5.11.4. Ease of Use configuration - AWS IoT Console
5.11.4.1. Pre-requisites
AWS IoT Console Account
AWS CLI installed and configured (linked to your AWS account)
ssscli Tool
5.11.4.2. Extracting Device Certificate
Using ssscli Tool, read out the device certificate. Refer to Trust provisioned KeyIDs for keyIDs of trust provisioned keys and certificates.
Note
If you wish to use an embedded microcontroller, flash the VCOM binary on your board first.
VCOM binaries are available in the binaries directory.
Extract the device certificate as:
ssscli connect se05x <conn-type> <port>
ssscli get cert <certificate-keyId> <certificate-filename>
ssscli disconnect
Note
Give connection parameters according to your board. Refer to List of ssscli commands for details on supported parameters.
5.11.4.3. Registering Device Certificate
Use AWS CLI Tool to register the extracted device certificate on to your AWS IoT Console:
aws iot register-certificate-without-ca --certificate-pem file://<certificate-filename> --status ACTIVE
aws iot attach-policy --target <certificate ARN> --policy-name <policy name>
Note
The certificate ARN is printed out after execution of the first command.
Run the following command to print out the SNI string. This will be used later:
aws iot describe-endpoint --endpoint-type iot:Data-ATS
Note
Additionally, you can create and attach policies using the aws iot create-policy and aws iot attach-policy commands. This is not required for this demo, which tests only publish and subscribe functionality, but you would need policies to allow or restrict access to any resource. For more information on policies, refer to AWS CLI CreatePolicy and AWS CLI AttachPolicy.
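A check you can run between the two registration commands, added here as an example (it is not part of the NXP middleware or the AWS CLI): it compares the certificate ID in the returned ARN with the SHA-256 digest of the certificate file read from the secure element, so a wrong or stale file is caught before a policy is attached. It assumes the AWS IoT certificate ID is the lowercase hex SHA-256 of the DER-encoded certificate; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: confirm that the certificate AWS IoT registered is the one
# extracted with ssscli.
# Assumption: the certificate ID (last component of the ARN) is the lowercase
# hex SHA-256 digest of the DER-encoded certificate.

# Print the SHA-256 of the DER body of the first certificate in a PEM file.
cert_id_from_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ {on=1; next}
         /-----END CERTIFICATE-----/   {exit}
         on {gsub(/[ \t\r]/, ""); printf "%s", $0}' "$1" |
        base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Print the certificate ID from an ARN of the form
# arn:aws:iot:<region>:<account>:cert/<id>; fail on anything else.
cert_id_from_arn() {
    case "$1" in
        arn:aws*:iot:*:*:cert/*) ;;
        *) return 1 ;;
    esac
    id=${1##*/}
    # The ID must be exactly 64 lowercase hex characters.
    printf '%s' "$id" | grep -Eq '^[0-9a-f]{64}$' || return 1
    printf '%s\n' "$id"
}

# Return 0 only when the ARN refers to the certificate in the PEM file.
# 2 = file missing or not a PEM certificate, 3 = malformed ARN, 1 = mismatch.
arn_matches_cert() {
    [ -s "$1" ] || return 2
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 2
    local_id=$(cert_id_from_pem "$1")
    remote_id=$(cert_id_from_arn "$2") || return 3
    [ "$local_id" = "$remote_id" ]
}

# Usage: arn_matches_cert <certificate-filename> "<certificate ARN>"
```

Source the file and call arn_matches_cert with the extracted certificate and the ARN printed by register-certificate-without-ca; continue to attach-policy only on exit status 0.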
5.11.4.4. Running on Linux
This step is only for Linux platforms. If you wish to use an embedded microcontroller, continue to the next step.
Run the following commands to build OpenSSL engine for SE050:
cd simw-top
python scripts/create_cmake_projects.py
cd ../simw-top_build/<board>_native_se050_t1oi2c
cmake --build .
make install
ldconfig /usr/local/lib
Navigate to the demos/linux/aws_eou directory and execute buildScript.sh as:
chmod +x buildScript.sh
./buildScript.sh
This will build the project iot_demo_mqtt.
Based on the OpenSSL version, select the appropriate configuration file in the <MW_SRC_DIR>/simw-top/demos/linux/common directory:
openssl11_sss_se050.cnf ----- OpenSSL 1.1.1 and SE050
openssl_sss_se050.cnf ----- OpenSSL 1.0.0 and SE050
Set the openssl config path as:
$ export OPENSSL_CONF=<absolute-path-to-MW>/demos/linux/common/<appropriate-cnf-file>
Create a reference file of device keypair for OpenSSL engine:
ssscli connect se05x <conn-type> <port>
ssscli refpem ecc/rsa pair <keypair-keyId> <ref-filename>
ssscli disconnect
Note
Make sure that the device keypair used corresponds to the device certificate.
Run the demo:
cd output/bin
./iot_demo_mqtt -i "ThingName" -h <endpoint> -r AmazonRootCA1.pem -c <certificate-filename> -k <ref-filename>
where endpoint is the SNI string obtained in step Registering Device Certificate, certificate-filename is the device certificate extracted in step Extracting Device Certificate and ref-filename is the reference key created in the previous step.
5.11.4.5. Running on MCU
Update the clientcredentialMQTT_BROKER_ENDPOINT variable in the demos/ksdk/common/aws_clientcredential.h file with the SNI string obtained in the previous step.
Update SSS_KEYPAIR_INDEX_CLIENT_PRIVATE and SSS_CERTIFICATE_INDEX_CLIENT in the file demos/ksdk/common/aws_iot_config.h with the KeyIDs of the device keypair and device certificate respectively. Refer to the trust provisioned keyIDs listed in Section 3.17 Trust provisioned KeyIDs.
#define SSS_KEYPAIR_INDEX_CLIENT_PRIVATE 0x20181005
#define SSS_CERTIFICATE_INDEX_CLIENT 0x20181007
Build and run project cloud_aws.
CMake configurations:
RTOS_FreeRTOS: ON
SSS_HAVE_HOSTCRYPTO_MBEDTLS: ON
SSS_HAVE_MBEDTLS_ALT_SSS: ON