Just in time provisioning for Greengrass v2 core devices


We want to provision the Greengrass core devices with unique device certificates and found that just-in-time provisioning (JITP) works in a similar way, using a root CA cert to create the device certificate. I have followed the steps mentioned in the knowledge-center.

It explains how to create a certificate but we are not sure how to install/run the Greengrass software with JITP provisioning certificates.

I am expecting a Java command with arguments to use the JITP certificate to provision the device. Kindly help resolve this issue.

asked a year ago, 142 views
1 Answer
Accepted Answer

First I would take a look at the AWS IoT Fleet Provisioning integration with Greengrass V2. The AWS IoT Fleet Provisioning integration allows AWS IoT Core to securely deliver X509 certificates and keys to Greengrass V2 at first startup: https://docs.aws.amazon.com/greengrass/v2/developerguide/fleet-provisioning.html

If the AWS IoT Fleet Provisioning flow does not fit your requirements, for example because you need to use a custom CA with AWS IoT, follow the steps in the JITP guide you linked in your question to create an X509 cert, private keys, Thing and IoT policy (you just need to adapt the policy in the JITP template to allow access to the Greengrass API "greengrass:*").

Once done, continue following the guide to provision AWS Greengrass manually from step 2, Retrieve AWS IoT endpoints: https://docs.aws.amazon.com/greengrass/v2/developerguide/manual-installation.html

In summary, you create an initial config file ./GreengrassInstaller/config.yaml where you reference the JITP provisioned certificates, private key and Thing name:

system:
  certificateFilePath: "/greengrass/v2/device.pem.crt"
  privateKeyPath: "/greengrass/v2/private.pem.key"
  rootCaPath: "/greengrass/v2/AmazonRootCA1.pem"
  rootpath: "/greengrass/v2"
  thingName: "MyGreengrassCore"

and install Greengrass V2 using:

sudo -E java -Droot="/greengrass/v2" -Dlog.store=FILE \
  -jar ./GreengrassInstaller/lib/Greengrass.jar \
  --init-config ./GreengrassInstaller/config.yaml \
  --component-default-user ggc_user:ggc_group \
  --setup-system-service true
answered a year ago
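
A preflight check that can be run before the installer command in the answer above: it confirms that the files named in config.yaml exist, that the private key grants nothing to group or other, and that the certificate and private key form a pair. This is an added example, not part of the original answer or of AWS documentation; the function names are hypothetical, and it assumes Linux `stat -c`, the `openssl` CLI, and double-quoted values as in the answer's snippet.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Assumes Linux `stat -c`, the
# openssl CLI, and double-quoted values as in the answer's config snippet.

# Print the value of a `key: "value"` line from the config file.
cfg_get() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*\"\(.*\)\"[[:space:]]*\$/\1/p" "$2" | head -n 1
}

# Return 0 only if the three referenced files exist and the private key
# grants no permissions to group or other (for example mode 600 or 400).
check_gg_files() {
  cfg=$1
  for k in certificateFilePath privateKeyPath rootCaPath; do
    p=$(cfg_get "$k" "$cfg")
    [ -n "$p" ] || { echo "missing $k in $cfg" >&2; return 1; }
    [ -f "$p" ] || { echo "$k: $p not found" >&2; return 1; }
  done
  key=$(cfg_get privateKeyPath "$cfg")
  mode=$(stat -c '%a' "$key") || return 1
  case "$mode" in
    *00) ;;
    *) echo "private key mode $mode is too permissive" >&2; return 1 ;;
  esac
}

# Return 0 only if the certificate's public key matches the private key,
# i.e. the device certificate was really issued for this key.
check_cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh preflight.sh ./GreengrassInstaller/config.yaml
if [ "$#" -eq 1 ]; then
  check_gg_files "$1" &&
    check_cert_key_match "$(cfg_get certificateFilePath "$1")" \
                         "$(cfg_get privateKeyPath "$1")" &&
    echo "preflight OK"
fi
```
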
