.0.0 and SE050
    
  • Set the openssl config path as:

    $ export OPENSSL_CONF=<absolute-path-to-MW>/demos/linux/common/<appropriate-cnf-file>
    
  • Create a reference file of device keypair for OpenSSL engine:

    ssscli connect se05x <conn-type> <port>
    ssscli refpem ecc/rsa pair <keypair-keyId> <ref-filename>
    ssscli disconnect
    

    Note

    Make sure that the device keypair used corresponds to the device certificate.

  • Run the demo:

    cd output/bin
    ./iot_demo_mqtt -i "ThingName" -h <endpoint> -r AmazonRootCA1.pem -c <certificate-filename> -k <ref-filename>
    

    where endpoint is the SNI string obtained in step Registering Device Certificate, certificate-filename is the device certificate extracted in step Extracting Device Certificate and ref-filename is the reference key created in the previous step.

5.11.4.5. Running on MCU

  • Update the clientcredentialMQTT_BROKER_ENDPOINT variable in demos/ksdk/common/aws_clientcredential.h file with the SNI string obtained in step Registering Device Certificate.

  • Update SSS_KEYPAIR_INDEX_CLIENT_PRIVATE and SSS_CERTIFICATE_INDEX_CLIENT in file demos/ksdk/common/aws_iot_config.h with KeyIDs of device keypair and device certificate respectively. Refer to trust provisioned keyIDs listed in Section 3.17 Trust provisioned KeyIDs.

    #define SSS_KEYPAIR_INDEX_CLIENT_PRIVATE 0x20181005
    #define SSS_CERTIFICATE_INDEX_CLIENT 0x20181007

  • Build and run project cloud_aws.

    CMake configurations:

    • RTOS_FreeRTOS: ON

    • SSS_HAVE_HOSTCRYPTO_MBEDTLS: ON

    • SSS_HAVE_MBEDTLS_ALT_SSS: ON