Are CRLs checked by Azure IoT Edge? - azure-iot-edge

In this documentation: https://learn.microsoft.com/en-us/azure/iot-edge/production-checklist#networking, many URLs are mentioned, but nothing about CRLs for certificates used with IoT Hub, DPS or Blob Storage. Does IoT Edge verify CRLs and if using PrivateEndpoints or PrivateLink, do I need to be concerned about CRL checking?

Thanks AS Azevedo for the answer and the later conversation. For others: IoT Edge does not check the CRL, meaning that when using a Private Endpoint, Edge will not attempt (and fail) to reach a CRL.
Thanks!

Related

Recommended way to store sql password on Azure iot edge

I am using Azure IoT Edge with the Azure SQL Edge module from the marketplace. I have another module, written in Python, which connects to the SQL Server module on the IoT Edge device. To make the connection, I have to hardcode the SQL password in the code.
I thought of storing the SQL password in Azure Key Vault and pulling it into the Python module on the edge when making the SQL connection, though this would defeat the purpose of edge. What if there is no internet connection for a while? My module would stop working.
Is there a safe way to store the SQL password on the IoT Edge device, or what is the recommended way to make the connection on the edge? Please advise. Thanks.
I guess you are talking about the Azure SQL Edge module. Just wanted to ask how the device is secured. Is it using the TPM, X.509 or symmetric keys?
Also, can you please let me know if the default password was already changed to a strong password? Usually, when you change the default password for MSSQL_SA_PASSWORD to a strong password, it is more than enough, as no one will have access to the device if it has been secured.
Refer to this document for more clarification -
https://learn.microsoft.com/en-us/azure/azure-sql-edge/deploy-portal#connect-to-azure-sql-edge

Is there a way to secure an IOT device (e.g. ESP32) that is physically accessible?

How do you secure IOT devices (e.g. ESP32) out in the field that are physically accessible, given that their SSL client certificate can be copied and used for impersonation and/or publishing wrong data to the server/broker? Alternatively, is there a way of knowing if the IoT client has been compromised?
The best way to secure the hardware is by adding an embedded security module, and if that is not possible, an external one.
The range of solutions goes from embedded modules such as
- Integrated Circuit modules like the https://www.microchip.com/wwwproducts/en/ATECC508A, which might be compatible with the module you specified
- to more general-purpose hardware-secured USB sticks, like here: https://www.techradar.com/news/best-secure-drives
- to a secured local storage module on the IOT device
- to a dedicated Hardware Security Module (HSM)
All depending on your specific application and needs.

Fiware MQTT IoT Agent: need to have slashes in the API Key

We are using the Fiware MQTT IoT Agent. We understand that the topic should be in the format /api_key/device_id/attrs when publishing data from the device.
But we have a requirement where our topic is a long string with multiple slashes in it, and Fiware currently does not support any additional slashes (/) in the api_key.
Can you please let us know if there is a way to overcome this issue. Thanks for your support!
You won't be able to use a Standard IoT Agent for that, you will need to create your own custom IoT Agent.
The definition of the MQTT Topics to subscribe to can be found within MQTTBinding.js
The reading of incoming messages can be found in commonBindings.js
To alter the path you will need to follow the instructions found in 205 - Custom IoT Agent:
- clone the base repository
- branch from the latest release
- amend MQTTBinding.js and commonBindings.js to listen to your preferred location
- create your own Dockerfile which uses the COPY instruction
Obviously same applies if using the JSON IoT Agent.
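Added example (not code from the Fiware IoT Agent project): a parser for the standard /api_key/device_id/attrs topic beside an amended one that accepts an api_key spanning several slash-separated segments, plus a small MQTT filter matcher showing why the subscription pattern has to change along with the parser. Function names and the sample topics are illustrative.

```javascript
// Added example, not code from the Fiware IoT Agent project; names are illustrative.

// Standard behaviour: each field is exactly one slash-separated segment, so an
// api_key containing "/" shifts the later fields and the topic is not recognised.
function parseStandardTopic(topic) {
  const parts = topic.split("/").filter((p) => p.length > 0);
  if (parts.length !== 3 || parts[2] !== "attrs") {
    return null;
  }
  return { apiKey: parts[0], deviceId: parts[1] };
}

// Amended behaviour (what a custom binding could do): anchor on the trailing
// "<device_id>/attrs" and join everything before it back into the api_key.
function parseMultiSegmentTopic(topic) {
  const parts = topic.split("/").filter((p) => p.length > 0);
  if (parts.length < 3 || parts[parts.length - 1] !== "attrs") {
    return null;
  }
  return { apiKey: parts.slice(0, -2).join("/"), deviceId: parts[parts.length - 2] };
}

// Minimal MQTT topic-filter matcher: "+" matches one level, "#" matches the rest.
function topicMatches(filter, topic) {
  const f = filter.split("/");
  const t = topic.split("/");
  for (let i = 0; i < f.length; i++) {
    if (f[i] === "#") return true;
    if (i >= t.length || (f[i] !== "+" && f[i] !== t[i])) return false;
  }
  return f.length === t.length;
}

// Constructed sample topics: a standard one and one whose api_key has slashes.
const STANDARD_TOPIC = "/abc123/dev01/attrs";
const MULTI_TOPIC = "/org/site/abc123/dev01/attrs";

function demo() {
  return {
    standardParsesStandard: parseStandardTopic(STANDARD_TOPIC),
    standardParsesMulti: parseStandardTopic(MULTI_TOPIC), // null
    amendedParsesMulti: parseMultiSegmentTopic(MULTI_TOPIC),
    // A single-level-wildcard subscription never delivers the multi-segment
    // topic, so the custom agent must also subscribe with a different filter.
    singleLevelFilterSeesMulti: topicMatches("/+/+/attrs", MULTI_TOPIC), // false
    multiLevelFilterSeesMulti: topicMatches("/#", MULTI_TOPIC), // true
  };
}
```

Note that a broader filter such as /# receives every topic on the broker, so the custom binding should still reject topics whose api_key is not in its device registry.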

Property changes on module twins

Would a change in a reported property in a module on IoT Edge generate an event that can be 'observed' by an application via IoT Hub APIs?
You can use the IoT Hub Service API (REST) to "poll" the current state of your module twin.
If you want to be notified in real time, you can set up a route to have your twin change events sent to Blob storage, Event Hub, Service Bus…
Polling and setting up a route are definitely the 2 ways to go on the back-end side of things. You can also find more details on back-end operations in the docs.

LwM2M specification for multiple clients

We are reading the LwM2M spec for a college assignment simulation and trying to implement client and server requests.
Finding it hard to understand a few details. Documentation is limited on it. We were told a requirement was to configure multiple clients. Does that mean each endpoint will have its own object IDs according to LwM2M? What will be unique for each client? What we understood was that each client has several objects like location, device, access control, security etc. Is there any good documentation out there, or can someone give us a pointer for the basic hierarchy of LwM2M?
The LwM2M server registers client devices by unique endpoint name. To understand the LwM2M server and client flow better, you should play with this demo sandbox from Leshan LwM2M:
https://leshan.eclipseprojects.io/#/clients
You can read this to understand more about the API in LwM2M:
https://www.win.tue.nl/~lrahman/iot_2016/tutorial/LeshanTutorial_2016_v2.pdf
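An added example, not Leshan code or text from the spec, modelling the server side of the LwM2M Register operation (POST /rd?ep=<endpoint name>&lt=<lifetime> with a CoRE Link Format body listing the client's Object Instances): registrations are keyed by the endpoint name, which is the per-client unique value the question asks about. Class and function names, the endpoint names and the location-path scheme are assumptions.

```javascript
// Added example, not Leshan code or spec text; names and the /rd/<n> location
// scheme are assumptions. Object IDs: 1 = Server, 2 = Access Control,
// 3 = Device, 6 = Location; 0 = Security (holds credentials).

// Parse a CoRE Link Format body such as "</1/0>,</3/0>,</6/0>" into
// {objectId, instanceId} entries (instanceId is null for a bare "</6>").
function parseLinks(body) {
  const links = [];
  for (const m of body.matchAll(/<\/(\d+)(?:\/(\d+))?>/g)) {
    links.push({ objectId: Number(m[1]), instanceId: m[2] === undefined ? null : Number(m[2]) });
  }
  return links;
}

// Server-side registry: one record per endpoint name (the ep= query parameter).
class LwM2MRegistry {
  constructor() {
    this.clients = new Map(); // endpoint name -> registration record
    this.nextId = 1;
  }

  // Handle "Register": query is "ep=<name>&lt=<seconds>", body is the link list.
  register(query, body) {
    const params = new URLSearchParams(query);
    const ep = params.get("ep");
    if (!ep) throw new Error("Register request must carry ep=<endpoint name>");
    const objects = parseLinks(body);
    // The Security Object (ID 0) must never be advertised in a registration;
    // refuse such a request instead of storing it.
    if (objects.some((o) => o.objectId === 0)) {
      throw new Error(`${ep}: Security Object (0) listed in registration`);
    }
    const existing = this.clients.get(ep);
    // In this model a second Register from the same endpoint name replaces the
    // old record; a different endpoint name is a different client.
    const record = {
      ep,
      lifetime: Number(params.get("lt") || 86400),
      objects,
      location: existing ? existing.location : `/rd/${this.nextId++}`,
    };
    this.clients.set(ep, record);
    return { created: !existing, location: record.location };
  }

  // Distinct Object IDs an endpoint advertised (null if it never registered).
  objectIds(ep) {
    const rec = this.clients.get(ep);
    return rec ? [...new Set(rec.objects.map((o) => o.objectId))] : null;
  }
}
```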
