- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
IBM IoT Platform secure connectivity using A71CH
Hi @prabhunath_gupt ,
Indeed the A71CH is offered off-the-shelf pre-provisioned so that OEMs are not required to program any additional credentials to onboard their devices to Watson IoT. if your customer doesn't want to extract the certificates from the secure element, then they have to provision their devices with device-individual credentials. Is this the way they prefer to ? Please kindly clarify.
Have a great day,
Kan
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
Hi Kan,
Thanks for your response.
We have gone through the application note "A71CH for secure connection to IBM Watson IoT" and found there are two types of A71CH as below.
- A71CH Customer Programmable type
- A71CH Provisioned & Programmable type; Ready for IBM Watson IoT
As per section 4 which is related to the "A71CH Customer Programmable" type, NXP provides C client library source code(iot-nxpimxa71ch-c), and it contains some examples and certificates provisioning script. We have gone through one example "samples/gatewaySample.c" and found there is one API available in "src/iotfclient.c" file which fetch the certificates from the secure element and store the same in the file system.
Please find the below queries based on the above understanding.
- Is the same Client library will use if we go with "A71CH Provisioned & Programmable type Ready for IBM Watson IoT" type? If yes then reading the certificates from the A71CH and store the same in the file system is again a security blocker for us.
- What are other security advantages in "A71CH Provisioned & Programmable type; Ready for IBM Watson IoT" apart from provisioning certificates performed by NXP?
- OpenSSL engine used in this C client library is an older one, is there any plan to update this C library as it is not updated for more than 2 years.
The key point is to integrate the secure element communications with the IBM cloud and create an end to end TLS communication and avoid to extract the certificate from the secure element. for this, it is necessary to have A71CH SDK integration with the IBM cloud, Please direct us to the SDK which supports IBM cloud integration in a secure way.
Hello @prabhunath_gupt ,
- Is the same Client library will use if we go with "A71CH Provisioned & Programmable type Ready for IBM Watson IoT" type? If yes then reading the certificates from the A71CH and store the same in the file system is again a security blocker for us. - Usually the certificates are provisioned into A71CH and host controller may fetch it from the secure element via a secured channel, here we use SCP on platform/applet level, so I could not understand what the scenario of without extracting certificates from secure element would be like, would you please clarify?
- What are other security advantages in "A71CH Provisioned & Programmable type; Ready for IBM Watson IoT" apart from provisioning certificates performed by NXP? - The main advantage is saving the cost for provisioning , this IC can be used directly for IBM Watson IOT application out of box.
- OpenSSL engine used in this C client library is an older one, is there any plan to update this C library as it is not updated for more than 2 years. -
The Plug&Trust MW comes with two OpenSSL Engine implementations, both implementations support OpenSSL 1.1.1:
-
SSS API based (A71CH SSS OpenSSL Engine)
-
A71CH Legacy API based (A71CH Legacy OpenSSL Engine) Does this version meet your requirement? Please kindly clarify.
-
Have a great day,
Kan
-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------
Dear Nxp Team,
We are waiting for your response to the above query please provide some inputs on this.
Do let us know if any other information required.
