AWS IoT Core is a managed Cloud service that lets connected devices easily and securely interact with Cloud applications and other devices. AWS IoT Core can support billions of devices and trillions of messages and can process and route those messages to AWS endpoints and other devices reliably and securely. Devices can connect to AWS IoT Core using the following protocols: HTTP, WebSockets, and MQTT.
In this tutorial, you will learn how to securely connect an Opta™ device to AWS IoT Core using the MQTT protocol. MQTT (Message Queuing Telemetry Transport) is a highly lightweight machine-to-machine (M2M) connectivity protocol that uses a publish/subscribe messaging model. It is particularly suitable for Internet of Things (IoT) applications due to its bandwidth efficiency and ability to ensure message delivery over unstable networks. By the end of this tutorial, you will have the necessary skills to set up your Opta™ device to publish data to the AWS IoT Core and receive data from it.
AWS IoT Core is at the heart of the AWS IoT suite of services, providing a centralized platform where IoT devices can connect to the Cloud. Its robust framework supports millions of devices and billions of messages, seamlessly and securely routing those messages between devices and various AWS Cloud services. Some key features of AWS IoT Core are the following:
X.509 certificates provide a robust layer of security for devices communicating with AWS IoT Core. When connecting using MQTT, these certificates are essential as they confirm the device's identity to AWS IoT Core, which is impossible with basic username and password authentication. This certificate-based system is part of the mutual authentication process, which is more secure than traditional credential-based methods.
With each device possessing a unique X.509 certificate, AWS IoT Core can ensure that the messages are secure and come from a trusted source. This method is fundamental in IoT ecosystems, where trust and identity verification are paramount to maintaining the system's integrity.
More information on X.509 certificate support on AWS IoT can be found here.
This tutorial will need the latest version of the Arduino IDE; you can download it here. If it is your first time setting up an Opta™ device with the Arduino IDE, it is advisable to check its User Manual first. In the Arduino IDE, you need to install the core for Opta™ devices; you can do this by navigating to Tools > Board > Boards Manager. In the Boards Manager tab, search for opta and install the latest Arduino Mbed OS Opta Boards version.
This tutorial also requires the latest version of the NTPClient, Arduino_JSON, ArduinoECCX08, ArduinoBearSSL, ArduinoMqttClient, Arduino_ConnectionHandler and Arduino Cloud Provider Examples libraries installed on the Arduino IDE. You can do this by navigating to Tools > Manage Libraries or clicking the Library Manager icon in the left tab of the IDE. In the Library Manager tab, search for each of these libraries by name and install the latest version.
If you do not have an existing AWS account and user, refer to the online AWS documentation at Set up your AWS account. To get started, follow the steps outlined in the sections below:
As mentioned, AWS IoT Core requires devices that connect to it using the MQTT protocol to use X.509 certificates for authentication. We'll use an example sketch from the ArduinoECCX08 library to generate a Certificate Signing Request (CSR) from an Opta™ device and then upload this CSR in the AWS console to create an X.509 certificate.
Open the ECCX08CSR example sketch by navigating to File > Examples > ArduinoECCX08 > Tools. To upload the code to your Opta™ device, click the Verify button to compile the sketch and check for errors; then click the Upload button to program the device with the sketch.
When finished, open the IDE's Serial Monitor. Ensure the line ending configuration is set to Both NL & CR, as shown in the image below.
Provide the information requested by the example sketch to generate a new CSR for your Opta™ device. Copy the generated CSR from the IDE's Serial Monitor, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines, and save it to a new .txt or .csr file using your favorite text editor. You will upload this file to the AWS console next.
Now that we have a CSR to identify your Opta™ device, we need to log in to the AWS IoT Core console and create a certificate.
Refer to the online AWS documentation at Create AWS IoT resources. Follow the steps outlined in the following sections to provision resources for your device:
Pay special attention to the notes in the shared sections.
Log in to your AWS account; in the Console Home search bar, search for the "IoT Core" service and select it.
In the IoT Core services area, navigate to the menu on the left side and choose Manage > All devices > Things, then select the Create things button.
Once you click the Create things button, you will be transferred to a page where you can create a single or many things. Select the Create single thing option and then the Next button.
After selecting the Next button, you will be transferred to a page where you can name your Thing. Give your Thing the same name as the common name that you defined in the generated CSR, and then select the Next button.
After selecting the Next button, you will be transferred to a page where you can upload the generated CSR. Choose the CSR file, then select the Next button.
After selecting the Next Button, you will be transferred to a page where you can choose the policies you want to attach to your Thing, and then select the Create thing button.
In the image shown below, you can see an example policy created for testing purposes only. Do not use this policy in production: it is a wide-open policy and does not follow best practices and standards. Refer to the online AWS documentation at Create an AWS IoT policy.
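As an added example (not part of the original tutorial, and not AWS or Arduino code), the Python script below places a wide-open test policy beside one scoped to this tutorial's client and topics, and flags wildcard grants. Both policy documents are constructed for illustration; REGION and ACCOUNT_ID are placeholders, and arduino/outgoing and arduino/incoming are the topics the example sketch uses later in this tutorial.

```python
# Added example: audit an AWS IoT policy document for wildcard Allow grants.
# Both policies are constructed for illustration; REGION and ACCOUNT_ID are
# placeholders, and the topic names are the ones the example sketch uses.
ARN = "arn:aws:iot:REGION:ACCOUNT_ID:"

WIDE_OPEN = {  # testing-only style: every IoT action on every resource
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}

SCOPED = {  # only what the example sketch needs
    "Version": "2012-10-17",
    "Statement": [
        # The MQTT client ID must equal the name of the Thing the certificate
        # is attached to (the value passed to mqttClient.setId in the sketch).
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": ARN + "client/${iot:Connection.Thing.ThingName}"},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": ARN + "topic/arduino/outgoing"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": ARN + "topicfilter/arduino/incoming"},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": ARN + "topic/arduino/incoming"},
    ],
}

def _as_list(value):
    """Policy fields may hold a single value or a list of values."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return one finding per wildcard action or resource in an Allow statement."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {index}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if "*" in resource:
                findings.append(f"statement {index}: wildcard resource {resource}")
    return findings

if __name__ == "__main__":
    for name, policy in (("WIDE_OPEN", WIDE_OPEN), ("SCOPED", SCOPED)):
        print(name, audit_policy(policy) or "no wildcard grants")
```
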
Select the Thing you just created and navigate to the Certificates tab; select the Certificate ID as shown in the image below.
Once in the Certificate area, select the Actions dropdown menu and choose Activate. After the certificate is activated, the next step is to download the certificate. Save the downloaded certificate in a place where you can find it later.
The first step to connect your Opta™ device is getting the device data endpoint from your AWS account. In your AWS account, navigate to the menu on the left side and choose Settings; copy the provided endpoint.
The next step depends on which variant of the Opta™ device you have.
For Opta™ Lite (SKU: AFX00003): Open the AWS IoT Ethernet example sketch in the Arduino IDE using File > Examples > Arduino Cloud Provider Examples > AWSIoT > AWS_IoT_Opta > AWS_IoT_Opta_ethernet.ino.
For Opta™ RS485 (SKU: AFX0001): Open the AWS IoT Ethernet example sketch in the Arduino IDE using File > Examples > Arduino Cloud Provider Examples > AWSIoT > AWS_IoT_Opta > AWS_IoT_Opta_ethernet.ino.
For Opta™ WiFi (SKU: AFX00002): If you connect using Ethernet, open the AWS IoT Ethernet example sketch in the Arduino IDE using File > Examples > Arduino Cloud Provider Examples > AWSIoT > AWS_IoT_Opta > AWS_IoT_Opta_ethernet > AWS_IoT_Opta_ethernet.ino. If you connect using Wi-Fi®, open the AWS IoT Wi-Fi® example sketch in the Arduino IDE using File > Examples > Arduino Cloud Provider Examples > AWSIoT > AWS_IoT_Opta > AWS_IoT_Opta_wifi > AWS_IoT_Opta_wifi.ino.
In the arduino_secrets.h tab, update the Wi-Fi® settings with the SSID and password of your Wi-Fi® network. Update the secret_broker with the device data endpoint captured before, and update the secret_port with the proper port used to connect to AWS IoT. Finally, open the certificate file you downloaded with a text editor and copy/paste the value in the sketch in the secret_certificate area. In the image below, the arduino_secrets.h tab for the AWS_IoT_Opta_wifi.ino sketch is shown.
Within setup(), the lines sslClient.setEccSlot(0, certificate) and mqttClient.setId("clientID") are important. The setEccSlot function sets the slot you used before for the CSR; the setId function sets the name you gave to your Thing in the AWS IoT Core. Once the example sketch is set with proper values, the next step is to upload the sketch and test it.
After modifying the example sketch, click the Verify button to compile the sketch and check for errors; then click the Upload button to program the device with the sketch. Open the IDE's Serial Monitor to monitor the Wi-Fi connection of your device and its connection to AWS.
The example sketch automatically connects to an Ethernet or a Wi-Fi® network and the AWS IoT Core broker. Then, it subscribes to the arduino/incoming topic and sends messages to the arduino/outgoing topic every five seconds.
As soon as your Opta™ device is connected to the AWS IoT broker, it automatically publishes a simple message to the arduino/outgoing topic every five seconds. On the AWS IoT Core console, open the MQTT test client and add a subscription for the arduino/outgoing topic; choose JSON formatting as the display option. You should see messages arriving from your Opta™ device every five seconds.
On the AWS IoT Core console, open the MQTT test client and select the "Publish to a topic" tab. Add arduino/incoming as Topic name and click the "Publish" button to send data to Opta™. Data in the "Message payload" text area shows on the Serial Monitor of the Arduino IDE.
Please note the example sketch can parse only JSON messages in the form:
{
  "message": "Hello from AWS IoT console"
}
The message can be modified as you like; remember to adapt the example sketch accordingly.
For more information on AWS, refer to the AWS online documentation on Troubleshooting AWS IoT. For more details on Opta™ devices, refer to Opta™'s online documentation on Arduino Docs.
If your Opta™ device fails to connect to AWS IoT Core, check the following:
The arduino_secrets.h file must be filled in (SECRET_SSID, SECRET_PASS, SECRET_BROKER, SECRET_PORT, and SECRET_CERTIFICATE).