
Concept Board connection to Amazon AWS IoT Cloud with MQTT Protocol

Showcase, December 6, 2016 - 2:48pm, 2831 views

Updated on 10/10/2018
 
Summary
 
This showcase is a simple example showing how to establish a secure connection with an IoT Cloud in order to publish/subscribe messages via the MQTT protocol.
In this case the connection is established with Amazon AWS IoT Cloud, which requires mutual authentication. That means that, while establishing a connection, the client must prove its identity to the server, and the server must prove its identity to the client.
Application data is not transferred over the client-to-server connection until mutual authentication succeeds.
 
While accessing Amazon AWS IoT Cloud, the Cinterion Concept Board is the client, which must prove its identity using a certificate generated with an Amazon AWS account.
Both the client's and the server's certificates need to be installed on the Gemalto M2M module.
In order to communicate with the IoT Cloud using the MQTT protocol, a MIDlet must be installed on the Cinterion Concept Board.
The showcase on preparing a MIDlet based on the latest Paho project can be found here: https://developer.gemalto.com/showcase/paho-project-110-july-2016-mqtt-311
 
The attached ZIP archive includes the following:
- a complete "step by step" instruction on how to prepare a secure environment on the Gemalto M2M module
- a short overview of configuring an Amazon AWS account in order to test the secure connection and publishing/subscribing messages
The PDF file includes updated instructions for configuring AWS Cloud in two ways:
  • One-click certificate creation - download certificates "ready to use"
  • Using your own certificate with AWS IoT
 
haran8888

AWS_Register_CA.docx

Hi Agata,

We are encountering an issue when we use the configuration in which a CA registered with AWS signs the TLS certificates for the Cinterion modules. Please refer to the attached document for the details of the steps that we are following to generate the client certs and install them on the modules.

e.g. the application developer generates its own CA, registers it with AWS and uses this CA to sign the client certs for the Cinterion modules.

When we try to connect to AWS using the MQTT client, during the TLS handshake we get the error “INT:error in sendRequest -313 SSL-Error: revcd alert fatal error”.

The following is the summary of the tests and the results on our side:

| SNo | SSL stack | TLS / AWS MQTT connection result (AWS IoT feature “Just In Time Certificate Registration”) |
|-----|-----------|-------------------------------------------------------------------------------------------|
| 1 | OpenSSL | TLS connection success |
| 2 | AWS Java SDK | Success |
| 3 | AWS Node.js SDK | Success |
| 4 | Cinterion module, built-in TLS; MQTT client and configuration based on and adapted from the article (https://developer.gemalto.com/showcase/concept-board-connection-amazon-aws-iot-cloud-mqtt-protocol), refer to the attached document | -313 SSL-Error: revcd alert fatal error |
| 5 | Cinterion module, BouncyCastle TLS stack (third-party external lib) | Success |

Summary of our understanding:

- AWS IoT feature “Just In Time Certificate Registration” (https://aws.amazon.com/blogs/aws/new-just-in-time-certificate-registration-for-aws-iot/) is not working with the Cinterion module WolfSSL stack.
- The Cinterion module (built-in SSL) is not sending the complete client certificate chain as part of the TLS handshake, hence AWS is rejecting the TLS connection due to a failure in parsing the certificate chain and the “Just In Time Certificate Registration” fails.
- We don’t have a detailed debug log from the Cinterion module or the AWS MQTT broker TLS/Just in Time Certificate Registration to confirm our analysis. Our understanding is based on our study of the BouncyCastle TLS implementation.

Also when we tried a normal TLS connection to the following URLs, we get a similar error, as summarized in this thread:

https://developer.gemalto.com/threads/ssl-error-interror-sendrequest-313-ssl-error-revcd-alert-fatal-error

Please feel free to contact us if you need further information on the reported issues.

Best Regards,

Sridharan.
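As an added example (not part of the showcase nor of haran8888's reply, and not Gemalto or AWS code), the Python below does two pre-flight checks for the mutual-TLS MQTT setup described in the showcase and for the incomplete-chain symptom described in the reply: it counts the certificate blocks in the device's PEM bundle so a leaf-only bundle is flagged when a CA registered with AWS IoT is in use, and it builds a strict client `ssl` context (broker verification, hostname check, TLS 1.2 minimum, device identity). The sample bundles are constructed placeholders; the helper names and the heuristic block count are assumptions of this example.

```python
import re
import ssl
from typing import List, Optional

# One PEM certificate block; re.S lets '.' span the base64 lines.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed sample bundles (placeholder base64, not real certificates).
_LEAF = "-----BEGIN CERTIFICATE-----\nMIIBleafPLACEHOLDER\n-----END CERTIFICATE-----\n"
_CA = "-----BEGIN CERTIFICATE-----\nMIIBcaPLACEHOLDER\n-----END CERTIFICATE-----\n"
SAMPLE_LEAF_ONLY = _LEAF          # leaf alone: the symptom discussed in the thread
SAMPLE_FULL_CHAIN = _LEAF + _CA   # leaf followed by the CA registered with AWS IoT

def split_pem_bundle(pem_text: str) -> List[str]:
    """Return the certificate blocks of a PEM bundle in file order."""
    return PEM_CERT.findall(pem_text)

def check_device_bundle(pem_text: str, uses_registered_ca: bool) -> List[str]:
    """Return findings; an empty list means the bundle looks complete.

    With a CA registered in AWS IoT (the JITR scenario) the device must present
    its leaf certificate followed by that CA certificate. This only counts
    blocks (an assumed heuristic); it does not verify signatures or ordering.
    """
    certs = split_pem_bundle(pem_text)
    if not certs:
        return ["no certificate found in device bundle"]
    if uses_registered_ca and len(certs) < 2:
        return ["only the leaf certificate is present; append the registered "
                "CA certificate so the full chain is sent in the handshake"]
    return []

def build_tls_context(ca_path: Optional[str] = None, cert_path: Optional[str] = None,
                      key_path: Optional[str] = None) -> ssl.SSLContext:
    """Strict client context: verify the broker against the given root CA,
    check its hostname, require TLS 1.2+, and load the device identity."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cert_path and key_path:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)  # leaf + chain
    return ctx

if __name__ == "__main__":
    for name, bundle in (("leaf only", SAMPLE_LEAF_ONLY), ("full chain", SAMPLE_FULL_CHAIN)):
        print(name, check_device_bundle(bundle, uses_registered_ca=True) or "OK")
```

With paho-mqtt the resulting context is handed to the client via `client.tls_set_context(ctx)` before `client.connect(endpoint, 8883)`.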


Agata_Wiewiora