Soracom Krypton Now supports Azure IoT Hub Device Provisioning


Soracom Krypton, a secure provisioning service, now supports Azure IoT Hub.

In this blog, we will provide a brief introduction to Azure IoT Hub and Soracom Krypton, and delve into what can be accomplished when these two services work together. Details on how to use it effectively can be found here.

What is Azure IoT Hub?

Azure IoT Hub is a cloud-based gateway service created by Microsoft Azure that enables communication between IoT devices and the cloud. It allows devices to send data to and receive commands from the cloud while enabling bidirectional communication between the IoT devices themselves.

The service provides a secure and reliable communication hub, supports a variety of device protocols, and can be used to manage devices’ registration, provisioning, authentication, and authorization. 

This Azure documentation is helpful in understanding Azure’s suite of IoT services.

What is Soracom Krypton?

One of the critical challenges in IoT is authentication between devices and cloud services. For example, if you want to securely send data from your device to Azure IoT Hub, the device needs to be authenticated. How should credentials such as certificates be distributed to devices? If you have only one device, you can connect your PC directly to it and install the certificate manually – but what if you have 100 or 1000 devices?

Soracom Krypton can be used to distribute credentials to devices securely and efficiently.

How to use Soracom Krypton

To prepare, be sure that your device is set up and loaded with a Soracom SIM, then follow the aforementioned documentation to set up Azure and Soracom. For this test, the IoT device we used is a Raspberry Pi with a Soracom Onyx LTE USB dongle and our IoT SIM as an example, though the process for your device will likely be similar.

How to Retrieve Credentials Using Soracom Krypton

Run the following two HTTP requests on your IoT device:

pi@raspberrypi:~ $ ID=$(curl -s -X POST https://krypton.soracom.io:8036/v1/provisioning/azure/iot/register | jq -r .operationId)
pi@raspberrypi:~ $ RES=$(curl -s https://krypton.soracom.io:8036/v1/provisioning/azure/iot/registrations/${ID})

The following information is stored in the variable RES:

  • X.509 root certificate to connect to Azure IoT Hub
  • X.509 device certificate to connect to Azure IoT Hub
  • X.509 private key to connect to Azure IoT Hub
  • Hostname of Azure IoT Hub
  • Provisioned device name of Azure IoT Hub

X.509 is the standard format for digital certificates used for authentication and secure communication on the internet. A certificate binds identity information about its holder, such as a name, to that holder's public key, and is signed by a certificate authority so the binding can be verified.

You can save information from variable RES to files or other variables. For details, see the documentation.

How to connect to Azure IoT Hub

Connect and send data to Azure IoT Hub with an MQTT client such as mosquitto_pub, using the information stored in variable RES.

pi@raspberrypi:~ $ mosquitto_pub -d -h ${iot_hub_hostname} -p 8883 \
--cert ./certificate.pem \
--key ./privatekey.pem \
-i ${device_id} -u "${iot_hub_hostname}/${device_id}/?api-version=2021-04-12" \
-t "devices/${device_id}/messages/events/" \
-m '{
  "message": "Hello from Device with Krypton"
}'
Client myDevice-29505xxxxxxxxxx sending CONNECT
Client myDevice-29505xxxxxxxxxx received CONNACK (0)
Client myDevice-29505xxxxxxxxxx sending PUBLISH (d0, q0, r0, m1, 'devices/myDevice-29505xxxxxxxxxx/messages/events/', ... (49 bytes))
Client myDevice-29505xxxxxxxxxx sending DISCONNECT

As you can see, even a device without any credentials can connect to the Azure IoT Hub after only two HTTP requests to Soracom Krypton to obtain credentials.
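To show the two device-side steps above end to end, here is an added example (written for this page, not Soracom's own code or a snippet from the original post). It performs the same two Krypton requests, stores the returned PEM material with owner-only permissions on the private key, derives the MQTT client ID, username and topic that Azure IoT Hub expects, and builds the equivalent mosquitto_pub command line. The field names in the registration response (root_ca, certificate, private_key, host, device_id) are assumptions; take the real names from the Soracom Krypton documentation. The sample response in the block is constructed so the code can be exercised offline.

```python
"""Added example: Krypton credential retrieval -> files -> Azure IoT Hub MQTT.

Not Soracom's code. The registration response field names below are
ASSUMED (hypothetical); check the Soracom Krypton documentation for the
real ones.
"""
import json
import os
import stat
import urllib.request
from pathlib import Path

KRYPTON_BASE = "https://krypton.soracom.io:8036/v1/provisioning/azure/iot"
AZURE_API_VERSION = "2021-04-12"
AZURE_MQTT_PORT = 8883  # MQTT over TLS, the port Azure IoT Hub listens on

# Assumed (hypothetical) field names in the Krypton registration response.
REQUIRED_FIELDS = ("root_ca", "certificate", "private_key", "host", "device_id")

# Constructed sample response for offline use; the PEM bodies are dummies.
SAMPLE_RESPONSE = {
    "root_ca": "-----BEGIN CERTIFICATE-----\nROOTCA\n-----END CERTIFICATE-----\n",
    "certificate": "-----BEGIN CERTIFICATE-----\nDEVICE\n-----END CERTIFICATE-----\n",
    "private_key": "-----BEGIN PRIVATE KEY-----\nKEY\n-----END PRIVATE KEY-----\n",
    "host": "example-hub.azure-devices.net",
    "device_id": "myDevice-29505xxxxxxxxxx",
}


def fetch_credentials(base_url: str = KRYPTON_BASE) -> dict:
    """The two requests from the post: register, then read the registration.

    Works only from a device Krypton can authenticate (Soracom cellular
    connection or Soracom Endorse); not exercised offline.
    """
    req = urllib.request.Request(f"{base_url}/register", method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        operation_id = json.load(resp)["operationId"]
    with urllib.request.urlopen(f"{base_url}/registrations/{operation_id}", timeout=30) as resp:
        return json.load(resp)


def _pem_block(text: str, labels) -> bool:
    """True if text is one PEM block whose BEGIN/END label is in labels."""
    lines = text.strip().splitlines()
    return (len(lines) >= 3
            and any(lines[0] == f"-----BEGIN {l}-----"
                    and lines[-1] == f"-----END {l}-----" for l in labels))


def save_credentials(res: dict, out_dir: str) -> dict:
    """Validate a registration response and write its PEM material to out_dir.

    Raises ValueError on a missing or non-PEM field so a truncated response
    is caught before the device tries to connect. The private key file is
    created with mode 0600 so other local users cannot read it.
    """
    missing = [f for f in REQUIRED_FIELDS if not res.get(f)]
    if missing:
        raise ValueError(f"registration response lacks {missing}")
    if not _pem_block(res["root_ca"], ["CERTIFICATE"]):
        raise ValueError("root_ca is not a PEM certificate")
    if not _pem_block(res["certificate"], ["CERTIFICATE"]):
        raise ValueError("certificate is not a PEM certificate")
    if not _pem_block(res["private_key"],
                      ["PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"]):
        raise ValueError("private_key is not a PEM private key")

    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    paths = {"rootca": out / "rootca.pem",
             "certificate": out / "certificate.pem",
             "privatekey": out / "privatekey.pem"}
    paths["rootca"].write_text(res["root_ca"])
    paths["certificate"].write_text(res["certificate"])
    # Open the key file owner-read/write only before any byte is written.
    fd = os.open(paths["privatekey"], os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(res["private_key"])
    os.chmod(paths["privatekey"], stat.S_IRUSR | stat.S_IWUSR)  # also tightens a pre-existing file
    creds = {k: str(v) for k, v in paths.items()}
    creds.update(host=res["host"], device_id=res["device_id"])
    return creds


def azure_mqtt_params(host: str, device_id: str) -> dict:
    """MQTT identifiers Azure IoT Hub expects for X.509 device authentication."""
    return {"client_id": device_id,
            "username": f"{host}/{device_id}/?api-version={AZURE_API_VERSION}",
            "topic": f"devices/{device_id}/messages/events/"}


def mosquitto_pub_argv(creds: dict, payload: dict) -> list:
    """Build the mosquitto_pub command line matching the one in the post."""
    p = azure_mqtt_params(creds["host"], creds["device_id"])
    return ["mosquitto_pub", "-h", creds["host"], "-p", str(AZURE_MQTT_PORT),
            "--cafile", creds["rootca"], "--cert", creds["certificate"],
            "--key", creds["privatekey"], "-i", p["client_id"], "-u", p["username"],
            "-t", p["topic"], "-m", json.dumps(payload)]


if __name__ == "__main__":
    # Offline demo with the constructed response; on a real device replace
    # SAMPLE_RESPONSE with fetch_credentials().
    creds = save_credentials(SAMPLE_RESPONSE, "./krypton-demo")
    print(" ".join(mosquitto_pub_argv(creds, {"message": "Hello from Device with Krypton"})))
```

The validation step is the part worth keeping on a real device: a half-written or empty registration response should fail loudly at provisioning time, not as an opaque TLS handshake error minutes later, and the key file should never exist on disk with permissive mode even briefly.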

How Krypton Securely Distributes Credentials

IoT devices access Soracom Krypton endpoints on the Soracom platform to request the distribution of credentials. There are two ways to ensure security for access to Soracom Krypton.

  1. Access via the secure cellular network used by Soracom’s IoT SIM
  2. Authenticate with Soracom Endorse using information stored in the IoT SIM card

This is why we call Soracom Krypton a “Secure” provisioning service.

How Krypton Efficiently Distributes Credentials

When should you prepare the credentials for distribution to devices? In IoT, it can be difficult to predict how many devices will be needed and when. Devices don’t go live all at once, and it would be a waste to have credentials that are not yet used. Therefore, it is efficient to prepare the credentials only when they are needed.

When preparing the credentials, the cloud side will create a new IoT device definition. This “creating a new IoT device” can also be called “provisioning,” which is why we call Soracom Krypton a secure provisioning service.

For the newly supported Azure IoT Hub target, Soracom Krypton uses the Azure IoT Hub Device Provisioning Service (DPS) to create the device in the hub and to retrieve its credentials at the moment the device needs them.

For details on Azure IoT Hub Device Provisioning Service (DPS), refer to this Azure documentation.

The Use Case of Soracom Krypton with Azure IoT Hub

As introduced earlier in “How to use Soracom Krypton,” IoT devices can easily get Azure IoT Hub credentials with Krypton. They can use the credentials for various IoT services in Azure.

Furthermore, in combination with other Soracom services, you can build a private network connection to Azure IoT Hub.

Check the service pages if you are interested in Soracom Door or Soracom Direct.

Other Cloud Services Supported by Soracom Krypton

You can use Soracom Krypton for provisioning AWS IoT Core, Soracom Inventory, and Soracom Arc, as well as Azure IoT Hub. Krypton can also be used to retrieve temporary AWS IAM credentials from Amazon Cognito. See this documentation for more information.

Other Soracom Services That Support Device Authentication

Soracom Krypton can be used to safely and efficiently distribute credentials to devices. On the other hand, there is also the option of not having credentials on the device and having the Soracom service handle the authentication.

Below are three examples of services that delegate authentication to Soracom.

  1. Soracom Beam
  2. Soracom Funk
  3. Soracom Funnel

If you have any questions about architecting the IoT solution, please contact us.

Conclusion

Soracom will continue to provide services to help solve your IoT challenges, and we hope you will take advantage of the combination of Soracom Krypton and Azure.
