AWS Partner Network (APN) Blog
Seamless IoT Device Provisioning to AWS with Semtech’s Zero-Touch Deployment Solution
By Gaurav Gupta, Principal Partner Solutions Architect, IoT/Connectivity – AWS
By Pedro Mendoza, Solutions Architect, Connectivity and Cloud – Semtech
By Karthik Ranjan, Partnerships & Ecosystem Leader – Semtech
Cellular IoT (Internet of Things) offers reliable, low-power, and wide-area connectivity, making it ideal for applications such as smart cities, logistics, healthcare, and agriculture. The growth of cellular IoT has been rapid in recent years, driven by increasing demand for connected devices and applications across industry verticals.
Connectivity for cellular IoT technologies spans Narrowband (NB) IoT, LTE-M/CAT-1BIS, 2G/3G IoT, and 4G/5G IoT.
- NB-IoT and LTE-M/CAT-1BIS are especially designed for low-power and low-data rate IoT sensors, offering efficient and cost-effective options.
- 2G/3G IoT, although older and less power efficient, can still be used for certain applications where these networks are still available.
- 4G/5G IoT is suitable for higher data speeds and low-latency applications.
Producing IoT devices at scale can require months of preparation with the global hardware supply chain. From reserving time on the production line through distribution, setup, and deployment, many months can pass between the start of production and the moment the devices finally need to connect.
Binding devices to cloud services while establishing a hardware-enforced root of trust adds complexity to manufacturing and the supply chain: manual onboarding of devices in the field is costly, introduces security risks, and does not scale. By providing services that enable seamless binding to cloud endpoints, device manufacturers can produce devices that can be sold to multiple fleet operators without requiring SKU (Stock Keeping Unit) customization.
With Zero-Touch-Provisioning (ZTP) based on seamless-binding of devices to AWS IoT Core, fleet operators can purchase and deploy finished devices at scale without requiring any customization during the manufacturing process.
AWS IoT offers a managed platform for building, managing and securing IoT applications. It enables you to connect, collect, store, and analyze data from IoT devices at scale, while also providing features for device management, security, and integration with other AWS services.
The solution described in this post, Semtech’s AirVantage Device Control, uses a Hardware Root of Trust (HRoT) inside a Semtech wireless module and enables provisioning to your AWS IoT account securely without any customization or hardware-specific trust chain.
As a result, the solution lowers the cost of production through a single global SKU, and offers sustainability benefits with a lower carbon footprint, since devices ship directly to deployment sites, as well as faster time to market.
Semtech (formerly Sierra Wireless) is an AWS Specialization Partner and AWS Marketplace Seller with the IoT Competency. It’s a high-performance semiconductor, IoT systems, and cloud connectivity service provider dedicated to delivering high-quality technology solutions that enable a smarter, more connected, and sustainable planet.
Semtech’s AirVantage Device Control
Built on AWS, AirVantage Device Control is a proven cloud service that helps organizations overcome the challenge of managing a large fleet of IoT devices. It lets you securely monitor, control, and update your cellular SIMs, cellular modules, and LoRaWAN-based devices, all in one place and all at scale.
AirVantage Device Control keeps you informed of potential problems before they happen, so you can avoid downtime and rapidly fix issues to keep your service up and running. It also helps you onboard, configure, and manage devices throughout their lifecycle, bringing reliability and consistency across the entire fleet. This includes monitoring connectivity and communication status, sending command and control instructions, pushing over-the-air (OTA) firmware updates, and remotely activating and diagnosing devices.
With AirVantage Device Control, you can provide a responsive service to your customers and reduce on-site visits.
AWS IoT Core
AWS IoT Core enables you to connect your IoT devices at scale without managing the infrastructure. It offers security through a combination of mechanisms and services to ensure confidentiality, integrity, and authenticity of data flowing between IoT devices and AWS IoT.
AWS IoT Core uses X.509 certificates or custom authentication to verify the identity of IoT devices. Each device is assigned a unique certificate and private key, ensuring that only authorized devices can connect to AWS IoT Core. All communication between the IoT device and AWS IoT Core is encrypted using Transport Layer Security (TLS), which protects data in transit and prevents eavesdropping.
Read more on AWS IoT security in the documentation.
Seamless-Binding Solution
Semtech’s seamless-binding solution leverages existing trust relationships between the HRoT found inside their modules and AirVantage Device Control to automate the provisioning of devices into your AWS IoT Core account.
The implementation described in this post uses device-side applications implemented on top of the Legato framework, an open-source platform that allows developers to easily work with the various wireless technologies. Legato also includes the ability to securely connect and authenticate (based on pre-shared-keys) with AirVantage.
The GitHub repo for zero-touch provisioning contains the artifacts required to reproduce the solution.
The following architecture diagram describes, at high level, the seamless-binding solution.
Figure 1 – Semtech’s seamless-binding architecture.
The initial implementation of this seamless-binding solution is done by having two Legato applications running on the device.
The first application is responsible for provisioning into AWS IoT Core, using the OMA LwM2M (Lightweight M2M) protocol to talk to AirVantage. The second application on the device establishes the secure connection to AWS IoT Core.
The following steps detail the process outlined in Figure 1:
- Application running on the device creates a new private key and stores it in the module’s secure storage. Using the private key, a new CSR (Certificate Signing Request) is generated.
- Device establishes secure LwM2M session with AirVantage (based on the factory provisioned pre-shared key).
- Device sends the CSR to AirVantage over the secure LwM2M session.
- AirVantage forwards the CSR to Amazon Kinesis Data Streams via cloud connector.
- A helper AWS Lambda function reads CSR from the Kinesis Data Streams.
- The helper Lambda function processes the CSR by invoking the AWS IoT Core API to create a new certificate from the incoming CSR and attaching a policy to it.
- Helper Lambda retrieves the certificate privacy enhanced mail (PEM) file and AWS IoT Core endpoint using AWS IoT Core API.
- Helper Lambda securely publishes the new certificate PEM file and AWS IoT Core endpoint via AirVantage HTTPS API.
- AirVantage relays the PEM file back to the application running on the device (after a fragmentation process).
- PEM file is de-fragmented and stored in the device for later use.
- Second application on the device is responsible for using the private key and certificate to establish an MQTT over TLS connection towards your AWS IoT Core endpoint and start publishing data.
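The cloud side of steps 5 to 8 above, written here as an added example rather than the code from the solution's GitHub repo: a Lambda handler that decodes a Kinesis record, refuses anything that is not a single PEM-framed CSR, has AWS IoT sign it, attaches a policy, and returns the PEM and endpoint for relay to the device. The record fields `deviceId` and `csr` and the policy name `ztp-device-policy` are assumptions; the boto3 client is injected so the logic can be exercised without AWS access.

```python
import base64
import json
import re

# A CSR must be exactly one PEM block: no extra blocks, no stray text around it.
CSR_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE REQUEST-----\n[A-Za-z0-9+/=\n]+-----END CERTIFICATE REQUEST-----\n?"
)


def decode_kinesis_record(record):
    """Kinesis delivers the connector payload base64-encoded in record['kinesis']['data']."""
    raw = base64.b64decode(record["kinesis"]["data"])
    return json.loads(raw)


def provision_from_csr(payload, iot, policy_name):
    """Turn one CSR payload into an active AWS IoT certificate with a policy attached.

    `iot` is any object exposing boto3's IoT client methods (a fake can be injected for tests).
    Returns the fields the device needs; raises ValueError on a malformed CSR.
    """
    device_id = payload["deviceId"]  # assumed field in the AirVantage connector payload
    csr = payload["csr"]
    if not CSR_PEM_RE.fullmatch(csr):
        raise ValueError(f"device {device_id}: payload is not a single PEM CSR")
    # AWS IoT acts as the CA: it signs the CSR, so the private key never leaves the module.
    cert = iot.create_certificate_from_csr(certificateSigningRequest=csr, setAsActive=True)
    # Attach the (least-privilege) device policy to the new certificate, not to the account.
    iot.attach_policy(policyName=policy_name, target=cert["certificateArn"])
    endpoint = iot.describe_endpoint(endpointType="iot:Data-ATS")["endpointAddress"]
    return {
        "deviceId": device_id,
        "certificateId": cert["certificateId"],
        "certificatePem": cert["certificatePem"],
        "endpoint": endpoint,
    }


def lambda_handler(event, context, iot=None, policy_name="ztp-device-policy"):
    """Entry point: one Kinesis batch in, one provisioning result per record out."""
    if iot is None:
        import boto3  # imported lazily so the module loads without the AWS SDK installed
        iot = boto3.client("iot")
    return [provision_from_csr(decode_kinesis_record(r), iot, policy_name) for r in event["Records"]]
```

In the real pipeline the result is posted to the AirVantage HTTPS API rather than returned; a production handler should also check that `deviceId` matches a device known to AirVantage before signing, so a forged record cannot obtain a certificate.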
Validation
As a pre-condition to testing this solution, you need to have your device registered on your AirVantage account. For details, refer to Register your device – AirVantage.
Once you have your device registered and connected to AirVantage, you can proceed to build the device applications described above. Building them requires a Legato development environment as detailed in Leaf Workspace Manager – Legato Docs. Then, follow the instructions available at the GitHub repo.
Now that you have the applications ready to be installed and deployed on your device, you can proceed to release and publish these by going through the instructions available at Develop – AirVantage. Next, for installing these on your device, use the instructions available at How to manage your device from AirVantage.
Please note that you need to follow the instructions for both the ZTP as indicated in Build and deploy the ZTP Legato app, as well as the MQTT client app as indicated in Build and deploy the MQTT client Legato app.
To have the data flowing from AirVantage to AWS, you need to configure the Amazon Kinesis Data Streams connector from your AirVantage account. Follow the instructions available at How to use the Amazon Kinesis Connector.
Once you have the data flowing into your AWS account, you need to deploy the Lambda function that will handle the CSR coming from your device, and perform the tasks required to create and register a certificate using the CSR within AWS IoT. Refer to the instructions at Create and configure the Lambda function.
Now, you should be ready to start the applications on the device. You’ll need to SSH (Secure Shell) into your device and use Legato’s app command as detailed in app – Legato Docs.
Note that you should first run the seamless-binding app (to create the credentials required to access AWS IoT Core) and then the MQTT client app. You can refer to Test the solution for specific commands required to start each application on the device.
In order to confirm the MQTT client app is successfully connected to your AWS IoT Core endpoint, follow the instructions in the documentation.
Figure 2 – AWS IoT MQTT test client showing messages received.
Conclusion
One of the major hurdles in deploying IoT devices at scale is the time and cost associated with supply chain customization to connect devices securely. Semtech’s seamless-binding solution for provisioning solves this challenge by simplifying deployments with increased security.
This solution works by leveraging the existing authenticated connection between a device carrying a Semtech (formerly Sierra Wireless) module and AirVantage to provision that device into AWS IoT Core. Customers of Semtech cellular modules and AWS IoT can thus eliminate several manual steps and customizations during the manufacturing process when onboarding a fleet of devices to ingest data directly into AWS IoT Core.
The automation outlined in this post results in enhanced security, elimination of provisioning errors from manual activities, and significant cost reduction during the manufacturing process through a single global SKU.
Semtech – AWS Partner Spotlight
Semtech is an AWS Specialization Partner and high-performance semiconductor, IoT systems, and cloud connectivity service provider dedicated to delivering high-quality technology solutions that enable a smarter, more connected, and sustainable planet.