Sample configurations as MQTT/TLS client

The following paragraphs describe how to connect the SpringCore device to the SpringCard MQTT server for testing purposes, or to your own MQTT server, using only ECC key 0D and predefined SpringCard-supplied certificate 0D.

Please refer to the free SpringCard SDK for SpringCore+MQTT (available on GitHub) for details: https://github.com/springcard/springcard.springcore-mqtt.sdk (WARNING: PRELIMINARY INFORMATION - SERVICE IS NOT YET AVAILABLE).

Connecting to mqtt.springcard.com

Principles

mqtt.springcard.com is a MQTT server set-up and managed by SpringCard to help customers test and adopt the SpringCore+MQTT architecture.

The certificate of the SpringCore Client CA is already known by the MQTT server and any client owning a certificate signed by this CA is allowed to connect. Therefore, any genuine SpringCore device is allowed to connect to this server and to publish (within its own topic).

The MQTT server features a readonly, open access through its WebSocket port, and the web page https://mqtt.springcard.com shows the message that are pushed by the devices in realtime. Alternatively developers may use a PC-based MQTT client software (such as MQTT Explorer) to connect (with a readonly access) to the MQTT server. The procedure to obtain a client certificate is detailed in the SDK.

This is usefull for developments, tests and demos, but shall not be used for production since all the messages going through the server could be observed publicly.

Device configuration

To connect your SpringCore device to publish on mqtt.springcard.com, configure the device as follow:

Register Content
0280 IPv4 Settings IPv4 parameters (address, mask, gateway, DNS servers)
Leave empty for DHCP operation
0286 MQTT : Server Hostname of MQTT server:
"mqtt.springcard.com"
0287 MQTT : Port Listen port of the MQTT server
Leave empty for default value 8883
0288 MQTT : TLS Options Use the following settings:
- TLS enabled
- SNI enabled
- Verify CN (Server Name)
- Verify server certificate
- Verify public key only
- Server certificate is in slot 7 (07)
- Enable client authentication
- Client certificate is in slot 13 (0D)
- Client private key is in ATECC
- Client private key is in slot 13 (0D)
- Don't chain CA certicate with client certificate

The value to put in the register is therefore 13078D4D00
0289 MQTT : Client Options Use the following settings:
- QoS used for subscribing: 1
- QoS used for publishing: 1
- Don't create topic before subscribe
- Disable Last Will Message
- Disable Retained Messages
- Connection timeout: 30s
- Response timeout: 3s
- Keep alive interval: 10s
- Status publish interval: 30s
- Reconnect interval: 30s

The value to put in the register is therefore 5014030A1E1E
028B MQTT : Login Must be empty. Authentication relies on TLS certificate and private key only.
028C MQTT : Password Must be empty. Authentication relies on TLS certificate and private key only.
028D MQTT : Client ID Leave empty. Doing so, the device uses its Serial Number as Client ID.
028E MQTT : Topic prefix Leave empty. Doing so, the device's topics are under "springcard/springcore".
028F MQTT : Device ID Leave empty. Doing so, the device uses its Serial Number as Device ID.
02C0 Main configuration : Profile Set to 64 for Smart Reader operation through MQTT client

The certificate of the server need to be stored at the slot 7 in the device.

If you have the SpringCore Tools installed, just run the command

> SpringCoreConfig --url https://docs.springcard.com/books/SpringCore/Appendixes/PKI_keys_and_certificates/TLS_client_with_default_certificate/springcore-mqtt-springcard.json

(you may have to specifiy how the software shall connect to the SpringCore device at the end of the command-line).

You may also download the springcore-mqtt-springcard.json file manually and edit its content as required.

Testing

Launch a web browser and go to mqtt.springcard.com to see the events coming from active SpringCore devices in realtime.

Reset your SpringCore device to apply the new configuration, and watch for its serial number (DeviceId) in the incoming event.

Connecting to AWS IoT Core

WARNING: PRELIMINARY INFORMATION - SERVICE IS NOT YET AVAILABLE

Amazon Web Services (AWS) is the most popular cloud service provider in the world. AWS IoT is a set of protocols and services specifically designed to connect IoT devices with cloud solutions. AWS IoT Core is a message broker that supports a subset of the MQTT protocol.

SpringCard has set-up an AWS IoT Core MQTT instance and makes it available to its customers for development, test and demonstration purposes.

The certificate of the SpringCore Client CA is already known by this instance of AWS IoT Core, and any client owning a certificate signed by this CA is allowed to connect. Therefore, any genuine SpringCore device is allowed to connect to this instance and to publish (within its own topic).

The MQTT server features a readonly, open access through its WebSocket port, and the web page https://mqtt.springcard.com shows the message that are pushed by the devices in realtime. Alternatively developers may use a PC-based MQTT client software (such as MQTT Explorer) to connect (with a readonly access) to the MQTT server. The procedure to obtain a client certificate is detailed in the SDK.

This is usefull for developments, tests and demos, but shall not be used for production since all the messages going through the server could be observed publicly.

Device configuration

To connect your SpringCore device to publish on mqtt.springcard.com, configure the device as follow:

Register Content
0280 IPv4 Settings IPv4 parameters (address, mask, gateway, DNS servers)
Leave empty for DHCP operation
0286 MQTT : Server Hostname of MQTT server:
"acztxc1o83ew9-ats.iot.us-west-2.amazonaws.com"
0287 MQTT : Port Listen port of the MQTT server
Leave empty for default value 8883
0288 MQTT : TLS Options Use the following settings:
- TLS enabled
- SNI enabled
- Verify CN (Server Name)
- Verify PKI
- Verify public key only
- Server certificate is in slot 8 (08)
- Enable client authentication
- Client certificate is in slot 13 (0D)
- Client private key is in ATECC
- Client private key is in slot 13 (0D)
- The CA of the client certificate shall be chained with the client certificate itself
- CA of the client certificate is in slot 15 (0F)

The value to put in the register is therefore 3F098D4D8F
0289 MQTT : Client Options To be written
The value to put in the register is therefore 561E3C3C
028B MQTT : Login Must be empty. Authentication relies on TLS certificate and private key only.
028C MQTT : Password Must be empty. Authentication relies on TLS certificate and private key only.
028D MQTT : Client ID Leave empty. Doing so, the device uses its Serial Number as Client ID.
028E MQTT : Topic prefix Leave empty. Doing so, the device's topics are under "springcard/springcore".
028F MQTT : Device ID Leave empty. Doing so, the device uses its Serial Number as Device ID.
02C0 Main configuration : Profile Set to 64 for Smart Reader operation through MQTT client

If you have the SpringCore Tools installed, just run the command

> SpringCoreConfig --url https://docs.springcard.com/books/SpringCore/Appendixes/PKI_keys_and_certificates/TLS_client_with_default_certificate/springcore-mqtt-aws-europe.json

(you may have to specifiy how the software shall connect to the SpringCore device at the end of the command-line).

You may also download the springcore-mqtt-aws-europe.json file manually and edit its content as required.

Testing

To be written