
In the Azure Internet of Things environment, when trying to connect any devices that cannot support the usage of Microsoft's reference architecture, protocol translation is recommended.

I have implemented a translation gateway that multiplexes connections, and functions similarly to this implementation that uses the "device connect" access policy to send messages to the Cloud IoT Hub as whatever device, over a single AMQP connection. As an example, the messages are sent over the following link: `'/devices/' + deviceIdentifier + '/messages/events'`.

This is completely functional for a connection formed by device -> my middleware -> Cloud IoT Hub and for the reverse direction. I would like to implement the same with the introduction of a transparent gateway, that is device -> my middleware -> Edge IoT Hub -> Cloud IoT Hub.

My issue arises from the Edge Hub seemingly not accepting the "device connect" access policy key.

As authentication I am building a SharedAccessSignature, as can be seen in the example repository and below; however, as far as I can tell, unlike `SharedAccessKeyAuthenticationProvider.fromConnectionString`, there is no way to specify the `gatewayHostName`.

```javascript
// SharedAccessSignature.create(resourceUri, keyName, key, expiry) from azure-iot-common;
// the resource URI is passed already URL-encoded and expiry is a Unix time in seconds.
const { SharedAccessSignature } = require('azure-iot-common');

this.sas = SharedAccessSignature.create(
    encodeURIComponent(this.endpoint), this.keyName, this.key,
    Math.ceil((Date.now() / 1000) + this.KEY_TIMEOUT)
);
```

In short, I am trying to have my middleware "impersonate" any of the devices on the hub, over a single TLS connection, using the "device connect" access policy key, through a Transparent IoT Edge Gateway; however, I see no place to specify the `gatewayHostName` parameter on a SharedAccessSignature, or a way to find and configure IoT hub-level shared access policies on an IoT Edge hub.

azthec
    When a client sees `HostName={a};GatewayHostName={b}` in a connection string, it knows to make the TCP connection to {b} instead of {a}. But it also has to add {a} to the username when it makes the connection, so Edge Hub knows which IoT Hub to connect to. When the client makes the connection to Edge Hub with a hub-level token, the username should be `{policy}@sas.root.{a}`. Can you try that? – Damon Barry Mar 19 '19 at 23:37
    Also, I believe the environment variable `AuthenticationMode=Cloud` has to be set in Edge Hub, otherwise the Edge Hub will try to authenticate the device, which it doesn't know how to do for the "device connect" policy key. Setting that variable makes Edge Hub passive; it will pass the auth request to IoT Hub. The downside is that it disables offline capabilities so it usually isn't recommended. – Damon Barry Mar 19 '19 at 23:43
  • Hello, first of all, thanks for the help. I have managed to get it to complete the `connect` and `initializeCBS` steps after configuring the transportConfig to include the SSL CA Cert; I only mention this as it might help someone else. – azthec Mar 20 '19 at 17:45
  • More related to this question when placing the audience token I am getting `Matching template not found for audience amqps://${string}`, for any of the following three strings: `"iothubdemo91.azure-devices.net"`, `"iothubdemo91"` and `"edgeDevice1"`. Next goes my SAS and my audience. `let sas = SharedAccessSignature.create( encodeURIComponent(${any_of_strings_above}), keyName,key,Math.ceil((Date.now() / 1000) + 3600) ); let audience = keyName + "@sas.root.iothubdemo91.azure-devices.net" // + this.endpoint let token = sas.toString(); amqp.putToken(audience, token);` – azthec Mar 20 '19 at 17:45
  • @DamonBarry Could you take a look at my last comment? I am able to do everything connection wise, but I don't know the correct audience token, it is not iothubowner@sas.root.iothubdemo91.azure-devices.net, which only works for the Azure Cloud IoT Hub. – azthec May 20 '19 at 17:33
  • so it looks like you are at the point where you need the AMQP connection string to be right for IoT Edge, right? (if I'm reading the thread right).. it is a little tricky, and not well documented. the correct format is amqps://[device_id]@sas.[short-hub-name]:[sas-token]@[target-endpoint]/[operation] where short-hub-name is the name of your hub *without* the .azure-devices.net and the target-endpoint is the FQDN of your Edge device.. you can find a write-up on how to do this with an example at http://busbyland.com/raw-amqp-to-iot-hub-and-iot-edge/ – Steve Busby - MSFT May 21 '19 at 17:55
  • in other words, try it without the 'root' in sas.root.[hub name] (and make sure the target endpoint is your edge box).. full disclosure, this is with a device scoped key, so there will be some adjustments for a hub scoped key, but it's possible just removing the 'root' will work. I haven't tried it with a hub scoped key – Steve Busby - MSFT May 21 '19 at 18:20
  • @azthec Sorry I pinged someone who knows more about AMQP than me but didn't hear back, then I forgot about it. It looks like Steve may have the answer for you anyway... – Damon Barry May 25 '19 at 00:35

0 Answers