The Provisioning Manager (PM) can act as the security administrator for IoT devices in its IP subnet. When a new device is introduced into the subnet, the Provisioning Manager takes ownership of it and provisions security information, such as credentials and access control policy, so that the device can be managed securely. If the PM does not take ownership and provide a proper security policy to a newly introduced device in its IP subnet, the device might come under the control of unwanted subjects and perform undesirable operations, such as turning on the light at midnight or ignoring the user's commands.
The Provisioning Manager has three major roles:
When performing this role, the PM discovers un-owned devices on the network and tries to transfer ownership of each discovered device to the admin (the provisioning manager application). The Ownership Transfer Manager sub-module is in charge of this role. The current version supports the following methods of ownership transfer
When performing this role, the PM provisions credentials and ACLs to the owned devices. The PM can also revoke credentials from every owned device in the network and remove an ACL from a provisioned device. To support revocation, the PM has to keep track of provisioned credentials and ACLs. The provisioning database manager keeps the history of provisioned credentials in order to manage the OIC network. The Provisioning Database Manager and Secure Resource Provider sub-modules are in charge of this role.
In an ideal IoT scenario, various tools and/or services (e.g. a provisioning tool (PT), credential management service (CMS), access manager service (AMS), and so on) establish security features for IoT devices. These tools and/or services are assumed to be available all the time. However, this assumption may not always hold in real life. For example, consider a user who has a PT on his/her mobile phone for IoT devices at home. Assume that a new device is introduced while he/she is out with the phone. The security features for this new device cannot be provisioned, because the PT is not available.
Consider another scenario in which Person A wants to control a device owned by Person B for some time. As the device is owned by Person B, Person A cannot even discover the device he/she wants to control and claim ownership in order to control it.
A Direct Pairing method enables security establishment between two IoT devices without any help from security tools and/or services. This may apply to the following user scenarios:
Direct Pairing consists of 2 steps: the direct pairing configuration sequence and the device pairing sequence.
Direct pairing configuration sequence
After the Ownership Transfer, the Direct Pairing configuration API of the Provisioning Manager is responsible for provisioning the necessary configuration resources for Direct Pairing to the Server device, given that the IoT device supports Direct Pairing. The pre-configuration resources (/oic/sec/pconf) contain the following information:
- Whether or not Direct Pairing is enabled
- Supported Pairing methods
- The pre-configured PIN (if pre-configured PIN D2D Pairing is supported)
- Pre-configured access control list (ACL) template containing ACL information
On the application layer, the user may decide the preferred methods of Direct Pairing and the PIN to be used for Direct Pairing.
Current version supports the following methods of Direct Pairing:
- Pre-configured pairing method
- Random-PIN pairing method
During device pairing between a Client device and a Server device, the Direct Pairing instance provides the Resource Manager with the APIs needed for creating Device Pairing resources in the Secure Virtual Resource database. Through the Device Pairing discovery API, the Client device discovers the pre-configuration of the Server device created during Device Pairing configuration. Once the method of Direct Pairing is chosen, the Client enters the PIN (pre-configured or random) in order to continue with the pairing process. The Client and Server each create Direct Pairing resources in the Secure Virtual Resource database, and a secure channel between the two devices is established using the PIN. The SRM of the Server device creates an ACL based on the pre-configured ACL template. The device pairing step finishes with the exchange of confirmation messages between the two devices. After Direct Pairing is done, the Client can establish a secure channel using the newly created credential resource for the Direct Pairing, and the ACL stored in the Direct Pairing resource database of the Server allows the Policy Engine of the Server to grant the Client device access to and control over secure resources.
This section introduces how to run the sample applications, which include discovery of devices on the network, ownership transfer, provisioning of ACL, provisioning of direct pairing, provisioning credentials for pairwise things, checking the linked status of a selected device, unlinking of pairwise things and removal of a selected device. There are three sample applications: 2 sample servers (i.e. justworks and random pin) and a Provisioning Client.
First, run the server applications sampleserver_justworks and sampleserver_randompin as follows:
Now, run a provisioning client application as follows:
    iotivity/out/linux/x86_64/release/resource/csdk/security/provisioning/sample/
    ./provisioningclient

    ************************************************************
    ****** OIC Provisioning Client with using C-level API ******
    ************************************************************

    ** [A] DISCOVER DEVICES ON NETWORK
    ** 10. Discover All Un/Owned Devices on Network
    ** 11. Discover Only Unowned Devices on Network
    ** 12. Discover Only Owned Devices on Network

    ** [B] REGISTER/OWN ALL DISCOVERED UNOWNED DEVICES
    ** 20. Register/Own All Discovered Unowned Devices

    ** [C] PROVISION/LINK PAIRWISE THINGS
    ** 30. Provision/Link Pairwise Things
    ** 31. Provision Credentials for Pairwise Things
    ** 32. Provision the Selected Access Control List(ACL)
    ** 33. Provision Direct-Pairing Configuration
    ** 34. Check Linked Status of the Selected Device on PRVN DB

    ** [D] UNLINK PAIRWISE THINGS
    ** 40. Unlink Pairwise Things

    ** [E] REMOVE THE SELECTED DEVICE
    ** 50. Remove the Selected Device

    ** [F] EXIT PROVISIONING CLIENT
    ** 99. Exit Provisioning Client

    ************************************************************

    >> Enter Menu Number:

Once the provisioning client application is running, you will see the menu above on your screen; it confirms that all preliminary steps completed successfully.
First step is to discover only the unowned devices on the network. If you select option “11” in the above screen, you will get the list of all unowned devices on the network.
    ** 11. Discover Only Unowned Devices on Network
    OUTPUT:
    > Discovered Unowned Devices
      64697265-6374-7061-6972-696E67446576
      72616E64-5069-6E44-6576-557569643030

As you can see on your screen, there are two unowned devices on the network (namely sampleserver_justworks and sampleserver_randompin).
Now the next step is ownership transfer of the unowned devices. If you select option “20”, this will register (transfer ownership) all the unowned devices on the network.
    ** 20. Register/Own All Discovered Unowned Devices
    > Discovered Unowned Devices
    > INPUT PIN:

NOTE: While registering the sampleserver_randompin application, a PIN is generated on the sampleserver_randompin side; the same PIN has to be entered manually at the provisioningclient. E.g., on the sampleserver_randompin side the display will look like this:

    SAMPLE_RANDOMPIN: ============================
    SAMPLE_RANDOMPIN: PIN CODE : 73883075
    SAMPLE_RANDOMPIN: ============================

Copy the same PIN at provisioningclient.

    OUTPUT:
    > Registered Discovered Unowned Devices
    > Please Discover Owned Devices for the Registered Result, with [10|12] Menu

Once the ownership transfer for both devices is done, it can be verified by selecting option “12”.

    ** 12. Discover Only Owned Devices on Network
    > Discovered owned Devices
    OUTPUT:
      64697265-6374-7061-6972-696E67446576
      72616E64-5069-6E44-6576-557569643030
Select option “32” to provision the ACL
    ** 32. Provision the Selected Access Control List (ACL)
    OUTPUT:
    >> Enter Menu Number: 32
    > Enter Device Number, for Provisioning ACL: 1
    **** Create ACL for the Selected Device
    > [A] Enter Subject Device Number: 2
    > [B] Enter Number of Accessed Resources (under 16): 1
    Enter Each Accessed Resource Name (each under 128 char)
    Enter Accessed Resource Name: door
    > [C] Enter Permission for This Access
    Enter CREATE Permission (y/n): y
    Enter READ Permission (y/n): y
    Enter WRITE Permission (y/n): y
    Enter DELETE Permission (y/n): y
    Enter NOTIFY Permission (y/n): y
    > [D] Enter Owner Device Number: 1
    > Provisioned Selected ACL
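How an entry like the one created above behaves when a server evaluates a request, as an added example that is not IoTivity code. The struct and function names are hypothetical, the bit values follow the OCF CRUDN permission bitmask, and it is an assumption that "device 2" is the second UUID in the discovery output; the sample entry is read-only rather than the all-permissions entry from the session, to show the effect of a narrower grant.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* CRUDN permission bits (OCF bitmask). MAX_RES mirrors the client's "under 16" limit. */
enum { PERM_CREATE = 1, PERM_READ = 2, PERM_WRITE = 4, PERM_DELETE = 8, PERM_NOTIFY = 16 };
#define MAX_RES 16

/* Hypothetical, simplified access control entry (not the IoTivity struct). */
struct ace {
    const char *subject;            /* UUID of the device being granted access */
    const char *resources[MAX_RES]; /* resource names, unused slots are NULL */
    unsigned    permission;         /* OR of PERM_* bits */
};

/* Build the bitmask from the five y/n answers in C,R,W,D,N prompt order. */
unsigned perm_from_answers(const char *yn)
{
    unsigned mask = 0;
    for (int i = 0; i < 5 && yn[i] != '\0'; i++)
        if (yn[i] == 'y' || yn[i] == 'Y')
            mask |= 1u << i;
    return mask;
}

/* Default deny: grant only when an entry names this subject and resource
 * and carries every requested permission bit. */
bool access_allowed(const struct ace *acl, size_t n, const char *subject,
                    const char *resource, unsigned requested)
{
    for (size_t i = 0; i < n; i++) {
        if (requested == 0 || strcmp(acl[i].subject, subject) != 0)
            continue;
        for (int r = 0; r < MAX_RES && acl[i].resources[r] != NULL; r++)
            if (strcmp(acl[i].resources[r], resource) == 0 &&
                (acl[i].permission & requested) == requested)
                return true;
    }
    return false;
}

int main(void)
{
    const char *dev2 = "72616E64-5069-6E44-6576-557569643030"; /* assumed subject */
    struct ace acl[] = { { dev2, { "door" }, perm_from_answers("nynnn") } };
    printf("READ door: %d, DELETE door: %d\n",
           access_allowed(acl, 1, dev2, "door", PERM_READ),
           access_allowed(acl, 1, dev2, "door", PERM_DELETE));
    return 0;
}
```

Answering "y" to all five prompts, as in the session, yields mask 31, so the subject can also create and delete the resource.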
Select option “33” to provision direct pairing configuration.
    >> Enter Menu Number: 33
    OUTPUT:
    > Enter Device Number, for Provisioning Direct-Pairing: 1
    > SUCCESS to provision Direct-Pairing !!
Select option “31” to provision credentials for pairwise things.
    ** 31. Provision Credentials for Pairwise Things
    OUTPUT:
    >> Enter Menu Number: 31
    > Enter Device Number, for Linking CRED(s): 1
    > Enter Device Number, for Linking CRED(s): 2
    Select PSK length..
    1 - 128bit(Default)
    2 - 256bit
    1
    > Provisioned Selected Pairwise Credentials
Select option “34” to check linked status of the selected device
    >> Enter Menu Number: 34
    OUTPUT:
    > Enter Device Number, for Checking Linked Status on PRVN DB: 1
    Checking Selected Link Status on PRVN DB..
    > Checked Selected Link Status on PRVN DB
      72616E64-5069-6E44-6576-557569643030
Select option “40” to unlink pairwise things
    >> Enter Menu Number: 40
    OUTPUT:
    > Enter Device Number, for Unlinking Devices: 1
    > Enter Device Number, for Unlinking Devices: 2
    > Unlinked Selected Pairwise Devices
    > Please Check Device's Status for the Unlinked Result, with  Menu
Select option “50” to remove the selected device
    >> Enter Menu Number: 50
    OUTPUT:
    > Enter Device Number, for Removing Device: 2
    Removing Selected Owned Device..
    > Removed Selected Owned Device
    > Please Discover Owned Devices for the Registered Result, with [10|12] Menu
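Why the PM has to keep a record of what it provisioned, shown as an added example that is not IoTivity code: a small in-memory model of the provisioning database behind menu items 31, 34 and 50. All type and function names are hypothetical, and the device labels in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>
#define MAX_LINKS 32

/* Hypothetical stand-in for the PRVN DB: one row per provisioned pairwise credential. */
struct link { const char *a, *b; int active; };
struct prvn_db { struct link rows[MAX_LINKS]; int count; };

static int involves(const struct link *l, const char *id)
{
    return l->active && (strcmp(l->a, id) == 0 || strcmp(l->b, id) == 0);
}

/* Menu 31: record that a and b now share a pairwise credential. */
int db_link(struct prvn_db *db, const char *a, const char *b)
{
    if (db->count == MAX_LINKS || strcmp(a, b) == 0)
        return -1;
    db->rows[db->count++] = (struct link){ a, b, 1 };
    return 0;
}

/* Menu 34: fill out[] (MAX_LINKS slots) with the peers linked to id. */
int db_linked(const struct prvn_db *db, const char *id, const char **out)
{
    int n = 0;
    for (int i = 0; i < db->count; i++)
        if (involves(&db->rows[i], id))
            out[n++] = strcmp(db->rows[i].a, id) == 0 ? db->rows[i].b : db->rows[i].a;
    return n;
}

/* Menu 50: returns the peers that must drop their credential for id, then retires the rows. */
int db_remove_device(struct prvn_db *db, const char *id, const char **out)
{
    int n = db_linked(db, id, out);
    for (int i = 0; i < db->count; i++)
        if (involves(&db->rows[i], id))
            db->rows[i].active = 0;
    return n;
}

int main(void)
{
    struct prvn_db db = { .count = 0 };
    const char *peers[MAX_LINKS];
    db_link(&db, "dev-1", "dev-2");   /* constructed device labels */
    db_link(&db, "dev-2", "dev-3");
    printf("peers to revoke on: %d\n", db_remove_device(&db, "dev-2", peers));
    return 0;
}
```

Without the recorded links, removing a device would leave its pairwise credential valid on every peer it had been linked to.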
For instance, a MAC address seed may be entered into “deviceuuid” using SetDoxmDeviceID().
Note: SVR DB is the Security Virtual Resource database, which contains OCF-standard security resources such as doxm/pstat/cred/acl, etc.
NOTE : Currently, some features are not supported
Note: this is for sample or test purposes; in a commercial version, this resource may refer to a security element such as TZ or eSE (see the TZ wrapper guide document in iotivity).