Device Onboarding End-to-End Use Case
This tutorial describes how to use the device onboarding system:
Onboard the Fast IDentity Online (FIDO) device.
Register the new device in ThingsBoard*.
Set up a secure TLS connection for communication.
Load specified applications (containers) to the EI for AMR device.
The following sequence chart is a simplified presentation of the onboarding flow:
You must do all sections of this tutorial in order.
Prerequisites: The robot and the server are configured as instructed in the Get Started Guides.
Configuring the server: Get Started Guide for Robot Orchestration.
Configuring the robots: Get Started Guide for Robots.
For this use case, the following machines are used.
Machine A-1 is the Intel® Smart Edge Open control plane which deploys ThingsBoard* to Machine A-2.
NOTE: The ThingsBoard* docker image is installed on a worker node on a different machine than the Intel® Smart Edge Open control plane. However, the ThingsBoard* GUI can be accessed using the Intel® Smart Edge Open control plane IP and mapped port.
Machine B is the EI for AMR target that you want to onboard. Machine B:
executes amr-fdo-client in terminal 1.
executes edge-server-fdo-manufacturer in terminal 2.
uses terminal 3 for configuration and control.
Machine C executes the rendezvous and owner servers:
edge-server-fdo-owner is on terminal 1.
edge-server-fdo-rendezvous is on terminal 2.
Minimum Install Requirements on the EI for AMR Device
Machine B: Download, and install the latest release.
Go to the Product Download page.
Select Robot and Server Complete Kit.
Click Download.
Copy the zip file to your target system.
Extract and install the software:
unzip edge_insights_for_amr.zip
cd edge_insights_for_amr
chmod 775 edgesoftware
export no_proxy="127.0.0.1/32,devtools.intel.com"
./edgesoftware download
./edgesoftware list
NOTE: Get the ID for Docker Community Edition CE and for Docker Compose from the list output:
./edgesoftware update <ID_Docker Community Edition CE> <ID_Docker Compose>
./edgesoftware docker --pull amr-fleet-management:<docker_tag>
sudo groupadd docker
sudo usermod -aG docker $USER
newgrp docker
source /etc/environment
All images in the FDO pipeline are self-contained and require minimal configuration. Configuration settings are all handled by external environment files, but some of those files must be generated first by running the fdo_keys_gen.sh script:
cd <edge_insights_for_amr_path>/Edge_Insights_for_Autonomous_Mobile_Robots_<version>/AMR_server_containers/01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/
chmod +x fdo_keys_gen.sh
bash fdo_keys_gen.sh .
Copy the generated certificates to Machine C:
scp -r creds/ machine_c_user@machine_c_ip:/<path_to_edge_insights_for_amr>/AMR_server_containers/01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/
Make sure that password-less ssh access for root is set on all machines:
sudo nano /etc/ssh/sshd_config
Add the following line at the end of the file:
PermitRootLogin yes
After the /etc/ssh/sshd_config is updated, restart the ssh service:
sudo service ssh restart
sudo su
service ssh restart
ssh-keygen
exit
Build FDO Docker* Images
These steps have to be re-executed if a terminal is closed.
Machine B, C- all terminals:
export DISPLAY=0:0
cd <edge_insights_for_amr_path>/Edge_Insights_for_Autonomous_Mobile_Robots_<version>/AMR_containers/
Machine B- all terminals:
export no_proxy=<no_proxy>,ip_from_machine_C,ip_from_machine_B,localhost
sudo su
source 01_docker_sdk_env/docker_compose/05_tutorials/config/docker_compose.source
docker tag amr-fleet-management:<docker_tag> amr-fleet-management:latest
Machine B, C- all terminals: Prepare the environment setup:
source 01_docker_sdk_env/docker_compose/05_tutorials/config/docker_compose.source
NOTE: Set up the environment in each new terminal on which you want to run docker-compose commands.
Machine C- terminal 1: Get the DNS:
sudo cat /run/systemd/resolve/resolv.conf
Machine B- terminal 1: Build the FDO client:
Before building the FDO Client image, there are a variety of configuration flags that can be adjusted.
Open 01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/manufacturer/service.yml:
cd <edge_insights_for_amr_path>/Edge_Insights_for_Autonomous_Mobile_Robots_<version>/AMR_server_containers
nano 01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/manufacturer/service.yml
Add the following lines, replacing the placeholders with the DNS obtained in the Get the DNS step on Machine C and with the IP address of the rendezvous server (Machine C):
rv-instruction:
  dns: <dns_from_step_4>
  ip: <ip_from_machine_C>
Build the image:
cd <edge_insights_for_amr_path>/Edge_Insights_for_Autonomous_Mobile_Robots_<version>/AMR_containers
docker-compose -f ./01_docker_sdk_env/docker_compose/01_amr/amr-sdk.all.yml build fdo-client
Machine B- terminal 2: Build the manufacturer server image:
cd <edge_insights_for_amr_path>/Edge_Insights_for_Autonomous_Mobile_Robots_<version>/AMR_containers
docker-compose -f ./01_docker_sdk_env/docker_compose/02_edge_server/edge-server.all.yml build fdo-manufacturer
Machine C- terminal 1: Build the owner server image:
cd <edge_insights_for_amr_path>/Edge_Insights_for_Autonomous_Mobile_Robots_<version>/AMR_containers
docker-compose -f ./01_docker_sdk_env/docker_compose/02_edge_server/edge-server.all.yml build fdo-owner
Machine C- terminal 2: Build the rendezvous server image:
cd <edge_insights_for_amr_path>/Edge_Insights_for_Autonomous_Mobile_Robots_<version>/AMR_containers
docker-compose -f ./01_docker_sdk_env/docker_compose/02_edge_server/edge-server.all.yml build fdo-rendezvous
Set Up the Intel® Smart Edge Open Controller on Machine A-1
Make sure that the common name is the hostname of Machine A-1.
Install the Eclipse Mosquitto* broker and client for device onboarding and application over-the-air (AOTA) message queuing telemetry transport (MQTT) messages:
sudo apt-add-repository ppa:mosquitto-dev/mosquitto-ppa
sudo apt-get update
sudo apt-get install mosquitto
sudo apt-get install mosquitto-clients
sudo apt clean
Generate the CA certificate, the server.key and the server certificate for Mosquitto secure sockets layer (SSL):
cd /etc/mosquitto/certs
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 360
NOTE: Use the machine hostname of Machine A as the common name.
Update /etc/mosquitto/mosquitto.conf:
# Place your local configuration in /etc/mosquitto/conf.d/
#
# A full description of the configuration file is at
# /usr/share/doc/mosquitto/examples/mosquitto.conf.example
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
listener 18883
allow_anonymous true
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
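The listener block above enables TLS on port 18883 but also sets allow_anonymous true, so the broker proves its identity to clients while accepting any client that can reach the port. The following Python script is an added example for this tutorial, not part of Mosquitto or of the EI for AMR release: it parses a mosquitto.conf, groups options per listener and reports that posture, comparing the configuration from this page with a constructed hardened variant (allow_anonymous false plus require_certificate true, which makes clients present a certificate signed by ca.crt). The option semantics it relies on, that TLS options belong to the listener they follow while allow_anonymous is global unless per_listener_settings is true, are taken from the Mosquitto documentation.

```python
"""Parse a mosquitto.conf and report the security posture of each listener.

Added example for this tutorial (not part of the EI for AMR release or of
Mosquitto). PAGE_CONF is the listener block the tutorial asks for;
HARDENED_CONF is a constructed variant used for comparison.
"""

# Constructed input: the configuration this page puts in /etc/mosquitto/mosquitto.conf.
PAGE_CONF = """\
# Place your local configuration in /etc/mosquitto/conf.d/
persistence true
persistence_location /var/lib/mosquitto/
log_dest file /var/log/mosquitto/mosquitto.log
include_dir /etc/mosquitto/conf.d
listener 18883
allow_anonymous true
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key
"""

# Constructed variant: same TLS listener, but anonymous clients are refused and
# every client must present a certificate signed by ca.crt.
HARDENED_CONF = (PAGE_CONF.replace("allow_anonymous true", "allow_anonymous false")
                 + "require_certificate true\n")


def parse_mosquitto_conf(text):
    """Return (global_options, listeners).

    Options are grouped with the most recent `listener` line that precedes them,
    which is how Mosquitto scopes listener-specific options such as cafile.
    """
    global_opts = {}
    listeners = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "listener":
            current = {"port": int(value.split()[0])}   # "listener <port> [bind-address]"
            listeners.append(current)
        else:
            current[key] = value
    return global_opts, listeners


def listener_findings(listener, global_opts):
    """Findings for one listener; an empty list means nothing was flagged."""
    findings = []
    if not all(k in listener for k in ("cafile", "certfile", "keyfile")):
        findings.append("no TLS: cafile/certfile/keyfile missing, MQTT traffic is in clear text")
    # allow_anonymous is global unless per_listener_settings is true, so fall back to the globals.
    anonymous = listener.get("allow_anonymous", global_opts.get("allow_anonymous", "false"))
    if anonymous.lower() == "true":
        findings.append("allow_anonymous true: any client that reaches the port can publish and subscribe")
    if listener.get("require_certificate", "false").lower() != "true":
        findings.append("require_certificate not set: the broker is authenticated, clients are not")
    return findings


def audit(text):
    """Map listener port -> list of findings for every listener in the config text."""
    global_opts, listeners = parse_mosquitto_conf(text)
    return {l["port"]: listener_findings(l, global_opts) for l in listeners}


if __name__ == "__main__":
    for name, conf in (("page", PAGE_CONF), ("hardened", HARDENED_CONF)):
        for port, findings in audit(conf).items():
            print(f"[{name}] listener {port}: {findings or 'no findings'}")
```

Run it against the real file with `audit(open("/etc/mosquitto/mosquitto.conf").read())`; files pulled in through include_dir are not followed, so check those separately.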
Go to <edge_insights_for_amr_path>/Edge_Insights_for_Autonomous_Mobile_Robots_<release>, and update the mqtt_onboard_aota.py file with the control plane hostname:
cd 01_docker_sdk_env/docker_orchestration/ansible-playbooks/02_edge_server/smart_edge_open/
chmod +x *.sh
nano mqtt_onboard_aota.py
DEFAULT_MQTT_HOST = "<Machine_A_HOSTNAME>"
Start the MQTT onboard AOTA script:
ufw allow 18883
python3 mqtt_onboard_aota.py &
For errors, go to Troubleshooting.
Set Up ThingsBoard* on Machine A-2
Open a browser, use the controller IP, and open <IP Address>:32764. Use the following credentials:
account: tenant@thingsboard.org
password: tenant
Go to the Rule Chain page, and select MQTT_SEO.
Assign the Machine A-1 IP to the variable Host*.
Select the Enable SSL option.
Assign PEM to the variable Credentials.
Upload the /etc/mosquitto/certs/server.crt certificate that was generated above, and apply the changes.
Initialize FDO
Machine B- terminal 3: FDO has to transfer some information (e.g. the ThingsBoard* device provision token or the TLS certificate) to the fleet-management Intel® In-Band Manageability container. For this purpose the host folder /etc/tc is used.
sudo mkdir /etc/tc
Machine B- terminal 3: Adjust the Python script 01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/scripts/register_with_tb.py to your setup:
cd <edge_insights_for_amr_path>/Edge_Insights_for_Autonomous_Mobile_Robots_<version>/AMR_server_containers/
nano 01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/scripts/register_with_tb.py
Update with the following values:
Assign the Machine A IP to the variable tb_address
Assign the ThingsBoard* HTTP port to the variable tb_port (for example, 9000).
NOTE: For Intel® Smart Edge Open setup, the tb_port is 32764.
Assign the values for device_key and device_secret with the values obtained from the ThingsBoard* web interface. Go to Thingsboard > Device Profiles > Device Profiles details > Device Provisioning.
In preconfigured data, the following are set in ThingsBoard*:
device_key = "9oq7uxtdsgt4yjyqdekg"
device_secret = "6z3j3osphpr8ck1b9ocp"
Machine B- terminal 3: Adjust the Python script 01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/scripts/register_with_tbtc.py for your setup. Use a block copy to follow the script file formatting.
nano 01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/scripts/register_with_tbtc.py
Update with the following values:
Assign the Machine C IP to the variable IP.
Assign the Machine A-1 IP to the variable tb_address.
Assign the ThingsBoard* HTTP port to the variable tb_port (for example, 9000).
NOTE: For Intel® Smart Edge Open setup, tb_port is 32764.
Assign the ThingsBoard* MQTT TLS port to the variable tb_mqtt_port (for example, 8883).
NOTE: For Intel® Smart Edge Open setup, tb_mqtt_port is 32767.
Machine A-1: Get the SSH public key, and assign it to the variable ssh_public_key. The public key is generated by the ssh-keygen tool.
Machine A-2: Get the ThingsBoard* TLS certificate, and assign it to the variable tb_pem (refer to the certificate generation in the Get Started Guide for Robot Orchestration). The certificate is used for the transport layer security (TLS) communication between Intel® In-Band Manageability and ThingsBoard*.
Example (the dotted lines stand for parts of the script that are not shown):
...........................
        s.connect(('10.255.255.255', 1))
        IP = s.getsockname()[0]
    except Exception:
        IP = 'ip_from_machine_C'
    finally:
        s.close()
    return IP

# Thingsboard IP-Address. Default is localhost, update if multisystem is desired
tb_address = "http://<machine_A_IP>"  # TB Server
# Thingsboard Docker Image http port
tb_port = 9090  # for SEO use 32764
# Thingsboard Docker Image mqtt port (typical 1883-nonSSL or 8883 SSL); req. by TurtleCreek
tb_mqtt_port = 8883  # for SEO use 32767
...........................
# Important: Don't use this certificate, replace it by your own!!
tb_pem = "-----BEGIN CERTIFICATE-----\n"+\
    <add here the output of "cat /etc/thingsboard/conf/server.pub.pem" from Machine A-2, as a string>+\
    "-----END CERTIFICATE-----\n"
...........................
# This key-value is an example and there is no matching private key
# Important: create your own SSH key and copy the public key here in the string.
ssh_public_key = "<the output of: cat ~/.ssh/id_rsa.pub on Machine A-1>"
Machine B- terminal 3: Edit 01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/scripts/multi_machine_config.sh, and set the following variables:
nano 01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/scripts/multi_machine_config.sh
Update with the following values:
Assign the value from 01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/creds/manufacturer/service.env to the variable mfg_api_passwd.
cat 01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/creds/manufacturer/service.env
Assign the value from 01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/creds/owner/service.env to the variable default_onr_api_passwd.
cat 01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/creds/owner/service.env
Assign the Machine C DNS to the variables rv-dns and owner-dns.
Assign the Machine C IP to the variables rv-ip and owner-ip.
Replace the http://localhost:8042 in the second curl command with http://MACHINE_C_IP:8042.
Example (without the curly brackets; the dotted line stands for parts of the script that are not shown):
mfg_api_passwd={manufacturer_api_password_from_service.env}
onr_api_passwd={owner_api_password_from_service.env}
.......................................................
# Updating RVInfo blob in Manufacturer
# Replace localhost, {rv-dns} and {rv-ip} references with respective DNS and IP address of the host machine
curl -D - --digest -u "${api_user}":"${mfg_api_passwd}" --location --request POST 'http://localhost:8039/api/v1/rvinfo' \
  --header 'Content-Type: text/plain' \
  --data-raw '[[[5,"dns"],[3,8040],[12,1],[2,"ip_from_machine_C"],[4,8040]]]'
# Updating T02RVBlob in Owner
# Replace localhost, {owner-ip} and {owner-dns} references with respective DNS and IP address of the host machine
curl -D - --digest -u "${api_user}":"${onr_api_passwd}" --location --request POST 'http://<ip_from_machine_c>:8042/api/v1/owner/redirect' \
  --header 'Content-Type: text/plain' \
  --data-raw '[["ip_from_machine_C","dns",8042,3]]'
Machine B- terminal 3: Edit 01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/scripts/extend_upload.sh, and set the following variables:
nano 01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/scripts/extend_upload.sh
Update with the following values:
Assign the value from 01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/creds/manufacturer/service.env to the variable default_mfg_api_passwd.
cat 01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/creds/manufacturer/service.env
Assign the value from 01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/creds/owner/service.env to the variable owner_api_password_from_machine.
cat 01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/creds/owner/service.env
Assign the Machine B IP to the variable default_mfg_ip.
Assign the Machine C IP to the variable default_onr_ip.
Example:
default_mfg_ip="<ip_from_machine_B>"
default_onr_ip="<ip_from_machine_C>"
...........................
default_mfg_api_passwd="<manufacturer_api_password_from_service.env>"
default_onr_api_passwd="<owner_api_password_from_service.env>"
Machine B- terminal 3: Edit 01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/scripts/configure_serviceinfo.sh, and set the following variables:
Assign the Machine C IP to the variable OWNER_IP.
Onboard
FDO is a new IoT standard built on the Intel® Secure Device Onboard (Intel® SDO) specifications. It is the first step in onboarding a device. The FDO specification defines four entities:
Device: the EI for AMR device plus the FDO client (the FDO client supports the FDO protocol)
Manufacturer Server: the entity that is responsible for the initial steps of the FDO protocol and for loading credentials onto the device; it is also a part of the production flow of the AMR device
Owner Server: the entity that sends all required data (for example, keys and certificates) to the device in the final protocol step TO2
Rendezvous Server: the first contact point for the device after you switch the device on and configure it for network communication. The rendezvous server sends the device additional information, for example, how to contact the owner server entity.
All containers, including the client, follow this command structure:
docker-compose -f <.yml path used during build stage> up <fdo service name>
Machine B- terminal 2: Run the manufacturer server:
cd <edge_insights_for_amr_path>/Edge_Insights_for_Autonomous_Mobile_Robots_<version>/AMR_server_containers/
docker-compose -f 01_docker_sdk_env/docker_compose/02_edge_server/edge-server.all.yml up fdo-manufacturer
Machine C- terminal 1: Run the owner server:
cd <edge_insights_for_amr_path>/Edge_Insights_for_Autonomous_Mobile_Robots_<version>/AMR_server_containers/
docker-compose -f 01_docker_sdk_env/docker_compose/02_edge_server/edge-server.all.yml up fdo-owner
Machine C- terminal 2: In a new terminal window, run the rendezvous server:
cd <edge_insights_for_amr_path>/Edge_Insights_for_Autonomous_Mobile_Robots_<version>/AMR_server_containers/
docker-compose -f 01_docker_sdk_env/docker_compose/02_edge_server/edge-server.all.yml up fdo-rendezvous
Machine B- terminal 1: Run the client:
cd <edge_insights_for_amr_path>/Edge_Insights_for_Autonomous_Mobile_Robots_<version>/AMR_server_containers/
sudo su
docker-compose -f 01_docker_sdk_env/docker_compose/01_amr/amr-sdk.all.yml up fdo-client
After running the FDO client for the first time, the device initialization (DI) is complete. FDO client log snippet:
amr-sdk-fdo-client | 09:56:55:433 FDOProtDI: Received message type 13 : 1 bytes
amr-sdk-fdo-client | 09:56:55:433 Writing to Normal.blob blob
amr-sdk-fdo-client | 09:56:55:433 Hash write completed
amr-sdk-fdo-client | 09:56:55:434 HMAC computed successfully!
amr-sdk-fdo-client | 09:56:55:434 Writing to Secure.blob blob
amr-sdk-fdo-client | 09:56:55:434 Generating platform IV of length: 12
amr-sdk-fdo-client | 09:56:55:434 Generating platform AES Key of length: 16
amr-sdk-fdo-client | 09:56:55:434 Device credentials successfully written!!
amr-sdk-fdo-client | (Current) GUID after DI: <GUID>
amr-sdk-fdo-client | 09:56:55:434 DIDone completed
amr-sdk-fdo-client | 09:56:55:434
amr-sdk-fdo-client | ------------------------------------ DI Successful --------------------------------------
amr-sdk-fdo-client | @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
amr-sdk-fdo-client | @FIDO Device Initialization Complete@
amr-sdk-fdo-client | @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
amr-sdk-fdo-client exited with code 0
NOTE: When starting the FDO containers, start the FDO client image last, because the FDO client immediately begins reaching out to the manufacturer server to complete device initialization (DI), and it only attempts this connection a few times before exiting. If the FDO client connects to the manufacturer server successfully, the manufacturer server assigns a GUID to the FDO client and generates an ownership voucher for use in the rest of the pipeline.
Machine B- terminal 3: Move into the script folder.
NOTE: Run the FDO scripts on Machine B as root.
cd 01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/scripts/
chmod +x *
sudo su
export no_proxy=<no_proxy>,ip_from_machine_C,ip_from_machine_B,localhost
Machine B- terminal 3:
./multi_machine_config.sh
Expected output:
HTTP/1.1 401
WWW-Authenticate: Digest realm="Authentication required", qop="auth", nonce="1652260953609:a1f80c513623b4c7b87292c054d5d650", opaque="4F6AB1DF45A94C67D59892BC7DB6B6B4"
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 673
Date: Wed, 11 May 2022 09:22:33 GMT

HTTP/1.1 200
Content-Length: 0
Date: Wed, 11 May 2022 09:22:33 GMT

HTTP/1.1 401
WWW-Authenticate: Digest realm="Authentication required", qop="auth", nonce="1652260953705:0e2856e16da3eb830dca777a34f1f154", opaque="E11DE6169652A5495FC93933790D1A04"
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 673
Date: Wed, 11 May 2022 09:22:33 GMT

HTTP/1.1 200
Content-Length: 0
Date: Wed, 11 May 2022 09:22:33 GMT
Machine B- terminal 3:
./configure_serviceinfo.sh
Expected output:
Upload Device execution script to Owner Server
HTTP/1.1 401
WWW-Authenticate: Digest realm="Authentication required", qop="auth", nonce="1652941145981:e5cdb0c180cd069360cd159fdcadccde", opaque="BE4E73265635CC0D98F9430BABA64DBE"
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 673
Date: Thu, 19 May 2022 06:19:05 GMT

HTTP/1.1 100

HTTP/1.1 200
Content-Length: 0
Date: Thu, 19 May 2022 06:19:05 GMT
Machine B- terminal 3:
./extend_upload.sh -s 1234abcd
Expected output:
Success in downloading SECP256R1 owner certificate to owner_cert_SECP256R1.txt
Success in downloading extended voucher for device with serial number 1234abcd
Success in uploading voucher to owner for device with serial number 1234abcd
GUID of the device is 7e1e0c59-6d87-4b40-b68d-e7fcc00a7e37
Success in triggering TO0 for 1234abcd with GUID 7e1e0c59-6d87-4b40-b68d-e7fcc00a7e37 with response code: 200
xxxx@machineA: 01_docker_sdk_env/artifacts/02_edge_server/edge_server_fdo/scripts$
Machine C- terminal 1: In the edge-server-fdo-owner logs, verify that TO0 finished.
edge-server-fdo-owner | 06:49:50.463 [INFO ] TO0 completed for GUID: ...
NOTE: This task can take more than three minutes.
Machine B- terminal 1:
docker-compose -f 01_docker_sdk_env/docker_compose/01_amr/amr-sdk.all.yml up fdo-client
Machine B- terminal 1: In the client messages, verify that FDO completed.
amr-fdo-client | ------------------------------------ TO2 Successful --------------------------------------
amr-fdo-client |
amr-fdo-client | @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
amr-fdo-client | @FIDO Device Onboard Complete@
amr-fdo-client | @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
amr-fdo-client exited with code 0
NOTE: FDO protocol steps TO1 and TO2 can take more than five minutes.
Expected result:
Machine A-2: In the ThingsBoard* GUI, Machine B was added in Devices as a new device.
NOTE: The device is shown online on the Dashboard after the Intel® In-Band Manageability container on Machine B has been brought up automatically.
Machine B: The wandering app is deployed from the Intel® Smart Edge Open controller, and the robot starts to wander around.
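The three log excerpts in this section (DI on the client, TO0 on the owner, TO2 on the client) are the evidence that onboarding went through, and the GUID printed after DI must be the same one the owner reports at TO0; otherwise the voucher that was extended and uploaded belongs to a different device. The Python script below is an added example for this tutorial, not part of the EI for AMR containers: it parses docker-compose log lines of the shape shown on this page, records each phase, ties the DI GUID to the TO0 GUID, and lists non-zero container exit codes. The sample logs are constructed after the snippets on this page (the GUID is the one from the extend_upload.sh output above); the second sample is a constructed failure case with a mismatched GUID.

```python
"""Check FDO onboarding progress from docker-compose log lines.

Added example for this tutorial; not part of the EI for AMR containers.
The sample logs are constructed after the snippets on this page.
"""
import re

_GUID = r"(?P<guid>[0-9a-fA-F-]{36})"
RE_DI_GUID = re.compile(r"^(?P<svc>\S+) \| .*GUID after DI: " + _GUID)
RE_TO0 = re.compile(r"^(?P<svc>\S+) \| .*TO0 completed for GUID: " + _GUID)
RE_PHASE = re.compile(r"^(?P<svc>\S+) \| .*\b(?P<phase>DI|TO2) Successful")
RE_EXIT = re.compile(r"^(?P<svc>\S+) exited with code (?P<code>\d+)$")

# Constructed: a successful run, assembled from the DI, TO0 and TO2 lines on this page.
SAMPLE_LOG = """\
amr-sdk-fdo-client | 09:56:55:434 Device credentials successfully written!!
amr-sdk-fdo-client | (Current) GUID after DI: 7e1e0c59-6d87-4b40-b68d-e7fcc00a7e37
amr-sdk-fdo-client | ------------------------------------ DI Successful --------------------------------------
amr-sdk-fdo-client exited with code 0
edge-server-fdo-owner | 06:49:50.463 [INFO ] TO0 completed for GUID: 7e1e0c59-6d87-4b40-b68d-e7fcc00a7e37
amr-fdo-client | ------------------------------------ TO2 Successful --------------------------------------
amr-fdo-client | @FIDO Device Onboard Complete@
amr-fdo-client exited with code 0
"""

# Constructed failure: TO0 ran for a different GUID (wrong voucher), TO2 never completed.
FAILED_LOG = """\
amr-sdk-fdo-client | (Current) GUID after DI: 7e1e0c59-6d87-4b40-b68d-e7fcc00a7e37
amr-sdk-fdo-client | ------------------------------------ DI Successful --------------------------------------
amr-sdk-fdo-client exited with code 0
edge-server-fdo-owner | 06:49:50.463 [INFO ] TO0 completed for GUID: 00000000-0000-4000-8000-000000000000
amr-fdo-client exited with code 1
"""


def onboarding_status(log_text):
    """Return a dict with the observed phases, GUIDs, exit codes and a list of problems.

    status["complete"] is True only when DI, TO0 and TO2 were all reported, the
    TO0 GUID equals the DI GUID, and every container exited with code 0.
    """
    status = {"di_guid": None, "to0_guid": None, "di_ok": False, "to2_ok": False,
              "exit_codes": {}, "problems": []}
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := RE_DI_GUID.search(line):
            status["di_guid"] = m["guid"].lower()
        elif m := RE_TO0.search(line):
            status["to0_guid"] = m["guid"].lower()
        elif m := RE_PHASE.search(line):
            status["di_ok" if m["phase"] == "DI" else "to2_ok"] = True
        elif m := RE_EXIT.search(line):
            status["exit_codes"].setdefault(m["svc"], []).append(int(m["code"]))

    problems = status["problems"]
    if not status["di_ok"]:
        problems.append("DI not reported successful by the client")
    if status["to0_guid"] is None:
        problems.append("owner never reported TO0 completed")
    elif status["di_guid"] and status["to0_guid"] != status["di_guid"]:
        problems.append(f"TO0 GUID {status['to0_guid']} differs from DI GUID "
                        f"{status['di_guid']} (voucher for another device?)")
    if not status["to2_ok"]:
        problems.append("TO2 not reported successful by the client")
    for svc, codes in status["exit_codes"].items():
        for code in codes:
            if code != 0:
                problems.append(f"{svc} exited with code {code}")
    status["complete"] = not problems
    return status


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("failed", FAILED_LOG)):
        result = onboarding_status(log)
        print(name, "complete" if result["complete"] else result["problems"])
```

Feed it the concatenated output of the three terminals (for example the redirected stdout of each docker-compose up) to get one verdict for the run; the line patterns are taken from the snippets on this page and may need adjusting for other FDO client builds.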
Hosts Cleanup
Machine B- terminal 1:
docker-compose -f 01_docker_sdk_env/docker_compose/01_amr/amr-sdk.all.yml down
Machine B- terminal 2:
docker-compose -f 01_docker_sdk_env/docker_compose/02_edge_server/edge-server.all.yml down
Machine C- terminal 1:
docker-compose -f 01_docker_sdk_env/docker_compose/02_edge_server/edge-server.all.yml down
Remove the device in the ThingsBoard* web interface.
Machine B- terminal 3: If the fleet-management container is already running:
docker rm -f $(docker ps -aq --filter name=amr-fleet-management)
NOTE: If you get an error message, verify that the fleet management container is not running and that the amr-fleet-management tag is latest, for example: amr-fleet-management:latest
Known Issues and Limitations
Only amr-fleet-management:latest is supported.
Troubleshooting
Verify that the MQTT service is running:
systemctl status mosquitto.service
If the command above returns Active: failed:
chmod -R 755 /etc/mosquitto/
systemctl restart mosquitto.service
systemctl status mosquitto.service
Expected result: The status of the mosquitto service is Active: active
For detailed EI for AMR target installation steps, see the Get Started Guide for Robots.
FDO References
Term | Reference
---|---
DMS | N/A
FDO | 
FIDO | 
RV | https://fidoalliance.org/specs/FDO/FIDO-Device-Onboard-RD-v1.0-20201202.html
Intel® SDO | https://www.intel.com/content/www/us/en/internet-of-things/secure-device-onboard.html