Dear Tonny,

Thank you for sharing the blog, but I got "404 Oops, we couldn't find that 
page" even after I logged in to 01.org.

>> Did you specify the use of secure endpoint while registering the Server?
I think Yes, because I followed steps from 
https://wiki.iotivity.org/steps_for_enabling_security_in_iotivity_applications
(SECURED=1, OcPlatform.registerResource with 
EnumSet.of(ResourceProperty.DISCOVERABLE, ResourceProperty.OBSERVABLE, 
ResourceProperty.SECURE))

I will check the 'setHost() method' as soon as I'm back to office.
Does it mean using OcPlatform.constructResourceObject() to manually construct 
the resource with a new host (assign a secured port)?
(I'm currently out of the office for several days with no access to the project 
code, I will be back on Jan. 24, )

And below is the message I replied to Gregg.
----
According to https://wiki.iotivity.org/security_resource_manager
|Requests from DevOwner are allowed without checking ACL. *
|Requests from NonDevOwner are checked against ACL against subjectuuid, 
permission and period-recurrence. *

The SVR databases I used are the samples from 
'iotivity-1.3.1\resource\csdk\stack\samples\linux\secure\'; the client is the 
device owner of the server, and they contain cred pairs for each other.
But due to the "D/OIC_SRM: ctx->subjectUuid for request: 
00000000-0000-0000-0000-000000000000." problem, the client can't use the cred to 
access the server.
----

Best Regards,
ChiaYu

________________________________
Hi Chiayu,

Did you specify the use of secure endpoint while registering the Server? If 
yes, when the Client received the discovered server resource info, the Client 
should designate the use of the secure endpoint using setHost() method. Then, 
if the Server has a proper "auth-crypt" connection type ACE set up, and both the 
Server and Client have been paired by a Provisioning Client (or an On-boarding 
Tool), the Client should be able to access the Server over a secure channel.

We have a blog at 
https://01.org/blogs/ttzeng/2017/securely-accessing-iot-devices-based-javascript 
that describes the process. Though it uses JavaScript, the concept is the same; I 
did modify the IoTivity Android Client to talk to a Server over a secure channel 
in my personal project. You might give it a try.

Regards,
Tonny
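Added example of the client-side endpoint selection Tonny describes, written against the IoTivity 1.3 Android Java API; this is not code from the thread or from the IoTivity project. The resource URI /a/light, the type core.light, the fixed 4-element step of "prefer the coaps:// host", and the assumption that OcResource.getAllHosts() lists the advertised secure endpoint next to the plain one are mine; verify getAllHosts() against your build. Discovery itself stays on CT_DEFAULT (multicast is never DTLS), and the auth-crypt ACE plus the pairing still have to be present in the server's SVR database, which this code does not set up.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.List;

import org.iotivity.base.EntityHandlerResult;
import org.iotivity.base.OcConnectivityType;
import org.iotivity.base.OcException;
import org.iotivity.base.OcHeaderOption;
import org.iotivity.base.OcPlatform;
import org.iotivity.base.OcRepresentation;
import org.iotivity.base.OcResource;
import org.iotivity.base.OcResourceHandle;
import org.iotivity.base.OcResourceRequest;
import org.iotivity.base.ResourceProperty;

public class SecureEndpointExample {

    // Server side: registering with ResourceProperty.SECURE is what makes the
    // stack advertise the secure (DTLS) port in the /oic/res discovery response.
    // The URI and type are assumed for the example.
    public static OcResourceHandle registerSecureLight() throws OcException {
        return OcPlatform.registerResource(
                "/a/light",
                "core.light",
                OcPlatform.DEFAULT_INTERFACE,
                new OcPlatform.EntityHandler() {
                    @Override
                    public EntityHandlerResult handleEntity(OcResourceRequest request) {
                        // A real handler answers via OcPlatform.sendResponse(); the
                        // ACL check for the request happens in the stack before this.
                        return EntityHandlerResult.OK;
                    }
                },
                EnumSet.of(ResourceProperty.DISCOVERABLE,
                           ResourceProperty.OBSERVABLE,
                           ResourceProperty.SECURE));
    }

    // Client side: a discovered OcResource initially points at the host the
    // response arrived from (coap://). The secure endpoint, if advertised,
    // appears in getAllHosts() with a coaps:// (or coaps+tcp://) scheme.
    public static String selectSecureHost(OcResource resource) {
        for (String host : resource.getAllHosts()) {
            if (host.startsWith("coaps://") || host.startsWith("coaps+tcp://")) {
                return host;
            }
        }
        return null;  // server did not register the resource as SECURE
    }

    // Switch the resource object to the secure endpoint and only then send the
    // unicast GET. Without setHost() the GET goes out in clear text and the
    // server logs "CA_SECURE flag is not set ... indicates unsecure channel".
    public static void getOverSecureChannel(OcResource resource) throws OcException {
        String secureHost = selectSecureHost(resource);
        if (secureHost == null) {
            throw new IllegalStateException(
                    "no secure endpoint advertised for " + resource.getUri());
        }
        resource.setHost(secureHost);
        resource.get(new HashMap<String, String>(), new OcResource.OnGetListener() {
            @Override
            public void onGetCompleted(List<OcHeaderOption> headerOptions,
                                       OcRepresentation rep) {
                System.out.println("GET over " + secureHost + " ok: " + rep.getUri());
            }

            @Override
            public void onGetFailed(Throwable ex) {
                // UNAUTHORIZED_REQ here now means the ACL/cred side, not the channel.
                System.out.println("GET over " + secureHost + " failed: " + ex);
            }
        });
    }

    // Discovery stays on the default (unencrypted multicast) connectivity type;
    // asking for CT_FLAG_SECURE here produces the bad-handshake symptom from the
    // thread because multicast discovery never goes through DTLS.
    public static void discoverAndGet() throws OcException {
        OcPlatform.findResource(
                "",
                OcPlatform.WELL_KNOWN_QUERY + "?rt=core.light",
                EnumSet.of(OcConnectivityType.CT_DEFAULT),
                new OcPlatform.OnResourceFoundListener() {
                    @Override
                    public void onResourceFound(OcResource resource) {
                        try {
                            getOverSecureChannel(resource);
                        } catch (OcException e) {
                            System.out.println("secure GET setup failed: " + e);
                        }
                    }

                    @Override
                    public void onFindResourceFailed(Throwable ex, String uri) {
                        System.out.println("discovery failed for " + uri + ": " + ex);
                    }
                });
    }
}
```

OcPlatform.Configure() with a PlatformConfig pointing at the CBOR SVR database must have run on both devices before any of this, and the client's own UUID (OcPlatform.getDeviceId()) has to match a subject the server's ACL grants, or the GET will still come back UNAUTHORIZED_REQ over the secure channel.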

On 18 January 2018 at 13:49, 
<chiayu...@ite.com.tw> wrote:
Dear all,

I have questions about Android SECURED mode, too.
I'm using IoTivity-1.3.1 SECURED=1 to create Android client/server apps with 
the sample SVR databases from 
iotivity-1.3.1\resource\csdk\stack\samples\linux\secure\

Scenario 1:
Android client, sample oic_svr_db_client_devowner
Android server, sample oic_svr_db_server plus customized ACE2 of conntype: 
anon-clear for new resources

=>  Discovery OK, Get new resources OK.

Scenario 2:
Android client, sample oic_svr_db_client_devowner
Android server, sample oic_svr_db_server

=>  Discovery OK, Get new resources Failed (UNAUTHORIZED_REQ)

client: E/…: org.iotivity.base.OcException: stack error in onGetCallback 
UNAUTHORIZED_REQ
server: D/OIC_SRM: ctx->subjectUuid for request: 
00000000-0000-0000-0000-000000000000.
D/OIC_SRM: CA_SECURE flag is not set, and Subject ID of requester is NULL; 
indicates unsecure channel.

According to https://wiki.iotivity.org/faq_s
|Client selects appropriate channel based on the information it received about 
the resource via resource discovery.
|Marking a resource as 'OC_SECURE' at hosting Server, allows Iotivity stack to 
include 'secure port' information in discovery responses.

I followed 
https://wiki.iotivity.org/steps_for_enabling_security_in_iotivity_applications 
to do this:

- Client/server SVR databases are ready.

- Client OcPlatform.getDeviceId() is not a nil UUID.

- Server OcPlatform.registerResource with 
EnumSet.of(ResourceProperty.DISCOVERABLE, ResourceProperty.OBSERVABLE, 
ResourceProperty.SECURE)

=>  After the client discovery finished, the client could just use 
ocResource.getConnectivityTypeSet(), which tells the OcConnectivityType. 
CT_FLAG_SECURE is not set.
Also, the client ocResource.get() method is not allowed to set CA_SECURE 
manually.
(BTW, I also used platformConfig.setAvailableTransportType() on both the client 
and server side. It doesn't impact the result.)

The only way I could let the Android client set the CA_SECURE flag is by
OcPlatform.findResource with EnumSet.of(OcConnectivityType.CT_FLAG_SECURE).
However, it doesn't make sense, because caipadapter.c shows that multicast 
discovery won't trigger CAencryptSsl().
Hence the server receives an unencrypted message with the secure flag set, and when the 
server tries to decrypt it, it leads to a bad handshake.

Could anyone help me figure out why the Android client can't choose a 
'secure' channel to get resources from the Android server?
Thanks.

Best Regards,
ChiaYu


_______________________________________________
iotivity-dev mailing list
iotivity-dev@lists.iotivity.org
https://lists.iotivity.org/mailman/listinfo/iotivity-dev
