Using DPS SDK together with IoT edge #55

Closed
nhuurnink opened this issue Jul 23, 2018 · 9 comments

@nhuurnink

Hi there,

I want to automatically provision my IoT Edge devices, but I don't have a TPM module on my devices.
So what I want to do is to use the device provisioning SDK to gain a connectionString, which I then paste in my configuration for IoT edge.

I've tried this with X509 certificates using https://github.com/Azure/azure-iot-sdk-csharp/tree/master/provisioning/device/samples , but I can only send messages to my IoT-Hub (after my device is assigned) using this certificate and I don't get a connection string returned. How can I make this work properly so I can use IoT Edge on an "already-x509-assigned" device?

@darobs darobs added the enhancement New feature or request label Jul 23, 2018
@darobs
Contributor

darobs commented Jul 23, 2018

Hello @nhuurnink,

I am not sure there is a way to do this on the IoTHub. Symmetric keys and X.509 authentication seem to be an either/or proposition.

Ideally, we'd want to provide you with X.509 DPS support on IoT Edge, which is a feature we very much want to support. One of the things I can do is make sure to communicate the need for it during planning.

@nhuurnink
Author

Thank you, that would be great, otherwise there isn't much use for IoT Edge in production scenarios where a TPM module is not guaranteed.

I'm not going to provision 100k devices by hand :)

@gauravagarwal28

Hey @darobs,
I'm working on automatic provisioning for IoT Edge devices too and had the same question as @nhuurnink.

I would highly appreciate any update or a tentative date on release of X.509 certificate attestation for IoT Edge devices to enable automatic device provisioning.

@meshell

meshell commented Jan 9, 2019

Hey @darobs
Any update on this issue? I really need to provision an edge device without TPM automatically (using DPS).
Thanks a lot

@myagley
Contributor

myagley commented Jan 22, 2019

We are bringing support for DPS's Symmetric Key attestation shortly (https://docs.microsoft.com/en-us/azure/iot-dps/how-to-legacy-device-symm-key). We are trying to get this in the February release. This method does not require a TPM.

The x.509 certificate attestation is also in the plan, but requires some changes in the IoT Hub service to work effectively. At this point, the best guidance I can give is after February and before July. I'll update the thread here if this changes or becomes more concrete.
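
The symmetric key attestation mentioned above needs no TPM, and with a DPS enrollment group each device's key is derived from the group key and the device's registration ID, so devices never have to be keyed by hand. The sketch below is an added example, not code from this thread or from the IoT Edge project; the group key, scope ID and expiry are constructed values and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote

# Constructed sample values (assumptions, not taken from this thread).
GROUP_KEY_B64 = base64.b64encode(bytes(range(32))).decode("ascii")
SCOPE_ID = "0ne00EXAMPLE"  # placeholder ID scope


def derive_device_key(group_key_b64: str, registration_id: str) -> str:
    """Base64(HMAC-SHA256(Base64Decode(group key), registration ID)).

    Run this where the group key lives (factory or provisioning back end);
    only the returned per-device key should ever be written to a device.
    """
    group_key = base64.b64decode(group_key_b64, validate=True)  # raises on malformed input
    mac = hmac.new(group_key, registration_id.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def dps_sas_token(scope_id: str, registration_id: str, device_key_b64: str, expiry: int) -> str:
    """SAS token the device presents to DPS, signed with its derived key."""
    resource = quote(f"{scope_id}/registrations/{registration_id}", safe="")
    key = base64.b64decode(device_key_b64, validate=True)
    mac = hmac.new(key, f"{resource}\n{expiry}".encode("utf-8"), hashlib.sha256)
    sig = quote(base64.b64encode(mac.digest()).decode("ascii"), safe="")
    return f"SharedAccessSignature sr={resource}&sig={sig}&se={expiry}&skn=registration"


if __name__ == "__main__":
    for reg_id in ("dps-iotedgedevice-002", "dps-iotedgedevice-003"):
        device_key = derive_device_key(GROUP_KEY_B64, reg_id)
        token = dps_sas_token(SCOPE_ID, reg_id, device_key, int(time.time()) + 3600)
        print(f"registration_id: {reg_id}\nsymmetric_key:   {device_key}\n{token}\n")
```

The derived key is the value that goes in a device's `symmetric_key` setting next to its `registration_id`; because the group key stays off the device, extracting one device's key does not expose the keys of the others.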

@xwdreamer

Hi @myagley,
Does Azure IoT Edge support Symmetric Key DPS provisioning now?
When I change the provisioning type, I can't start Azure IoT Edge.

the iot edge status

```
pi@raspberrypi:/etc/iotedge $ systemctl status iotedge
● iotedge.service - Azure IoT Edge daemon
   Loaded: loaded (/lib/systemd/system/iotedge.service; enabled; vendor preset: enabled)
   Active: inactive (dead) (Result: exit-code) since Fri 2019-06-28 16:55:06 CST; 17min ago
     Docs: man:iotedged(8)
  Process: 16015 ExecStart=/usr/bin/iotedged -c /etc/iotedge/config.yaml (code=exited, status=1/FAILURE)
 Main PID: 16015 (code=exited, status=1/FAILURE)
      CPU: 13ms

6月 28 16:55:06 raspberrypi systemd[1]: iotedge.service: Unit entered failed state.
6月 28 16:55:06 raspberrypi systemd[1]: iotedge.service: Failed with result 'exit-code'.
6月 28 16:55:06 raspberrypi systemd[1]: iotedge.service: Service hold-off time over, scheduling restart.
6月 28 16:55:06 raspberrypi systemd[1]: Stopped Azure IoT Edge daemon.
6月 28 16:55:06 raspberrypi systemd[1]: Dependency failed for Azure IoT Edge daemon.
6月 28 16:55:06 raspberrypi systemd[1]: iotedge.service: Job iotedge.service/start failed with result 'dependency'.
```

the /etc/iotedge/config.yaml file

```yaml
# DPS symmetric key provisioning configuration
provisioning:
  source: "dps"
  global_endpoint: "https://global.azure-devices-provisioning.net"
  scope_id: "0ne00xxxxxxx68"
  attestation:
    method: "symmetric_key"
    registration_id: "dps-iotedgedevice-002"
    symmetric_key: "Pk8v+zaUQIg0dQxxxxxxxxxxsXKlZwWw3WCqWk2GE="
```

@ilyas-it83

What's the status of X509 support for IoT Edge with DPS?

@veyalla
Contributor

veyalla commented Sep 10, 2019

@ilyas-it83 This support will be available in the 1.0.9 release we're targeting for release by end of Sep. You can watch the azure-iotedge releases repo to get notified when the release goes live.

@lt72

lt72 commented Oct 30, 2019

@ilyas-it83 @nhuurnink closing issue, please re-open if necessary.
