This section lists the steps to onboard a gateway using the Trusted Platform Module (TPM) based authentication method.

Prerequisites

  • You must enable TPM from your gateway's BIOS settings.
  • You must have installed the IoTC Agent on your gateway.
  • To verify that TPM permissions and settings are in place, run the following command on your gateway:
    [root@localhost ~]# su iotc -c /opt/vmware/iotc-agent/bin/tpm_verify
    The following output must be displayed:
    VMware secured.
  • The following steps are mandatory for gateways running on Ubuntu operating systems:
    • If VMware secured is not displayed, run the following commands on the gateway and rerun the tpm_verify command:
      sudo groupadd --system tss
      #This command creates a system level ‘tss’ group.
      sudo useradd --system tss -g tss
      #This command creates a system level ‘tss’ user and adds it to the ‘tss’ group.
      sudo usermod -a -G tss iotc
      #This command adds ‘iotc’ user to the ‘tss’ group.
      sudo usermod -g tss iotc
      #This command makes ‘tss’ the primary group of ‘iotc’.
    • To apply the device permissions every time your gateway starts, add the following commands to a startup script:
      sudo chown tss:tss /dev/tpmrm0
      #Changes the ownership of /dev/tpmrm0 from ‘root:root’ to ‘tss:tss’.
      sudo chmod g+rw /dev/tpmrm0
      #Adds read+write permissions for group on the device /dev/tpmrm0.
  • You must have the CREATE DEVICE permission to perform this operation.
  • You must have created a device template with TPM Based as the Provider Type, and it must be available on the VMware Pulse IoT Center console.
  • You must know the name that you want to assign to your gateway in the VMware Pulse IoT Center console.

Procedure

  1. From the VMware Pulse IoT Center UI, go to Inventory > Devices.
    The Devices - All Devices page is displayed.
  2. Click REGISTER.
    The Register Gateway wizard is displayed.
  3. Enter your gateway name and, to associate a template with your gateway, select the device template that has the TPM-Based authentication method enabled.
  4. Click REGISTER.
    Your gateway is registered and is listed in the Devices - All Devices page.
  5. To enroll your gateway, create a credential:
    1. Log in to your gateway and run the fingerprint command to generate the TPM Endorsement Public Key:
      [root@localhost bin]# ./opt/vmware/iotc-agent/bin/fingerprint <Device Name>
      {
      "name": "<Device Name>",
      "machine.address": [
      "00:01:C0:23:22:CD",
      "00:01:C0:23:22:E0"
      ],
      "tpm.ek.public": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtcjmahxIIdvvtIqgYn/xeMS3xy7MSAmD1Th9MDbDR9HVepiDD92OJwb5ARDjYnEUCRlrNfWGV5iXLZDQ7i8h4953GZhPLwK4x0MVcjPtPD8Of5fXxdPepuLFl8IPh4zPU9GAaTnY1+jkK8ccQP57iqBUDBZa2UU6z+VcWjAf7fnXzHug0meWExMFSMTi5qne7sNVbf8x54W6AceGO1KKSEKZpUWs0heTKIQBg4dZ3kWgws8HSvg07bd81CZPnaL0EHuaShboZnRXcTErN7a86bOJGUlD23CPJHk6Gt1XaqJrFthfWRWqLHbao3XxFkmh2vacXc5Ifs+CssTjbSzdNQIDAQAB",
      "tpm.pcrs.sha256": [
      "85749DAD791A4125477BF1454958D4647A95FC41A08219E9387F6546C4121E19",
      "7B7228F53616F5E08E28408195E4185A051769910303C7CF5C5F6F424D5852DB",
      "3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969",
      "3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969",
      "3B797EDC3BFB790010B485156AA52936A3D7AA87B9106D7C162C17CA1C840B5F",
      "B3A66804696158C623E1793BF07FB3157269C4F10A0F09EA405683E9D4B04097",
      "3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969",
      "B5710BF57D25623E4019027DA116821FA99F5C81E9E38B87671CC574F9281439",
      "4A8DC3CBC1A0D2434FB61B103ED79A9B05702935D92C94643F84D312C100C75A",
      "D01A23BE3296064075393AA584E5646B182210FF3D03594893F35542BB022B39",
      "31E21E1644983F4E013CE13476AB20424362FFFCFB31CF22AE491E56E2C20A1D",
      "0000000000000000000000000000000000000000000000000000000000000000",
      "0000000000000000000000000000000000000000000000000000000000000000",
      "0000000000000000000000000000000000000000000000000000000000000000",
      "0000000000000000000000000000000000000000000000000000000000000000",
      "0000000000000000000000000000000000000000000000000000000000000000"
      ]
      }
      JSON file successfully generated
      
    2. Copy the TPM Endorsement Public Key to your clipboard.
    3. In the VMware Pulse IoT Center console, navigate to the Inventory > Devices page and select the gateway to enroll.
    4. In the Devices - All Devices page, click the Actions drop-down menu and select Create Gateway Credentials.
    5. Paste the TPM Endorsement Public Key and click CREATE.
  6. To enroll, log in to your TPM enabled gateway and run the following command:
    /opt/vmware/iotc-agent/bin/DefaultClient enroll --auth-type=TPM
  7. To enable your TPM enabled gateway for an automatic enrollment, perform the following steps:
    1. Open /opt/vmware/iotc-agent/conf/iotc-agent.cfg.
      The iotc-agent.cfg file lists the details about your gateway enrollment.
    2. Scroll down to the autoEnrollmentType parameter and change its value to 1.
      This change enables your registered gateway to be enrolled automatically.
    3. You can also configure the retry interval by specifying an autoEnrollRetryIntervalSeconds value. The VMware Pulse IoT Center server tries to enroll your whitelisted gateway after the specified interval. The default interval value is 300 seconds.
    4. Save the configuration and restart the VMware Pulse IoTC Agent.
      The following example is a sample iotc-agent.cfg file for auto enrollment:
      /opt/vmware/iotc-agent/conf/iotc-agent.cfg
      Auto Enrollment:
      # Auto enrollment of a registered gateway. 0 - No auto enrollment and 1 - TPM based
      autoEnrollmentType = 1
      # Enrollment retry interval in seconds, should be > 0
      autoEnrollRetryIntervalSeconds = 300
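
Before the TPM Endorsement Public Key from step 5 is pasted into the console, it is worth confirming that the fingerprint command really produced an RSA endorsement key (a base64 DER SubjectPublicKeyInfo) and that the PCR list is well formed. The following Python script is an added example, not code from the IoTC Agent or the VMware documentation; it parses the fingerprint output shown in step 5 (trimmed to three of its PCR entries) using only the standard library and reports the key size, public exponent and a PCR summary.

```python
import base64
import json
import re
# Fingerprint output copied from step 5 above, trimmed to three of its PCR entries.
FINGERPRINT_JSON = """{
  "name": "<Device Name>",
  "machine.address": ["00:01:C0:23:22:CD", "00:01:C0:23:22:E0"],
  "tpm.ek.public": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtcjmahxIIdvvtIqgYn/xeMS3xy7MSAmD1Th9MDbDR9HVepiDD92OJwb5ARDjYnEUCRlrNfWGV5iXLZDQ7i8h4953GZhPLwK4x0MVcjPtPD8Of5fXxdPepuLFl8IPh4zPU9GAaTnY1+jkK8ccQP57iqBUDBZa2UU6z+VcWjAf7fnXzHug0meWExMFSMTi5qne7sNVbf8x54W6AceGO1KKSEKZpUWs0heTKIQBg4dZ3kWgws8HSvg07bd81CZPnaL0EHuaShboZnRXcTErN7a86bOJGUlD23CPJHk6Gt1XaqJrFthfWRWqLHbao3XxFkmh2vacXc5Ifs+CssTjbSzdNQIDAQAB",
  "tpm.pcrs.sha256": [
    "85749DAD791A4125477BF1454958D4647A95FC41A08219E9387F6546C4121E19",
    "7B7228F53616F5E08E28408195E4185A051769910303C7CF5C5F6F424D5852DB",
    "0000000000000000000000000000000000000000000000000000000000000000"
  ]
}"""
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def der_read(buf, pos):
    """Read one DER TLV starting at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def inspect_ek(spki_b64):
    """Parse a base64 SubjectPublicKeyInfo; return (modulus bits, public exponent)."""
    spki = base64.b64decode(spki_b64, validate=True)
    tag, body, end = der_read(spki, 0)
    if tag != 0x30 or end != len(spki):
        raise ValueError("EK is not a single DER SEQUENCE")
    _, alg, pos = der_read(body, 0)  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if der_read(alg, 0)[1] != RSA_ENCRYPTION_OID:
        raise ValueError("EK algorithm is not rsaEncryption")
    tag, bits, _ = der_read(body, pos)  # BIT STRING; bits[0] is the unused-bit count
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey")
    _, rsa, _ = der_read(bits, 1)  # RSAPublicKey ::= SEQUENCE { modulus, publicExponent }
    _, n, pos = der_read(rsa, 0)
    _, e, _ = der_read(rsa, pos)
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")

def check_fingerprint(text):
    """Summarise a fingerprint document so the EK can be sanity-checked before it is pasted."""
    doc = json.loads(text)
    bits, exp = inspect_ek(doc["tpm.ek.public"])
    pcrs = doc["tpm.pcrs.sha256"]
    bad = sum(1 for p in pcrs if not re.fullmatch(r"[0-9A-Fa-f]{64}", p))
    unused = sum(1 for p in pcrs if set(p) == {"0"})  # an all-zero PCR has not been extended since reset
    return {"name": doc["name"], "ek_bits": bits, "ek_exponent": exp,
            "pcr_count": len(pcrs), "malformed_pcrs": bad, "unused_pcrs": unused}
```

A key size other than 2048 bits, a non-RSA OID or a decode error means the value on the clipboard is not the EK the console expects and should not be pasted.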

Results

You have successfully enrolled a TPM enabled gateway.