Skip to content

Latest commit

 

History

History
73 lines (58 loc) · 2.4 KB

README.md

File metadata and controls

73 lines (58 loc) · 2.4 KB

Foundries.io allows customers to own/manage their own PKI for their factory's device-gateway. This project provides a reference example of an lmp-device-register compatible API that can be used with a customer owned intermediate certificate authority.

This code can be used as-is or forked to accomodate the specific customer manufacturing needs.

Requirements:

  • docker-compose
  • git
  • access to your PKI files created/managed via fioctl

Quick Start

First create/register your PKI with Foundries.io:

  $ fioctl keys ca create /really-secure-directory

Next set this project up with:

 $ git clone https://github.com/foundriesio/factory-registration-ref
 $ cd factory-registration-ref
 $ docker-compose build

Now copy the required files to this service:

 $ mkdir -p ./data/certs
 $ cp /really-secure-directory/factory_ca.pem ./data/certs/
 $ cp /really-secure-directory/local-ca.pem ./data/certs/
 $ cp /really-secure-directory/local-ca.key ./data/certs/
 $ cp /really-secure-directory/tls-crt ./data/certs/

 # some of these files are only readable to the file owner. To deal with
 # docker user permissions the easy way:
 chmod +r ./data/certs/*

You can optionally copy a Foundries.io API token (scope devices:create) so that devices can be defined/configured before the certificate is returned back to the device. This can be used for setting up device-groups and config so that a device's first boot will include the proper configuration:

  # echo <TOKEN> > ./data/fio-api-token

If you are using a Foundries domain which is not app.foundries.io, (i.e. MEDs), then ensure that you configure accordingly the URL used for your domain:

export DEVICE_REGISTRATION_API=https://api.<dns-domain>/ota/devices/

NOTE If you want to skip the SSL verification, also use export VERIFY_SSL=False.

You can now run this API with:

 $ docker-compose up

To register a device, run as root from LmP device:

 $ DEVICE_API=http://<IP of docker-compose host>/sign lmp-device-register [-T <TOKEN>] [-f <factory>]

NOTE If you're emulating the device with QEMU, by default the gateway (host) IP is 10.0.2.2. (i.e. sudo DEVICE_API=http://10.0.2.2:80/sign lmp-device-register [-T <TOKEN>] [-f <factory>])

Testing/Troubleshooting

This project includes a simple fake-lmp-device-register that can be used to quickly test this project's API. (More info)