Granting FreeRTOS Permissions - Guide looks out of date and unusable!

uTasker wrote on December 11, 2017:

Hi All

I have been trying for a couple of days to get the Amazon FreeRTOS Windows simulator to work but initially had problems with the getting started guide missing out the step of creating credentials. In the IoT forums I was pointed to the missing step and have been trying to do that, plus I was given a link to this forum for further questions.

Now the problem is that the guide looks to be older than the web site and so has so many incorrect pieces of information that it would take quite a lot of luck to get something working.

I have just tried for another 2 hours or so but there seem to be so many dead-ends in the step-by-step guide (buttons don't exist or names don't match, or the only similar ways to do what is detailed can only be found in completely different areas).
E.g. I spent ages looking for the "AWSFreeRTOSFullAccess" that should be added to user permissions, whereas it looks to actually be called "AmazonFreeRTOSFullAccess".
Also I had to add a user with my name (logged in as root!) because otherwise there was nothing there.

Working in the console and in a way quite different to the step-by-step I have been able to create a certificate (and embed the details in the code) which are attached to a policy (set up with the JSON code) and also attached to a thing.

But I have two problems with the simulator:

  1. If I just let it run it never sends anything out onto the network, but, if I set a break-point at MQTT_AGENT_Connect() and then let it run again it does.
     This I can live with but there must be something wrong somewhere.
  2. It connects to the broker but the broker closes with the TLS Alert "Certificate unknown".

Since the guide is only partly accurate I can’t work out what is not set up correctly.
Any ideas???

Regards

Mark

Edited by: uTasker on Dec 10, 2017 8:21 PM

Edited by: uTasker on Dec 10, 2017 8:22 PM

adjervis wrote on December 12, 2017:

uTasker, hello, thank you for using Amazon FreeRTOS. The most common explanation for the broker disconnecting the socket is a misconfiguration of the Thing, certificate, and/or policy in the AWS IoT registry. To understand why, keep in mind that Amazon FreeRTOS and the AWS IoT MQTT broker are using TLS with mutual certificate-based authentication. The broker performs authentication before it performs authorization. If you have a trusted, time-valid certificate from AWS, then TLS negotiation (i.e., authentication) will succeed. But if the authorization is misconfigured, the broker will then reset the connection, so the next thing you’ll see is the TLS alert.

The section entitled “Asymmetric Cryptosystem Support” in http://docs.aws.amazon.com/freertos/latest/userguide/freertos-security.html describes the steps for creating a Thing, certificate, and policy using the AWS command-line interface (CLI). (Those steps specifically describe using an ECDSA key; I can provide instructions for RSA if you prefer.) Building on that, here are the steps for using the CLI to confirm that configuration:

First, I look up my Thing by name. This also serves as a sanity check that I’m in the correct region:

    aws iot describe-thing --thing-name dcgecc
    {
        "version": 1,
        "thingName": "dcgecc",
        "defaultClientId": "dcgecc",
        "attributes": {},
        "thingArn": "arn:aws:iot:us-east-1:785484208847:thing/dcgecc",
        "thingId": "2ed8fce1-c70e-46fe-ab26-dbfc03bd85df"
    }

Double-check that your Thing name matches the string you’re using for clientcredentialIOT_THING_NAME in aws_clientcredential.h. Next, confirm that there’s a certificate attached to the thing:

    aws iot list-thing-principals --thing-name dcgecc
    {
        "principals": [
            "arn:aws:iot:us-east-1:785484208847:cert/86e41339a6d1bbc67abf31faf455092cdebf8f21ffbc67c4d238d1326c7de729"
        ]
    }

The latter half of the principal ARN is the certificate ID. Now that I have that, I request a more detailed description:

    aws iot describe-certificate --certificate-id 86e41339a6d1bbc67abf31faf455092cdebf8f21ffbc67c4d238d1326c7de729
    {
        "certificateDescription": {
            "certificateArn": "arn:aws:iot:us-east-1:785484208847:cert/86e41339a6d1bbc67abf31faf455092cdebf8f21ffbc67c4d238d1326c7de729",
            "status": "ACTIVE",
            "certificateId": "86e41339a6d1bbc67abf31faf455092cdebf8f21ffbc67c4d238d1326c7de729",
            "lastModifiedDate": 1510943901.24,
            "certificatePem": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n",
            "transferData": {},
            "ownedBy": "785484208847",
            "creationDate": 1510943901.24
        }
    }

In the above output, note that the contents of the ownedBy field in the certificate description match the serial number that’s embedded in the Thing ARN. As a further sanity check, confirm that the contents of the certificatePem field match your definition for clientcredentialCLIENT_CERTIFICATE_PEM in aws_clientcredential_keys.h in your project.

Next, using the certificate ARN, confirm that there’s a policy attached to it:

    aws iot list-principal-policies --principal "arn:aws:iot:us-east-1:785484208847:cert/86e41339a6d1bbc67abf31faf455092cdebf8f21ffbc67c4d238d1326c7de729"
    {
        "policies": [
            {
                "policyName": "FullControl",
                "policyArn": "arn:aws:iot:us-east-1:785484208847:policy/FullControl"
            }
        ]
    }

Finally, confirm that the rules expressed by that policy are as expected:

    aws iot get-policy --policy-name FullControl
    {
        "policyName": "FullControl",
        "policyArn": "arn:aws:iot:us-east-1:785484208847:policy/FullControl",
        "policyDocument": "{
            \"Version\": \"2012-10-17\",
            \"Statement\": [
                {
                    \"Effect\": \"Allow\",
                    \"Action\": \"iot:*\",
                    \"Resource\": \"*\"
                },
                {
                    \"Effect\": \"Allow\",
                    \"Action\": \"greengrass:*\",
                    \"Resource\": \"*\"
                }
            ]
        }",
        "defaultVersionId": "1"
    }

Once you’ve confirmed the above, verify that your clientcredentialMQTT_BROKER_ENDPOINT definition in aws_clientcredential.h matches what you see in the AWS IoT console. In the console, select Manage, Things, then your Thing name. Then select Interact. The URL at the top of the screen, of the form .iot..amazonaws.com, is your endpoint.

Regarding the mistake in the permissions instructions on our Getting Started page, thank you for calling that to our attention. We’ll get it fixed.
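The checks in the reply above are manual: look at each CLI output and compare it by eye against the Thing ARN and the values compiled into aws_clientcredential.h and aws_clientcredential_keys.h. The script below, added here as an illustration and not part of the forum post or of Amazon FreeRTOS, encodes those same consistency rules over the JSON documents that `aws iot describe-thing`, `list-thing-principals`, `describe-certificate`, `list-principal-policies` and `get-policy` print with `--output json`. The account id, Thing name, certificate id, PEM body and endpoint prefix are constructed placeholders, as is the FIRMWARE dictionary standing in for the two header files. It reports as errors the mismatches that produce a TLS-time rejection or a post-handshake disconnect, and separately warns when the attached policy is a blanket `iot:*` on `*`, which works but grants far more than one device needs.

```python
"""Consistency checks over AWS IoT registry objects versus firmware credentials.

Added example (not from the forum post). All sample values are constructed.
"""
import json
import re
from fnmatch import fnmatchcase

ACCOUNT_ID = "123456789012"                     # constructed placeholder account
REGION = "us-east-1"
THING_NAME = "example-thing"
CERT_ID = "ab" * 32                             # 64 hex chars, constructed
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBexampleBodyNotARealCert==\n-----END CERTIFICATE-----\n"

# Stand-in for the macros in aws_clientcredential.h / aws_clientcredential_keys.h.
FIRMWARE = {
    "clientcredentialIOT_THING_NAME": THING_NAME,
    "clientcredentialCLIENT_CERTIFICATE_PEM": CERT_PEM,
    "clientcredentialMQTT_BROKER_ENDPOINT": f"a1b2c3d4e5f6g7.iot.{REGION}.amazonaws.com",
}

# Constructed stand-ins for the five CLI outputs shown in the reply.
DESCRIBE_THING = {
    "version": 1, "thingName": THING_NAME, "defaultClientId": THING_NAME, "attributes": {},
    "thingArn": f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:thing/{THING_NAME}",
    "thingId": "00000000-0000-4000-8000-000000000000",
}
THING_PRINCIPALS = {"principals": [f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:cert/{CERT_ID}"]}
DESCRIBE_CERT = {"certificateDescription": {
    "certificateArn": THING_PRINCIPALS["principals"][0], "status": "ACTIVE",
    "certificateId": CERT_ID, "certificatePem": CERT_PEM, "ownedBy": ACCOUNT_ID}}
PRINCIPAL_POLICIES = {"policies": [{"policyName": "FullControl",
    "policyArn": f"arn:aws:iot:{REGION}:{ACCOUNT_ID}:policy/FullControl"}]}
GET_POLICY = {"policyName": "FullControl", "defaultVersionId": "1",
    "policyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iot:*", "Resource": "*"}]})}

ARN_RE = re.compile(r"^arn:aws:iot:([a-z0-9-]+):(\d{12}):(thing|cert|policy)/(.+)$")
ENDPOINT_RE = re.compile(r"^[a-z0-9-]+\.iot\.([a-z0-9-]+)\.amazonaws\.com$")
# The minimum an MQTT client needs to connect, publish and receive.
REQUIRED_ACTIONS = ("iot:Connect", "iot:Publish", "iot:Subscribe", "iot:Receive")


def _as_list(v):
    """IAM-style documents allow a string or a list in Action/Resource."""
    return v if isinstance(v, list) else [v]


def policy_allows(policy_doc, action):
    """True if some Allow statement's Action pattern covers `action` (Deny is not evaluated here)."""
    for st in policy_doc.get("Statement", []):
        if st.get("Effect") == "Allow" and any(
                fnmatchcase(action, p) for p in _as_list(st.get("Action", []))):
            return True
    return False


def check_registry(firmware, thing, principals, cert, policies, policy):
    """Return (errors, warnings). Errors explain a handshake rejection or the
    post-handshake reset described in the reply; warnings flag over-broad grants."""
    errors, warnings = [], []
    m = ARN_RE.match(thing.get("thingArn", ""))
    if not m:
        return [f"unparseable thingArn {thing.get('thingArn')!r}"], warnings
    region, account = m.group(1), m.group(2)
    if thing["thingName"] != firmware["clientcredentialIOT_THING_NAME"]:
        errors.append("clientcredentialIOT_THING_NAME does not match the registered Thing name")
    cert_arns = [p for p in principals.get("principals", []) if ":cert/" in p]
    if not cert_arns:
        errors.append("no certificate principal is attached to the Thing")
    desc = cert.get("certificateDescription", {})
    if desc.get("status") != "ACTIVE":
        errors.append(f"certificate status is {desc.get('status')!r}, expected ACTIVE")
    if desc.get("certificateArn") not in cert_arns:
        errors.append("described certificate is not one of the Thing's principals")
    if desc.get("ownedBy") != account:   # the reply's ownedBy-versus-ARN check
        errors.append("certificate ownedBy differs from the account id in the Thing ARN")
    if desc.get("certificatePem", "").strip() != firmware["clientcredentialCLIENT_CERTIFICATE_PEM"].strip():
        errors.append("clientcredentialCLIENT_CERTIFICATE_PEM differs from the registered certificatePem")
    if not policies.get("policies"):
        errors.append("no policy attached to the certificate: authentication passes, authorization fails")
    else:
        doc = json.loads(policy["policyDocument"])
        for action in REQUIRED_ACTIONS:
            if not policy_allows(doc, action):
                errors.append(f"policy {policy['policyName']} does not allow {action}")
        for st in doc.get("Statement", []):
            if st.get("Effect") == "Allow" and "*" in _as_list(st.get("Resource", [])) \
                    and any(p.endswith("*") for p in _as_list(st.get("Action", []))):
                warnings.append(f"policy {policy['policyName']} grants wildcard actions on all "
                                "resources; scope it to this Thing's client id and topics")
    em = ENDPOINT_RE.match(firmware["clientcredentialMQTT_BROKER_ENDPOINT"])
    if not em:
        errors.append("clientcredentialMQTT_BROKER_ENDPOINT is not of the form <prefix>.iot.<region>.amazonaws.com")
    elif em.group(1) != region:
        errors.append(f"endpoint region {em.group(1)} differs from Thing region {region}")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_registry(FIRMWARE, DESCRIBE_THING, THING_PRINCIPALS,
                                 DESCRIBE_CERT, PRINCIPAL_POLICIES, GET_POLICY)
    for e in errs:
        print("ERROR:", e)
    for w in warns:
        print("WARN: ", w)
    print("ok" if not errs else "misconfigured")
```

To use it against a real account, replace the constructed dictionaries with `json.loads` of the corresponding CLI output and the FIRMWARE values with the strings from the two header files. The ordering of the checks mirrors the reply: identity first (Thing name, attached certificate, ACTIVE status, owning account, PEM match), then authorization (a policy is attached and actually allows the MQTT actions), then the endpoint's region against the Thing ARN's region.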

uTasker wrote on December 13, 2017:

Thanks!!!

This is helping - I can now connect to the broker (it is accepting the certificate).
I am getting an alert when the "thing" sends data so I expect that the "thing" itself is not yet correctly registered in some way, so I'll dig in more there and expect to get it sorted shortly…

Very grateful!!

Regards

Mark

Edited by: uTasker on Dec 12, 2017 9:31 PM