- DTLS configuration using PEM certificates file
- Additional configuration properties
- Self-signed certificates generation
- Client Examples
ThingsBoard provides the ability to run LwM2M server over DTLS. Platform supports Pre-Shared Key, Raw Public Key and X.509 Certificate credentials over DTLS. DTLS provisioning requires valid ECDSA certificates. ECDSA keys are smaller than RSA keys and thus more preferable for constrained devices. See comparison article for more details. We recommend to use valid SSL certificates generated using trusted CA authorities and avoid spending time on resolving issues with self-signed certificates. See instructions below on how to configure SSL for certificates stored in PEM file format or Java Keystore.
DTLS configuration using PEM certificates file
|Available since TB Version 3.3.2
Configure the following environment variables via configuration file, docker-compose or kubernetes scripts. We will use thingsboard.conf for example:
# To enable Bootstrap and Bootstrap over DTLS
- LWM2M_SERVER_CREDENTIALS_ENABLED - Enable/disable X509 Certificate/RPK credentials support;
- LWM2M_SERVER_CREDENTIALS_TYPE - Server credentials type. PEM - pem certificate file; KEYSTORE - java keystore;
- LWM2M_SERVER_PEM_CERT - Path to the server certificate file. Holds server certificate or certificate chain, may also include server private key;
- LWM2M_SERVER_PEM_KEY - Path to the server certificate private key file. Optional by default. Required if the private key is not present in server certificate file;
- LWM2M_SERVER_PEM_KEY_PASSWORD - Optional server certificate private key password.
After completing the setup, start or restart the ThingsBoard server.
Additional configuration properties
You may configure following additional environment variables via configuration file, docker-compose or kubernetes scripts.
- LWM2M_SECURITY_BIND_ADDRESS - the bind address for the secure LwM2M server. Default value 0.0.0.0 indicates all interfaces;
- LWM2M_SECURITY_BIND_PORT - the bind port for the secure LwM2M server. Default value is 5686;
- TB_LWM2M_SERVER_SECURITY_SKIP_VALIDITY_CHECK_FOR_CLIENT_CERT - Skip certificate validity check for client certificates. Default value is false.
- LWM2M_BS_SECURITY_BIND_ADDRESS - the bind address for the secure LwM2M Bootstrap server. Default value 0.0.0.0 indicates all interfaces;
- LWM2M_BS_SECURITY_BIND_PORT - he bind port for the secure LwM2M Bootstrap server. Default value is 5688;
Self-signed certificates generation
Use instructions below to generate your own certificate files. Useful for tests, but time consuming and not recommended for production.
PEM certificate file
Note This step requires Linux based OS with openssl installed.
To generate a server self-signed PEM certificate and private key, use the following command:
openssl ecparam -out server_key.pem -name secp256r1 -genkey
openssl req -new -key server_key.pem -x509 -nodes -days 365 -out server.pem
You can also add -nodes (short for no DES) if you don’t want to protect your private key with a passphrase. Otherwise, it will prompt you for “at least a 4 character” password.
The days parameter (365) you can replace with any number to affect the expiration date. It will then prompt you for things like “Country Name”, but you can just hit Enter and accept the defaults.
Add -subj ‘/CN=localhost’ to suppress questions about the contents of the certificate (replace localhost with your desired domain).
Self-signed certificates are not validated with any third party unless you import them to the browsers previously. If you need more security, you should use a certificate signed by a certificate authority (CA).
See following resources: