In the last blog we created a “device” in SAP Cloud Platform IoT service; please also check the complete series:

Now it's time to get data…

We want to connect our real “device” (the TI Sensor Tag) to SAP Cloud Platform IoT service. As already mentioned, I am using a Raspberry Pi as my bridge to IoT service.

On the RPI we use “node-RED”, which lets us wire up our “TI Sensor Tag” and more in a graphical way. For details please refer to the documentation.

Instructions for installing node-RED can be found here.

In “node-RED” we need the following “nodes” for our scenario:

node-red-node-sensortag

node-red-contrib-mqtt-broker

Because we connect to IoT service securely via MQTTS, “node-RED” needs the “device” certificates.

Furthermore, the certificates must be in “PEM” format:

Get the certificates from IoT service

First we will download the certificates from the IoT service cockpit by clicking on the corresponding widget:

We now store this “certificate” archive on our local machine and extract it.

After it has been extracted successfully, we have the following three files:

 

To meet the requirement that “node-RED” needs the “PEM” format, we must perform a few steps:

  • Open the pswd.properties file and note down the password.
  • Now open the “client.ks” file (I am using the “KeyStore Explorer” tool here) and enter the password. As a result we can now see our device cert.

  • The next step is to export the key pair as a “.p12” file: enter the password again and then define the password for the new file:

  • After this has been saved successfully, we create the “PEM” files with the following openssl commands. For a detailed description please check the documentation. In short, we first transform our “.p12” file into a “PEM” file and finally create two files, one with the public certificate and one with the private key:

openssl pkcs12 -in 22112211.p12 -out 22112211.pem
Enter Import Password: <pswd for the newly created p12 file>
MAC verified OK
Enter PEM pass phrase: <new pass phrase for the PEM>
Verifying - Enter PEM pass phrase: <new pass phrase for the PEM>

Remove the pass phrase from our “PEM” file and also write the public key:

openssl rsa -in 22112211.pem -out 22112211_priv.pem
Enter pass phrase for 22112211.pem: <the pass phrase which we've defined before>
writing RSA key
<now write the public key (chain) into the new pem file>
openssl x509 -in 22112211.pem >>22112211_chain.pem

 

If we now look into these two “PEM” files, we can see that we have the certs required for “node-RED”.

Finally, I store the CA “PEM” file of my IoT service tenant directly from the browser.

As a result we now have the three files “node-RED” requires to establish the connection.

Please copy the files to a directory of your choice on the “Raspberry” and check that the “PI user” is allowed to access these files. Because 22112211_priv.pem is no longer protected by a pass phrase, no other user should be able to read it.
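
The conversion steps above as one script that runs without prompts and then checks the result; this is an added example, not part of the original post. It assumes openssl and GNU stat are installed; the function names are hypothetical, and the sample device identity and password are constructed for the demo.

```bash
#!/bin/sh
# Added example: the p12 -> PEM conversion without prompts, plus a consistency check.
# The device id and password used in demo() are constructed placeholders.

# Constructed sample: throwaway self-signed device identity packed as <id>.p12
make_sample_p12() {   # usage: make_sample_p12 <dir> <id> <p12 password>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-device" \
        -keyout "$1/k.pem" -out "$1/c.pem" 2>/dev/null &&
    P12_PASS="$3" openssl pkcs12 -export -inkey "$1/k.pem" -in "$1/c.pem" \
        -out "$1/$2.p12" -passout env:P12_PASS &&
    rm -f "$1/k.pem" "$1/c.pem"
}

# <id>.p12 -> <id>_priv.pem (unencrypted key) and <id>_chain.pem (certificate)
convert_p12() {       # usage: convert_p12 <dir> <id> <p12 password>
    (   umask 077     # everything written here is readable by the owner only
        P12_PASS="$3"; export P12_PASS   # env: keeps the password off the command line
        openssl pkcs12 -in "$1/$2.p12" -out "$1/$2.pem" \
            -passin env:P12_PASS -passout env:P12_PASS 2>/dev/null &&
        openssl rsa -in "$1/$2.pem" -passin env:P12_PASS \
            -out "$1/${2}_priv.pem" 2>/dev/null &&
        openssl x509 -in "$1/$2.pem" -out "$1/${2}_chain.pem" &&
        rm -f "$1/$2.pem" )   # the intermediate bundle is no longer needed
}

# Key and certificate must carry the same public key; the key must be owner-only.
check_pems() {        # usage: check_pems <key.pem> <cert.pem>; returns 0, 1, 2 or 3
    km=$(openssl rsa -in "$1" -passin pass: -noout -modulus 2>/dev/null) || return 1
    cm=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ "$km" = "$cm" ] || { echo "key does not match certificate" >&2; return 2; }
    case $(stat -c %a "$1") in      # GNU stat, as on Raspberry Pi OS
        600|400) return 0 ;;
        *) echo "$1 is accessible to other users" >&2; return 3 ;;
    esac
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample_p12 "$d" 22112211 constructed-pass &&
    convert_p12 "$d" 22112211 constructed-pass &&
    check_pems "$d/22112211_priv.pem" "$d/22112211_chain.pem"
    rc=$?; rm -rf "$d"; return $rc
}
demo && echo "key and certificate match, key is owner-only"
```

On the Raspberry, check_pems can be run on the copied files before they are entered in the “tls-config”.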

The node-RED modelling

In the MQTT node we must set up the connection to IoT service.

We add a new “MQTT Broker”:

Enter the required data and create a new “tls-config”:

Specify the path to our “PEM” files on the “RPI”:

If we now deploy the flow we can see that our “MQTT” node is successfully connected to IoT service:

We can also see in IoT service that we are now connected.

 

Time to connect our TI Sensortag:

For this we add the “sensorTag” node to our flow and define the required data:

Finally we create two little functions which collect the measurements (Air Temperature and Luminosity) from the “TI Sensor Tag” and send the data in the right format to IoT service:

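// Function 1: temperature reading (msg.payload.object), sent as measure 1
if (typeof msg.payload.object !== "undefined") {
    msg.payload = {"measureIds": 1, "values": msg.payload.object, "logNodeAddr": "1"};
    return msg;
}

// Function 2: luminosity reading (msg.payload.lux), sent as measure 4
if (typeof msg.payload.lux !== "undefined") {
    msg.payload = {"measureIds": 4, "values": msg.payload.lux, "logNodeAddr": "1"};
    return msg;
}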

We now connect our nodes, and as a result we have this easy and simple flow:

 

Check what happens in IoT service

If we go back to IoT service and press the “Real-Time Measures” widget we can hopefully see our “live data”:

And yeah, whoot! … our data is now visible in IoT service ;o)

For more details, please refer to the official documentation.

If we go back to our initial screen, we now have a working flow from the device to IoT service via Raspberry Pi:

In the next blog I will explain how we can create a device via the API of IoT service.

 

cheers,

fabian

 

5 Comments


  1. Former Member

    These things with the certificates should be explained a little bit more. The generated certificates and the certificates used in the screenshot do not fit together.

    1. Fabian Lehmann Post author

      hi marco,

       

      OK, I see; you mean this step?

      openssl rsa -in 22112211.pem -out 22112211_nopass.pem

      I've now corrected it to the right name:

      openssl rsa -in 22112211.pem -out 22112211_priv.pem

      br,

      fabian

       

       

  2. Former Member

    Hi,

    Excellent blog and article, the videos are short and perfect for me!

    I'm trying with an ESP32 board in the Arduino IDE (it is very difficult compared to Python connecting to MQTT – TLS)

    I don't know how to extract the CA certificate (private, cert and CA). Could you explain how to do it?

     

    1. Former Member

      Reply:

      openssl s_client -showcerts -connect someservermqtt:8883 </dev/null 2>/dev/null|openssl x509 -outform PEM >ca_cert.pem

      You must extract the ROOT certificate from ca_cert.pem; the intermediate certificate does not work (in Python with paho and on the ESP32 with the Arduino IDE). I use KeyStore Explorer, and the issuer is DigiCert SHA2 Secure Server. Search Google for the DigiCert CA certificate, https://www.digicert.com/digicert-root-certificates.htm , download the DigiCert SHA2 Secure Server certificate, open it with KeyStore Explorer and the issuer is DigiCert Global Root CA, then open it again with KeyStore Explorer, extract the PEM file and use it as the CA in Python with paho (bad practice: use ca-certificates.crt or cacert (the main Java truststore)):

      import ssl

      # 'client' is an already created paho MQTT client instance
      #my_ca_cert = "/etc/ssl/certs/ca-certificates.crt"
      my_ca_cert = "/home/developer/mqtt/python/1/DigiCertGlobalRootCA.pem"
      my_key_cert = "/home/developer/mqtt/python/1/client-nuevo.private.pem"   # private key
      my_pri_cert = "/home/developer/mqtt/python/1/client-nuevo_chain.pem"     # client certificate

      client.tls_set(ca_certs=my_ca_cert,
                     certfile=my_pri_cert,
                     keyfile=my_key_cert,
                     cert_reqs=ssl.CERT_REQUIRED,
                     tls_version=ssl.PROTOCOL_TLSv1_2,
                     ciphers=None)