Bosch IoT Device Management

Automatic thing creation for devices authenticating with device certificates

In this example, we assume that you want your devices, which authenticate with device certificates, to be automatically registered with our services.

These will most probably be stand-alone devices.

By default, all devices that want to communicate with the Bosch IoT Suite need to be registered.
In this case, however, we assume that you do not want to register your device through the provisioning API or UI, but instead want to establish the trust via a device certificate that is accepted by the device connectivity layer, Bosch IoT Hub.

To prepare such a setup, please proceed with the steps described in the following sections:

Step A - Configure a CA certificate for your tenant

Navigate to https://accounts.bosch-iot-suite.com/subscriptions/ and click Go to Developer Console.

The Bosch IoT Suite console will open in a new browser tab where you can perform the following steps:

  1. Open the Certificates UI feature.

    If it is not listed yet, click Search Services and features, then click the star icon on the Certificates tile to pin the entry to the left menu bar.

  2. Click the + icon to get the Add root certificate entry fields.

  3. Enter a unique name for the certificate.

  4. Click the Load PEM file button.
    Select the PEM file from the local folder where you store it and confirm with Open to upload it from your workstation.
    The certificate entry field is pre-filled with the Base64 encoded certificate.

  5. Enable automatic provisioning by activating the toggle button Auto-provisioning enabled.

  6. Enter a template for the generation of the device ID: your.namespace:{{subject-dn}} or your.namespace:{{subject-cn}}. Keep the placeholder exactly in the notation given in the context-sensitive help.

    Since your subscription could have multiple namespaces, note that the device ID template must contain one specific namespace within your subscription.

  7. Click the Add button.

(Screenshot: ca-upload.png)

As a result, the certificate is stored. Click the name to see the details.

(Screenshot: ca-cn.png)

Step B - Configure the Devices via Bosch IoT Hub connection

By default, the "Devices via Bosch IoT Hub" connection is generated automatically when the service instances of this service subscription are created.

This connection provides default templates for creating stand-alone devices as well as gateways or devices which communicate via a gateway.

However, if the default template does not fit your needs, feel free to customize it.


Step C - Use Eclipse Mosquitto to simulate a new device that needs to be registered implicitly

  • Make sure the mosquitto_pub command is installed. See Eclipse Mosquitto.

  • Download the server certificate for MQTT TLS encryption.

    curl -o ISRGRootX1.crt https://letsencrypt.org/certs/isrgrootx1.pem
  • Send an event from the device to simulate a change.
    If the device can authenticate properly (i.e. the device certificate is valid under the CA certificate which you uploaded in step A) but does not exist yet, this results in a new device registration.

  • The content of the message must additionally follow the notation of the Eclipse Ditto protocol.
    In our example we simulate updating the value of the manufacturer attribute, so the request looks like the following snippet:

    mosquitto_pub -h mqtt.bosch-iot-hub.com -p 8883 -t event \
      -m '{
        "topic": "<your.namespace>/device-name/things/twin/commands/modify",
        "path": "/attributes/manufacturer",
        "value": "my company"
      }' \
      -q 1 --cert demo-certs/certs/device-cert.pem --key demo-certs/certs/device-key.pem --cafile ISRGRootX1.crt

    If you would like to reproduce this, replace <your.namespace> in the "topic" part with exactly the namespace entered in step A, item 6.

    The device-name will be substituted with the {{subject-cn}} from the device certificate.
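As an added example (not part of the Bosch documentation), the following Python script computes the device ID that the step A template derives from a device certificate's subject and assembles the step C mosquitto_pub command, so you can predict the thing ID before checking your work. The subject DN value, the demo-certs paths and the openssl invocation used to read a real certificate are assumptions.

```python
import json
import re
import shlex
import subprocess

# Constructed subject of a device certificate, in the RFC 2253 form that
# `openssl x509 -noout -subject -nameopt RFC2253` prints (example value only).
DEVICE_SUBJECT_DN = "CN=device-name,O=Example Devices,C=DE"

def subject_dn_from_cert(cert_path):
    """Read a PEM certificate's subject DN with the openssl CLI (RFC 2253 form)."""
    out = subprocess.run(["openssl", "x509", "-noout", "-subject", "-nameopt", "RFC2253",
                          "-in", cert_path], capture_output=True, text=True, check=True).stdout
    return out.strip().split("=", 1)[1].strip()  # drop the leading "subject="

def parse_subject_dn(dn):
    """Split an RFC 2253 DN into {attribute: value}; a comma escaped as '\\,' stays in the value."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        key, _, value = rdn.partition("=")
        attrs[key.strip().upper()] = value.replace("\\,", ",")
    return attrs

def render_device_id(template, subject_dn):
    """Apply the step A template, e.g. 'your.namespace:{{subject-cn}}', to a certificate subject."""
    namespace, sep, placeholder = template.partition(":")
    if not sep or placeholder not in ("{{subject-dn}}", "{{subject-cn}}"):
        raise ValueError("template must be <namespace>:{{subject-dn}} or <namespace>:{{subject-cn}}")
    cn = parse_subject_dn(subject_dn).get("CN")
    if placeholder == "{{subject-cn}}" and not cn:
        raise ValueError("certificate subject has no CN: use {{subject-dn}} or reissue the certificate")
    return namespace + ":" + (subject_dn if placeholder == "{{subject-dn}}" else cn)

def ditto_modify_attribute(device_id, attribute, value):
    """Ditto protocol message from step C: modify one attribute of the device's twin."""
    namespace, _, name = device_id.partition(":")
    return {"topic": f"{namespace}/{name}/things/twin/commands/modify",
            "path": f"/attributes/{attribute}", "value": value}

def mosquitto_pub_argv(device_id, attribute, value, cert, key, cafile="ISRGRootX1.crt"):
    """The step C mosquitto_pub invocation as an argv list (no shell quoting pitfalls)."""
    message = json.dumps(ditto_modify_attribute(device_id, attribute, value))
    return ["mosquitto_pub", "-h", "mqtt.bosch-iot-hub.com", "-p", "8883", "-t", "event",
            "-m", message, "-q", "1", "--cert", cert, "--key", key, "--cafile", cafile]

if __name__ == "__main__":
    device_id = render_device_id("your.namespace:{{subject-cn}}", DEVICE_SUBJECT_DN)
    print("expected device/thing ID:", device_id)  # your.namespace:device-name
    argv = mosquitto_pub_argv(device_id, "manufacturer", "my company",
                              "demo-certs/certs/device-cert.pem", "demo-certs/certs/device-key.pem")
    print(shlex.join(argv))
```

On a real device certificate, replace DEVICE_SUBJECT_DN with subject_dn_from_cert("demo-certs/certs/device-cert.pem"); the printed ID is the one you should find in Bosch IoT Things after the event is accepted.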

Check your work

The mosquitto_pub command is forwarded to Bosch IoT Things, the digital twin layer of Bosch IoT Device Management. Because it passes through the connection configured in step B, a payload mapping is applied.

The device is automatically created with the respective template, which excludes the attribute.

(Screenshot: new-device.png)

Please take into account that the protocol adapters of Bosch IoT Hub cache devices and their credentials. This means that if you change a device's or its credentials' properties, it takes some time until the protocol adapters apply the changes. Currently the cache duration is configured to 10 minutes.