
Getting the Executable

Use the following commands to build the FIDO Device Onboard (FDO) Protocol Reference Implementation (PRI) HTTP Device Component sample from source. Throughout this document, <fdo-pri-src> refers to the path of the FDO PRI folder 'pri-fidoiot'.

$ cd <fdo-pri-src>/component-samples/device/
$ mvn clean install

This will copy the required executables and libraries into /component-samples/demo/device/.

Configuring the Device Service

All the runtime configurations for the device are specified in the service.yml file.

The service.yml file is structured into multiple sections:

  • device: This section contains the device-specific runtime configurations, including di-url, credential-file, key-type, key-enc, etc.

  • system-properties: This section contains the runtime environment variables.

  • workers: This section contains the configuration that selects the desired functionality for the device. The deployer can pick and choose functionality at runtime.

DI with mTLS

  1. To execute DI with mTLS, first uncomment the following lines in <fdo-pri-src>/component-samples/demo/aio/WEB-INF/Web.xml or <fdo-pri-src>/component-samples/demo/manufacturer/WEB-INF/Web.xml and start the services.
  <security-constraint>
    <web-resource-collection>
        <web-resource-name>apis</web-resource-name>
        <url-pattern>/api/v1/*</url-pattern>
        <!-- <url-pattern>/fdo/101/msg/10</url-pattern>
        <url-pattern>/fdo/101/msg/12</url-pattern> -->
    </web-resource-collection>
    <auth-constraint>
        <role-name>api</role-name>
    </auth-constraint>
    <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  2. Copy api-user.pem and ca-cert.pem into the demo/device/app-data folder.
  3. Disable the following worker: org.fidoalliance.fdo.protocol.SelfSignedHttpClientSupplier
  4. Enable the following worker: org.fidoalliance.fdo.protocol.StandardHttpClientSupplier
  5. Then uncomment the following lines in <fdo-pri-src>/component-samples/demo/device/service.yml:
system-properties:
  # javax.net.ssl.keyStorePassword: default
  # javax.net.ssl.trustStorePassword: default
  # javax.net.ssl.keyStore: ./app-data/api-user.pem
  # javax.net.ssl.trustStore: ./app-data/ca-cert.pem
  # javax.net.ssl.keyStoreType: PEM
  # javax.net.ssl.trustStoreType: PEM
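The worker swap and the six system properties above only take effect together: a still-commented keyStore line or a SelfSignedHttpClientSupplier left in the workers list undoes the mTLS setup without any build error. The following preflight checker is an added example, not code from the FDO PRI project. It parses only the small YAML subset this file uses (top-level sections, one level of key: value entries and "- item" lists) and reports every deviation from the steps above; the two embedded service.yml snippets are constructed samples, and the worker class names and javax.net.ssl keys are the ones named in this README.

```python
"""Preflight check for the DI-with-mTLS settings in the device service.yml.

Added example, not part of the FDO PRI project. It handles only the YAML
subset the file uses and reports anything that deviates from the
DI-with-mTLS steps: wrong worker enabled, required worker missing, or
a javax.net.ssl property still commented out.
"""

# Worker class names and property keys as named in the README.
SELF_SIGNED_WORKER = "org.fidoalliance.fdo.protocol.SelfSignedHttpClientSupplier"
STANDARD_WORKER = "org.fidoalliance.fdo.protocol.StandardHttpClientSupplier"
REQUIRED_PROPS = (
    "javax.net.ssl.keyStore",
    "javax.net.ssl.keyStorePassword",
    "javax.net.ssl.keyStoreType",
    "javax.net.ssl.trustStore",
    "javax.net.ssl.trustStorePassword",
    "javax.net.ssl.trustStoreType",
)


def parse_service_yml(text):
    """Return (system_properties, workers) from the YAML subset used here.

    Lines starting with '#' are skipped, so a keyStore entry that was left
    commented out is reported as missing rather than silently accepted.
    """
    props = {}
    workers = []
    section = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("- "):
            # list entry under the current section (indented or not)
            if section == "workers":
                workers.append(stripped[2:].strip())
            continue
        if not raw.startswith((" ", "\t")):
            # an unindented 'name:' line opens a new top-level section
            section = stripped.split(":", 1)[0].strip()
            continue
        if section == "system-properties" and ":" in stripped:
            key, value = stripped.split(":", 1)
            props[key.strip()] = value.strip()
    return props, workers


def check_mtls(text):
    """Return a list of findings; an empty list means the mTLS setup is consistent."""
    props, workers = parse_service_yml(text)
    findings = []
    if SELF_SIGNED_WORKER in workers:
        findings.append("SelfSignedHttpClientSupplier is still enabled")
    if STANDARD_WORKER not in workers:
        findings.append("StandardHttpClientSupplier is not enabled")
    for key in REQUIRED_PROPS:
        if key not in props:
            findings.append(f"{key} is missing or still commented out")
    # A .pem store path only matches the PEM store type used in the README.
    for store, store_type in (("javax.net.ssl.keyStore", "javax.net.ssl.keyStoreType"),
                              ("javax.net.ssl.trustStore", "javax.net.ssl.trustStoreType")):
        path = props.get(store, "")
        if path.endswith(".pem") and props.get(store_type) not in (None, "PEM"):
            findings.append(f"{store_type} should be PEM for {path}")
    return findings


# Constructed sample: the shipped state, mTLS lines still commented out.
SHIPPED = """\
system-properties:
  # javax.net.ssl.keyStorePassword: default
  # javax.net.ssl.trustStorePassword: default
  # javax.net.ssl.keyStore: ./app-data/api-user.pem
  # javax.net.ssl.trustStore: ./app-data/ca-cert.pem
  # javax.net.ssl.keyStoreType: PEM
  # javax.net.ssl.trustStoreType: PEM
workers:
  - org.fidoalliance.fdo.protocol.SelfSignedHttpClientSupplier
"""

# Constructed sample: the same file after the DI-with-mTLS steps.
CONFIGURED = """\
system-properties:
  javax.net.ssl.keyStorePassword: default
  javax.net.ssl.trustStorePassword: default
  javax.net.ssl.keyStore: ./app-data/api-user.pem
  javax.net.ssl.trustStore: ./app-data/ca-cert.pem
  javax.net.ssl.keyStoreType: PEM
  javax.net.ssl.trustStoreType: PEM
workers:
  - org.fidoalliance.fdo.protocol.StandardHttpClientSupplier
"""

if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED), ("configured", CONFIGURED)):
        findings = check_mtls(text)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it against the real file with `check_mtls(open("service.yml").read())` before starting the device; the shipped sample yields eight findings and the configured sample none. The checker deliberately ignores comments, because the most common slip is leaving the six properties commented out exactly as they ship.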

Starting the Device Service

NOTE: Make sure that di-url is set to the correct address.

Run as Standalone service.

Open a terminal, change directory to <fdo-pri-src>/component-samples/demo/device/ and execute the following commands.

$ cd <fdo-pri-src>/component-samples/demo/device
$ java -jar device.jar

Run as Docker Service

Open a terminal, change directory to <fdo-pri-src>/component-samples/demo/device/ and execute the following command.

docker-compose up --build

If you need super user access, prefix the above command with 'sudo -E'.

The device.p12 must contain the following data:

  • The device's private key
  • The device's public key or certificate (PKCS12 format).

PS: If the device.p12 file is not present, it is autogenerated at runtime.

The device will initialize and exit. A credentials.bin file will be created containing the device state. Removing this file will make the device re-initialize the next time it runs.

During device initialization, the Manufacturer server must be available.

TO1-2 Protocol

Execute the following commands to initiate TO1 and TO2.

Run as Standalone service.

$ cd <fdo-pri-src>/component-samples/demo/device
$ java -jar device.jar

Run as Docker Service

Open a terminal, change directory to <fdo-pri-src>/component-samples/demo/device/ and execute the following command.

docker-compose up --build

The device will be onboarded.

The rendezvous and owner servers must be available during this step.