Siemens MindConnect IoT2040 - Return of Defective Hardware

Siemens MindConnect IoT2040
126 pages
the backplane is physically existing or virtual. The green part identifies the slot number of the
next bridge module (next hop) or the destination module.
8.18 MindConnect General Security Principles
The security principles of MindConnect services are:
- Communication between devices and Industrial IoT cloud services uses HTTPS and signed URLs.
- Authentication and authorisation use OAuth 2.0 mechanisms.
- Security tokens have a limited validity period and must be renewed.
- Firmware is signed, and the device validates the signature before installation.
Onboarding agent (example, MindConnect IoT2040)
To onboard an agent, establish trust between the agent and agent management:
1. Create an agent in Asset Manager.
2. Define the network and security profile in Asset Manager.
3. Download the initial access token and network configuration to your local machine.
4. Deploy the initial access token to the agent, for example via USB stick.
With the initial access token, the agent can prove its identity towards agent management:
- The Initial Access Token (IAT) is physically entitled to onboard the agent.
- As a security measure against misuse, the initial access token is valid for 7 days.
Registering an agent (example, MindConnect IoT2040)
To register an agent at agent management, follow the OAuth 2.0 protocol. There are two cases:
Case 1: A compute-limited agent uses a shared secret in further communication. For example, the agent registers at agent management with the IAT.
Case 2: A powerful agent uses public/private keys in further communication. For example, the agent registers at agent management with the IAT and additionally sets a JSON Web Key according to RFC 7517 that contains a self-generated public key.
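The JSON Web Key from Case 2, as an added example that is not taken from the Siemens manual: Python code that encodes an RSA public key as a JWK (RFC 7517) and checks, before the key accompanies a registration, that it carries no private-key members and meets a minimum modulus size. The RSA key type, the 2048-bit minimum and all function names are assumptions made here; the sample modulus is a constructed stand-in, not a real key.

```python
import base64
import hashlib
import json

# Private-key and symmetric-key members defined in RFC 7518; none belong in a public JWK.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

# Constructed stand-in with the shape of a 2048-bit modulus (NOT a real key).
SAMPLE_N = (1 << 2047) | int.from_bytes(hashlib.sha256(b"constructed sample").digest() * 8, "big") | 1

def b64url(data: bytes) -> str:
    """Base64url without padding, as JWK members require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def rsa_public_jwk(n: int, e: int) -> dict:
    """Encode RSA public numbers as big-endian base64url JWK members."""
    enc = lambda v: b64url(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "n": enc(n), "e": enc(e)}

def thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 thumbprint, usable to compare the registered key out of band."""
    canonical = json.dumps({k: jwk[k] for k in ("e", "kty", "n")},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def check_registration_jwk(jwk: dict, min_bits: int = 2048) -> list:
    """Return a list of problems; an empty list means the JWK passed these checks."""
    problems = []
    leaked = sorted(PRIVATE_MEMBERS & jwk.keys())
    if leaked:
        problems.append("private members present: " + ", ".join(leaked))
    if jwk.get("kty") != "RSA":
        return problems + ["unsupported kty: %r" % jwk.get("kty")]
    n = int.from_bytes(b64url_decode(jwk.get("n", "")), "big")
    e = int.from_bytes(b64url_decode(jwk.get("e", "")), "big")
    if n.bit_length() < min_bits:
        problems.append("modulus is %d bits, below %d" % (n.bit_length(), min_bits))
    if e < 3 or e % 2 == 0:
        problems.append("invalid public exponent")
    return problems

if __name__ == "__main__":
    jwk = rsa_public_jwk(SAMPLE_N, 65537)
    print(json.dumps(jwk)[:60] + "...", thumbprint(jwk), check_registration_jwk(jwk))
```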
Accepting the registration (example, MindConnect IoT2040)
With this response, the agent is onboarded and agent management accepts the registration.
There are two cases; agent management responds with:
Appendix
MindConnect IoT2040
System Manual 8/2023 120
