By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

How to match responses to requests when multiple devices use the 'Device provisioning MQTT API' at same time?

0

I am developing an industrial IoT device that will need to use the fleet provisioning by claim workflow. Specifically, my devices are using the CreateCertificateFromCsr API. My question is, what happens when multiple devices send a CreateCertificateFromCsr request at the same time? The accepted and rejected topics associated with the CreateCertificateFromCsr request are shared, so how can a device determine which accepted response is for it? There is nothing like an ID in the request or accepted response to easily filter on to match responses to requests. There is the public key, which is embedded in the CSR in the request and the certificate in the response. It can be extracted and used to match responses to requests, but that seems like a lot of work. Lastly, the error response from the rejected topic includes no identifying information. How can a device know an error is for it?

I fear I might be missing or misunderstanding something, so please let me know if I am.

For more context, my devices are for an industrial application. As such, 100s can attempt to provision at the same time. Also, I'm not using the AWS SDK, so SDK-specific answers won't be very helpful.

Thanks!

Topics
Internet of Things (IoT)
Tags
AWS IoT Core
Language
English
qptl
asked a month ago51 views
3 Answers
1

Hi. Those topics are not regular MQTT pub sub topics. AWS IoT Core tracks the requester, and sends the response only on the same connection from which the request came. Other devices can't subscribe to receive the response. And they can't subscribe to receive a request from any other device (requests only route to the fleet provisioning service).

profile pictureAWS
EXPERT
Greg_B
answered a month ago
profile pictureAWS
EXPERT
Jose Soto
reviewed a month ago
0

You've raised some important points about using the Device provisioning MQTT API, particularly when multiple devices are attempting to provision simultaneously. Let's address your concerns:

  1. Matching responses to requests: When using the CreateKeysAndCertificate API, you're correct that there isn't a built-in request ID mechanism to easily match responses to specific requests. However, there are a few strategies you can employ:

a. Unique Client IDs: Ensure that each device uses a unique MQTT client ID when connecting to AWS IoT. This helps prevent connection conflicts and allows for better tracking of individual device communications.

b. Timing and Public Key Matching: While it may seem like extra work, matching the public key in the response to the one in the request is a reliable method to ensure the correct response is processed by each device. Given the security implications of provisioning, this additional step is justified.

  1. Handling error responses: You're correct that the error responses on the rejected topic don't include identifying information. To mitigate this:

a. Implement a timeout mechanism: If a device doesn't receive a response on the accepted topic within a certain timeframe, it can check the rejected topic for any errors.

b. Retry with backoff: If an error is received or no response is detected, implement a retry mechanism with an exponential backoff to reduce the likelihood of collisions.

  1. Scaling for industrial applications: For scenarios where hundreds of devices may attempt to provision simultaneously:

a. Implement a staggered provisioning approach: Program devices to attempt provisioning at slightly different times or with random delays to reduce simultaneous requests.

b. Use Fleet Provisioning Templates: These allow you to define the provisioning process more precisely and can help manage large-scale provisioning more effectively.

c. Consider using the RegisterThing API instead of CreateKeysAndCertificate if your use case allows. RegisterThing provides more structured provisioning and includes a templateName in the response, which can be used for correlation.

While the current API design may present some challenges for high-volume, simultaneous provisioning, these strategies should help manage the process more effectively. Remember to thoroughly test your provisioning process under various conditions to ensure reliability at scale.

It's worth noting that before publishing any request message, you should always subscribe to the corresponding response topics first. This ensures that you don't miss any responses due to timing issues.
Sources
Device provisioning MQTT API - AWS IoT Core
Device provisioning - IoT Lens
Provisioning identity in AWS IoT Core for device connections - Device Manufacturing and Provisioning with X.509 Certificates in AWS IoT Core
MQTT multiple subscribers to one topic not working | AWS re:Post

profile picture
re:Post Agent
answered a month ago
0

I erroneously wrote that I was using the CreateKeysAndCertificate API in my original post when I am actually using the CreateCertificateFromCsr API. I corrected my post, but the AI-generated response appeared before I made the edit. The core of my question also applies to the CreateKeysAndCertificate API, as both API calls suffer from the same problem.

The AI-generated response is what I was already considering (implementing), namely filtering on public keys and using timeouts. I am just curious if there are alternative approaches.

qptl
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content