Automated Provisioning for Nordic boards
With Factory provisioning for Nordic IoT devices, you can load on-device communication credentials and any cloud-related configuration at the factory level to automate secure device onboarding to Coiote IoT DM cloud.
Here's a tutorial to get you started with device provisioning, using a dedicated script found in the Anjay Zephyr Client repository.
- A Nordic board connected to your computer.
- Installed Go Programming language.
- Installed mcumgr command line tool.
- Zephyr development environment set up.
- An active Coiote DM cloud account.
- If you're using Windows: a way to run Linux scripts/tools, via WSL, Cygwin or other.
Please verify that the directory where you installed Go is in your PATH variable. If it's missing, please add it.
Provision the device using PSK
This section shows how to provision your device using a pre-shared key (PSK).
Before running the script some configuration should be set. Example configuration can be found in
endpoint_cfg contains LwM2M object settings that will be uploaded to the device. Set
RID.Security.SecretKey. Make sure that
RID.Security.Mode is set to
domain entry to reflect your domain in Coiote server. This file is needed if you wish the script to automatically add the new device to Coiote DM.
Get the Coiote DM Access Token
The provisioning script can register your device to Coiote DM automatically. You might use this option for the sake of this tutorial, but this is an optional step.
If you wish to skip device registration to Coiote DM, then call
First an access token needs to be generated.
```
#!/bin/bash
SERVER="https://eu.iot.avsystem.cloud"
echo "Enter your login credentials for $SERVER"
read -p "Login: " USER
# -s keeps the password from being echoed to the terminal
read -p "Password: " -s PASS
# Request an access token using the OAuth password grant
curl -X POST \
    -H "Content-Type:application/x-www-form-urlencoded" \
    --data-urlencode "grant_type=password" \
    --data-urlencode "username=$USER" \
    --data-urlencode "password=$PASS" \
    "$SERVER/api/auth/oauth_password"
```
If you're using Linux, run chmod u+x get_token.sh to give execute rights. Under Windows you can use the GUI to allow execution of this file.
Run ./get_token.sh. The script will ask you for your login and password for eu.iot.avsystem.cloud; please provide them.
If a JSON structure containing "access_token" appears, you're ready to proceed. Copy your token.
The token received is valid only for a short period of time.
For more information on how to acquire the access token, see REST API authentication.
Run provisioning tool
After creating the correct configuration for provisioning, make sure that the west configuration is correct and that manifest.path is set to an absolute path.
```
cd Anjay-zephyr-client/demo
./../tools/provisioning-tool/ptool.py -b nrf9160dk_nrf9160_ns -s <SERIAL> \
    -c ../tools/provisioning-tool/configs/endpoint_cfg -t <TOKEN> \
    -S ../tools/provisioning-tool/configs/lwm2m_server.json \
```
<SERIAL> should be the USB serial number of the connected board. You can check the serial number of your board by running: nrfjprog -i. The <TOKEN> should be the token acquired in the previous step.
To see all of the options available in the script run
If everything went well then your device should be visible in Coiote DM.
Provisioning the device using certificates
Now we will show how to provision the device using certificates. This method is very similar to provisioning the device with PSK and requires just a few additional steps.
You may need to remove the device from Coiote if you finished the steps in the previous section and the device is already registered. Coiote will not allow registration of a device with the same name.
Like in the PSK example we will modify the configuration found in
In this step we will use the endpoint_cfg_cert configuration file instead of endpoint_cfg. You may verify that RID.Security.Mode is set to 2 in this configuration.
domain entry to reflect your domain in Coiote server.
cert_info.json. This file contains information for generating a self-signed certificate. This configuration is needed only if the user doesn't want to provide certificates generated earlier.
Get the certificate for
openssl s_client -showcerts eu.iot.avsystem.cloud:5684 > /tmp/server.pem to download the server certificate and then
openssl x509 -outform der -in /tmp/server.pem -out /tmp/server.der to convert it to DER format.
The above two commands assume you use a Linux OS and write the certificate to the /tmp directory. If using Windows, modify the commands by replacing "/tmp" with some other valid directory.
Getting Coiote Access Token
Repeat this step from previous section to acquire a new token.
Run provisioning tool
Similar to the example with PSK run:
```
cd Anjay-zephyr-client/demo
./../tools/provisioning-tool/ptool.py -b nrf9160dk_nrf9160_ns -s <SERIAL> \
    -c ../tools/provisioning-tool/configs/endpoint_cfg_cert -t <TOKEN> \
    -S ../tools/provisioning-tool/configs/lwm2m_server.json \
    -C ../tools/provisioning-tool/configs/cert_info.json -p /tmp/server.der
```
If you prefer using your own certificates rather than letting the script create a self-signed cert, you can use option
-k for providing endpoint private key
-r to provide endpoint public cert. Also please remove option
-r should use absolute paths.
By default the script generates certificates for the device using P-384 elliptic curve.
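The /tmp/server.der file passed with -p above comes straight from a network connection, so it is worth comparing it with a fingerprint obtained out of band before it is written to devices. The following is an added example, not part of the Anjay Zephyr Client tooling: it extracts the first certificate from saved s_client output (the one openssl x509 converts) and checks its SHA-256 fingerprint against a pin. The function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def first_cert_der(s_client_output: str) -> bytes:
    """Return the DER bytes of the first PEM block in saved s_client output."""
    match = PEM_RE.search(s_client_output)
    if match is None:
        # A failed handshake still leaves a file behind, just without a certificate.
        raise ValueError("no certificate in s_client output")
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def sha256_fingerprint(der: bytes) -> str:
    """Lowercase hex SHA-256 digest of the DER encoding."""
    return hashlib.sha256(der).hexdigest()

def matches_pin(der: bytes, pinned_hex: str) -> bool:
    """Compare with a fingerprint obtained out of band (colons and case ignored)."""
    normalized = pinned_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(sha256_fingerprint(der), normalized)

def _pem(der: bytes) -> str:
    """Wrap bytes in PEM armour (used only to build the sample below)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

# Constructed sample: placeholder bytes stand in for real DER certificates.
LEAF = b"constructed-leaf-certificate" * 4
ISSUER = b"constructed-issuer-certificate" * 4
SAMPLE_OUTPUT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n 0 s:CN = example.invalid\n"
    + _pem(LEAF) + " 1 s:CN = Constructed CA\n" + _pem(ISSUER) + "---\n"
)

if __name__ == "__main__":
    der = first_cert_der(SAMPLE_OUTPUT)
    pin = sha256_fingerprint(LEAF)  # in practice: a value obtained out of band
    print("fingerprint:", sha256_fingerprint(der))
    print("pin match:", matches_pin(der, pin))
```

The pin can be given in the colon-separated form printed by openssl x509 -noout -fingerprint -sha256; a mismatch or a missing certificate should stop provisioning.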
Connecting device to Coiote
The certificates for the device need to be uploaded by hand. To do this, follow these steps:
Log in to Coiote DM
On the left side choose
Administration -> DTLS/TLS certificates
Add File, in a popup window enter a name and upload the public certificate. The self signed certificate generated by the script should be in
If everything went well, you should see your new certificate and the device should be ready to connect to Coiote.