new TrustedAssetsManager([taStoreFile], [taStorePassword])
The TrustedAssetsManager interface defines methods for handling the trust material used for activation and authentication to the IoT CS. Depending on the capability of the client or device, as well as on the security requirements, implementations of this interface may store sensitive trust material in a plain persistent store, in a keystore, or in a secure token.
- Authentication of Devices with the IoT CS
  - Before/Upon Device Activation: A device must use client secret-based authentication to authenticate with the OAuth service and retrieve an access token in order to perform activation with the IoT CS server. This is done by using an activation ID and a shared secret.
  - After Device Activation: A device must use client assertion-based authentication to authenticate with the OAuth service and retrieve an access token in order to send messages to and retrieve messages from the IoT CS server. This is done by using the assigned endpoint ID and the generated private key.
- Authentication of Pre-activated Enterprise Applications with the IoT CS
  - Before/After Application Activation: An enterprise integration must use client secret-based authentication to authenticate with the OAuth service and retrieve an access token in order to perform any REST calls with the IoT CS server. This is done by using the integration ID and a shared secret.
Parameters:

Name | Type | Attributes | Description
---|---|---|---
taStoreFile | string | <optional> | The trusted assets store file path to be used for trusted assets manager creation. If none is given, the default global library parameter is used: iotcs.oracle.iot.tam.store.
taStorePassword | string | <optional> | The trusted assets store file password to be used for trusted assets manager creation. If none is given, the default global library parameter is used: iotcs.oracle.iot.tam.storePassword.
Methods
(static) generateKeyPair(algorithm, keySize) → {boolean}
Generates the key pair to be used for assertion-based client authentication with the IoT CS.
Parameters:

Name | Type | Description
---|---|---
algorithm | string | The key algorithm.
keySize | number | The key size.

Returns: `true` if the key pair generation succeeded.
- Type: boolean
(static) getClientId() → (nullable) {string}
Retrieves the ID of this client. If the client is a device, the client ID is the device activation ID; if the client is a pre-activated enterprise application, the client ID corresponds to the assigned integration ID. The client ID is used along with a client secret derived from the shared secret to perform secret-based client authentication with the IoT CS server.

Returns: The ID of this client, or `null` if any error occurs retrieving the client ID.
- Type: string
(static) getConnectedDevices() → (nullable) {object}
Retrieves the IoT CS connected devices.
Returns: The IoT CS connected devices, or `null` if any error occurs retrieving the connected devices.
- Type: object
(static) getEndpointCertificate() → (nullable) {string}
Retrieves the assigned endpoint certificate.
Returns: The PEM-encoded certificate, or `null` if no certificate was assigned or if any error occurs retrieving the endpoint certificate.
- Type: string
(static) getEndpointId() → (nullable) {string}
Retrieves the assigned endpoint ID.
Returns: The assigned endpoint ID, or `null` if any error occurs retrieving the endpoint ID.
- Type: string
(static) getPublicKey() → (nullable) {string}
Retrieves the public key to be used for the certificate request.

Returns: The device public key as a PEM-encoded string, or `null` if any error occurs retrieving the public key.
- Type: string
(static) getServerHost() → (nullable) {string}
Retrieves the IoT CS server host name.
Returns: The IoT CS server host name, or `null` if any error occurs retrieving the server host name.
- Type: string
(static) getServerPort() → (nullable) {number}
Retrieves the IoT CS server port.
Returns: The IoT CS server port (a positive integer), or `null` if any error occurs retrieving the server port.
- Type: number
(static) getServerScheme() → (nullable) {string}
Retrieves the IoT CS server scheme.
Returns: The IoT CS server scheme, or `null` if any error occurs retrieving the server scheme.
- Type: string
(static) getTrustAnchorCertificates() → (nullable) {Array}
Retrieves the trust anchor or most-trusted Certification Authority (CA) certificates to be used to validate the IoT CS server certificate chain.

Returns: The PEM-encoded trust anchor certificates, or `null` if any error occurs retrieving the trust anchors.
- Type: Array
(static) isActivated() → {boolean}
Returns whether the client is activated. The client is deemed activated if it has at least been assigned an endpoint ID.

Returns: `true` if the client is activated.
- Type: boolean
(static) provision(taStoreFile, taStorePassword, serverScheme, serverHost, serverPort, clientId, sharedSecret, truststore, connectedDevices)
Provisions the designated Trusted Assets Store with the provided provisioning assets. The provided shared secret will be encrypted using the provided password.

Parameters:

Name | Type | Description
---|---|---
taStoreFile | string | The Trusted Assets Store file name.
taStorePassword | string | The Trusted Assets Store password.
serverScheme | string | The scheme used to communicate with the server. Must be http(s).
serverHost | string | The IoT CS server host name.
serverPort | number | The IoT CS server port.
clientId | string | The ID of the client.
sharedSecret | string | The client's shared secret.
truststore | string | The truststore file containing the PEM-encoded trust anchor certificates to be used to validate the IoT CS server certificate chain.
connectedDevices | object | The indirectly connected devices.
(static) reset() → {boolean}
Resets the trust material back to its provisioning state; in particular, the key pair is erased. The client will have to go, at least, through activation again; depending on the provisioning policy in place, the client may have to go through registration again.

Returns: `true` if the operation was successful.
- Type: boolean
(static) setEndpointCredentials(endpointId, certificate) → {boolean}
Sets the assigned endpoint ID and certificate as returned by the activation procedure. Upon a call to this method, a compliant implementation of the TrustedAssetsManager interface must ensure the persistence of the provided endpoint credentials. This method can only be called once, unless the TrustedAssetsManager has been reset.

If the client is a pre-activated enterprise application, the endpoint ID has already been provisioned and calling this method MUST fail with an IllegalStateException.

Parameters:

Name | Type | Description
---|---|---
endpointId | string | The assigned endpoint ID.
certificate | string | The PEM-encoded certificate issued by the server, or `null` if no certificate was provided by the server.

Returns: Whether setting the endpoint credentials succeeded.
- Type: boolean
(static) signWithPrivateKey(data, algorithm) → (nullable) {Array}
Signs the provided data using the specified algorithm and the private key. This method is only used for assertion-based client authentication with the IoT CS.

Parameters:

Name | Type | Description
---|---|---
data | Array or string | A byte string to sign.
algorithm | string | The algorithm to use.

Returns: The signature bytes, or `null` if any error occurs retrieving the necessary key material or performing the operation.
- Type: Array
(static) signWithSharedSecret(data, algorithm, hardwareId) → (nullable) {Array}
Signs the provided data using the specified algorithm and the shared secret of the device indicated by the given hardware ID. Passing `null` for hardwareId is identical to passing the value of getClientId().

Parameters:

Name | Type | Attributes | Description
---|---|---|---
data | Array | | The bytes to be signed.
algorithm | string | | The hash algorithm to use.
hardwareId | string | <nullable> | The hardware ID of the device whose shared secret is to be used for signing.

Returns: The signature bytes, or `null` if any error occurs retrieving the necessary key material or performing the operation.
- Type: Array