Devices
As devices belong to an application, you need to create an application first.
The following commands will explicitly select the application by providing the --app <app name> argument. You can
however use drg config set-default-app, to set a default application and omit the --app argument.
Create a new device
A new device is being created using the following command:
drg create device --app my-app my-device-1This will create my-device-1 as part of my-app.
In most cases a device will require additional information, like access credentials or gateway assignments. You can
provide initial configuration using the --spec <json> argument:
drg create device --app my-app my-device-1 --spec '{"authentication": {"credentials":[{ "pass": "foobar" }]}}'The --spec argument accepts a JSON string of the full "spec" section of the device.
Modifying a device
You can edit the device configuration in YAML the same as the application:
drg edit device --app my-app my-device-1This will open an editor, and allow you to make modifications to the YAML source. When you close the editor, the change will be sent to the server for updating.
Deleting a device
An existing device can be deleted using the following command:
drg delete device --app my-app my-device-1| If a device requires any cleanup, the device will be first marked as deleted, the cleanup will be processed, and then the device will be deleted. |
Setting password credentials
It is possible to set a password as access credentials. This way, when connecting, the username will be the device name.
Procedure
Configure the device, adding a password credentials entry:
metadata:
name: device
# …
spec:
# …
authentication:
credentials:
- pass: my-password (1)| 1 | One credential entry of type "password". |
You can also use hashed passwords. For this, you need to specify the hash algorithm:
metadata:
name: device
# …
spec:
# …
authentication:
credentials:
- pass:
bcrypt: "$2a$12$WsLmgORBv3WHZ3CjCiMzXOeo2hL5UEeq8PEd11q9BfbM/RWqb7c3G" (1)| 1 | One credential entry of type "password" as "bcrypt" hash. |
See Supported hashes for a list of supported password hashes.
Setting username/password credentials
It is also possible to set a username and password as credentials. In this case, the device ID must be transmitted through an alternate way, in order to look up the device. The provided username/password combination will then be checked against the configured username/password combination.
The way the device name is transmitted to the endpoint depends on the capabilities of the protocol endpoint. For example, using HTTP, the device name can be provided as an additional query parameter.
Procedure
Configure the device, adding a password credentials entry:
metadata:
name: device (1)
# …
spec:
# …
authentication:
credentials:
- user:
username: device-user (2)
password: bar (3)| 1 | The device name |
| 2 | The username |
| 3 | The plain text password |
You can also use hashed passwords, instead of plain text:
metadata:
name: device (1)
# …
spec:
# …
authentication:
credentials:
- user:
username: device-user (2)
password:
bcrypt: "$2a$12$WsLmgORBv3WHZ3CjCiMzXOeo2hL5UEeq8PEd11q9BfbM/RWqb7c3G" (3)| 1 | The device name |
| 2 | The username |
| 3 | The bcrypt hashed password |
See Supported hashes for a list of supported password hashes.
Setting username/password credentials (unique username)
If you want to use the username only for authenticating your device, without the need to provide an additional device identifier, you can use "unique usernames". These usernames are unique per application.
Procedure
Configure the device, adding a password credentials entry:
metadata:
name: device
# …
spec:
# …
authentication:
credentials:
- user:
username: device-user
password: bar
unique: true (1)| 1 | Setting the value to true makes the entry a unique username entry. |
As described in Setting username/password credentials, you can use hashed passwords too.
Setting X.509 client certificate credentials
If you want to use client certificates to authenticate your device, your application must be configured with a trust root that can verify the device.
Procedure
Configure the application, adding a password credentials entry:
metadata:
name: application
# …
spec:
# …
trustAnchors:
anchors:
- certificate: <base64 encoded certificate> (1)| 1 | The certificate must be a base64-encoded DER-encoded X.509 certificate. |
The device authenticating must present the client certificate in the (D)TLS handshake. The X.509 certificate issuer must correspond to the application name, and the subject must correspond to the device id.
Setting TLS-PSK credentials
If you want to use pre-shared keys to authenticate your device, your device must be configured with the pre-shared key you wish to use.
Procedure
Configure the device, adding a password credentials entry:
metadata:
name: device
# …
spec:
# …
authentication:
credentials:
- psk:
key: aGV5LXJvZG5leQ== (1)
validity: (2)
notBefore: 2022-10-05T07:05:26Z (3)
notAfter: 2023-10-05T07:05:26Z (4)| 1 | The key must be base64-encoded. |
| 2 | (Optional) If not present, the pre-shared key is valid forever. |
| 3 | The earliest date (ISO 8601 date) the key will be valid. |
| 4 | The latest date (ISO 8601 date) the key will be valid. |
Configuring a gateway device
Every device can act as a gateway for another device. However, it must be granted the permission to act on behalf of that other device.
The way this is done, is by adding this information to the device connects through a gateway.