Provisiong a 9160 on our AWS VPC

RE: Provisiong a 9160 on our AWS VPC

Øyvind — Wed, 05 Feb 2025 09:08:25 GMT

Hey! That is great news! Happy to hear that you have solved the issue.

Kind regards,
Øyvind

RE: Provisiong a 9160 on our AWS VPC

JackW — Tue, 04 Feb 2025 23:41:13 GMT

Hi Oyvind,

Thanks for looking into this case for us, however we have solved our problem. We now have one of our nRF9160 based devices successfully sending MQTT messages to an IoT Thing that we created in our AWS VPC. So, no further help required for now.

Thanks

RE: Provisiong a 9160 on our AWS VPC

Øyvind — Mon, 03 Feb 2025 11:56:11 GMT

Hello JackW ,

I am Øyvind from the Nordic Tech support team. Are you able to provide logs output from your device when it times out? Do you receive any other error? Have you verified that your device is connected to LTE network? Have you followed all steps in Setting up AWS and configuring permissions? Have a look at Lifecycle events, where you can e.g. see the reason why the client is disconnecting on the server side

[quote user=""]You'll need to securely load AWS IoT credentials onto your nRF9160:[/quote]

could you please elaborate more on exactly what version of the nRF Connect SDK you are working with? From the description you have provided, these steps seems a little outdated, also with regards to handling certificates.

Kind regards,
Øyvind Sandberg

RE: Provisiong a 9160 on our AWS VPC

JackW — Sun, 02 Feb 2025 17:24:31 GMT

Hi Achim. I think we have a misunderstanding.

We believe we have successfully flashed our certificates into the 9160, so we weren't looking for help with the AT%CMNG command.

What we're looknig for is making sure that all the other variables needed to make MQTT work between the 9160 and our AWS VPC are configured correctly in our firmware.

We're also looking for ways to troubleshoot the AWS side of things. I now understand that that's not your expertise, so I'll try AWS tech support next.

Thanks again for your help, I really appreciate it.

RE: Provisiong a 9160 on our AWS VPC

Achim Kraus — Sun, 02 Feb 2025 10:00:10 GMT

The "AT%CMNG" above is a link to the documentation of that command. Did you try to read it?

I'm not common to the MQTT nor AWS samples, I used samples/net/https_client to start with. That uses the C API instead of the AT commands but is logically the same. For MQTT/AWS maybe someone from Nordic helps (I'm an other user).

You mainly store all credentials you need for a connection with one "sec_tag", which is then also passed to the socket (similar line "setsockopt(fd, SOL_TLS, TLS_SEC_TAG_LIST, tls_sec_tag, sizeof(tls_sec_tag));" in the https_client sample). For certificate based connections that's the "Root CA certificate/0" (sometimes called the "trust anchor"). If you want to authenticate your client also using a client certificate, you need to provide also the "Client certificate/1" and the corresponding "Client private key/2". Usually the "client certificate" must be signed by a CA the server trusts. Though I'm not common to MQTT/AWS the exact procedure, how that is handled for AWS, is unknown by me.

RE: Provisiong a 9160 on our AWS VPC

JackW — Sat, 01 Feb 2025 19:14:27 GMT

Thanks Achim. Please point me to the appropriate documentation.

RE: Provisiong a 9160 on our AWS VPC

Achim Kraus — Sat, 01 Feb 2025 06:49:43 GMT

At least in mfw 1.3.7, the credentials in AT%CMNG are organized in "sec_tag" and "type".

AT%CMNG=0,16842753,0,"-----BEGIN CERTIFICATE-----..."
AT%CMNG=0,16842754,0,"-----BEGIN RSA PRIVATE KEY-----..."
AT%CMNG=0,16842755,0,"-----BEGIN CERTIFICATE-----..."

writes to type 0 => "root ca" to several "sec_tag". No idea, where this was found.

AT%CMNG=0,16842753,2,"-----BEGIN CERTIFICATE-----..."
AT%CMNG=0,16842753,1,"-----BEGIN RSA PRIVATE KEY-----..."
AT%CMNG=0,16842753,0,"-----BEGIN CERTIFICATE-----..."

(assuming the 1. entry of type 2 sets the client certificate, and the 3. of type 0 the trusted server certificate root).

Anyway, please read the documentation and use the samples to start with.