|
| 1 | +--- |
| 2 | +title: "Interoperability" |
| 3 | +description: "LoRaWAN Backend Interfaces" |
| 4 | +weight: 3 |
| 5 | +--- |
| 6 | + |
| 7 | +{{% tts %}} exposes the Join Server API defined by LoRaWAN Backend Interfaces 1.0 and 1.1. This is used for interoperability between LoRaWAN networks. The functionality can be exposed either by the Join Server or by the Identity Server, but not both at once. |
| 8 | + |
| 9 | +Join Server is capable of handling the join flow, that is `HomeNSReq`, `JoinReq` and `AppSKeyReq` requests. Identity Server can only answer to `HomeNSReq`. Typically, you should enable interoperability if you want to use device activations through Packet Broker. You can use Join Server interoperability if you want to expose the entire join flow to other LoRaWAN network servers. |
| 10 | + |
| 11 | +# Join Server interoperability |
| 12 | + |
| 13 | +## Deployment |
| 14 | + |
| 15 | +### Step 1: deploy {{% tts %}} |
| 16 | + |
| 17 | +Deploy {{% tts %}} normally. For the `PeerRequesterAccountId` parameter in `1-1-vpc`, use the ID of the account where you want to deploy Crypto Server. Do not enable interop and assume that {{% tts %}} doesn't connect to the Crypto Server. |
| 18 | + |
| 19 | +### Step 2: add certificates |
| 20 | + |
| 21 | +For the server certificate, use the certbot task. It will request a certificate and put it into AWS Secrets Manager. If you do not want to use the certbot task, but prefer to provide your own certificate, look up the relevant secret created in template `4-1-secrets` and substitute the dummy value. Certificates are expected to be in PEM format. |
| 22 | + |
| 23 | +Client certificates are stored in the interop config bucket, created in template `2-4b-routing-s3`. In this bucket you need to place a file `config.yml`, which contains a map `<net-id>: <ca.pem>`. Example configuration: |
| 24 | + |
| 25 | +```yaml |
| 26 | +000000: ca-000000.pem |
| 27 | +000009: ca-000009.pem |
| 28 | +``` |
| 29 | +
|
| 30 | +### Step 3: deploy the Crypto Server |
| 31 | +
|
| 32 | +Deploy the template `200-1-crypto`. This template is designed to be deployed in a separate account, but same region. No other templates are needed for Crypto Server, this is a self-contained deployment. |
| 33 | + |
| 34 | +- the tuple `{NetworkName}.${Environment}.${Cluster}` should NOT be identical. We suggest using the same `NetworkName` and `Environment`, but different `Cluster` |
| 35 | +- the `CidrBlock` parameter should NOT be identical |
| 36 | +- the `ClusterSecretValue` parameter MUST be identical |
| 37 | +- the `DefaultTenantID` parameter MUST be identical |
| 38 | +- the `Domain` parameter MUST be identical |
| 39 | +- skip the `ServicesDNSZone` parameter |
| 40 | +- refer to outputs of the `1-1-vpc` template for the `Peer*` parameters |
| 41 | + |
| 42 | +### Step 4: peer networks |
| 43 | + |
| 44 | +Deploy the template `6-1-vpc-peering` where you had deployed the Join Server to create the peering association. Refer to the Crypto Server stack for inputs of `6-1-vpc-peering`. |
| 45 | + |
| 46 | +{{% tts %}} uses Route53 for service discovery. In order to enable the Join Server <-> Crypto Server service discovery, you need to associate the `${NetworkName}.${Environment}.${Cluster}.cluster.local` hosted zone of Join Server with the VPC of Crypto Server and vice versa. For details on how to do it, refer to the [AWS Documentation](https://aws.amazon.com/premiumsupport/knowledge-center/route53-private-hosted-zone/). |
| 47 | + |
| 48 | +### Step 5: activate the connection |
| 49 | + |
| 50 | +Go through the Join Server stack and turn on switches for Interop and Crypto Server connection. The `CryptoServerDNSName` parameter in template `5-4-services` is expected to be in format `cs.${NetworkName}.${Environment}.${Cluster}.cluster.local`. |
| 51 | + |
| 52 | +Go through the Crypto Server template and turn on switches for Join Server connection. The `ServicesDNSZone` parameter is expected to be in format `${NetworkName}.${Environment}.${Cluster}.cluster.local`. |
| 53 | + |
| 54 | +### Step 6: encrypt key values for secure element parts |
| 55 | + |
| 56 | +Go to the Crypto Server stack and encrypt secure element parts keys using the AWS KMS key from stack output `MicrochipPartsTableKey` and put them into the DynamoDB table from output `MicrochipPartsTable`. You can do it in the following way: |
| 57 | +1. Create a file `input.json` with the following contents: `{"KeyId": "<MicrochipPartsTableKey>", "Plaintext": "<SecureElementKeyValueInBase64>"}` |
| 58 | +2. `aws kms encrypt --cli-input-json file://input.json`. It is important to use the input json file so that secret value doesn't stay in history |
| 59 | +3. Change the contents of `input.json` to `{"TableName": "<MicrochipPartsTableKey>", "Item": {"part_number": {"S": "<PartNumber>"}, "psk_root_keys_encrypted": {"S": "<CiphertextBlobFromKMSEncrypt>"}}}` |
| 60 | +4. `aws dynamodb put-item --cli-input-json file://input.json` |
| 61 | +5. `rm input.json` |
| 62 | + |
| 63 | +At this point interoperability should be working. It might be required to restart the containers before they pick up new configuration. |
| 64 | + |
| 65 | +# Identity Server interoperability |
| 66 | + |
| 67 | +Identity Server interoperability doesn't need Crypto Server, therefore you don't need to set up two accounts and peer networks. Still, you need to set up TLS certificates in a similar fashion. |
0 commit comments