Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Activity
    Ondrej Tomčík
    @ondrejtomcik
    @Hugh-Bao bundle image doesn't contain C2C
    Hugh-Bao
    @Hugh-Bao
    So I can not use bundle image for C2C PAI testing ?
    Ondrej Tomčík
    @ondrejtomcik
    @Hugh-Bao no
    Hugh-Bao
    @Hugh-Bao
    If I want to use go-ocf cloud to test C2C API, what should I do?
    Ondrej Tomčík
    @ondrejtomcik
    @Hugh-Bao use try.plgd.cloud . That's the only option right now.
    Hugh-Bao
    @Hugh-Bao
    OK , got it, thank you very much.
    Hugh-Bao
    @Hugh-Bao
    @ondrejtomcik Ondrej, if we use go-ocf to create local cloud directly, what do we need to do, is there any guidance ?
    Ondrej Tomčík
    @ondrejtomcik
    @Hugh-Bao You mean full cloud, not the bundle? deployment scripts and docu is not finalized yet. There is unfortunatelly no guidance how to do it. Our resources are very limited and everything takes time. Until you want to sponsor the go-ocf project and speed up your request. In the upcoming days, there will be an official sponsorsip possiblity enabled for the go-ocf/cloud project, which might speed-up your request.
    Hugh-Bao
    @Hugh-Bao
    Yes, I mean full cloud function. OK, I understand. Thanks a lot.
    Ondrej Tomčík
    @ondrejtomcik
    @here FYI documentation is in progress!
    https://gocf.dev/
    contributions warmly welcome!
    sudoodus
    @sudoodus
    Is anyone could invite me to join the group ocfcloud/mvite-4?
    Ondrej Tomčík
    @ondrejtomcik
    @sudoodus only those who signed the NDA are invited there. Please contact Rami.
    WinnieXu-CEI
    @winnnnniexu
    @ondrejtomcik We have been signed the NDA and registered the test, could you please give us the contact information about Rami so that we can reach him out? Thanks
    mkettrick
    @mkettrick
    You can contact Rami here: ralshafi@vtmgroup.com
    WinnieXu-CEI
    @winnnnniexu
    Thanks for the indormation.
    ged
    @gedw99
    Any examples of using this with tinygo ?
    Trishia Yun (HyeJeong Yun)
    @Trishia
    @jkralik @ondrejtomcik
    Ondrej Tomčík
    @ondrejtomcik
    @Trishia hoi, how can we help you?
    Trishia Yun (HyeJeong Yun)
    @Trishia
    Yes, I need your help. Could you explain the difference between DEVICE_OAUTH and SDK_OAUTH on Authorization ENVs ?
    I'm trying to build your pldg-dev/cloud on the google cloud
    to test C2C APIs. I'm confusing the usage of OAuth s with auth0.com.
    Ondrej Tomčík
    @ondrejtomcik
    There are different OAuth Client configurations for both SDK and Device. Device before it successfuly registers to the plgd Cloud has to SignUp using authorization code. This authorization code is exchange for an opaque token. On another side, SDK which also needs a token to be able in an authorized way communicate with the plgd Cloud requires JWT token. Reason why device cannot use JWT token is it's size and that's why you need two OAuth Clients. Requesting opaque / jwt token is not an request option but OAuth Client configuration. And as you need JWT for SDK and Opaque(Reference) for Device, you need two clients.

    Authorization Service isn't an OAuth Server. It's "just" an identity management glue between OAuth Server which usually companies host on their own. By Identity Management I mean component which links device to a user. This has nothing to do with an OAuth Server.

    So in your case, Auth0 is an OAuth 2.0 Server with user management while this plgd authorization server is what links device to user entities managed by Auth0.

    In the real production, there is no place for authorization service. It's just an example integration. In real production, authorization contracts shall be implemented by your identity management service, as user wants to manage his devices, share devices with other users and so on.

    https://github.com/plgd-dev/cloud/blob/master/authorization/pb/service.proto#L9

    Trishia Yun (HyeJeong Yun)
    @Trishia
    If I try to use auth0.com for Device Auth, how can I set up for SDK auth with plgd Cloud?
    Ondrej Tomčík
    @ondrejtomcik
    In a same way. You just need to create 2 OAuth Clients in the Auth0.
    Trishia Yun (HyeJeong Yun)
    @Trishia
    Ok I got it. I will give it a try. Thanks.
    Ondrej Tomčík
    @ondrejtomcik
    By the way, to be able to test C2C, you don't have to deploy plgd cloud on your own. There is a free instance available.
    Trishia Yun (HyeJeong Yun)
    @Trishia
    How can i do that? You mean https://portal.try.plgd.cloud/ ?
    Ondrej Tomčík
    @ondrejtomcik
    Exactly.
    Could you please firstly describe your use-case; what do you want to achieve / test ?
    Trishia Yun (HyeJeong Yun)
    @Trishia
    I need target/origin OCF Cloud including D2C, C2C functions for Korean OCF developers.
    Ondrej Tomčík
    @ondrejtomcik
    Then feel free to use exactly https://portal.try.plgd.cloud where you can connect devices, where you can connect other cloud over C2C or connect this cloud to other cloud which supports C2C. In addition, you can use SDK to work with devices, or just postman
    Do you need to prepare some hands-on lab? Or Demo ?
    Trishia Yun (HyeJeong Yun)
    @Trishia
    I need hands-on lab.
    Ondrej Tomčík
    @ondrejtomcik
    Can you describe more? What developers shall be able to do ?
    Trishia Yun (HyeJeong Yun)
    @Trishia
    Some developers will try to connect OCF Cloud with their cloud enabled devices such as light switch, bulb, energy meter and bridge, while other developers will want to connect OCF Cloud with their own legacy cloud.
    Ondrej Tomčík
    @ondrejtomcik

    Okay, so the first group have devices based on the IoTivity-Lite - or this is what they will try to integrate? Integrate IoTivity-Lite and connect it to the cloud?

    Second group want to "retrieve" devices from the plgd cloud testing instance over C2C or they want to "mirror" their devices to plgd cloud testing instance.

    Trishia Yun (HyeJeong Yun)
    @Trishia
    So I have to offer every case tutorial or guide and running instance of OCF Cloud to them.
    Jozef Kralik
    @jkralik
    @Trishia The error which you send to @ondrejtomcik occurs because service doesn't load system CAs by default. To load system CAs you need to set ENV DIAL_FILE_USE_SYSTEM_CERTIFICATION_POOL=true for the service.
    Trishia Yun (HyeJeong Yun)
    @Trishia
    @jkralik
    Thanks in advance. I will give it a try now.
    Yorick Coleu
    @YorickColeu

    Hi,

    I have an issue making the cloud_server (from iotivity-lite project) works with plgd-dev cloud in secure mode.
    Here is how I make this work with the UNSECURE configuration:

    # Start UNSECURE cloud
    docker pull plgd/bundle:vnext
    docker container stop cloud ; docker container rm cloud ; \
    docker run -d --network=host --name=cloud -t plgd/bundle:vnext \
    -e COAP_GATEWAY_CLOUD_ID="00000000-0000-0000-0000-000000000001" \
    -e COAP_GATEWAY_UNSECURE_PORT="5683" \
    -e COAP_GATEWAY_UNSECURE_ADDRESS="0.0.0.0:5683" \
    -e "coap+tcp://127.0.0.1:5683" && \
    docker logs --follow cloud
    
    # Start unsecure device server
    git clone https://github.com/iotivity/iotivity-lite
    cd iotivity-lite/port/linux
    CLOUD=1 SECURE=0 make cloud_server
    ./cloud_server "cloud_server" "test" "coap+tcp://127.0.0.1:5683" "00000000-0000-0000-0000-000000000001" "test"

    I get the following output from cloud_server:

    Cloud Manager Status:
                    -Registered
                    -Token Expiry: 3599
    
    Cloud Manager Status:
                    -Registered
                    -Token Expiry: 3599
                    -Logged In
    get_handler:
    get_handler:

    But according to bundle/README.md, when it comes to secured device, the documentation says that the device must be owned, but I cannot discover the cloud_server device using onboarding_tool so, what am I supposed to do to own the cloud_server device?
    It also says that Cloud CA must be set as TRUST CA with subject COAP_GATEWAY_CLOUD_ID in device. I don't know how I can achieve that, because I don't know what is the "Cloud CA" (I suppose it is stored within the container in /data/certs/) and how I should set it as TRUST CA.

    Here is what I tried:

    # Start SECURE cloud
    docker pull plgd/bundle:vnext
    docker container stop cloud ; docker container rm cloud ; \
    docker run -d --network=host --name=cloud -t plgd/bundle:vnext \
    -e COAP_GATEWAY_CLOUD_ID="00000000-0000-0000-0000-000000000001" \
    -e COAP_GATEWAY_PORT="5684" \
    -e COAP_GATEWAY_ADDRESS="0.0.0.0:5684" \
    -e "coaps+tcp://127.0.0.1:5684" && \
    docker logs --follow cloud
    
    git clone https://github.com/iotivity/iotivity-lite
    cd iotivity-lite/port/linux
    CLOUD=1 SECURE=1 PKI=1 make cloud_server
    docker exec -it cloud cat /data/certs/root_ca.crt > ./pki_certs/cloudca.pem
    ./cloud_server "cloud_server" "test" "coaps+tcp://127.0.0.1:5684" "00000000-0000-0000-0000-000000000001" "test"

    And I get no output from cloud_server, it does not seems that the device fetch the cloud.

    Please note that I am able to run the secured cloud_server device using "cloud-test".

    Could you please help? Could you please elaborate the documentation to get me started with plgd-dev cloud using iotivity-lite cloud_server samples?

    Thanks in advance,

    Yorick

    Ondrej Tomčík
    @ondrejtomcik
    Hello Yorick. Thanks for your message. First issue I would investigate is the problem that you cannot discover your device. Were you able to discover it when you've used unsecure mode ?
    Jozef Kralik
    @jkralik
    @YorickColeu For the secure device you need have onboarding tool which own the device, setup ACLs and CA for cloud and then you can configure cloud resource for connect to the cloud. cloud_server works only for unsecure device.
    Yorick Coleu
    @YorickColeu

    Hi,

    @Ondrej, No, when I use the cloud_server tool provided by iotivity-lite project built with SECURE=0, I am not able to discover it with the iotivity-lite CLI onboarding_tool.
    However, I am able to onboard cloud_server when built with CLOUD=1 SECURE=1 PKI=1, I though that onboarding_tool didn't work at all but it actually does work with secure cloud_server.

    @Jozef, I am surpised that cloud_server works only for unsecure device, because I can make it work by applying the patch found at ./device-simulator/patches/devsim.diff, then build it with CLOUD=1 SECURE=1 PKI=1 (in the same way as in device-simulator), then it works fine with:

    docker run \
        --network=other \
        -v $(pwd)/.tmp/certs:/certs \
        -v $(pwd)/.tmp/home:/home \
        --user $(id -u):$(id -g) \
        -e HOME=/home \
        -e DIAL_TYPE="file" \
        -e DIAL_FILE_CA_POOL=/certs/root_ca.crt \
        -e DIAL_FILE_CERT_DIR_PATH=/certs \
        -e DIAL_FILE_CERT_NAME=http.crt \
        -e DIAL_FILE_CERT_KEY_NAME=http.key \
        -e LISTEN_TYPE="file" \
        -e LISTEN_FILE_CA_POOL=/certs/root_ca.crt \
        -e LISTEN_FILE_CERT_DIR_PATH=/certs \
        -e LISTEN_FILE_CERT_NAME=http.crt \
        -e LISTEN_FILE_CERT_KEY_NAME=http.key \
        -e TEST_COAP_GW_OVERWRITE_LISTEN_FILE_CERT_NAME=coap.crt \
        -e TEST_COAP_GW_OVERWRITE_LISTEN_FILE_KEY_NAME=coap.key \
        -e TEST_CLOUD_SID=adebc667-1f2b-41e3-bf5c-6d6eabc68cc6 \
        -e TEST_ROOT_CA_CRT=/certs/root_ca.crt \
         -e TEST_ROOT_CA_KEY=/certs/root_ca.key \
        -e ACME_DB_DIR=/home/certificate-authority \
        cloud-test \
        go test -mod=mod -race -p 1 -v ./... -covermode=atomic -coverprofile=/home/coverage.txt

    Also, now that I know that onboarding_tool works, I can onboard and provision the device accordingly to https://github.com/iotivity/iotivity-lite#step-1-onboard-and-provision-the-server, then I retrieve the SECURE cloud certificate with docker exec -it cloud cat /data/certs/root_ca.crt, then I feed the device with this cert using onboarding_tool [96] Install new manufacturer trust anchor command. I see some progress, the device now displays a failure status code instead of nothing:

    ./cloud_server "cloud_server" "test" "coaps+tcp://127.0.0.1:5684" "00000000-0000-0000-0000-000000000001"
     "test"
    device_name: cloud_server
    auth_code: test
    cis : coaps+tcp://127.0.0.1:5684
    sid: 00000000-0000-0000-0000-000000000001
    apn: test
    
    Cloud Manager Status:
                    -Failure

    Am I doing it right? Did I actually "ACL for Cloud" with this previous steps? How can I configure cloud resources?

    If cloud_server works only for unsecure device, which tool should I use?

    Thank you both for your support

    Jozef Kralik
    @jkralik
    @YorickColeu go test -mod=mod -race -p 1 -v ./... -covermode=atomic -coverprofile=/home/coverage.txt runs test's over the cloud and it uses OBT created at https://github.com/plgd-dev/cloud/blob/94017c96d583b787592fad384051921f07f1c1de/test/sdkclient.go#L42 and own the device over manufacturer ownership transfer method (https://openconnectivity.org/specs/OCF_Security_Specification_v2.2.0.pdf 7.3.6 - the patch ./device-simulator/patches/devsim.diff just set's manufacturer certificate and CA) at https://github.com/plgd-dev/cloud/blob/master/test/test.go#L221 and provides ACLs https://github.com/plgd-dev/cloud/blob/94017c96d583b787592fad384051921f07f1c1de/test/test.go#L224. CA was not set, because identity CA (configured during own) is same as cloud CA. In near future we want to provide mobile app for IOS/Android which discover the secure device, and onboard it to the bundle/portal.try.plgd.cloud.
    Jozef Kralik
    @jkralik

    You need to set /data/certs/root_ca.crt as trust anchor. The manufacturer trust anchor is used during ownership transfer method. For ACLs I'm not sure how to setup it via https://github.com/iotivity/iotivity-lite#step-1-onboard-and-provision-the-server - i used our sdk for that https://github.com/plgd-dev/sdk/tree/master/local

    Maybe:
    Run docker exec -it cloud cat /data/certs/root_ca.crt > ./pki_certs/cloudca.pem
    Run ./cloud_server "cloud_server" "test" "coaps+tcp://127.0.0.1:5684" "00000000-0000-0000-0000-000000000001" "test"
    and then onboarding_tool:
    [1] Discover un-owned devices
    [8] Just-Works Ownership Transfer Method
    [13] Provision ACE2 (to set ACLs wildcart for subjectid 00000000-0000-0000-0000-000000000001 with full access)

    and then wait for reconnect
    Yorick Coleu
    @YorickColeu
    Hi, it works now, thanks for your help! I did a pull request that modifies the documentation to make easier for a user to get started with plgd-dev cloud using iotivity-lite cloud samples: plgd-dev/cloud#115 . Feel free to merge or decline, or propose modifications.
    Ondrej Tomčík
    @ondrejtomcik
    @YorickColeu thank you for your contribution!
    Ondrej Tomčík
    @ondrejtomcik
    @YorickColeu Soon there will be an application in the Google Play and Apple Store which gives you the possibility to discover and onboard the device to the cloud. It's already done, just waiting for Google and Apple review.
    Ondrej Tomčík
    @ondrejtomcik
    @all plgd mobile app available for android! https://play.google.com/store/apps/details?id=dev.plgd.client iOS available soon.