Connecting with Edgelock SE050 and Raspberry Pi to AWS IoT Core



This example shows all steps of the onboarding process of a device to AWS IoT Core using the pre-provisioned credentials of the EdgeLock SE050 secure element.

AWS IoT authenticates client certificates using the TLS protocol's client authentication mode. In TLS client authentication, AWS IoT requests an X.509 client certificate and validates the certificate's status against a registry of certificates in the AWS account. It challenges the client for proof of ownership of the private key that corresponds to the public key contained in the certificate.
The secure element EdgeLock SE050 is used to securely store the private client keys and perform the client authentication.

AWS IoT supports the following types of X.509 client certificates, all of which are supported by the EdgeLock SE050:

  1. X.509 certificates generated by AWS IoT
  2. X.509 certificates signed by a CA registered with AWS IoT.
  3. X.509 certificates signed by a CA that is not registered with AWS IoT. Client certificates must be registered with AWS IoT before a client can communicate with AWS IoT.

Only Option 3 supports the onboarding of a device to AWS IoT Core using the pre-provisioned credentials of a generic EdgeLock SE050. This option is known as “AWS IoT Core Multi-Account Registration”, has been generally available since 30th April 2020, and is supported by the AWS CLI. Customer-specific configurations of the EdgeLock SE050 with pre-provisioned certificates can even use Option 2.

Hardware setup

Hardware Prerequisite

The following hardware will be used for this demo:

  • Raspberry Pi 3 Model B+
  • OM-SE050ARD development kit (NXP 12NC 935383282598)
  • Optional: OM-SE050RPI adapter board for Raspberry Pi (12NC 935379833598) [1]

https://www.nxp.com/products/security-and-authentication/authentication/edgelock-se050-development-k...

[1] For further details see NXP “AN12570 Quick start guide with Raspberry Pi”, chapter “2 Prepare your Raspberry Pi”. In the following sections, we will use the OM-SE050RPI adapter board.

Connecting the OM-SE050ARD to the Raspberry Pi

Make sure the jumpers in your OM-SE050ARD board are configured as shown in the figure below (equal to the default configuration of OM-SE050ARD):

[Figure: OM-SE050ARD jumper configuration (default configuration)]

Stack the OM-SE050ARD, using the adapter board, onto the Raspberry Pi:

[Figure: OM-SE050ARD stacked onto the Raspberry Pi via the OM-SE050RPI adapter board]

Alternatively, it is possible to connect the OM-SE050ARD to the Raspberry Pi board with wires, as shown in the figure below:

[Figure: OM-SE050ARD wired to the Raspberry Pi]

Software Setup

This section explains how to get your Raspberry Pi ready to execute the EdgeLock SE050 Plug & Trust middleware.

Prerequisite

Enable I2C if not yet enabled on your Raspberry Pi.

ls /sys/bus/i2c/devices

If the output does not list i2c-1, I2C needs to be enabled for your board.

sudo raspi-config

Use the down arrow to select Interfacing Options. Follow the instructions and enable I2C.

Create a new folder called se050_middleware:

cd ~

mkdir se050_middleware

cd se050_middleware

EdgeLock SE050 Plug & Trust middleware - Build Instructions

Install the required build tools, if the image does not have them already.

sudo apt-get install cmake cmake-curses-gui cmake-gui libssl-dev

Download the EdgeLock SE050 Plug & Trust middleware (nxp.com login needed) from the NXP website.

Unzip the EdgeLock SE050 Plug & Trust middleware in the se050_middleware folder:

unzip ~/Downloads/SE050-PLUG-TRUST-MW.zip -d ~/se050_middleware

Run the following commands to build the OpenSSL engine for the SE050. For further details please see “AN12570 Quick start guide with Raspberry Pi”, chapter “3.2 Build EdgeLock SE050 Plug & Trust middleware”. If the hostname is “raspberrypi”, the build configuration for a Raspberry Pi is created automatically:

cd simw-top

python3 scripts/create_cmake_projects.py

cd ~/se050_middleware/simw-top_build/raspbian_native_se050_t1oi2c

cmake --build .

sudo make install

sudo ldconfig /usr/local/lib

Install the ssscli tool

In this example, the SE050 Python-based ssscli tool is used to extract the credentials of the EdgeLock SE050. The following steps are needed before running the ssscli tool and have to be done only once per installation.

sudo apt-get install python3-pip

sudo apt-get install libffi-dev

cd ~/se050_middleware/simw-top/pycli

pip3 install -r requirements.txt

To install the ssscli tool, run the following command once:

pip3 install --editable src

Install AWS CLI

To install the AWS CLI tool, run the following command once (note the double dash in --user):

pip3 install awscli --upgrade --user

Add AWS CLI executable to your Command-Line Path:

export PATH=/home/pi/.local/bin:$PATH

Confirm that the AWS CLI tool was successfully installed:

aws --version

Configure AWS

Get access key ID and secret access key

To access AWS, you will need to sign up for an AWS account.

Access keys consist of an access key ID and a secret access key, which are used to sign the programmatic requests that you make to AWS. If you don't have access keys, you can create them using the IAM console at https://console.aws.amazon.com/iam/.

To get your access key ID and secret access key:

  1. Open the IAM console at https://console.aws.amazon.com/iam/.
  2. On the navigation menu, choose Users.
  3. Choose your IAM user name (not the checkbox).
  4. Open the Security credentials tab, and then choose Create access key.
  5. To see the new access key, choose Show. Your credentials resemble the following:
     • Access key ID:
     • Secret access key:
  6. To download the key pair, choose Download .csv file. Store the .csv file with the keys in a secure location.

Set AWS credentials in the AWS CLI

You can save your frequently used configuration settings and credentials in files that are maintained by the AWS CLI.

Run the following command to quickly set your credentials, region, and output format:

aws configure

Example:

$ aws configure

AWS Access Key ID [None]: <access key ID>

AWS Secret Access Key [None]: <secret access key>

Default region name [None]: <aws region name>

Default output format [None]: json

Using credentials from EdgeLock SE050

We will use the ECC credentials in this example: the key with ID 0xF0000100 and the corresponding certificate with ID 0xF0000101. You can use any of the certificates that are pre-provisioned in your EdgeLock SE050. Please refer to AN12436 - SE050 Configurations for a list of the available key and certificate IDs.

Create a folder to store the EdgeLock SE050 credentials:

cd ~/se050_middleware/

mkdir se050_device_credentials

cd se050_device_credentials

Extracting the EdgeLock SE050 Device Certificate

Using pySSSCLI Tool, read out the device certificate.

ssscli connect se050 t1oi2c none

ssscli get cert 0xF0000101 se050_device_cert0_ecc.cer

Creating the EdgeLock SE050 Device Key Reference

The private device key is securely stored inside the EdgeLock SE050 and cannot be read out.

The EdgeLock SE050 device reference key is used by the OpenSSL engine to invoke the private key operation inside the SE050.

Using pySSSCLI Tool, read out the device reference key.

sudo ssscli refpem ecc pair 0xF0000100 se050_device_key_ref0_ecc.pem

ssscli disconnect

Registering Device Certificate

Use the AWS CLI tool to register the extracted device certificate in your AWS IoT account.

The command line options are:

aws iot register-certificate-without-ca --certificate-pem <certificate-filename>

Execute the following command:

aws iot register-certificate-without-ca --certificate-pem file://se050_device_cert0_ecc.cer --status ACTIVE

This command returns the certificate ARN and the certificate ID. The certificate Amazon Resource Name (ARN) uniquely identifies this certificate and is needed below to attach the policy. You can open the AWS IoT console to check that the certificate was successfully registered.

Create an AWS IoT policy.

First, create a JSON document “se050_raspi_policy.json”, using for example the nano editor. The following command creates an empty file:

nano se050_raspi_policy.json

Copy and paste the following content into the text editor and save the file.
Note: for demo purposes this policy allows all iot actions on all resources; for a production device, restrict it to the client ID and the topics the device actually needs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:*",
      "Resource": "*"
    }
  ]
}

Use the AWS CLI Tool to create the policy on your AWS IoT Console.

aws iot create-policy --policy-name se050_raspi_policy --policy-document file://se050_raspi_policy.json

You can open the AWS IoT console to check that the policy was successfully created.

Attach AWS IoT policy to certificate.

Attaching an AWS IoT Core policy to a certificate gives the device connecting with this certificate the permissions specified in the policy.

Use the AWS CLI tool to attach the policy to the device certificate:

aws iot attach-policy --target <certificate ARN> --policy-name se050_raspi_policy

Obtain the custom AWS IoT endpoint URL

Run the following command to print the AWS IoT endpoint address of your account. It will be used later:

aws iot describe-endpoint --endpoint-type iot:Data-ATS

Alternatively, you can obtain the custom AWS IoT endpoint using the AWS IoT console.

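The four AWS-side steps above (register the certificate, create the policy, attach it, look up the endpoint) can also be scripted. The following Python script is an added example and not part of the NXP article: it builds a least-privilege alternative to the demo policy, reports unrestricted wildcards in a policy document, and performs the same steps with boto3 instead of the AWS CLI. The region, account ID, thing name and policy name are placeholders, and the topic scope assumes the demo exchanges messages below iotdemo/ (the iotdemo/# filter subscribed to later in the article).

```python
"""Added example (not from the NXP article): least-privilege AWS IoT policy for
one SE050-backed device plus the registration steps done with boto3.
REGION and ACCOUNT_ID are placeholders; replace them with your own values."""
import json

REGION = "eu-central-1"        # placeholder
ACCOUNT_ID = "123456789012"    # placeholder 12-digit AWS account id

# The demo policy from the article: every iot action on every resource.
DEMO_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}


def device_policy(thing_name, region=REGION, account_id=ACCOUNT_ID,
                  topic_prefix="iotdemo"):
    """Policy that pins the MQTT client id to the thing name (the -i argument
    of iot_demo_mqtt) and confines publish/subscribe to <topic_prefix>/...
    Narrow the topic resources further once the device's real topics are known."""
    arn = f"arn:aws:iot:{region}:{account_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": f"{arn}:client/{thing_name}"},
            {"Effect": "Allow", "Action": "iot:Publish",
             "Resource": f"{arn}:topic/{topic_prefix}/*"},
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": f"{arn}:topicfilter/{topic_prefix}/*"},
            {"Effect": "Allow", "Action": "iot:Receive",
             "Resource": f"{arn}:topic/{topic_prefix}/*"},
        ],
    }


def wildcard_findings(policy):
    """Return (action, resource) pairs of Allow statements that grant a
    wildcard action (e.g. iot:*) or the unrestricted resource "*"."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for action in actions:
            for resource in resources:
                if action.endswith("*") or resource == "*":
                    findings.append((action, resource))
    return findings


def onboard(cert_path, thing_name, policy_name, region=REGION):
    """Register the SE050 certificate, create and attach the device policy and
    return (certificate ARN, data endpoint). Mirrors the article's
    register-certificate-without-ca, create-policy, attach-policy and
    describe-endpoint commands; create-policy fails if the policy already exists,
    so run it once per policy name. boto3 is imported lazily so the pure
    functions above work without it."""
    import boto3  # uses the same credentials as `aws configure`
    iot = boto3.client("iot", region_name=region)
    with open(cert_path) as f:
        cert_pem = f.read()
    reg = iot.register_certificate_without_ca(certificatePem=cert_pem, status="ACTIVE")
    cert_arn = reg["certificateArn"]
    account_id = cert_arn.split(":")[4]          # account id is the 5th ARN field
    policy = device_policy(thing_name, region, account_id)
    iot.create_policy(policyName=policy_name, policyDocument=json.dumps(policy))
    iot.attach_policy(policyName=policy_name, target=cert_arn)
    endpoint = iot.describe_endpoint(endpointType="iot:Data-ATS")["endpointAddress"]
    return cert_arn, endpoint


if __name__ == "__main__":
    print("demo policy wildcards:", wildcard_findings(DEMO_POLICY))
    print(json.dumps(device_policy("myRaspiSE050"), indent=2))
```

Running the script without arguments only prints the findings for the demo policy and the scoped policy for the thing name used later in the article; `onboard("se050_device_cert0_ecc.cer", "myRaspiSE050", "se050_raspi_policy")` performs the real registration and needs the credentials configured with `aws configure`.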
Run the IoT demo MQTT Example

Navigate to the demos/linux/aws_eou directory and execute buildScript.sh. This builds the project iot_demo_mqtt.

cd ~/se050_middleware/simw-top/demos/linux/aws_eou/

chmod +x buildScript.sh

./buildScript.sh

Copy all SE050 credentials into the example's output/bin folder:

cd ~/se050_middleware/simw-top/demos/linux/aws_eou/aws-iot-device-sdk-embedded-C/build/output/bin

cp ~/se050_middleware/simw-top/demos/linux/aws_eou/AmazonRootCA1.pem ~/se050_middleware/simw-top/demos/linux/aws_eou/aws-iot-device-sdk-embedded-C/build/output/bin

cp ~/se050_middleware/se050_device_credentials/se050_device_cert0_ecc.cer ~/se050_middleware/simw-top/demos/linux/aws_eou/aws-iot-device-sdk-embedded-C/build/output/bin

cp ~/se050_middleware/se050_device_credentials/se050_device_key_ref0_ecc.pem ~/se050_middleware/simw-top/demos/linux/aws_eou/aws-iot-device-sdk-embedded-C/build/output/bin

To let OpenSSL use the engine, set the OpenSSL config path to point to the preconfigured config file:

export OPENSSL_CONF=/home/pi/se050_middleware/simw-top/demos/linux/common/openssl11_sss_se050.cnf

Navigate to demos binary folder:

cd ~/se050_middleware/simw-top/demos/linux/aws_eou/aws-iot-device-sdk-embedded-C/build/output/bin

Run the demo, specifying your endpoint URL and the certificate and key reference files:

./iot_demo_mqtt -i "ThingName" -h <endpoint> -r AmazonRootCA1.pem -c <certificate-filename> -k <ref-filename>

For example:

./iot_demo_mqtt -i "myRaspiSE050" -h <endpoint> -r AmazonRootCA1.pem -c se050_device_cert0_ecc.cer -k se050_device_key_ref0_ecc.pem

Go to the AWS IoT Core dashboard and subscribe to the following topic:

iotdemo/#

The MQTT topic you subscribed to will now appear in the Subscriptions section, as shown in the figure below.

[Figure: AWS IoT console, Subscriptions section showing the iotdemo/# topic]

Last update: 07-10-2020 05:02 AM