Provision VPN Network

Introduction

Provisioning in IoT can be a tough job if the managing platform does not provide the tools needed by its two main players: manufacturers and platform users, especially organization managers and administrators.

Manufacturers have to be able to present their device provisioning as a plug-and-play solution, so that their clients do not have to create and configure a considerable number of devices one by one.

On the other hand, platform users such as managers and administrators should be able to handle the creation, connection authentication, authorization and telemetry collection of thousands or millions of devices automatically.

Cervello makes it easy for manufacturers and for platform managers and administrators to get their devices on board by providing all the tools needed in a highly secure manner.

Cervello gives an organization administrator or manager the power to create and manage multiple VPN networks to secure the connection and communication of his/her device(s), and to automate the provisioning of VPN configuration using the devices' unique identifiers provided by the manufacturer. These unique identifiers can be IMEI, MAC address, serial number or any other identifier the device manufacturer considers unique. As soon as the VPN is ready and the device(s) are assigned to it, Cervello uses the user-defined command to send an update request to the device; the system is responsible for the rest of getting these devices on board by automatically providing the VPN client configuration.

On the other side, Cervello provides manufacturers with the tools to offer a plug-and-play provisioning option to their clients. A manufacturer can use the Cervello Manufacturer Portal user interface to generate a standard X.509 security certificate and attach it to a number of devices/sensors. Once a device with a valid certificate establishes a connection to Cervello, the platform authenticates the manufacturer and handles all the actions required to add the device to its organization, as well as to receive the device's telemetry.

1. Organization Manager

An organization manager is a Cervello user with privilege to administer an organization.

In Cervello an organization is a tenant that represents an instance of the whole platform's functionality, such as assigning devices to different applications and dashboards. To learn more about organizations, see the Cervello User Guide.

As mentioned before, device VPN provisioning is designed to allow a large number of devices connected to an organization to download a VPN client certificate.

1.1 Create new VPN network

Navigate to Network manager.

Next, Create new VPN.

Next, fill VPN main detail form.

Next, in order to add groups and clients to a VPN network, navigate to one of the organization's VPN(s).

1.2 Create new VPN Group

A VPN Group is a collection of devices that share the same update command, which is sent to the devices to force an update of the device's VPN client certificate.

  1. From the VPN management page navigate to the VPN Groups page and click on Create Group.

  2. Next, fill in the main VPN group details:
    • Name: the VPN group name.
    • Command: the command that will be sent to the device(s) to force a certificate update.

  3. Next, manage the VPN Group clients.

Adding and removing clients is done by selecting devices and moving them between the source and target lists.

1.3 Create new VPN Client

A VPN Client is a device or user that will access a VPN network; clients can only be created from the VPN Group page.

  1. Navigate to the VPN Groups page and click on the required VPN Group.

  2. Next, click on Create Client.

  3. Next, fill in the Client details form.

First, when creating a user client, the organization admin must provide the email of an existing organization user in the search email field (autocomplete is supported).

  • Client to client: allows the client to communicate with other clients while access to the routed network is blocked. This option is recommended for user clients, to prevent the user from accessing other routed VPN networks.

Second, when creating a device client, the organization admin must provide an existing device in the search field (autocomplete is supported).

  • Client to client: allows the client to communicate with other clients while access to the routed network is blocked. This option is recommended for user clients, to prevent the user from accessing other routed VPN networks.

1.4 Manage VPN Client

VPN Group clients can be managed from the Clients page or the VPN Group page to perform the following actions:

  • Disable: disallow client access to VPN network.
  • Download client certificate: manually download Client certificate.
  • Edit
  • Delete

Clients page

VPN Group page

2.4 Provision request

Now everything is ready to make an HTTPS POST request to Cervello to provision the device VPN, using the “Cervello Certificate Access key” as a URI parameter and the encryption result from the previous step as the JSON request body.

Cervello will verify the encrypted token using the public key of the manufacturer's Cervello certificate generated in the previous steps. Once this is done, Cervello will create the device in the owner organization's device repository, provided the device's unique identifier exists.
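The platform-side check described above, as an added example that is not Cervello's own code: the token format, the JSON body shape, the registry of identifiers and the use of an ECDSA signature in place of the page's "encrypted token" are all assumptions, and the HTTPS transport and the "Cervello Certificate Access key" parameter are not modelled. The request is accepted only if it verifies under the manufacturer's certificate key and names an identifier the manufacturer already registered.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// ProvisionRequest is an assumed JSON body (the page gives no schema):
// the device's unique identifier and the manufacturer's signature over it.
type ProvisionRequest struct {
	DeviceID  string `json:"device_id"`
	Signature []byte `json:"signature"`
}

// Registry stands in for the organization's repository of registered device identifiers.
type Registry map[string]bool

// NewManufacturerKey stands in for the key behind the manufacturer's X.509 certificate.
func NewManufacturerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignRequest (manufacturer/device side) builds the POST body by signing
// the SHA-256 digest of the device identifier.
func SignRequest(priv *ecdsa.PrivateKey, deviceID string) ([]byte, error) {
	digest := sha256.Sum256([]byte(deviceID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return json.Marshal(ProvisionRequest{DeviceID: deviceID, Signature: sig})
}

// Provision (platform side) verifies the signature with the manufacturer's
// public key, then creates the device only if its identifier is registered.
func Provision(pub *ecdsa.PublicKey, reg Registry, body []byte) bool {
	var req ProvisionRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return false // malformed body
	}
	digest := sha256.Sum256([]byte(req.DeviceID))
	if !ecdsa.VerifyASN1(pub, digest[:], req.Signature) {
		return false // not signed by the manufacturer's certificate key
	}
	return reg[req.DeviceID] // true means the device was created
}
```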