Provisioning millions of devices in a secure and scalable manner without requiring any human interaction is what our plgd Device Provisioning Service (DPS) solves. Doesn’t matter if you’re running the plgd hub on-premise, off-premise or a fully managed instance, the DPS makes sure it trusts only your devices and provision them to the right plgd hub instance. Exactly no human interaction, zero-touch to provision and pre-configure millions of devices just-in-time and securely, using manufacturer certificates or TPMs.
plgd ecosystem supports various provisioning scenarios, including Zero-touch provisioning handled by the DPS. It’s your perfect choice when you try to solve:
Securely provisioned device by the DPS precedes 3 distinct steps:
To successfully attest the device’s identity during the provisioning process, a manufacturer certificate or/and a TPM need to be available on the device. It’s a key to verify if the device is trusted and belongs to the enrollment group created in the DPS. Creation of the device’s manufacturer identity usually occurs towards the end of the manufacturing process. At this point, hardware assembly is complete and the initial software has been loaded. A manufacturing PC is connected to the device and requests from the PKI a unique manufacturer certificate using the unique device identifier (e.g. serial number, depends on the manufacturer). In case the device contains the TPM, manufacturing PC stores the TPM’s endorsement key, required for it’s individual enrollment.
Process described above varies from manufacturer to manufacturer. Nevertheless, the unique device’s manufacturer identity is expected as the result. Additionally, formulation “Creation of the device’s manufacturer identity” was used to not confuse the reader if using more accurate term - “Provisioning of the device’s manufacturer identity”.
Creating an Enrollment Group in your plgd DPS instance is required in order to make sure the DPS can properly attest to the device’s identity when it comes looking for its provisioning configuration. The operator is responsible to include the identifying key information described in the manufacturer step and add it to the enrollment group. Part of the enrollment group configuration is among others also initial resource and ACL configuration, useful for the device-to-device scenarios where the plgd hub is not involved at all. Once the enrollment group is configured, DPS is ready to automatically provision devices. Unless the use-case or list of devices changes, the DPS service / enrollment group does not have to be modified. Number of enrollment groups is not limited; different set of devices can be attested by different enrollment groups containing different provisioning configuration.
The Enrollment Group created during the operation setup state has a set of required and optional configuration options, supporting various use-cases or security requirements. The following sequence diagram describes what goes on under the hood to get a device securely provisioned. This flow is dependent on the Enrollment Group configuration, which is a prerequisite.
Step number 4 and 9 are optional.
The DPS supports multiple PLGD Hubs or CoAP Gateways. This feature enables users to configure multiple PLGD hubs or CoAP gateways for the device through enrollment group configuration.
To configure multiple CoAP gateways, set the helm value .enrollmentGroups.[].hub.gateways to the list of CoAP gateways in the format SCHEME://HOST:PORT. For example, [ "coaps+tcp://plgd.cloud:5684", ... ].
To set multiple PLGD hubs, set the helm value .enrollmentGroups.[].hubs to the list of PLGD hub objects, which contain the same values as the .enrollmentGroups.[].hub object in the enrollment group configuration.
For multiple hubs, it is expected that the hubs are different instances.
plgd makes it simpler to build a successful IoT initiative – to create a proof of concept, evaluate, optimize, and scale.
