Hi Gregg,

Yes, you should be able to statically provision the .db file (i.e. provision the device out-of-band/sidechannel, without going through for example the JustWorks Owner Transfer Method per-se).

However, please note that there is more to that than just providing ACLs. The onboarding process also sets up various values in the /doxm, /pstat and /cred resources, as well as the /acl resource. So you'll want to make sure that the values for those resources are correct if you don't want to use the onboarding tool to configure them. The security sample apps (see below) do it this way, too, by providing pre-configured .db files. See "resource/csdk/security/unittest/oic_svr_db_prov.json" for an example of a .json file for a server device that is already onboarded and ready to run.

To test your setup, the first thing is to make sure your SECURED=1 build is working. Run the security-enabled unit tests and sample apps. See "./resource/csdk/security/README-building-and-running-secure-IoTivity-stack.txt".

NOTE: I just looked at this README and the success check is unclear. You should expect to see "Secure = yes" for the secured resources that are discovered, and "Secure = no" for the unsecure resources. You'll see what I mean if you follow the README.

FYI there is a more "fully documented" version of this same info on the IoTivity wiki: https://wiki.iotivity.org/security_resource_manager#guidelines_on_building_applications_with_security_enabled

The next thing to try is to follow the instructions for modifying the ACL to include an ACE (Access Control Entry) for your application resource. See the section "SVR Database Format Conversion" in the same wiki page above (there's not a bookmark currently to that heading; there should be).

That *should* all work as documented, but I haven't tested in a few months, so if something is broken/wrong in the wiki, please let me know and I'll troubleshoot.

Thanks,
Nathan

From: iotivity-dev-bounces at lists.iotivity.org On Behalf Of Gregg Reynolds
Sent: Wednesday, September 28, 2016 2:23 PM
To: iotivity-dev <iotivity-dev at lists.iotivity.org>
Subject: Re: [dev] svr db, static provisioning - help needed

On Sep 28, 2016 10:51 AM, "Gregg Reynolds" <dev at mobileink.com> wrote:
>
> Hi,
>
> I'm trying to experiment with various svr databases and running into trouble.
>
> My understanding is that I should be able to provision a client and a
> server statically, by writing the appropriate JSON config file and using
> json2cbor to create a dat file to be ingested at startup.
>
> However, I'm finding that my .dat files always get overwritten by the default
> svr database.
>
> Running cbordump on the original .dat file and the created default .dat file
> shows different formats. The generated file seems to use bytestrings for
> everything.
>
> For example, during init processing, initDoxmResource (doxmresource.c) calls
> GetSecureVirtualDatabaseFromPS (psinterface.c), which opens my .dat file and
> finds the doxm key. However, it only sets the result if the value is a
> bytestring:
>
>     CborError cborFindResult = cbor_value_map_find_value(&cbor,
>                                                          rsrcName, &cborValue);
>     if (CborNoError == cborFindResult &&
>         cbor_value_is_byte_string(&cborValue))
>     {
>         cborFindResult = cbor_value_dup_byte_string(&cborValue,
>                                                     data, size, NULL);
>         VERIFY_SUCCESS(TAG, CborNoError==cborFindResult, ERROR);
>         ret = OC_STACK_OK;
>     }
>
> (here rsrcName is "doxm"). But in fact the found value is a map.
>
> So I'm very confused about how all this is supposed to work and would
> appreciate any guidance.
>

ok, howsabout a simpler question: is it the case that I should be able to build my client and server with SECURED=1, provide each with a compiled .dat file with appropriate doxm, acl, etc. settings, and expect them to play nicely with each other *without* using dynamic on-boarding?

gregg

> Thanks,
>
> Gregg
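
An added example (not part of the original thread and not IoTivity code): a small Python check, in the spirit of the cbordump comparison described in the quoted message, that lists which top-level entries of an SVR database image are not CBOR byte strings, which is the condition the quoted GetSecureVirtualDatabaseFromPS snippet tests. The function names and the two sample images are constructed for illustration.

```python
# Added example; GOOD and BAD below are constructed samples, not real IoTivity files.
MAJOR = ("uint", "negint", "bytes", "text", "array", "map", "tag", "simple")

def read_head(buf, pos):
    """Decode one CBOR head; return (major type, argument, next offset)."""
    if pos >= len(buf):
        raise ValueError("truncated input")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        return major, info, pos
    if info > 27:
        raise ValueError("indefinite-length/reserved encodings not handled")
    n = 1 << (info - 24)          # 1, 2, 4 or 8 argument bytes follow
    if pos + n > len(buf):
        raise ValueError("truncated input")
    return major, int.from_bytes(buf[pos:pos + n], "big"), pos + n

def skip_item(buf, pos):
    """Return the offset just past the data item starting at pos."""
    major, arg, pos = read_head(buf, pos)
    if major in (2, 3):           # byte/text string: arg is the length
        return pos + arg
    children = {4: arg, 5: 2 * arg, 6: 1}.get(major, 0)
    for _ in range(children):     # arrays, maps and tags nest other items
        pos = skip_item(buf, pos)
    return pos

def svr_layout(buf):
    """Map each top-level text key to the CBOR type name of its value."""
    major, count, pos = read_head(buf, 0)
    if major != 5:
        raise ValueError("top-level item is not a map")
    layout = {}
    for _ in range(count):
        kmajor, klen, pos = read_head(buf, pos)
        if kmajor != 3:
            raise ValueError("top-level key is not a text string")
        key, pos = buf[pos:pos + klen].decode("utf-8"), pos + klen
        layout[key] = MAJOR[buf[pos] >> 5]
        pos = skip_item(buf, pos)
    return layout

def not_byte_strings(buf):
    """Keys that a byte-string-only lookup like the quoted one would skip."""
    return sorted(k for k, t in svr_layout(buf).items() if t != "bytes")

GOOD = bytes.fromhex("a2 64646f786d 41a0 6361636c 41a0")     # doxm, acl as bytes
BAD = bytes.fromhex("a2 64646f786d a1616bf5 6361636c 41a0")  # doxm as a map
```

To check a real file, read it in binary mode and pass the bytes to `svr_layout` or `not_byte_strings`.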
