Skip to main content

AWS IOT JITR (Just in Time registration) with Thing and Policy creation using JAVA

AWS IOT JITR with Thing and Policy creation using JAVA.

This POC will provide Just In Time Registration (JITR) of custom certificate and Thing creation with connect policy for AWS IOT Devices. You just need to add name of thing in common name while creation of device certificate and thing will be created with attached policy & certificate and common name as thing name.

Project Overview:

  1. Get certificate details from certificate id.
  2. Parse certificate details and get common name from certificate.
  3. Creates IOT policy having action of connect.
  4. Creates IOT thing with name from certificate common name.
  5. Attach policy and thing to certificate.
  6. Activate Certificate.
  7. Now your device can connect to AWS using this custom certificate.

Step for JITR & Thing creation

Create CA Certificate:

  1. openssl genrsa -out CACertificate.key 2048
  2. openssl req -x509 -new -nodes -key CACertificate.key -sha256 -days 365 -out CACertificate.pem
  • Enter necessary details like city, country, etc.

Create private key verification certificate using CA certificate

  1. aws iot get-registration-code
  • This registration code will be used in following step
  1. openssl genrsa -out privateKeyVerification.key 2048
  2. openssl req -new -key privateKeyVerification.key -out privateKeyVerification.csr
  • Enter necessary details. Note: In common name, Enter registration code which copied before.
  1. openssl x509 -req -in privateKeyVerification.csr -CA CACertificate.pem -CAkey CACertificate.key -CAcreateserial -out privateKeyVerification.crt -days 365 -sha256
  • After this step, CA certificate will create. Now We need to register it to AWS.

Register & Activate Certificate to AWS

  1. aws iot register-ca-certificate --ca-certificate file://CACertificate.pem --verification-certificate file://privateKeyVerification.crt
  • This will output like: { "certificateArn": "< certificateArn >", "certificateId": "< certificateId >" }
  1. certId=< output certificateId >
    • Assign certificateId to certId variable.
  2. aws iot describe-ca-certificate --certificate-id $certId
    • It will give output with certificate details.
  3. aws iot update-ca-certificate --certificate-id $certId --new-status ACTIVE
    • It will activate CA certificate. You can do it from AWS console also.
  4. aws iot update-ca-certificate --certificate-id $certId --new-auto-registration-status ENABLE
    • It will enable auto registration of certificate.

Device Certificate Registration

  1. To verify certificate registration request subscribe to the following topic from AWS IOT core Test.
    • $aws/events/certificates/registered/#
    • you can skip this step.
  2. openssl genrsa -out device.key 2048
  3. openssl req -new -key device.key -out device.csr
  4. openssl x509 -req -in device.csr -CA CACertificate.pem -CAkey CACertificate.key -CAcreateserial -out device.crt -days 365 -sha256
  5. cat device.crt CACertificate.pem > deviceAndCACert.crt

Create AWS lamda function and IAM role.

  • create AWS lambda function with JAVA 8 and with IAM role which having IOT Full Access policy. Create JAR from this project using mvn clean install and upload JAR to Lambda.
  • When new device will send request with new certificate which signed with registered CA certificate then it will send MQTT message to $aws/events/certificates/registered/# topic.
  • We need to create IOT rule from Act section to trigger lambda function when new certification registered message will trigger.
    • Add rule query statement SELECT * FROM '$aws/events/certificates/registered/#' and action as Send message to Lambda function by selecting created Lambda function.

Test

  1. mosquitto_pub --cafile root.cert --cert deviceAndCACert.crt --key device.key -h -p 8883 -q 1 -t foo/bar -i anyclientID --tls-version tlsv1.2 -m "RegisterCertificateAndCreateThingAndPolicy" -d
    • Note: you need mosquito client to use above command. You can get endpoint by: aws iot describe-endpoint. you can get root.cert from here.
    • Now you can verify that new thing is created. You will also see that this thing and policy attached to new certificate. Certificate will be marked as active.
    • I added policy with just only for connect action. You can change policy as per your requirement like publish, subscribe, etc.
Labels:

Comments

Post a Comment

Popular posts from this blog

AWS IOT Thing Job

AWS IOT Thing Job AWS Iot Thing Job Creation, new job notification, start job and update the job after downloading firmware through JAVA SDK with UI in JAVAFX | Presigned S3 URL creation This Application is made for firmware download. Refer to this GIT repository:  AWS IOT POC A repository contains 3 projects: Aws-Pre-Signed-Url-Generation: To generate presigned url and use it into job document. NOTE: AWS CLI should be configured Iot-Create-Thing-Job-App: To create iot thing job with UI. NOTE: Access key and secret key should be mentioned in aws-iot-sdk-samples.properties Iot-Start-Update-Thing-Job-App: To get notification for new job and to start job and then get job document from aws. After getting thing job document, it will download firmware zip from mention url and update the status of job to SUCCEDED or FAILED. NOTE: aws-iot-sdk-samples.properties files properties should be mention as per your aws account. JOB Document: sample-job-document.json { "ope...
Post a Comment
Read more

Secure Azure Function App with Azure Active Directory (AD). [Token based access]

Welcome to BigDataStacks. This blog is regarding how we can secure azure function app with azure active directory. So when we will try to access function app it will ask for login . I also elaborate on how we can access the function URL with the access token .  Let's start.  Configure Function App Create an Azure Function app with anonymous access. Go to function app's 'Authentication / Authorization' section from 'Platform features'. Turn on App service Authentication/Authorization section. Select action 'Login with Azure AD' Click on Azure AD from Auth provider. Select 'Express' and 'create a new AD app' then click on OK. Click on 'Save'. Again open screen where we selected 'Express mode'. Now Select 'Advanced'. Copy 'clientId' which will be used later. NOTE: If clientId is not showing then refresh the page then it will display.  Add one more entry in 'Allowed Token Audi...
1 comment
Read more