IOTD-08


Developing an Edge System with Advanced Device Management

Capabilities

David Woodard - Eurotech

Eurotech Overview

• One of the world top players in the Embedded Computers market

• 20+ Years of experience in “M2M” and distributed systems

• Behind the products of more than 20 Global 500 companies

• Strong vertical market competences:

– Industrial & Logistics

– Transportation

– Defense & Security

– Healthcare & Medical

Eurotech Overview

[Map: Eurotech locations in Japan, Singapore, Italy, France, USA, UK and India, keyed by function: Marketing and Sales; Development & Engineering; Production]

The Internet of Things

“Old M2M”:

• Performance constraints

• Hardly any standards

• Human resource constraints (C++)

• Expensive, limited communication

• Monolithic approach

• Single-purpose devices

• Hardware-defined systems

• Store-and-Forward communication

• Operations-centric approach

M2M 2.0 = IoT:

• Powerful embedded systems

• Open and industry standards

• No HR constraints (Java)

• Inexpensive, available communication

• Systemic & platform approach

• Multi-service systems

• Software-defined systems

• Real-time data and communication

• IT-centric approach

Eurotech’s Approach to IoT

[Diagram: Business Applications ↔ Everyware Cloud M2M Integration Platform ↔ Multi-Service Gateway ↔ Sensors, Actuators, Displays, …]

Multi-Service Gateway Approach

• Multiple business-relevant tasks are addressed and technically consolidated

• Data delivery using an open protocol, effectively decoupling data providers and data consumers

• IT-centric device application development, using software frameworks to implement business logic in smart edge devices / multi-service gateways

• More efficient bandwidth utilization – carrier cost optimization

• Off-the-shelf, purpose-built devices designed to meet vertical market value propositions

[Diagram: the M2M Multi-Services Gateway at the centre, connected to Sensors, Actuators, Legacy Systems, Smart Machines, Human / Machine Interfaces and Meters]

Multi-Service Gateway Approach

[Diagram: application Code running on OSGi on Java SE Embedded on Linux on Hardware]

IoT Gateway Framework

• Open Sourced at Eclipse Kura

• Extended and commercially supported on industrial hardware by Eurotech

• Modular software components

• Manage cloud connectivity

• Network configuration and administration

• Support for different protocols

• Remote management and access

• Integrated development environment

• Application portability

[Diagram: Embedded App on Java / OSGi on Linux OS on Open HW or Industrial HW]

Open Java/OSGi Middleware for IoT Gateways

IoT Gateway Challenges:

• Pressure to add value in shrinking timeframes

• Velocity of technology changes outstrips staffing

• Interoperability trumps exclusive differentiation

• Quest for quality w/o lock-in

Open Source is the Answer!

Founded in 2012 by

Now …

• 23 Members

• 15+ new projects

• 1M+ lines of source code

• The fastest growing Eclipse workgroup

ESF Overview

[Layered block diagram of the Everyware Software Framework, reconstructed from the slide]

• Runtime: OpenJDK 7, Oracle Java SE 7 Embedded

• OSGi Application Container (Eclipse Equinox, Concierge)

• Device Abstraction: javax.comm / RS-485; javax.usb + udev; jdk.dio (GPIO / SPI / PWM / I2C); GPS Position; Java USB HID APIs; javax.bluetooth / BLE; javax.smartcardio

• Basic Gateway Services: DB Service, Clock Service, Device Profile, Watchdog

• Network Configuration: Firewall, Port Forwarding; Network Monitors; Cellular, Wi-Fi, Ethernet

• Field Protocols: ModBUS, CAN bus, Custom Protocols

• Connectivity and Delivery: Data Services, MQTT Paho, Cloud Services

• Security: Security Manager, Certificate Manager, SSL Manager, Provisioning

• Management: Administration GUI, Remote Management, Configuration Management, Updates Management, Remote Access

• Applications: Your Application

Device Management

• Device Provisioning

– Provisioning of Device Credentials

– Provisioning of Configuration with Account Affiliation

• Embedded Application / Bundle Management

– Bundle Start/Stop

– Incremental Software Updates

• Service Configuration Management

– Configuration Updates

– Management of Snapshots and Rollbacks

– Remote Certificate Management

• Device Batch Operations

– Scheduled Device Management Operations

– Single/Group Devices Targets

– On-reconnect Device Management Operations

• Remote Access and Management

– Remote Command Executions

– Remote Access through Everyware VPN

– System Monitoring and Diagnostics for CPU, MEM, …

[Everyware Cloud block diagram: MQTT; Security; Administration; Data Management; Device Connectivity; Application Integration]

Device Management

Application Management

Local and remote configurability of the OSGi framework is key to system reliability

Application Management

Local and remote manageability of applications provides an easier path for upgrades and rollouts

Service Configuration Management

• Exposing configurable parameters allows remote tuning of running services

• Live updates of running services prevent costly downtime

Service Configuration Management

• Providing “snapshots” of the framework gives continual known states of the system

• New snapshots can be applied to quickly update the entire framework

• Snapshots can be rolled back to a known good state if needed
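The snapshot-and-rollback behaviour described above, as an added Python example; this is not ESF or Kura code. It assumes a JSON file per snapshot in a scratch directory, a caller-supplied validation hook that runs before a configuration change is committed, and the placeholder service id `org.example.mqtt`.

```python
"""Configuration snapshots with rollback to a known good state.

Added example (Python), not ESF/Kura code. The snapshot file format (one JSON
file per snapshot), the validation hook and the service id are assumptions.
"""
import copy
import json
import os
import tempfile


class ConfigSnapshots:
    """Keeps the live configuration plus an ordered history of known-good snapshots."""

    def __init__(self, initial, directory=None):
        self.directory = directory or tempfile.mkdtemp(prefix="snapshots-")
        self.history = []                   # snapshot ids, oldest first; the last one is the live state
        self.current = copy.deepcopy(initial)
        self._take("initial")

    def _take(self, label):
        sid = f"{len(self.history):04d}-{label}"
        with open(os.path.join(self.directory, sid + ".json"), "w") as fh:
            json.dump(self.current, fh, sort_keys=True)
        self.history.append(sid)
        return sid

    def update(self, pid, changes, validate):
        """Apply a service configuration update only if the whole candidate validates."""
        candidate = copy.deepcopy(self.current)
        candidate.setdefault(pid, {}).update(changes)
        error = validate(candidate)
        if error:
            return False, error             # nothing was committed, nothing to undo
        self.current = candidate
        return True, self._take("update-" + pid)

    def rollback(self, sid=None):
        """Restore a named snapshot (default: the one before the live state)."""
        if sid is None:
            if len(self.history) < 2:
                return False, "no earlier snapshot"
            sid = self.history[-2]
        if sid not in self.history:
            return False, "unknown snapshot " + sid
        with open(os.path.join(self.directory, sid + ".json")) as fh:
            self.current = json.load(fh)
        return True, self._take("rollback")


def validate(cfg):
    """Constructed policy: broker must be reached over TLS and keep-alive must be positive."""
    mqtt = cfg.get("org.example.mqtt", {})
    if not mqtt.get("broker-url", "").startswith("mqtts://"):
        return "broker-url must use mqtts://"
    if mqtt.get("keep-alive", 30) <= 0:
        return "keep-alive must be positive"
    return None


def demo():
    """Constructed run: a good update, a rejected update, then a rollback to the initial state."""
    snaps = ConfigSnapshots({"org.example.mqtt": {"broker-url": "mqtts://broker.example:8883",
                                                  "keep-alive": 30}})
    ok1, _ = snaps.update("org.example.mqtt", {"keep-alive": 60}, validate)
    ok2, err = snaps.update("org.example.mqtt", {"broker-url": "mqtt://plain.example:1883"}, validate)
    ok3, _ = snaps.rollback()               # back to "0000-initial"
    return ok1, ok2, err, ok3, snaps.current["org.example.mqtt"]["keep-alive"], len(snaps.history)


if __name__ == "__main__":
    print(demo())
```

Validating the whole candidate configuration before committing means a bad remote update never becomes a snapshot, so every entry in the history is a state the gateway actually ran with.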

Service Configuration Management

• Exposing the device keystore for remote management allows for easily adding new certificates to a gateway

• Quickly revoke/update compromised certificates

Device Batch Operations

• Gateways can be organized into groups

• Jobs can target user-defined gateway groups

• Support flexible scheduling and retries

• Support executions upon device reconnects

• Report job execution status

Remote Access

[Diagram: Everyware Cloud (MQTT, Everyware VPN Server) between a Remote Terminal or Application Management Console and the Gateway, with VPN links numbered 1 to 5]

1. Gateway connected through MQTT

2. VPN connection to Gateway is requested

3. VPN connection from Remote Terminal is established and bridged to the Gateway

4. VPN connection from Gateway is established

5. Through ESF NAT and port forwarding, Remote Terminal can access devices connected to the Gateway subnet

Device Security

Securing Device to Cloud (Communication Security)

• Device Authentication Options

– Unique per-device credentials distributed by Provisioning

– SSL/TLS Mutual Authentication

• Platform-Signed Device Management Messages

• Device Initiated Connections (No open ports on Device)

• Allowed traffic is secure and mutually authenticated (SSL/TLS)

• Everyware VPN Service
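A gateway-side acceptance check for the "platform-signed device management messages" point above, as an added Python example rather than ESF or Kura code. The slide does not describe the real signing scheme, so the envelope format (JSON body plus a detached signature), the HMAC-SHA256 scheme keyed with a per-device secret that provisioning would install, the `mgmt/` topic prefix and the command names are all assumptions made for a self-contained demo.

```python
"""Gateway-side acceptance check for platform-signed device management messages.

Added example (Python), not ESF/Kura code. Envelope format, HMAC-SHA256 scheme,
per-device secret, topic prefix and command names are assumptions for the demo.
"""
import hashlib
import hmac
import json

DEVICE_KEY = b"constructed-per-device-secret"  # constructed stand-in for a provisioned secret
MGMT_PREFIX = "mgmt/"                          # assumed namespace for control traffic
MAX_AGE = 300                                  # seconds a command stays acceptable
# Operations named on the Device Management slide; anything else is refused.
ALLOWED = {"bundle.start", "bundle.stop", "config.update", "snapshot.rollback"}


def canonical(body):
    """Stable serialisation so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body, key=DEVICE_KEY):
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def verify(topic, body, signature, now, seen_ids, key=DEVICE_KEY):
    """Return (accepted, reason); every rejection path is explicit so it can be logged."""
    if not topic.startswith(MGMT_PREFIX):
        return False, "not a management topic"
    if not signature:
        return False, "unsigned"
    if not hmac.compare_digest(sign(body, key), signature):
        return False, "bad signature"
    ts = body.get("ts")
    if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_AGE:
        return False, "outside time window"
    msg_id = body.get("id")
    if not msg_id or msg_id in seen_ids:
        return False, "replayed or missing id"
    if body.get("cmd") not in ALLOWED:
        return False, "unknown command"
    seen_ids.add(msg_id)
    return True, "ok"


class Gateway:
    """Executes only verified commands and records what it did or why it refused."""

    def __init__(self, key=DEVICE_KEY):
        self.key = key
        self.seen = set()
        self.log = []

    def on_message(self, topic, payload, now):
        env = json.loads(payload)
        ok, reason = verify(topic, env.get("body", {}), env.get("sig"), now, self.seen, self.key)
        self.log.append(("executed", env["body"]["cmd"]) if ok else ("rejected", reason))
        return ok


def demo():
    """Constructed traffic: one good command followed by the failure modes the check catches."""
    gw = Gateway()
    now = 1_700_000_000
    body = {"id": "req-1", "ts": now, "cmd": "bundle.stop", "target": "com.example.app"}
    good = json.dumps({"body": body, "sig": sign(body)})
    tampered = json.dumps({"body": dict(body, cmd="config.update"), "sig": sign(body)})
    unsigned = json.dumps({"body": body})
    gw.on_message("mgmt/gw-01/bundle", good, now)
    gw.on_message("mgmt/gw-01/bundle", good, now)   # replay of an already-seen id
    gw.on_message("mgmt/gw-01/bundle", tampered, now)
    gw.on_message("mgmt/gw-01/bundle", unsigned, now)
    gw.on_message("data/gw-01/temp", good, now)     # valid signature, wrong namespace
    return gw.log


if __name__ == "__main__":
    for entry in demo():
        print(*entry)
```

The check is layered on top of the mutually authenticated TLS session, not instead of it: TLS proves the peer is the platform, while the per-message signature, time window and message id let the gateway refuse a command that was tampered with, replayed, or delivered on the telemetry namespace.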

Securing the Device

• Secure device identity

• Secure execution environment (ESF 3.2)

• Encrypted Configuration Storage and Certificate Stores

• Device Unique Master Password

• Remote Certificate Management

• Firewall

• OSGi / Signed Code

• Everyware VPN Client

• Secure Boot

[Diagram: Code on Java VM on Linux on Hardware]

Separate Data from Management

The ESF/Kura Application sits on two independent stacks, one for Device Management and one for Telemetry Data, each made of the same three layers:

• CloudService – Application Protocol: Topic Namespaces, Message Compression, Life-cycle Messages, Request/Response

• DataService – Connection Management: Auto-connect, Connection Retries, Store and Forward, Message Priorities

• TransportService – Connection Protocol, Transport Abstraction
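The three-layer split above, modelled as an added Python example that is not ESF or Kura code. It keeps the slide's class names but everything else is assumed: the topic layout `<namespace>/<client-id>/<app-id>/<metric>`, the "lower number is more urgent" priority rule, the bounded buffer with eviction, and the constructed `FakeTransport` that stands in for a real MQTT link.

```python
"""CloudService / DataService / TransportService split with two independent stacks.

Added example (Python), not ESF/Kura code. Topic layout, priority rule, buffer
policy and the fake transport are assumptions made for this demo.
"""
import heapq
import itertools


class FakeTransport:
    """Constructed stand-in for TransportService: records sends, can be taken down."""

    def __init__(self):
        self.up = True
        self.sent = []

    def send(self, topic, payload):
        if not self.up:
            raise ConnectionError("link down")
        self.sent.append((topic, payload))


class DataService:
    """Connection management: store-and-forward with priorities (lower number = more urgent)."""

    def __init__(self, transport, max_buffer=4):
        self.transport = transport
        self.max_buffer = max_buffer
        self._heap = []                  # entries: (priority, seq, topic, payload)
        self._seq = itertools.count()    # seq keeps FIFO order within one priority
        self.dropped = 0

    def publish(self, topic, payload, priority=5):
        if self.transport.up:
            self.transport.send(topic, payload)
            return "sent"
        return self._enqueue(topic, payload, priority)

    def _enqueue(self, topic, payload, priority):
        if len(self._heap) >= self.max_buffer:
            worst = max(self._heap)      # least urgent queued entry
            if priority >= worst[0]:
                self.dropped += 1        # new message is no more urgent than the worst: drop it
                return "dropped"
            self._heap.remove(worst)     # evict the least urgent entry to make room
            heapq.heapify(self._heap)
            self.dropped += 1
        heapq.heappush(self._heap, (priority, next(self._seq), topic, payload))
        return "queued"

    def on_reconnect(self):
        """Drain buffered messages, most urgent first; stop at the first transport failure."""
        while self._heap:
            _, _, topic, payload = self._heap[0]
            try:
                self.transport.send(topic, payload)
            except ConnectionError:
                return len(self._heap)   # keep the message for the next attempt
            heapq.heappop(self._heap)
        return 0


class CloudService:
    """Application protocol: namespaces topics so management and data never share a queue."""

    def __init__(self, namespace, client_id, data_service):
        self.namespace = namespace
        self.client_id = client_id
        self.data = data_service

    def publish(self, app_id, metric, payload, priority=5):
        topic = f"{self.namespace}/{self.client_id}/{app_id}/{metric}"
        return self.data.publish(topic, payload, priority)


def demo():
    """Constructed scenario: telemetry link drops while the management link stays up."""
    mgmt_link, data_link = FakeTransport(), FakeTransport()
    mgmt = CloudService("mgmt", "gw-01", DataService(mgmt_link))
    data = CloudService("data", "gw-01", DataService(data_link, max_buffer=3))

    data_link.up = False
    data.publish("sensor", "temp", "21.5", priority=9)
    data.publish("sensor", "temp", "21.6", priority=9)
    data.publish("sensor", "alarm", "over-temp", priority=1)
    data.publish("sensor", "temp", "21.7", priority=9)            # buffer full: dropped
    mgmt.publish("config", "snapshot", "rollback-ok", priority=1)  # unaffected by the backlog

    data_link.up = True
    data.data.on_reconnect()
    return mgmt_link.sent, data_link.sent, data.data.dropped


if __name__ == "__main__":
    print(demo())
```

Because each stack owns its own DataService buffer and transport, a telemetry backlog cannot delay a management command, and on reconnect the alarm leaves the gateway before the routine readings queued ahead of it.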

Thank You!

Visit eurotech.com, eclipse.org/kura, iot.eclipse.org

Follow @EurotechFan @eclipsekura