What You'll Learn
- How To Create A Key Pair
- How To Create A Registry in Omnicore
- How To Create A Device in Omnicore
- How To Connect An Omnicore Device With Go
- Registry-level CA certificates are an optional feature for additional security; you are not required to use them. (Managing Credentials) If you are choosing to go without Registry-level CA certificates, then follow Option A below else follow Option B route.
Option A - Without Registry CA
- Create A Private Key With OpenSSl
#openssl genrsa -out private_key_filename bits openssl genrsa -out private.key 2048 - Create A Public Key With OpenSSl
#openssl rsa -in private_key_filename -outform PEM -pubout -out publickey_filename openssl rsa -in private.key -outform PEM -pubout -out public.pem - The Private Key will be saved as private.key and the public key as public.pem
Option B - With Registry CA
- Create A Root CA And its Certificate
#openssl req -x509 -nodes -sha256 -days validity_certificate -newkey rsa:bits -keyout root_key_file -out root_certificate_file openssl req -x509 -nodes -sha256 -days 1825 -newkey rsa:2048 -keyout rootCA.key -out rootCA.crt - Create A Private Key With OpenSSl
#openssl genrsa -out private_key_filename bits
- Registry-level CA certificates are an optional feature for additional security; you are not required to use them. (Managing Credentials) If you are choosing to go without Registry-level CA certificates, then follow Option A below else follow Option B route.
Option A - Without Registry CA
- Create A Private Key With OpenSSl
#openssl genrsa -out private_key_filename bits openssl genrsa -out private.key 2048 - Create A Public Key With OpenSSl
#openssl rsa -in private_key_filename -outform PEM -pubout -out publickey_filename openssl rsa -in private.key -outform PEM -pubout -out public.pem - The Private Key will be saved as private.key and the public key as public.pem
Option B - With Registry CA
- Create A Root CA And its Certificate
#openssl req -x509 -nodes -sha256 -days validity_certificate -newkey rsa:bits -keyout root_key_file -out root_certificate_file openssl req -x509 -nodes -sha256 -days 1825 -newkey rsa:2048 -keyout rootCA.key -out rootCA.crt - Create A Private Key With OpenSSl
#openssl genrsa -out private_key_filename bits openssl genrsa -out private.key 2048 - Create A Signing Request
#openssl req -key private_key_filename -new -out csr_filename openssl req -key private.key -new -out domain.csr - Sign the Csr With Root CA
#openssl x509 -req -CA root_ca_cert_file -CAkey root_ca_key_file -in csr_filename -out device_cert_filename -days validitiy -CAcreateserial openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in domain.csr -out device.crt -days 365 -CAcreateserial
- This Step can be skipped if you already have generated keys and certificates using RSA
- This Step can be skipped if you already have generated keys and certificates using RSA
- Registry-level CA certificates are an optional feature for additional security; you are not required to use them. (Managing Credentials) If you are choosing to go without Registry-level CA certificates, then follow Option A below else follow Option B route.
Option A - Without Registry CA
- Create A Private Key With OpenSSl
#openssl ecparam -genkey -name prime256v1 -noout -out file_name openssl ecparam -genkey -name prime256v1 -noout -out ec_private.key - Create A Public Key With OpenSSl
#openssl ec -in private_key_filename -outform PEM -pubout -out publickey_filename openssl ec -in ec_private.key -pubout -outform PEM -pubout -out ec_public.pem - The Private Key will be saved as ec_private.key and the public key as ec_public.pem
Option B - With Registry CA
- Create A Root CA And its Certificate
#openssl req -x509 -nodes -sha256 -days validity_certificate -newkey rsa:bits -keyout root_key_file -out root_certificate_file openssl req -x509 -nodes -sha256 -days 1825 -newkey rsa:2048 -keyout rootCA.key -out rootCA.crt - Create A Private Key With OpenSSl
#openssl ecparam -genkey -name prime256v1 -noout -out file_name openssl ecparam -genkey -name prime256v1 -noout -out ec_private.key - Create A Signing Request
#openssl req -key private_key_filename -new -out csr_filename openssl req -key ec_private.key -new -out domain.csr - Sign the Csr With Root CA
#openssl x509 -req -CA root_ca_cert_file -CAkey root_ca_key_file -in csr_filename -out device_cert_filename -days validitiy -CAcreateserial openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -in domain.csr -out device.crt -days 365 -CAcreateserial
- If you want your telemetry and state messages to be forwarded to Cloud Pub/Sub please configure a sink.Else skip this step.
- Go To Sink Tab And Click On Create Sink if not present.
- Copy Your Gcp Project Id To Project Field
- Follow the instructions and click continue.Choose either console or cli option.
- Go To Registry Tab and click on New Registry
- If Root CA is needed, Paste the rootCA.crt generated in the previous step and paste it in the authentication.
- Enter Registry Details and Click Create. Sample Data is shown below.
- Go To Device Tab and click on New Device
- If Registry Has No CA ,Use the publickey.pem generated in previous step as authentication.If Registry Has Ca,specify the device.crt generated in previous step as authentication.Specify the key type also.
- Enter Device Details And Click On Create .
- Save the Code as sample-publish.go
# Copyright 2017 Google Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. """Go sample for connecting to Omnicore via MQTT, using JWT. This example connects to Omnicore via MQTT, using a JWT for device authentication. After connecting, by default the device publishes 100 messages to the device's MQTT topic at a rate of one per second, and then exits. Before you run the sample, you must follow the instructions in the README for this sample. """ package main import ( "crypto/tls" "crypto/x509" "flag" "fmt" "io/ioutil" "log" "time" MQTT "github.com/eclipse/paho.mqtt.golang" "github.com/golang-jwt/jwt" ) var ( deviceID = flag.String("device", "", "Omnicore Device ID") bridge = struct { host *string port *string }{ flag.String("mqtt_host", "lowercased(subscriptionid).mqtt.korewireless.com", "MQTT Bridge Host"), flag.String("mqtt_port", "8883", "MQTT Bridge Port"), } subscriptionID = flag.String("subscription", "", "Omnicore Subscription ID") registryID = flag.String("registry", "", "Omnicore Registry ID (short form)") certsCA = flag.String("ca_certs", "", "Download https://pki.cloud.korewireless.com/roots.pem") privateKey = flag.String("private_key", "", "Path to private key file") ) func main() { log.Println("[main] Entered") log.Println("[main] Flags") flag.Parse() log.Println("[main] Loading Omnicore's roots") certpool := x509.NewCertPool() pemCerts, err := ioutil.ReadFile(*certsCA) if err == nil { certpool.AppendCertsFromPEM(pemCerts) } log.Println("[main] Creating TLS Config") config := &tls.Config{ RootCAs: certpool, ClientAuth: tls.NoClientCert, ClientCAs: nil, InsecureSkipVerify: true, Certificates: []tls.Certificate{}, MinVersion: tls.VersionTLS12, } clientID := fmt.Sprintf("subscriptions/%v/registries/%v/devices/%v", *subscriptionID, *registryID, *deviceID, ) log.Println("[main] Creating MQTT Client Options") opts := MQTT.NewClientOptions() broker := fmt.Sprintf("ssl://%v:%v", *bridge.host, *bridge.port) log.Printf("[main] Broker '%v'", broker) opts.AddBroker(broker) opts.SetClientID(clientID).SetTLSConfig(config) opts.SetUsername("unused") token := jwt.New(jwt.SigningMethodRS256) token.Claims = jwt.StandardClaims{ IssuedAt: time.Now().Unix(), ExpiresAt: time.Now().Add(24 * time.Hour).Unix(), } log.Println("[main] Load Private Key") keyBytes, err := ioutil.ReadFile(*privateKey) if err != nil { log.Fatal(err) } log.Println("[main] Parse Private Key") key, err := jwt.ParseRSAPrivateKeyFromPEM(keyBytes) if err != nil { log.Fatal(err) } log.Println("[main] Sign String") tokenString, err := token.SignedString(key) if err != nil { log.Fatal(err) } opts.SetPassword(tokenString) // Incoming opts.SetDefaultPublishHandler(func(client MQTT.Client, msg MQTT.Message) { fmt.Printf("[handler] Topic: %v\n", msg.Topic()) fmt.Printf("[handler] Payload: %v\n", msg.Payload()) }) log.Println("[main] MQTT Client Connecting") client := MQTT.NewClient(opts) if token := client.Connect(); token.Wait() && token.Error() != nil { log.Fatal(token.Error()) } topic := struct { config string telemetry string loopback string }{ config: fmt.Sprintf("/%s/%s/config", *registryID,*deviceID), telemetry: fmt.Sprintf("/%s/%s/events", *registryID,*deviceID), loopback: fmt.Sprintf("/%s/%s/loopback", *registryID,*deviceID), } log.Println("[main] Publishing Messages To Events Telemetry Topic") for i := 0; i < 10; i++ { log.Printf("[main] Publishing Message #%d", i) token := client.Publish( topic.telemetry, 0, false, fmt.Sprintf("Message: %d", i)) token.WaitTimeout(5 * time.Second) } log.Println("[main] MQTT Client Disconnecting") client.Disconnect(250) log.Println("[main] Done") }
- Get the Mqtt Root CA From https://pki.cloud.korewireless.com/roots.pem and save as roots.pem
- Invoke the go code.Replace The subscriptionId,registryId,DeviceId.Also provide file path for Omnicore Ca File,Private Key of device for jwt generation and the mqtt host url.
go run sample-publish.go --registry=registryId --subscription=SubscriptionId --device=DeviceId --private_key=private.key --ca_certs=roots.pem --mqtt_host=subscriptionId.mqtt.korewireless.com --mqtt_port=8883 - Once invoked ,messages will be sent to the pubsubTopic corresponding to message type as defined in the registry.