demos/linux/aws/readme.rst

..
    Copyright 2019,2020 NXP


.. highlight:: shell

.. _linux-demos-aws:

AWS Demo for iMX Linux / RaspberryPi
==================================================

This demo demonstrates connection to AWS IoT Console using pre-provisioned
device credentials and publish/subscribe procedure using MQTT.

Prerequisites
-------------

-  AWS account
-  SD Card image with SE050 Middleware pre-installed. The application is
   built on the iMX platform.
-  IMX6UL-EVK platform or Raspberry pi connected to the Internet

Preparing the credentials and Provisioning the secure element
-------------------------------------------------------------

Use ssscli tool from iMX/Rpi platform

1) Complete :numref:`cli-doc-pre-steps` :ref:`cli-doc-pre-steps`

#)  To create certificates on imx and Raspberry Pi, call::

        cd simw-top/pycli/Provisioning/
        python3 GenerateAWSCredentials.py
        python3 ResetAndUpdate_AWS.py

#) Certificates and Keys are generated at ``simw-top/pycli/Provisioning/aws``


Build the OpenSSL engine [Optional]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. note::
    This step is optional in case you are using a prepared SD card
    image from NXP.

The OpenSSL engine uses the sss abstraction layer to access the crypto
services of the secure element, the implementation remains dependent on
the secure element attached. The following illustrates compiling the
OpenSSL engine for SE050 connected over I2C.

::

   cd simw-top
   python scripts/create_cmake_projects.py
   cd ../simw-top_build/imx_native_se050_t1oi2c
   cmake --build .
   make install
   ldconfig /usr/local/lib


.. note::
    Replace ``imx_native_se050_t1oi2c`` with ``raspbian_native_se050_t1oi2c``
    when building for Raspberry Pi.

Run the example
---------------

1)  Clone the Code ::

       cd /simw-top/demos/linux/aws/
       git clone https://github.com/aws/aws-iot-device-sdk-cpp.git

    .. note:: If curl is not installed - run ``sudo apt-get install libcurl4-openssl-dev``


.. highlight:: cmake

#) Modify the ``CMakeLists.txt`` file under ``samples/PubSub`` so it ensures ``OPENSSL_LOAD_CONF`` is defined (see excerpt below)::

        if (UNIX AND NOT APPLE)
            ADD_DEFINITIONS(-DOPENSSL_LOAD_CONF)
            # Prefer pthread if found
            set(THREADS_PREFER_PTHREAD_FLAG ON)
            set(CUSTOM_COMPILER_FLAGS "-fno-exceptions -Wall -Werror")
        elseif (APPLE)
            set(CUSTOM_COMPILER_FLAGS "-fno-exceptions -Wall -Werror")
        elseif (WIN32)
            set(CUSTOM_COMPILER_FLAGS "/W4")
        endif ()

.. highlight:: shell

#) Use 'buildScript.sh' script at simw-top/demos/linux/aws/ to build the mqtt application for aws call::

    ./buildScript.sh

.. highlight:: json

#) Adapt the PubSub example specific configuration file so that it refers to the reference key and the device certificate.
    - Update the endpoint to match your AWS account
    - Ensure the AmazonRootCA1.pem certificate is in place (it is used by the iMX/rpi to validate the AWS IoT counterpart\
    - Update the configuration file (/simw-top/demos/linux/aws/aws-iot-device-sdk-cpp/build/bin/config/SampleConfig.json) with endpoint, device_certificate_relative_path, device_private_key_relative_path  (Ensure the value for "endpoint" matches your setup, you must replace "xxxxiukfoyyyy-ats.iot.eu-central-1.amazonaws.com")
    - Sample Json file ::

            {
              "endpoint": "xxxxiukfoyyyy-ats.iot.eu-central-1.amazonaws.com",
              "mqtt_port": 8883,
              "https_port": 443,
              "greengrass_discovery_port": 8443,
              "root_ca_relative_path": "certs/AmazonRootCA1.pem",
              "device_certificate_relative_path": "<UID>_device_certificate.crt",
              "device_private_key_relative_path": "<UID>_device_reference_key.pem",
              "tls_handshake_timeout_msecs": 60000,
              "tls_read_timeout_msecs": 2000,
              "tls_write_timeout_msecs": 2000,
              "aws_region": "",
              "aws_access_key_id": "",
              "aws_secret_access_key": "",
              "aws_session_token": "",
              "client_id": "CppSDKTesting",
              "thing_name": "CppSDKTesting",
              "is_clean_session": true,
              "mqtt_command_timeout_msecs": 20000,
              "keepalive_interval_secs": 600,
              "minimum_reconnect_interval_secs": 1,
              "maximum_reconnect_interval_secs": 128,
              "maximum_acks_to_wait_for": 32,
              "action_processing_rate_hz": 5,
              "maximum_outgoing_action_queue_length": 32,
              "discover_action_timeout_msecs": 300000
            }

.. highlight:: cfg

#) Search for `default_algorithms` in ``/simw-top/demos/linux/common/openssl_sss_se050.cnf`` file and set it as ::

        default_algorithms = RSA,RAND,ECDSA,ECDH    ----- For openssl 1.0.0
        default_algorithms = RSA,RAND,EC            ----- For openssl 1.1.1

.. highlight:: shell

#)  Set the openssl config path as call::

    $ export OPENSSL_CONF=/simw-top/demos/linux/common/openssl_sss_se050.cnf

#) Upload the root certificate (/simw-top/pycli/Provisioning/aws/rootCA_certificate.cer) to AWS account. Refer :ref:`prepare-aws-cloud`


#)  Run the application::

        cd /simw-top/demos/linux/aws/aws-iot-device-sdk-cpp/build/bin
        ./pub-sub-sample


.. note::
    1) Export the OpenSSL conf path to the exact location of the file. The above example is for illustrative purpose