Hi Arthur, Set the ResourceProperty.SECURE flag will instruct the stack to use the secured coaps:// endpoint, so you must use "auth_crypt" connection type ACE for that resource, and the credentials must be installed for mutual authentication. As you only wanted to run the existing code, you might leave the ResourceProperty.SECURE flag unset to use unsecured coap:// endpoint, so that the SRM can match the "anon_clear" connection type ACE and grant the access. FYR.
Regards, Tonny On 19 December 2017 at 21:10, Arthur Barros Lapprand <a...@cin.ufpe.br> wrote: > Hi Tonny, > > Yes, initially I want to run existing code and that ACE will hopefully be > helpful even though I've once tried to use that wildcard ACE without > success. I do use the ResourceProperty.SECURE flag when registering > resources but I'm not sure if I really need to set credentials in the SVR > database if I want a wildcard ACE to work. Right now I'm fighting some > build issues when building SECURED=1 for Android that came with the 1.3.1 > release. I'll certainly give feedback once I manage to do that. > > Thank you, > A. Lapprand > > Em ter, 19 de dez de 2017 às 09:58, Tonny Tzeng <tonny.tz...@gmail.com> > escreveu: > >> Hi Arthur, >> >> The concept to get secure access to a resource is the same for C++ and >> JavaScript -- use secure endpoint in C++/JavaScript, and have proper ACL >> and credential setup in the SVR database. If what you want is to run >> existing code intact but with SECURED=1, then add an anonymous connection >> type ACE as Max described above will work. Let us know it's not the case... >> >> Regards, >> Tonny >> >> On 18 December 2017 at 21:15, Arthur Barros Lapprand <a...@cin.ufpe.br> >> wrote: >> >>> Sorry I meant I want to state this, not a few things, hehe. Basically I >>> want to focus on local ACL permissions without dealing with the whole >>> device ownership and pairing process. Thank you again! >>> >>> 2017-12-18 10:12 GMT-03:00 Arthur Barros Lapprand <a...@cin.ufpe.br>: >>> >>>> Hi, thank you for the quick replies! >>>> >>>> @Max >>>> >>>>> I never succeeded with setting the "di" using API >>>>> >>>> >>>> I also never succeeded. However, since there was a recent release I >>>> should first give it a try. >>>> >>>> @Tonny >>>> I had an overview of the article. Very interesting indeed! But it uses >>>> javascript which isn't what I'm looking for this particular problem. >>>> Nonetheless, it is related to security 😁. Since I didn't have the time to >>>> read it in detail yet I may be saying things that are answered there, so >>>> pardon me in advance if you may. I need to state a few things: >>>> >>>> (3) use an Onboarding Tool to establish ownership with both the Client >>>>> and the Server; >>>> >>>> (4) mutual install the credentials of each other by pairing the devices >>>>> with the OBT >>>>> >>>> I'm trying to simulate these by setting the device owner through the >>>> ACL for development purposes. >>>> >>>> >>>> >>>> 2017-12-17 5:16 GMT-03:00 Tonny Tzeng <tonny.tz...@gmail.com>: >>>> >>>>> Hi, >>>>> >>>>> We just posted an article at 01.org >>>>> <https://01.org/blogs/ttzeng/2017/securely-accessing-iot-devices-based-javascript> >>>>> talking >>>>> few security concept in IoTivity. Though we were using iotivity-node as an >>>>> example, I think the following steps would get your Client accesses to the >>>>> Server securely: >>>>> (1) your Server need to register the resource with >>>>> ResourceProperty.SECURE flag in order to use the secured endpoint; >>>>> (2) allow the "auth-crypt" connection requests in the SVD dB; >>>>> (3) use an Onboarding Tool to establish ownership with both the Client >>>>> and the Server; >>>>> (4) mutual install the credentials of each other by pairing the >>>>> devices with the OBT >>>>> >>>>> Regards, >>>>> Tonny >>>>> >>>>> On 17 December 2017 at 14:38, Max Kholmyansky <max...@gmail.com> >>>>> wrote: >>>>> >>>>>> Hi Arthur, >>>>>> >>>>>> You should be able to communicate between the client and the server >>>>>> on Android, using SECURED=1 library. >>>>>> >>>>>> First, to set your "di" (client or server) - you need to specify the >>>>>> "di" value inside the DAT file (containing security information) - you >>>>>> can >>>>>> look at the samples. I never succeeded with setting the "di" using API, >>>>>> and >>>>>> I don't know if it's supported. >>>>>> >>>>>> Second, even using SECURED=1, in the server, you can allow any client >>>>>> (even not authenticated) to access any resource. >>>>>> The relevant ACL entry looks like: (you may need to change the >>>>>> "aceid"): >>>>>> { >>>>>> >>>>>> "aceid": 5, >>>>>> "subject": { "conntype": "anon-clear" }, >>>>>> "resources": [ >>>>>> { "href": "*" } >>>>>> ], >>>>>> "permission": 14 >>>>>> } >>>>>> >>>>>> This is definitely not the way to configure it in production, but it >>>>>> should allow you to keep developing, without caring about access >>>>>> permissions for a while. >>>>>> >>>>>> >>>>>> Max >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On Thu, Dec 14, 2017 at 8:54 PM, Arthur Barros Lapprand < >>>>>> a...@cin.ufpe.br> wrote: >>>>>> >>>>>>> Hi all, >>>>>>> >>>>>>> I have a few beginner-leveled questions about secure mode in >>>>>>> Android. Let me explain the situation: >>>>>>> >>>>>>> I have created two apps (one for Server/Controlee and the other for >>>>>>> the Client/Controller) and I'm able to FIND and GET/POST/OBSERVE them >>>>>>> without problems. As this is a simple example, I now want to do the same >>>>>>> things but with SECURED=1. I should note that I am usually running both >>>>>>> apps in the same device (not the emulator, but my cellphone). >>>>>>> >>>>>>> So I started looking everywhere and discovered I could do this with >>>>>>> a local ACL and supposedly everything would be ok. Turns out it didn't, >>>>>>> which is why I am here. So my questions are: >>>>>>> >>>>>>> - Do I need anything else to use the SECURED flag in Android apart >>>>>>> from registering resource as secure and passing the ACL to the >>>>>>> PlatformConfig and configure it? >>>>>>> >>>>>>> - I read that when configuring the Platform with an ACL the DeviceID >>>>>>> should be set with the ID inside it. So as it failed I tried debugging >>>>>>> the >>>>>>> ID, which led me to confusion about PlatformID and DeviceID. When >>>>>>> loading >>>>>>> the ACL the DeviceID comes as a random byte[]. However, I can set the >>>>>>> DeviceID in the code and retrieve it just fine. The thing is, the ID >>>>>>> recieved by the Client (ServerID) isn't the same I set in the code. I'm >>>>>>> not >>>>>>> sure if it's something about the encoding tricking me or if it's >>>>>>> something >>>>>>> else. Can someone please shed me some light? >>>>>>> >>>>>>> In short, the Client can find the resources (they are registered >>>>>>> with SECURE type) but can't make a correct GET/POST/OBSERVE request, >>>>>>> returning UNAUTHORIZED_REQ. Any tips about this flag and Android are >>>>>>> welcome. >>>>>>> >>>>>>> Sorry for the long post, thank you in advance! >>>>>>> >>>>>>> _______________________________________________ >>>>>>> iotivity-dev mailing list >>>>>>> iotivity-dev@lists.iotivity.org >>>>>>> https://lists.iotivity.org/mailman/listinfo/iotivity-dev >>>>>>> >>>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> iotivity-dev mailing list >>>>>> iotivity-dev@lists.iotivity.org >>>>>> https://lists.iotivity.org/mailman/listinfo/iotivity-dev >>>>>> >>>>>> >>>>> >>>> >>> >>
_______________________________________________ iotivity-dev mailing list iotivity-dev@lists.iotivity.org https://lists.iotivity.org/mailman/listinfo/iotivity-dev
