
I am trying to connect a Minew BLE Gateway Device (https://en.minewtech.com/gateway.html) to Azure IoT Central. The device template has a prebuilt template for this device named FM 201 BLE and I just went along with it. The gateway requires you to connect it through X509 (ECC) certificates, so I created some self-signed certificates and uploaded them to the gateway device from its dashboard:

(screenshot)

I grabbed the URL from here

(screenshot)

Is there anything I'm doing wrong? I'm expecting something in the analytics of my IoT Central application, or at least a log file from the BLE Gateway somewhere if the authentication with certificates failed. Any lead will be highly appreciated. I've spent hours on the web trying to get this working.

Shahab Uddin
  • The application URL you are using is not the endpoint the device should talk to. Normally to connect with Central the device first contacts DPS and then gets assigned the IoT Hub endpoint. My guess is that you need to fill in that IoTHub endpoint on your Minew device. – Matthijs van der Veer Dec 23 '19 at 13:36
  • Hey, thank you. I did a bit of googling. The Minew device cannot utilize the SDK to get the hub's URL you are referring to. It literally has a simple dashboard where I am to enter a host URL. Do you know where I can get this underlying IoT Hub's URL from the dashboard, which I can just paste into my Minew device's host field? – Shahab Uddin Dec 23 '19 at 15:01
  • @ShahabUddin you can obtain the *HostName* of the underlying IoTHub from the connection string generated by utility **dps_cstr**, see the following link https://github.com/Azure/dps-keygen/tree/master/bin/windows – Roman Kiss Dec 24 '19 at 11:02
  • @roman: Hey, I just tried that tool and got a string in this format: Hostname=x;Deviceid=y;ShareAccesskey=z. I copied the x (hostname) and entered it into the URL input field of my BLE gateway's dashboard. Nothing seems to have changed so far (the gateway device doesn't generate any logs, to make the matter worse). PS, I'm trying to connect with X509 certificates, as you know. I've already tried this URL previously in the host URL field, global.azure-devices-provisioning.net, and neither has done the job for me. – Shahab Uddin Dec 24 '19 at 11:19

1 Answer


I do recommend the following steps before connecting the real device to IoT Central:

  1. Create 3 devices (e.g. device1, device2 and device3), each with a different authentication type such as sas, selfSigned and certificateAuthority, on the IoT Hub (you can also use the Free tier).

  2. Create a simulated device (console program) for each authentication type, connect them to the IoT Hub and send a couple of messages.

  3. I believe that all devices will work properly (like in my test), so the authentication through a CA certificate (and the leaf certificate) and a self-signed certificate is OK.

Note that the above steps passed in my test using C# simulated devices (.NET SDK) and also with the MQTT direct protocol with my Azure IoT Hub Tester.

  4. Once your simulated devices are working, this step is to replace them (except the sas device) with your real device. This is a critical step, which will prove that your real device can be connected to the Azure IoT Hub.

  5. In this step, we are going to replace the IoT Hub with the IoT Central Application. You can create a free preview application. You can upload the device template such as FM-201 IoT Gateway and create the 3 devices like in step 1 from this template. Note: use the same device IDs as in step 1, so we can use the same device leaf certificates.

  6. Using the tool dps_cstr we can get the device connection string for the underlying IoT Hub of the IoTC App.

  7. Replace the hostname in your simulated devices; you also need to create the sas token from this connection string for the device that authenticates with the sas token.

  8. Run the simulated devices connected to the IoTC App.

  9. Based on my recent test, you will see that only the sas device is working; the others, the certificate devices, fail with an authentication error.

  10. This step is for troubleshooting why the X509 simulated devices, once switched to the IoTC App, don't authenticate with the same certificates. There is no proper documentation for this case, and I hope that someone from the IoT Central team will answer whether we can switch an X509 device between the IoT Hub and the IoTC App like we can do for a sas device.

Update:

Based on the Provisioning Device Client Sample - Microsoft Azure IoT SDK for .NET, steps 6 and 7 are fine for the sas device, where the utility dps_cstr registers a device for a SecurityProviderSymmetricKey. Once the device has been registered and provisioned with this security provider, the real device(s) must be connected this way only. That's the reason why we are getting an error for the simulated x509 devices. So, the following step is an example of provisioning an X509 device with a leaf certificate (device3.pfx). Note that the CA certificate must be uploaded to the IoTC Application.

6a. Registering device3 (from step 1) to the IoTC App

// Namespaces needed by the snippet (Microsoft.Azure.Devices.Provisioning.Client and
// Microsoft.Azure.Devices.Provisioning.Transport.Mqtt NuGet packages)
using System.Security.Cryptography.X509Certificates;
using Microsoft.Azure.Devices.Provisioning.Client;
using Microsoft.Azure.Devices.Provisioning.Client.Transport;
using Microsoft.Azure.Devices.Shared;

string GlobalDeviceEndpoint = "global.azure-devices-provisioning.net";
string idScope = "<idScope_IoTCapp>";
string certificateFileName = @"<your path>\device3.pfx";
//
// "1234" is the password of the test pfx; the leaf certificate's CN must match the registration ID (device3)
var cert = new X509Certificate2(certificateFileName, "1234");
var securityProvider = new SecurityProviderX509Certificate(cert);
var transport = new ProvisioningTransportHandlerMqtt(TransportFallbackType.TcpOnly);
var provClient = ProvisioningDeviceClient.Create(GlobalDeviceEndpoint, idScope, securityProvider, transport);
// Blocks on the registration; in async code use: var result = await provClient.RegisterAsync();
var result = provClient.RegisterAsync().Result;
string hostname = result.AssignedHub;
string deviceId = result.DeviceId;

At this point, the device status in the IoTC App is Provisioned and the simulated or real device can be connected.

6b. You can also use the REST APIs to provision a device to the IoT Central App. The following screen snippets show provisioning the X509 device3, authenticated by its leaf certificate, using Postman:

Before using the REST calls, we have to add the device3 leaf certificate to Postman:

(screenshot)

Now, we can call a provisioning service:

PUT https://global.azure-devices-provisioning.net/0ne000AA0F5/registrations/device3/register?api-version=2019-03-31

(screenshot)

To get the registrationState object:

GET https://global.azure-devices-provisioning.net/0ne000AA0F5/registrations/device3/operations/{operationId}?api-version=2019-03-31

(screenshot)

As you can see in the above picture, the IoTC application is ready for a connection from a real X509 device.

 "registrationState": {
    "x509": {
        "enrollmentGroupId": "fa472b95-b5f6-47af-a4ef-9490f45c3961"
    },
    "registrationId": "device3",
    "createdDateTimeUtc": "2020-01-04T17:09:15.5147034Z",
    "assignedHub": "iotc-bceedf66-9792-4f32-b49f-7674a6aa09ff.azure-devices.net",
    "deviceId": "device3",
    "status": "assigned",
    "substatus": "initialAssignment",
    "lastUpdatedDateTimeUtc": "2020-01-04T17:09:15.6947214Z",
    "etag": "IjBmMDA3YTgzLTAwMDAtMGMwMC0wMDAwLTVlMTBjNmJiMDAwMCI="
}

Note that in the case of provisioning a sas device (such as device1 in this test) using the REST calls, the Authorization header must be configured with a sas token:

string sas = generateSASToken($"{scopeId}/registrations/{deviceId}", deviceKey, "registration");

7a. The following code snippet is an example of sending telemetry data from the X509 device with its leaf certificate (device3.pfx):

using System.Text;
using Microsoft.Azure.Devices.Client;
using Newtonsoft.Json;

// hostname, deviceId and cert come from the step 6a snippet above
using (var dc = DeviceClient.Create(hostname, new DeviceAuthenticationWithX509Certificate(deviceId, cert), Microsoft.Azure.Devices.Client.TransportType.Mqtt))
{
   var telemetryDataPoint = new { bleCnt = 50, telemetryLocation = new { lat = 49.85, lon = 20.99, alt = 29.41 } };
   // Each call must be awaited: ConfigureAwait(false) alone does not wait for the task,
   // so the using block would dispose the client before the message is sent
   await dc.OpenAsync().ConfigureAwait(false);
   await dc.SendEventAsync(new Message(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(telemetryDataPoint)))).ConfigureAwait(false);
   await dc.CloseAsync().ConfigureAwait(false);
}

Also, using my Azure IoT Hub Tester, which is based on the M2Mqtt library, device3 with the leaf certificate device3.pfx has been successfully connected to the IoTC app.

Based on the above update, I would like to correct step 10. It looks like the devices (such as the sas and X509 ones) can be switched between the Azure IoT Hub and the IoT Central Application once the devices have been provisioned on the IoTC App. In other words, the hostname (e.g. from my test IoTC App preview, iotc-bceedf66-9792-4f32-b49f-7674a6aa09ff.azure-devices.net) from the provisioning process is a valid device-facing endpoint.

Also, my test showed that the device with the MQTT direct protocol using a leaf certificate (device3.pfx) for the connection to the IoTC app is working very well in both directions, including a PnP model.

The following screen snippets show the device side and the IoTC application:

(screenshot)

publishing some telemetry data:

(screenshot)

showing telemetry data on the dashboard:

(screenshot)

and the root CA certificate on the IoTC app:

(screenshot)

Roman Kiss
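Added example (not code from the question, the answer or Microsoft): the DPS exchange the answer drives from Postman in 6b (PUT .../registrations/{id}/register, then GET .../operations/{operationId} until the status leaves "assigning"), written as a small stdlib-only client that covers both the X509 case (TLS client certificate, where the registration ID in the URL must equal the certificate CN) and the sas case from the note after 6b (Authorization header carrying a SAS token with skn=registration). The ID scope, file paths, device key and the operationId wrapper around the sample response are constructed placeholders; the registrationState body is the one shown in the answer. The parser is what the gateway needs to end up with: the assignedHub hostname, which is the device-facing endpoint the comments were looking for.

```python
import base64
import hashlib
import hmac
import json
import ssl
import time
import urllib.parse
import urllib.request

DPS_HOST = "global.azure-devices-provisioning.net"
API_VERSION = "2019-03-31"

# Constructed demo key (base64 of an arbitrary byte string), not a real device key.
DEMO_DEVICE_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret").decode("ascii")


def register_url(id_scope, registration_id):
    return (f"https://{DPS_HOST}/{id_scope}/registrations/{registration_id}"
            f"/register?api-version={API_VERSION}")


def operation_url(id_scope, registration_id, operation_id):
    return (f"https://{DPS_HOST}/{id_scope}/registrations/{registration_id}"
            f"/operations/{operation_id}?api-version={API_VERSION}")


def dps_sas_token(id_scope, registration_id, device_key_b64, ttl_seconds=3600, now=None):
    """SAS token for the sas (symmetric key) registration path.

    sr is the URL-encoded resource "<idScope>/registrations/<registrationId>",
    sig = Base64(HMAC-SHA256(Base64Decode(key), sr + "\\n" + expiry)), and the
    key name (skn) for DPS is always "registration".
    """
    expiry = (int(time.time()) if now is None else now) + ttl_seconds
    sr = urllib.parse.quote(f"{id_scope}/registrations/{registration_id}", safe="")
    to_sign = f"{sr}\n{expiry}".encode("utf-8")
    digest = hmac.new(base64.b64decode(device_key_b64), to_sign, hashlib.sha256).digest()
    sig = urllib.parse.quote(base64.b64encode(digest).decode("ascii"), safe="")
    return f"SharedAccessSignature sr={sr}&sig={sig}&se={expiry}&skn=registration"


def parse_operation(body):
    """Reduce a DPS register/operation response to what the device needs next.

    "assigning" means poll again (honouring Retry-After); "assigned" carries
    the IoT Hub hostname; anything else (failed, disabled, unassigned) is
    terminal and carries the error message instead of a hub.
    """
    doc = json.loads(body)
    status = doc.get("status")
    state = doc.get("registrationState") or {}
    result = {"operation_id": doc.get("operationId"), "status": status,
              "done": status != "assigning", "assigned_hub": None}
    if status == "assigned":
        result["assigned_hub"] = state.get("assignedHub")
        result["device_id"] = state.get("deviceId")
    elif status != "assigning":
        result["error"] = state.get("errorMessage") or doc.get("message")
    return result


def register_device(id_scope, registration_id, cert_pem=None, key_pem=None,
                    device_key_b64=None, opener=None):
    """PUT register, then poll GET operations/{id} until the result is final.

    X509: pass cert_pem/key_pem (PEM files; DPS authenticates the TLS client
    certificate). sas: pass device_key_b64 instead. An injected opener lets
    callers test without network access.
    """
    headers = {"Content-Type": "application/json", "Content-Encoding": "utf-8"}
    if opener is None:
        ctx = ssl.create_default_context()
        if cert_pem:
            ctx.load_cert_chain(cert_pem, key_pem)  # client cert for the X509 path
        opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    if device_key_b64:
        headers["Authorization"] = dps_sas_token(id_scope, registration_id, device_key_b64)
    body = json.dumps({"registrationId": registration_id}).encode("utf-8")
    req = urllib.request.Request(register_url(id_scope, registration_id),
                                 data=body, headers=headers, method="PUT")
    with opener.open(req) as resp:  # 202 Accepted with an operationId
        result = parse_operation(resp.read().decode("utf-8"))
        retry_after = int(resp.headers.get("Retry-After", "2"))
    while not result["done"]:
        time.sleep(retry_after)
        poll = urllib.request.Request(
            operation_url(id_scope, registration_id, result["operation_id"]),
            headers=headers, method="GET")
        with opener.open(poll) as resp:
            result = parse_operation(resp.read().decode("utf-8"))
            retry_after = int(resp.headers.get("Retry-After", "2"))
    return result


# Constructed sample: registrationState as shown in the answer, operationId is a placeholder.
SAMPLE_ASSIGNED = json.dumps({
    "operationId": "4.placeholder-operation-id",
    "status": "assigned",
    "registrationState": {
        "x509": {"enrollmentGroupId": "fa472b95-b5f6-47af-a4ef-9490f45c3961"},
        "registrationId": "device3", "deviceId": "device3",
        "assignedHub": "iotc-bceedf66-9792-4f32-b49f-7674a6aa09ff.azure-devices.net",
        "status": "assigned", "substatus": "initialAssignment",
    },
})

if __name__ == "__main__":
    print(parse_operation(SAMPLE_ASSIGNED))
    print(dps_sas_token("0ne000AA0F5", "device1", DEMO_DEVICE_KEY))
```

For a real run, `register_device("0ne000AA0F5", "device3", cert_pem="device3.pem", key_pem="device3.key")` needs the leaf certificate exported from the pfx as PEM, and the root CA must already be uploaded and verified on the IoTC app as the answer notes; the returned `assigned_hub` is the hostname to give a device that, like the Minew gateway, only accepts a host URL.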