2024-03-08 09:08 AM
Hi,
I'd like to ask if any example code for Azure IoT Hub group enrollment is available.
I found examples for individual enrollment in X-CUBE-AZURE-v2-3-0 only.
I try to follow the Just-in-time registration method and it fails when trying to connect to the endpoint/scopeID.
I can read out the leaf certificate from STSAFE, but I don't understand where it fails. The CA root has been uploaded to DPS as well. Probably the enrollment process is different for group enrollment and individual enrollment as it might need some kind of challenging or key exchange?
Any guidelines will be much appreciated.
Best regards,
Thang
2024-03-13 06:15 AM - edited 2024-03-14 01:05 AM
Hello @neocnx
I will check if a demonstration code is available showing how to implement an IoT Hub Device Provisioning Service (DPS) group enrollment, following the specification in Azure IoT Hub DPS | IoT Production Training Pack.
Moreover, I asked whether it is possible to port the X-CUBE-AZURE-v2-3-0 ~\TFM_Azure_IoT example to an IoT Hub DPS group enrollment.
For internal tracking we use the Ticket #175980 (not accessible for you).
Best regards
2024-03-17 08:30 PM
Hi @CMYL,
Thank you so much. I will wait for your feedback again.
2024-03-21 12:29 AM - edited 2024-03-21 12:40 AM
Hi @neocnx,
For the last question: To use a group enrollment with a shared key you have to modify the application configuration in Projects\B-U585I-IOT02A\Applications\TFM_Azure_IoT\TFM_Apli\NonSecure\Netxduo\app_azure_iot_config.h and then recompile the application:
In app_azure_iot_config.h, comment out the lines that define USE_DEVICE_CERTIFICATE and USE_TFM_STSAFE_CERTIFICATE:
//#define USE_DEVICE_CERTIFICATE
//#define USE_TFM_STSAFE_CERTIFICATE
and configure the group's symmetric key in DEVICE_SYMMETRIC_KEY:
#define DEVICE_SYMMETRIC_KEY "==Yx67xxab.............."
It is also required to configure the registration ID (if using DPS):
#define REGISTRATION_ID "mydevice1"
(if not using DPS, it's DEVICE_ID)
The problem is that this device ID must be unique and must be changed for every device.
If the customer just wants to test one device, it is ok. You just have to change app_azure_iot_config.h, recompile the application and flash it.
If the customer wants to use this code in production for lots of devices, some code must be developed to configure each device ID.
This is where the solution with STSAFE has an advantage: Azure IoT Hub sets the device ID with the content of the Common Name field in the STSAFE X509 certificate. It is different for each STSAFE.
There are some explanations in the other (non-TrustZone) application in Projects\B-U585I-IOT02A\Applications\NetXDuo\Nx_Azure_IoT\readme.md and in the comments in app_azure_iot_config.h.
Best Regards
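Added example (not from the thread and not part of X-CUBE-AZURE): an Azure DPS symmetric-key enrollment group authenticates each device with a key derived from the group master key and the device's registration ID (base64 of HMAC-SHA256 over the registration ID, keyed with the base64-decoded group key), and that derived value is the key DPS expects from the device. The Python below derives it for the REGISTRATION_ID used above, shows the service-side check, and emits the two app_azure_iot_config.h lines; the group master key is a constructed placeholder.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample group master key (NOT a real DPS key): 32 arbitrary bytes,
# base64-encoded as the Azure portal shows enrollment-group keys.
GROUP_MASTER_KEY = base64.b64encode(bytes(range(32))).decode("ascii")


def derive_device_key(group_master_key_b64: str, registration_id: str) -> str:
    """Derive the per-device key DPS expects for a symmetric-key enrollment group.

    HMAC-SHA256 keyed with the raw (base64-decoded) group master key, with the
    UTF-8 registration ID as the message; the base64 digest is the device key.
    """
    key = base64.b64decode(group_master_key_b64)
    digest = hmac.new(key, registration_id.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_device_key(group_master_key_b64: str, registration_id: str,
                      presented_key_b64: str) -> bool:
    """Service-side view: accept the device only if the key it presents equals the
    key derived for its registration ID. Constant-time compare, no early exit."""
    expected = derive_device_key(group_master_key_b64, registration_id)
    return hmac.compare_digest(expected, presented_key_b64)


def is_well_formed_device_key(device_key_b64: str) -> bool:
    """Sanity check before flashing: a derived key must decode to exactly 32 bytes."""
    try:
        return len(base64.b64decode(device_key_b64, validate=True)) == 32
    except (ValueError, binascii.Error):
        return False


def render_config_lines(registration_id: str, device_key_b64: str) -> str:
    """Emit the two app_azure_iot_config.h defines with the derived device key."""
    return (f'#define REGISTRATION_ID "{registration_id}"\n'
            f'#define DEVICE_SYMMETRIC_KEY "{device_key_b64}"\n')


if __name__ == "__main__":
    device_key = derive_device_key(GROUP_MASTER_KEY, "mydevice1")
    print(render_config_lines("mydevice1", device_key))
```

Each board needs its own registration ID and therefore its own derived key, which is the per-device configuration step the reply above says production code must handle.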
2024-03-21 12:33 AM
Hi @neocnx,
One more use-case:
If the user wants to do group enrollment with B-U585I-IOT02A STSAFE's X509 certificate:
You have to give Azure DPS the root certificate of the STSAFE SPL3 certificate included in the board. It is available here: https://www.st.com/resource/en/application_note/an5762-stsafea110-spl03-generic-sample-profile-description-stmicroelectronics.pdf (page 3, chapter 1.1, "STM STSAFE-A PROD CA 01 certificate").
Copy the data under "PEM encoded certificate" and paste it into a local file on your PC:
-----BEGIN CERTIFICATE-----
.......
-----END CERTIFICATE-----
(copy all the lines and make sure there is a blank line after -----END CERTIFICATE-----)
You have to add this root certificate to your Azure DPS certificates and create a group enrollment with it.
In Azure web portal (portal.azure.com), in DPS config, go to "Certificates" and create a new certificate by clicking on "+". Give it the PEM file containing STSAFE-A PROD CA 01 certificate in X509 PEM format. Make sure to activate the check-box near "Set certificate status to verified on upload". As we don't have the private key for "STM STSAFE-A PROD CA 01" we can't do a proof-of-possession procedure.
With this option "Set certificate status to verified on upload" we tell Azure to trust the certificate.
Then, in DPS config go to "Manage Enrollments", click on "Enrollment groups", click on "+ Add enrollment group". Under "Attestation mechanism", select "X509 certificates uploaded to this DPS instance". In primary certificate file, select the certificate name created in the previous step. Give a group name. Click on Review + create.
With this configuration, the DPS will check the individual STSAFE X509 certificates presented by the B-U585I-IOT02A boards against the configured Root certificate and accept the devices.
Best Regards,
Younes