Help-Desk issue HELP-16405

[fiware-stackoverflow] How to provision a Dockerized secure IoT Agent with Keyrock?



      Created question in FIWARE Q/A platform on 06-12-2019 at 15:12
      Please, ANSWER this question AT https://stackoverflow.com/questions/59215410/how-to-provision-a-dockerized-secure-iot-agent-with-keyrock

      How to provision a Dockerized secure IoT Agent with Keyrock?

      I'm failing to find this information within the existing documentation - either permanent or non-permanent tokens.

      Using Keyrock 7.8, Ultralight 1.11.0 (though any current agent will do)

      The following Docker parameters are set:

      • IOTA_AUTH_ENABLED=true
      • IOTA_AUTH_TYPE=oauth2
      • IOTA_AUTH_HEADER=Authorization
      • IOTA_AUTH_HOST=keyrock
      • IOTA_AUTH_PORT=3000
      • IOTA_AUTH_URL=http://keyrock:3000
      • IOTA_AUTH_CLIENT_ID=tutorial-dckr-site-0000-xpresswebapp

      The default Docker configuration is used in the image, so no provisioning group types are created.

      I am able to provision a trusted group as shown:

      curl -X POST \
        http://iot-agent:4041/iot/services \
        -H 'fiware-service: openiot' \
        -H 'fiware-servicepath: /' \
        -d '{
        "services": [
          { "apikey": "4jggokgpepnvsb2uv4s40d59ov", "cbroker": "http://orion:1026", "entity_type": "Motion", "resource": "/iot/d", "trust": "<motn-auth-token>" }
        ]
      }'


      Question 1 - How do I generate the trust token within Keyrock?

      When I provision the device:

      curl -X POST \
        http://iot-agent:4041/iot/devices \
        -H 'Content-Type: application/json' \
        -H 'fiware-service: openiot' \
        -H 'fiware-servicepath: /' \
        -d '{
        "devices": [
          {
            "device_id": "motion001",
            "entity_name": "urn:ngsi-ld:Motion:001",
            "entity_type": "Motion",
            "timezone": "Europe/Berlin",
            "attributes": [
              { "object_id": "c", "name": "count", "type": "Integer" }
            ],
            "static_attributes": [
              { "name": "refStore", "type": "Relationship", "value": "urn:ngsi-ld:Store:001" }
            ]
          }
        ]
      }'


      I receive the following error in the IoT Agent:

      { "name": "SECURITY_INFORMATION_MISSING", "message": "Some security information was missing for device type:Motion" }

      And the following in the Keyrock logs:

      Fri, 06 Dec 2019 14:13:52 GMT idm:oauth2-model_oauth_server ------getClient------
      Executing (default): SELECT `id`, `redirect_uri`, `token_types`, `jwt_secret`, `scope`, `grant_type` FROM `oauth_client` AS `OauthClient` WHERE `OauthClient`.`id` = 'tutorial-dckr-site-0000-xpresswebapp' AND `OauthClient`.`secret` = 'tutorial-lcal-host-0000-clientsecret';
      Fri, 06 Dec 2019 14:13:52 GMT idm:oauth_controller Error { invalid_client: Invalid client: client is invalid

      Question 2: What additional information needs to be supplied?
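
A diagnostic for the Keyrock log line above, added here as an example and not part of the original question or of FIWARE's code: it pulls the client id and secret out of the logged query, checks them against the IOTA_AUTH_* settings listed in the question, and masks the secret before the log is shared. The function names are hypothetical; IOTA_AUTH_CLIENT_SECRET is the IoT Agent library's variable for the OAuth2 client secret.

```python
import re

# Constructed sample: the Sequelize debug line copied from the Keyrock log in the question.
KEYROCK_LOG = (
    "Executing (default): SELECT `id`, `redirect_uri`, `token_types`, `jwt_secret`, "
    "`scope`, `grant_type` FROM `oauth_client` AS `OauthClient` WHERE "
    "`OauthClient`.`id` = 'tutorial-dckr-site-0000-xpresswebapp' AND "
    "`OauthClient`.`secret` = 'tutorial-lcal-host-0000-clientsecret';"
)

# The IOTA_AUTH_* settings listed in the question (no client secret among them).
AGENT_ENV = {
    "IOTA_AUTH_ENABLED": "true",
    "IOTA_AUTH_TYPE": "oauth2",
    "IOTA_AUTH_HEADER": "Authorization",
    "IOTA_AUTH_HOST": "keyrock",
    "IOTA_AUTH_PORT": "3000",
    "IOTA_AUTH_URL": "http://keyrock:3000",
    "IOTA_AUTH_CLIENT_ID": "tutorial-dckr-site-0000-xpresswebapp",
}

LOOKUP = re.compile(
    r"`OauthClient`\.`id` = '([^']*)' AND `OauthClient`\.`secret` = '([^']*)'"
)


def parse_client_lookup(line):
    """Return (client_id, client_secret) from a getClient query line, or None."""
    match = LOOKUP.search(line)
    return match.groups() if match else None


def redact(line):
    """Mask the secret literal so the line can be pasted into a ticket."""
    return re.sub(r"(`secret` = ')[^']*(')", r"\1<redacted>\2", line)


def diagnose(line, env):
    """Compare the credentials Keyrock looked up with the agent's settings."""
    parsed = parse_client_lookup(line)
    if parsed is None:
        return []
    client_id, _secret = parsed
    findings = []
    if env.get("IOTA_AUTH_CLIENT_ID") != client_id:
        findings.append("client id in the query differs from IOTA_AUTH_CLIENT_ID")
    if "IOTA_AUTH_CLIENT_SECRET" not in env:
        findings.append("IOTA_AUTH_CLIENT_SECRET is not among the listed settings; "
                        "the secret in the query was not set by them")
    findings.append("client secret is logged in cleartext; redact before sharing")
    return findings
```
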


        Backlog Manager (backlogmanager) created issue
        Backlog Manager (backlogmanager) made changes: Component/s set to FIWARE-TECH-HELP [ 10278 ]
        Fernando Lopez (fla) made changes: Assignee set to Alvaro Alonso [ aalonsog ]
        Fernando Lopez (fla) made changes: HD-Enabler set to KeyRock [ 10889 ]
        Backlog Manager (backlogmanager) made changes: Status Open [ 1 ] to In Progress [ 3 ]
        Backlog Manager (backlogmanager) made changes: Status In Progress [ 3 ] to Answered [ 10104 ]
        Backlog Manager (backlogmanager) made changes: Resolution set to Done [ 10000 ]; Status Answered [ 10104 ] to Closed [ 6 ]
        Fernando Lopez (fla) made changes: Fix Version/s set to 2021 [ 12600 ]

