Configuring FCU
Factory Configurator Utility (FCU) requires a configuration file in YAML format.
When you download FCU from the Device Management Portal, you get a ZIP archive, which contains the configuration file fcu.yml
.
The configuration file controls FCU's behavior, and contains information relevant to multiple devices. Device-specific information is provided through the APIs (most notably, prepare_device_configuration
).
FCU consults the configuration file whenever an FCU API is called, so you can modify it between calls; however, you are not likely to require modifications in daily use.
Values in the downloaded configuration file
Most of the fields in this file are empty, but some account information and default security values are populated:
# Defines whether FCU is set up as an intermediate Certificate Authority:
# - false: The setup command creates a self signed certificate to be used by FCU for signing the device certificates.
# - true: The setup command creates a CSR. The customer should use its Certificate Authority to sign the CSR and provide the certificate to FCU as 'fcu.crt' file.
# Note: If the 'fcu.crt' is a certificate chain, you must specify the 'device-certificate-chain-depth' when using FCU as a certificate authority.
setup-ca-as-intermediate: false
# Use bootstrap server (true/false). Required
use-bootstrap: true
# First to claim mode (true/false)- Relevant when 'use-bootstrap' is set to true.
# If true- the Bootstrap server URL used is the Bootstrap server first-to-claim URL.
first-to-claim: false
# Include time synchronization parameters in device configuration (true/false)
time-sync: true
# Enable/disable verification of configuration on device side (true/false)
verify-on-device: true
device-info:
# Device timezone
timezone: UTC
# Device key generation modes:
# Defines the source of 'device keys' (Device DTLS private key and certificate)
# - 'by_device': The device generates the private key and signs a CSR, and
# FCU signs the CSR and creates a certificate, which it passes to the device
# - 'by_tool': The tool generates device keys (default)
# - 'externally_supplied': The user supplies device keys and provides them to the tool as files
# under 'device-keys-location', which is provided as a command-line parameter
# - 'preprovisioned': The device has been pre-provisioned with DTLS keys; therefore, FCU does not generate, provision, or validate DTLS keys
device-key-generation-mode: by_tool
# Device entropy generation modes:
# Defines the source of 'device entropy'
# - 'by_device': The device generates the entropy; FCU does not pass entropy to the device (default)
# - 'by_tool': The tool generates device entropy
# - 'externally_supplied': The user supplies device entropy and provides it to the tool as
# "entropy.bin" file under 'device-keys-location', which is provided as a command-line parameter
entropy-generation-mode: by_device
# Secure storage types:
# Defines the device storage type
# - 0: Unspecified
# - 1: Externally inaccessible storage
# - 2: Secure storage with protected local root of trust
# - 3: Secure storage with externally inaccessible local root of trust
secure-storage-type: 0
# Secure hardware components:
secure-hardware-components:
non-secure-hardware: true
uVisor: false
trust-zone-M: false
trust-zone-A: false
crypto-with-lrot: false
# Device private keys in field generation:
# Controls the method in which keys are generated, in field
# - 'by_cloud': Device private keys are never generated on the device in the field; the private keys are generated only by the cloud.
# This option is less secure. This setting cannot be overridden by the cloud when the device is in the field (default).
# - 'by_device': Device private keys can be generated on the device in the field.
# This option must be used to generate LwM2M device private keys on the device as part of the bootstrap flow (also known as the EST flow).
# You must also set the `use-bootstrap` value to `true`.
# The Enrollment over Secure Transport (EST) feature must be enabled in your account.
# The MBED_CLIENT_DISABLE_EST_FEATURE flag must be off on the device to enable the EST feature.
# This option is recommended from a security perspective.
device-private-keys-in-field-generation: by_cloud
The file also includes your account ID and certificate information that is specific to your account; for example, if your account ID were 123456abcd015867c96c2202420a1234
:
# File location for bootstrap server CA certificate.
bootstrap-server-ca-certificate-file: <%= ENV['FCU_RESOURCES_DIR'] %>/bootstrap_server_ca_cert.pem
# Bootstrap server URL, for example coaps://bootstrap.arm.com
bootstrap-server-uri: coaps://auto_generated_uri.com?aid=123456abcd015867c96c2202420a1234
# Bootstrap server first-to-claim URL.
# Same URL as bootstrap-server-uri, omitting the account-id.
bootstrap-server-uri-first-to-claim: coaps://auto_generated_uri.com
# File location for LwM2M server CA certificate.
lwm2m-server-ca-certificate-file: <%= ENV['FCU_RESOURCES_DIR'] %>/lwm2m_server_ca_cert.pem
# LwM2M server URL, for example coaps://connector.arm.com
lwm2m-server-uri: coaps://auto_generated_uri.com?aid=123456abcd015867c96c2202420a1234
Environment variables
You can reference environment variables in the FCU configuration file using the following syntax:
<%= ENV['ENVVAR_NAME'] %>
, where ENVVAR_NAME
is the name of your environment variable.
For example:
bootstrap-server-ca-certificate-file: <%= ENV['FCU_RESOURCES_DIR'] %>/bootstrap_server_ca_cert.pem
FCU expects (and reserves) some environment variables. When these variables are absent, FCU uses default values:
Variable | Description | Default |
---|---|---|
FCU_HOME_DIR |
Specifies the home directory of the factory configurator library. The library uses this as the root path of several directories and files on which the library depends. |
The current working directory. |
FCU_RESOURCES_DIR |
Specifies the resources directory of the FCU library. |
/<FCU Home>/resources |
FCU_KEYSTORE_DIR |
Specifies the keystore directory of the FCU library. |
/<FCU Home>/keystore |
Keys, certificates, and configurations
The sections below detail the various FCU configuration parameters for injecting keys, certificates and other configurations.
For more information about the parameters, see Provisioning information.
Key generation and bootstrap modes
The following parameters define how device keys are generated and whether and how your devices bootstrap.
Parameter | Description | Values | Mandatory or optional |
---|---|---|---|
device-key-generation-mode |
Defines the source of device keys (device DTLS private key and certificate). | externally_supplied : Device keys that you supply, and which FCU expects to find under device-keys-location (an API parameter).by_tool : Device keys that FCU generates. by_device : Device keys that are generated by the device. |
Mandatory |
use-bootstrap |
If true , devices use the bootstrap server. If false , they use the LwM2M server. |
true /false |
Mandatory |
verify-on-device |
Enable/disable verification of configuration on the device side. | true /false |
Optional |
first-to-claim |
In the first-to-claim mode, the device is created with a certificate but without an account ID. The customer claims the device by adding the enrollment identity and OEM's CA to their account. The bootstrap binds the device to the account when the enrollment identity exists in Pelion Device Management.* If true , the bootstrap server URL used is the bootstrap-server-uri-first-to-claim . * If false , the bootstrap server URL used is the bootstrap-server-uri . |
The first-to-claim mode is only applicable when use-bootstrap is true .true /false |
Optional |
The bootstrap mode you select in use-bootstrap
dictates which files and configuration values you must provide.
Bootstrap mode
To use bootstrap mode, set use-bootstrap: true
.
-
Configuration values:
-
bootstrap-server-ca-certificate-file
: File location for the bootstrap server's CA certificate. -
bootstrap-server-uri
: The bootstrap server's URL. For example,coaps://bootstrap.arm.com?aid=123456abcd015867c96c2202420a1234
.The
fcu.yml
configuration file you download from Device Management Portal is pre-populated with a bootstrap server URI that supports both the TCP and the UDP protocols.To can change the pre-populated bootstrap server URI to a protocol-specific URI:
-
In Device Management Portal, select Device identity > Server to open the Server credentials page.
-
Copy one of the available URIs:
- TCP URI for bootstrap server - For devices that connect to the bootstrap server using the TCP protocol.
- Alternative TCP URI for bootstrap server - For devices that connect to the bootstrap server using the TCP protocol, if the devices are behind a firewall that blocks non-standard secure ports.
- UDP URI for bootstrap server - For devices that connect to the bootstrap server using the UDP protocol.
-
-
bootstrap-server-uri-first-to-claim
: Mandatory whenfirst-to-claim
is enabled (otherwise unused). Similar tobootstrap-server-uri
, where the URL must not containaid
query parameter. For example,coaps://bootstrap.arm.com
.
-
-
Files - if
device-key-generation-mode
isexternally_supplied
:BootstrapDeviceCert.der
orBootstrapDeviceCert.pem
: The device's bootstrap certificate.BootstrapDevicePrivateKey.der
orBootstrapDevicePrivateKey.pem
: The device's bootstrap private key.
LwM2M mode
To use LwM2M mode, set use-bootstrap: false
.
-
Configuration values:
-
lwm2m-server-uri
: The LwM2M server's URL. For example,coaps://connector.arm.com
.The
fcu.yml
configuration file you download from Device Management Portal is pre-populated with a LwM2M server URI that supports both the TCP and the UDP protocols.To can change the pre-populated LwM2M server URI to a protocol-specific URI:
-
In Device Management Portal, select Device identity > Server to open the Server credentials page.
-
Copy one of the available URIs:
- TCP URI for LwM2M server - For devices that connect directly to the LwM2M server using the TCP protocol.
- Alternative TCP URI for LwM2M server - For devices that connect directly to the LwM2M server using the TCP protocol, if the devices are behind a firewall that blocks non-standard secure ports.
- UDP URI for LwM2M server - For devices that connect directly to the LwM2M server using the UDP protocol.
- WebSocket tunnel URI for LwM2M server - For devices that connect directly to the LwM2M server using UDP DTLS over WebSocket.
- WebSocket SSL tunnel URI for LwM2M server - For devices that connect directly to the LwM2M server using UDP DTLS over WebSocket, if the devices are behind a firewall that blocks non-standard secure ports.
Note: WebSocket URIs are account-specific and not available to other customers.
-
-
lwm2m-server-ca-certificate-file
: File location for the LwM2M server's CA certificate.
-
-
Files - if
device-key-generation-mode
isexternally_supplied
:LwM2MDeviceCert.der
orLwM2MDeviceCert.pem
: The device's LWM2M certificate.LwM2MDevicePrivateKey.der
orLwM2MDevicePrivateKey.pem
: The device's LWM2M private key.
For information about the format of DTLS certificates, see device certificates.
Using certificate chains
In addition to injecting certificates, you can also inject a certificate chain to the device. Certificate chains can also be defined as trusted in Device Management.
When a device performs bootstrap or connects to Device Management, the server can verify the validity of the certificate that the device presents by validating the chain of certificates.
When you inject a certificate chain, define the chain's length using the device-certificate-chain-depth
parameter (integer, 1-10).
If you do not define the certificate chain depth, it is assumed to be 1 (a single certificate).
Note: The length of the certificate chain depends on the device's capability. By default, a device supports up to five certificates. You can change this by modifying the KCM_MAX_NUMBER_OF_CERTIFICATES_IN_CHAIN
compilation flag in the kcm_defs.h
file. The default value is 5
.
Note: When FCU loads a certificate chain file (as an external device certificate, or when FCU is a CA and its CA certificate is a chain), it expects the file to be in PEM format, and the certificates in the file should be in the following order:
- The end-entity certificate
- The intermediate certificate(s)
- The root certificate
-----BEGIN CERTIFICATE-----
(End-entity certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate)
-----END CERTIFICATE-----
...
-----BEGIN CERTIFICATE-----
(Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate)
-----END CERTIFICATE-----
FCU as CA
The subject of the generated CA certificate consists of the following parameters, which are aggregated under the certificate-authority
section in the fcu.yml
file:
Parameter | Description |
---|---|
common-name |
The CN subject field. |
organization-name |
The O subject field. |
organizational-unit-name |
The OU subject field. |
locality-name |
The L subject field. |
state-or-province-name |
The ST subject field. |
country-name |
The C subject field. |
Additional certificate authorities
The subject of the CA certificate generated for each additional CA consists of the following parameters, which are aggregated under the additional-certificate-authorities
section in the fcu.yml
file:
Parameter | Description |
---|---|
<CA name> |
The additional certificate authority's name. The name of each CA must be unique and must not be fcu .Limited to 20 alphanumeric characters, dashes ( - ), underscores (_ ), and periods (. ). |
certificate-authority |
These parameters make up the subject of the generated CA certificate. |
setup-ca-as-intermediate |
A Boolean parameter, which defines whether the CA is set up as an intermediate CA. Default: false . |
To add multiple additional CAs, copy and populate the parameters for each CA.
Note: FCU creates a folder in the keystore
directory for each additional CA that you add in the additional-certificate-authorities
section. FCU names these folders using the <CA name>
values that you define in the additional-certificate-authorities
section. Each of these folders holds a private key and the CA certificate or a CSR (for an intermediate CA).
Example:
additional-certificate-authorities:
sample-ca-1:
certificate-authority:
common-name: CN-sample-1
organization-name: ON
organizational-unit-name: OUN
locality-name: LN
state-or-province-name: SN
country-name: NO
setup-ca-as-intermediate: true
sample-ca-2:
certificate-authority:
common-name: CN-sample-2
organization-name: ON
organizational-unit-name: OUN
locality-name: LN
state-or-province-name: SN
country-name: NO
setup-ca-as-intermediate: false
Firmware update authentication
For firmware update:
Parameter | Description | Mandatory or optional |
---|---|---|
update-auth-certificate-file |
File location for Update auth certificate. | Mandatory if using the firmware update functionality. |
vendor-id |
Valid UUID String (RFC4122) | Mandatory only if update-auth-certificate-file is configured. |
class-id |
Valid UUID String (RFC4122) | Mandatory only if update-auth-certificate-file is configured. |
Note: If update-auth-certificate-file
is configured, you must also configure the vendor-id
and class-id
parameters.
LwM2M Device Object information
These parameters are aggregated under the device-info YAML section:
Parameter | Description | Mandatory or optional |
---|---|---|
manufacturer-name |
Manufacturer name (string) | Mandatory |
device-type |
Device type (string) | Mandatory |
model-number |
Model number (string) | Mandatory |
hardware-version |
Hardware version (string) | Mandatory |
memory-total |
Total memory size in kilobytes (integer) | Mandatory |
timezone |
Device timezone. Default: UTC. | Optional |
Device certificates configuration
These parameters make up the subject of the generated device certificate. They are aggregated under the device-certificate
section in the fcu.yml
file:
Parameter | Description | Mandatory or optional |
---|---|---|
organization-name |
Organization Name (O) field. | Mandatory |
organizational-unit-name |
Organizational Unit (OU) field. | Mandatory |
locality-name |
Locality (L) field. | Mandatory |
state-or-province-name |
State or Province (ST) field. | Mandatory |
country-name |
Country (C) field. | Mandatory |
FCU automatically uses the endpoint name you give the device as the Common Name of the device certificate.
Trust level parameters
Use these configuration parameters to enable FCU to calculate and set the trust level extension in the device certificate:
secure-storage-type
: Defines the device storage type. Valid values:0
: Unspecified.1
: Externally inaccessible storage.2
: Secure storage with protected local root of trust.3
: Secure storage with externally inaccessible local root of trust.
secure-hardware-components
: Parameters that specify the secure hardware components in the device:non-secure-hardware
:true
/false
.uVisor
:true
/false
.trust-zone-M
:true
/false
.trust-zone-A
:true
/false
.crypto-with-lrot
:true
/false
.
device-private-keys-in-field-generation
: Controls the method of generating the keys in field. Valid values:by_cloud
: Device private keys are never generated on device in field – the private keys are generated only by the cloud. This option is less secure. This setting cannot be overridden by cloud once the device is in the field (default).
The trust level is embedded in the generated device certificate, in an X.509 extension.
Device Entropy
This parameter defines the source of the entropy that the device receives. The entropy is 48 bytes of random data.
Parameter | Description | Values | Mandatory or optional |
---|---|---|---|
entropy-generation-mode |
Defines the source of the entropy. Default: by_device |
by_device : The device generates entropy; FCU does not pass entropy.externally_supplied : You supply entropy, which FCU expects to find under device_keys_location (an API parameter).by_tool : FCU generates entropy. |
Optional |
Using the device to generate entropy
To get the device to generate entropy itself in the injection process, in the fcu.yml
file, set entropy-generation-mode
to by_device
.
If entropy-generation-mode
does not exist in the fcu.yml
, this is default behavior.
Using your own entropy file
In this mode, you use your own entropy file as a resource:
- In
fcu.yml
, setentropy-generation-mode
toexternally_supplied
. - Under path used for
device_keys_location
provideentropy.bin
file.entropy.bin
shall be binary file with 48 bytes.- It is good practice to use a True Random Number Generator (TRNG) to generate such entropy.
Using FCU to generate entropy
To get FCU to generate entropy and pass it to the device in the injection process, in the fcu.yml
file, set entropy-generation-mode
to by_tool
.
This scenario is used when the device does not have enough entropy and you do not have a TRNG. FCU generates 48 random bytes.
Secure device access
The trust anchor public keys that need to be put on the device, so that it can validate that the access tokens have been signed by a known trust anchor.
Each trust anchor public key is stored on the device as a single DER under mbed.ta.<key-sha256-fingerprint-uppercase>
key.
Parameter | Description | Mandatory or optional |
---|---|---|
trust-anchors-public-key-files |
List of PEM public key files referenced by the configuration file | Optional |
Custom properties
You can provision custom properties to a batch of devices by defining them in the FCU configuration file (fcu.yml
).
You can also provision device-specific custom properties by creating a custom properties section, as explained in this section, in a separate YAML file and passing the --device-config-file
argument when you provision the device. For more information, see Injecting the configuration onto the device.
If the device-specific custom properties YAML file contains a property with the same name
and type
as a property in the fcu.yml
FCU configuration file, FCU injects the device-specific custom property.
This section describes the parameters these properties must have:
Parameter | Description | Details | Required |
---|---|---|---|
type |
The expected type of the custom property. | Can be certificate , private-key , public-key , general-data or generated-certificate-key-pair . See the type definitions below. |
Required |
name |
Name of the property to be stored on ESFS. | String. Up to 50 characters long. Do not use the prefix mbed. ; it is reserved. Must be unique. |
Required |
data |
Contents of the custom property. | Up to 5000 bytes. | Leave empty if data-file is provided. |
data-file |
Path to file containing the property's contents. | Treat all values as a byte stream (up to 5000 bytes). | Leave empty if data is provided. |
chain-depth-on-device |
The length of the certificate chain to be stored on device. | Applicable only when type is certificate and data or data-file contains a chain of certificates in PEM format. If chain-depth-on-device doesn’t exist, the chain is expected to have a single certificate. Integer between 1-10. |
Optional |
Available types:
Type | Description | Comment |
---|---|---|
certificate |
X.509 certificate in PEM or DER format. | PEM-format certificates are stored in DER format on the device. |
private-key |
ECC private key in PEM or DER format. | Supported EC Curve: SECP256R1 PEM-format keys are stored in DER format on the device. |
public-key |
ECC public key in PEM or DER format. | PEM-format keys are stored in DER format on the device. |
generated-certificate-key-pair |
Dictionary containing data for the device to generate a private key and CSR (signed by FCU or configured additional CA). | Supported types: dictionary in the following format:
|
general-data |
General simple type value. | Supported types: string, int, bytes. |
Sample configurations for custom properties:
custom-properties:
-
type: certificate
name: Sample.TrustedPartnerCert
data-file: <%= ENV['FCU_RESOURCES_DIR'] %>/trusted-partner.crt
custom-properties:
-
name: Sample.InlineDerCertificate
type: certificate
data: !binary |
MIICMDCCAdWgAwIBAgIQJvkI/PHARqRKTSzxlCf5HzAKBggqhkjOPQQDAjBv
MQswCQYDVQQGEwJHQjEXMBUGA1UECBMOQ2FtYnJpZGdlc2hpcmUxEjAQBgNV
BAcTCUNhbWJyaWRnZTEQMA4GA1UEChMHQVJNIEx0ZDEhMB8GA1UEAxMYQVJN
IEludGVncmF0aW9uIExXTTJNIENBMCAXDTE3MDIxMjEwMzc1MloYDzIwNTIw
MjEyMTA0NzUyWjBvMQswCQYDVQQGEwJHQjEXMBUGA1UECBMOQ2FtYnJpZGdl
c2hpcmUxEjAQBgNVBAcTCUNhbWJyaWRnZTEQMA4GA1UEChMHQVJNIEx0ZDEh
MB8GA1UEAxMYQVJNIEludGVncmF0aW9uIExXTTJNIENBMFkwEwYHKoZIzj0C
AQYIKoZIzj0DAQcDQgAEuuqAAS3w4bbFX/l2hDGpKaHHqP2grdmU5+xaM6Es
jjZDmxjfznEUJLH7FjQOQ/wjd9QT1xGqOWCrot8ks+ugxaNRME8wCwYDVR0P
BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHuhpZSl5Y+VXdTO
3A+Kvq2aa2Y+MBAGCSsGAQQBgjcVAQQDAgEAMAoGCCqGSM49BAMCA0kAMEYC
IQDSBijFMToRjbbLKz/dKpoTMFJ3qtray865XOQyHAL6MAIhALOCJKKxZ2tp
Bw7Nd3SZBpxZsgDAs7s3W8Ab+9lwmLke
custom-properties:
-
type: private-key
name: Sample.SomeFeatureSigningPrivateKey
data-file: <%= ENV['FCU_RESOURCES_DIR'] %>/signing-priv.pem
-
type: public-key
name: Sample.SomePublickKey
data-file: <%= ENV['FCU_RESOURCES_DIR'] %>/some-pub-key.der
custom-properties:
-
type: generated-certificate-key-pair
name: Sample.InlineGeneratedCertificateKeyPair
data:
certificate:
certificate-authority: # Optionally provide CA name here.
subject:
common-name: inline_common_name
organization-name: inline_organization
organizational-unit-name: inline_organizational
locality-name: inline_local
state-or-province-name: inline_state
country-name: GB
key-usage:
digital-signature: true
non-repudiation: true
key-cert-sign: true
extended-key-usage:
any-extended-key-usage: true
server-auth: true
client-auth: true
code-signing: true
email-protection: false
time-stamping: false
ocsp-signing: false
chain-depth-on-device: 2
validity-period-months: 24
private-key-storage: device
public-key-storage: device
custom-properties:
-
type: general-data
name: Factory.SwManufacturerName
data: SomeManufacturer
-
type: general-data
name: Sample.IntValue
data: 35458
custom-properties:
-
type: general-data
name: Sample.GeneralDataBytes
data-file: <%= ENV['FCU_RESOURCES_DIR'] %>/some-data.bin
-
type: certificate
name: Sample.TrustedOnlineServiceCert
data: |
-----BEGIN CERTIFICATE-----
MIIDsjCCApqgAwIBAgIQAeao0CRBMj9YWf0vWw1u0jANBgkqhkiG9w0BAQsFADA4
MRMwEQYDVQQKEwpHbG9iYWxTaWduMSEwHwYDVQQDExhHbG9iYWxTaWduIG1UTFMg
SW5mcmEgQ0EwHhcNMTcxMjE0MTAyODUyWhcNMTgxMjE0MTYxNzM4WjAzMREwDwYD
VQQDEwhBUk0gTWJlZDELMAkGA1UEBhMCR0IxETAPBgNVBAoTCEFSTSBNYmVkMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJcENDq/V9xI+J/AYmEmTqym
Qw3eeOOnhVNo2tATI9fNR99qnBTUMFwfmKxt8uZQ2oE55FlrBZOqVfj60WB51NB0
e0cSMvZlq4Gwx7cBkMjCfLf14TngeDoXWdA00px1SYH5pXOtIIPRn1YXIXjXDQkd
41R4dKeFEOlk84HBwb/lnBQRycVWPPP/n5ucsVzm+7zSw8d3jSNPe4IK5fjqUhfu
mzISNZx9qa6zkA6YlDfAlpzN66Ot4kr6dXLUqEkQyKo7lLDY5TvJTVpvOBYy6P33
Ba5LHmNOrr2bpy+lVxQkeBQ2ZGG1XjtmaF9BLZsAfM0ILnR+4DGF37T3TT6ikwID
AQABo4G8MIG5MB0GA1UdDgQWBBTbMxrEWKPQ9nDgYw7fucfRPsPJsDAJBgNVHRME
AjAAMB8GA1UdIwQYMBaAFD3Y0AtxC2Afj5Jt6zaf2lHr8uVWMEcGA1UdHwRAMD4w
PKA6oDiGNmh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vY2EvR2xvYmFsU2lnbm1U
TFNJbmZyYUNBLmNybDAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUH
AwIwDQYJKoZIhvcNAQELBQADggEBACPZvmuJi27r7ksZ8Xmk87JzzlgmFKTJN436
+Q5oK9iGtuguIC5COjsJLped9gRFEUH7BrmK5spW3bJqB7KHuRt9pB3Xf5Q9MFem
Ysf23TkjmKLi3cQdEVdzYOYrjAu3RTuN44O/1qfjb/SSR7X+9WMKykGJd8gl8RTL
s7K1pnF2Zpptm8XU40VXzNH45cPyrmXtEOPU+UTtAhE7MfE6bbOrxazV6ncC3Ybe
Xf2hRuSiO2MaSbwtYZCcSjC79if4HOu5P1qvLjWyVkebNkTOb2OR0TxQTLnCLAit
sLGO4z4MKdDSO4VNlj1qDXgOExwIPnhS16h/jHDOLbpOKVdnR8c=
-----END CERTIFICATE-----
custom-properties:
-
type: general-data
name: network_address
data: 2001:2345::1
-
type: general-data
name: network_secret
data: !!binary |
c23tZSBzZWNyZXQgZGF1YSBoZXJlLi4=
Sample configuration file
############################################################
# Factory Configurator Utility Configuration
# Used for configuring FCU library
############################################################
############################################################
# Configuration used for setting up the tool as a
# Certificate Authority
############################################################
certificate-authority:
common-name: Sample Cert
organization-name: Company Ltd.
organizational-unit-name: Mbed Factory
locality-name: Madison
state-or-province-name: Wisconsin
country-name: US
# Defines whether FCU is set up as an intermediate Certificate Authority:
# - false: The setup command creates a self signed certificate to be used by FCU for signing the device certificates.
# - true: The setup command creates a CSR. The customer should use its Certificate Authority to sign the CSR and provide the certificate to FCU as 'fcu.crt' file.
# Note: If the 'fcu.crt' is a certificate chain, you must specify the 'device-certificate-chain-depth' when using FCU as a certificate authority.
setup-ca-as-intermediate: false
############################################################
# Configuration used for setting up additional certificate authorities.
# Used for custom properties of type 'generated-certificate-key-pair'
#
# additional-certificate-authorities:
# <CA name>:
# certificate-authority:
# common-name:
# organization-name:
# organizational-unit-name:
# locality-name:
# state-or-province-name:
# country-name:
# setup-ca-as-intermediate: true/false
############################################################
############################################################
# Device General Information
############################################################
# Use bootstrap server (true/false). Required
use-bootstrap: true
# Include time synchronization parameters in device configuration (true/false)
time-sync: true
############################################################
# Bootstrap Configuration
# Relevant when 'use-bootstrap' is set to true
############################################################
# Bootstrap server URL, for example coaps://bootstrap.arm.com
bootstrap-server-uri: coaps://auto_generated_uri.com?aid=123456abcd015867c96c2202420a1234
# File location for bootstrap server CA certificate.
bootstrap-server-ca-certificate-file: <%= ENV['FCU_RESOURCES_DIR'] %>/bootstrap-server-certificate.crt
# First to claim (true/false).
# If true, the Bootstrap server URL used is the Bootstrap server first-to-claim URL.
first-to-claim: false
# Bootstrap server first-to-claim URL.
# Same URL as bootstrap-server-uri, omitting the account-id.
bootstrap-server-uri-first-to-claim: coaps://auto_generated_uri.com
############################################################
# LwM2M Configuration
# Relevant when 'use-bootstrap' is set to false
############################################################
# LwM2M server URL, for example coaps://connector.arm.com
lwm2m-server-uri: coaps://auto_generated_uri.com?aid=123456abcd015867c96c2202420a1234
# File location for LwM2M server CA certificate.
lwm2m-server-ca-certificate-file: <%= ENV['FCU_RESOURCES_DIR'] %>/lwm2m-server-certificate.crt
############################################################
# Update auth (for firmware update)
############################################################
# File location for Update auth certificate
update-auth-certificate-file: <%= ENV['FCU_RESOURCES_DIR'] %>/update-auth-certificate.crt
# Vendor-Id - UUID string that represents the vendor (for example, "fa6b4a53-d5ad-5fdf-be9d-e663e4d41faf")
vendor-id: 'fa6b4a53-d5ad-5fdf-be9d-e663e4d41faf'
# Class-Id - UUID string that represents the device class (for example, "4a5fa6b3-5fef-fe9d-bee4-66e41f3e4daf")
class-id: '4a5fa6b3-5fef-fe9d-bee4-66e41f3e4daf'
############################################################
# LwM2M Device Object Information
############################################################
device-info:
# Manufacturer name (String)
manufacturer-name: SomeManufacturer
# Device type (String)
device-type: Sensor-A
# Model Number (String)
model-number: TEMP-SENSOR-MVMF7IF
# Hardware version (String)
hardware-version: 1A
# Memory total size in kilobytes. (Integer)
memory-total: 10240
# Device timezone
timezone: GMT
############################################################
# Configuration used for generation of device certificates
############################################################
# Device key generation modes:
# Defines the source of 'device keys' (Device DTLS private key and certificate)
# - 'by_device': The device generates the private key and signs a CSR,
# the FCU signs the CSR and creates a certificate to be passed to the device
# - 'by_tool': The tool generates device keys (default)
# - 'externally_supplied': The user supplies device keys and provides them to the tool as files
# under 'device-keys-location', which is provided as a command-line parameter
device-key-generation-mode: by_tool
device-certificate:
organization-name: Sample Org Ltd.
organizational-unit-name: IoT-Temp-Sensors
locality-name: Texas City
state-or-province-name: Texas
country-name: US
# If certificate chains used: defines the length of the certificate chain to be stored on device (Integer between 1-10)
# Note: The length of the certificate chain that will be stored depends on device capability, by default devices support only up to 5 certificates.
# The device capability can be changed by modifying compilation flag KCM_MAX_NUMBER_OF_CERTITICATES_IN_CHAIN. Its' default value is 5 and it's located in `kcm_defs.h` file
device-certificate-chain-depth: 2
############################################################
# Configuration used for generation of device entropy
############################################################
# Device entropy generation modes:
# Defines the source of 'device entropy'
# - 'by_device': The device generates the entropy; FCU does not pass entropy to the device (default)
# - 'by_tool': The tool generates device entropy
# - 'externally_supplied': The user supplies device entropy and provides it to the tool as
# "entropy.bin" file under 'device-keys-location', which is provided as a command-line parameter
entropy-generation-mode: by_device
############################################################
# Trust Level
############################################################
# Secure storage types:
# Defines the device storage type
# - 0: Unspecified
# - 1: Externally inaccessible storage
# - 2: Secure storage with protected local root of trust
# - 3: Secure storage with externally inaccessible local root of trust
secure-storage-type: 0
# Secure hardware components:
# Multiple values can be set
secure-hardware-components:
non-secure-hardware: true
uVisor: false
trust-zone-M: false
trust-zone-A: false
crypto-with-lrot: false
# Device Private Keys in field generation:
# Controls the method in which keys are generated, in field
# - 'by_cloud': Device private keys are never generated on device in field – the private keys are generated only by the cloud.
# This option is less secure. This setting cannot be overridden by cloud once device is in the field (default)
device-private-keys-in-field-generation: by_cloud
############################################################
# Secure Device Access
############################################################
# Trust Anchors:
trust-anchors-public-key-files:
- <%= ENV['FCU_RESOURCES_DIR'] %>/ta.367E98852E.pem
Logging
FCU uses Python’s built-in logging module to perform system logging as a sub-logger.
Configuring logs is a two-step process performed when you implement your factory tool:
-
Configure the Python root logger (as you can see in the factory tool demo).
For details about the usage and configuration of this module, see the official Python documentation.
-
Configure the FCU sub-logger. For example:
You can set FCU's log level to
error
, so that warnings and messages aren't logged:logging.getLogger('fcu').setLevel(logging.ERROR)
You can rotate the log file at a set time interval:
file_handler = logging.handlers.TimedRotatingFileHandler(filename, when='h', interval=1, backupCount, encoding=None, delay=False, utc=False, atTime=None)
For more information, see the official Python documentation.
FCU logs
FCU generates two types of logs: debug logs, which monitor the system, and audit logs, which you can use to analyze system usage.
-
FCU debug log format:
<OPERATION>: <ENDPOINT_NAME>; <ACCOUNT_ID> - <MESSAGE>
Where
<OPERATION>
can be:PREP
: Prepare device configuration API.VER
: Verify device response API.STAT
: Get setup status API.SETUP
: Set up the Factory Configurator Utility API.
<ENDPOINT_NAME>
and<ACCOUNT_ID>
are not mandatory, and are only set in APIs that have or need access to them. -
FCU audit log format:
<OPERATION>: <ENDPOINT_NAME>; <ACCOUNT_ID> - AUDIT: <API> <AUDIT_MESSAGE>
Where
<AUDIT_MESSAGE>
can be:Operation completed successfully
Operation completed with warnings
Operation completed with errors: <fcu_error_code>; <fcu_error_message>
For errors, the audit log message prints the FCU error number and message as listed in FCU error codes.
Log file rotation
We recommend setting log file rotation so that your factory tool server does not halt or fail because of insufficient free disk space.
To configure the log file rotation:
file_handler = logging.handlers.RotatingFileHandler(log_file, mode, maxBytes, backupCount)
handlers.append(file_handler)
# where the maxBytes and backupCount values to allow the file to rollover at a predetermined size.
For more information about log file rotation and other logging configuration, see the official Python documentation.