
Telit Cinterion IoT Developer Community

Concept Board connection to Amazon AWS IoT Cloud with MQTT Protocol

Showcase, December 6, 2016 - 2:48pm, 11016 views

Updated on 10/10/2018
 
Summary
 
This showcase is a simple example showing how to establish a secure connection with an IoT Cloud in order to publish and subscribe to messages via the MQTT protocol.
In this case the connection is established with the Amazon AWS IoT Cloud, which requires mutual authentication: while establishing the connection, the client must prove its identity to the server, and the server must prove its identity to the client.
No application data is transferred over the client-to-server connection until mutual authentication succeeds.
 
When accessing the Amazon AWS IoT Cloud, the Cinterion Concept Board is the client, and it proves its identity with a certificate generated from the Amazon AWS account.
Both the client's and the server's certificates need to be installed on the Gemalto M2M module.
In order to communicate with the IoT Cloud using the MQTT protocol, it is necessary to install a MIDlet on the Cinterion Concept Board.
The showcase on preparing a MIDlet based on the latest Paho project can be found here: https://iot-developer.thalesgroup.com/showcase/paho-project-110-july-2016-mqtt-311
 
The attached ZIP archive includes the following:
- a complete step-by-step instruction on how to prepare a secure environment on the Gemalto M2M module
- a short overview of configuring the Amazon AWS account in order to test the secure connection and the publishing/subscribing of messages
The PDF file includes updated instructions for configuring the AWS Cloud in two ways:
  • One-click certificate creation - download certificates "ready to use"
  • Using your own certificate with AWS IoT
 

Attachment: AWS_Register_CA.docx

Hi Agata,

We are encountering an issue when we use the configuration in which a CA registered with AWS signs the TLS certificates for the Cinterion modules. Please refer to the attached document for the details of the steps we are following to generate the client certs and install them on the modules.

e.g. the application developer generates its own CA, registers it with AWS and uses this CA to sign the client certs for the Cinterion modules.

When we try to connect to AWS using the MQTT client, during the TLS handshake we get the error “INT:error in sendRequest -313 SSL-Error: revcd alert fatal error”.

The following is a summary of the tests and the results on our side:

SNo | SSL Stack                                                                  | TLS / AWS MQTT connection result (AWS IoT feature “Just In Time Certificate Registration”)
----|----------------------------------------------------------------------------|------------------------------------------------------------------------------------------
1   | OpenSSL                                                                    | TLS connection success
2   | AWS Java SDK                                                               | Success
3   | AWS Node.js SDK                                                            | Success
4   | Cinterion Module, built-in TLS; MQTT client and configuration based on and | -313 SSL-Error: revcd alert fatal error
    | adapted from the article (refer to attached document):                     |
    | https://iot-developer.thalesgroup.com/showcase/concept-board-connection-amazon-aws-iot-cloud-mqtt-protocol |
5   | Cinterion Module, BouncyCastle TLS stack (third-party external lib)        | Success

 

Summary of our understanding:

- The AWS IoT feature “Just In Time Certificate Registration” (https://aws.amazon.com/blogs/aws/new-just-in-time-certificate-registration-for-aws-iot/) is not working with the Cinterion module's WolfSSL stack.

- The Cinterion module (built-in SSL) is not sending the complete client certificate chain as part of the TLS handshake, hence AWS is rejecting the TLS connection due to a failure in parsing the certificate chain, and the “Just In Time Certificate Registration” fails.

- We don't have a detailed debug log from the Cinterion module or from the AWS MQTT broker TLS / Just in Time Certificate Registration to confirm our analysis. Our understanding is based on our study of the BouncyCastle TLS implementation.

Also, when we tried a normal TLS connection to the following URLs, we get a similar error, as summarized in this thread:

https://iot-developer.thalesgroup.com/threads/ssl-error-interror-sendrequest-313-ssl-error-revcd-alert-fatal-error

 

Please feel free to contact us if you need further information on the reported issues.

Best Regards,

Sridharan.


Hi,

Please see the work we have been doing with Amazon AWS and ESEYE.

The aim here was to offer a virtually zero-touch onboarding experience to AWS with ESEYE SIMs.

It will work on all PLS62-W rel 1, ELS61 rel 2 and EHSx rel 4 modules.

https://devices.amazonaws.com/detail/a3G0h000007732DEAQ/Intelligent-Cloud-Connect-LTE-Terminal

Hi, 

I have gone through the steps, but I wasn't able to successfully connect to AWS.

[Attached screenshots: "with ats", "without ats"]

Hi,

Just to add further to the question.

My Java version is Cinterion,EHS6,Rev 03.001, A-Rev 00.000.51.

AT^SJMSEC? = 1,1,1,1

I'm using AWS IoT One-click to generate all the certificates.

I downloaded the root CA from AWS (https://docs.aws.amazon.com/iot/latest/developerguide/server-authentication.html#server-authentication-certs).

Below are the CA certs that I tested:

1. VeriSign Endpoints (legacy) RSA 2048 bit key
2. RSA 2048 bit key: Amazon Root CA 1
3. Starfield Root CA Certificate
4. Cross-signed Amazon Root CA 1

I double-checked with the Python SDK program and an OpenSSL connection.

openssl s_client -connect a2px87lo8v4uea.iot.us-west-2.amazonaws.com:8443 -CAfile SFSRootCAG2.pem -cert 1certificate.pem.crt -key private.pem.key

openssl s_client -connect a2px87lo8v4uea-ats.iot.us-west-2.amazonaws.com:8443 -CAfile SFSRootCAG2.pem -cert 1certificate.pem.crt -key private.pem.key

Below are the findings:

Test for the endpoint with ATS (Python SDK, OpenSSL)
The CA certs that succeeded are as below:

1. RSA 2048 bit key: Amazon Root CA 1
2. Starfield Root CA Certificate

Test for the endpoint without ATS (Python SDK, OpenSSL)

The CA cert that succeeded is as below:
1. VeriSign Endpoints (legacy) RSA 2048 bit key

With that, I proceeded to test with the MIDlet program, and I was able to make a connection only on the endpoint without ATS and with the VeriSign Endpoints cert.
I was able to connect to the server and publish the message; the strange part is that I never see it at the server. If I use Python to the endpoint without ATS, I am able to see the message.

If I use the Amazon Root CA 1 or the Starfield Root CA Certificate, I wasn't able to get a successful connection at all.

Each time I try to replace the cert, I get the command code with

java -jar jseccmd.jar -cmd DelAllHttpsCertificatesUntrusted > DelAllHttpsCertificatesUntrusted.txt

So I run this command, AT^SJMSEC="cmd","060091000000", then I restart the terminal and reinstall the cert again.

Is anyone able to help out with this?

Author

Agata_Wiewiora