# Device with Direct Internet Connection

TIP: If the device is behind the ABB proxy server, configure the proxy server information in the device environment file as a first step:

- Open the `/etc/environment` file.
- Add `http_proxy=https://<proxy_address>:<proxy_port>` and save the file.

Installation and enrollment steps:

- Download the ABB Ability™ Edge Security Debian packages that match your device architecture (currently only x86 and ARM are supported) and TPM version.
- Keep all Debian packages in the same folder.
- On the target device, enter the root user shell and run `apt-get update` to download the latest dependency manifests. Then navigate to the directory containing the Debian package files and run `apt-get install ./*.deb` to install them.
- Run `sudo abb_TakeOwnership_tpmxx` (xx is 20 for TPM 2.0 and 12 for TPM 1.2). This step is for new devices.
  - Successful execution of this step reports `Taking ownership successful`.
- Open the `/etc/dpcm.config` file and configure the following parameters:
  - PKI_RA_SERVER_ADDRESS - RA server URL; change it to the Ability CA SCEP HTTPS endpoint
  - PKI_RA_SERVER_PORT - RA server port; change it to 443
  - PKI_CERTIFICATE_O - Organization name, fixed to ABB Information Systems Ltd (not changeable)
  - PKI_ENROLL_PASWD - Enrollment Code

```
PKI_RA_SERVER_ADDRESS=<Ability PKI SCEP end point URL>
PKI_RA_SERVER_PORT=443
PKI_CERTIFICATE_OU=PG9964 //A value of the requested certificate's OU field
PKI_CERTIFICATE_O=ABB Information Systems Ltd //cannot be changed
PKI_KEY_LENGTH=2048
PKI_RENEW_KEY_LENGTH=2048
PKI_CA_AUTH_HASH=<Ability PKI Root CA Hash>
PKI_ENROLL_PASWD=<Enrollment Code>
PKI_CERT_EXPIRE_THRESHOLD=30
PKI_POLL_ATTEMPTS=10
PKI_POLL_INTERVAL=10000
AZURE_IOT_CERT=/var/ability/certs/edgedevice-cert.pem
AZURE_IOT_CA=/var/ability/certs/edgeca.pem
AZURE_IOT_KEY=/var/ability/certs/edgedevice-key.pem
PKI_CSR=/var/ability/certs/CSR.pem
SETUP_FILE=/var/ability/config/setup.sh
EDGE_ENV_FILE=/var/ability/config/edge.env
REGISTER_DEV_ID=1
OFFLINE_ENROLLMENT=0
IDServiceURL=<Global ID Generator URL>
EnrollKeyBlobPath=/var/ability/certs/edgedevice-key.pem
```

- Run `systemctl enable --now nanotap.service`.
- Run `systemctl enable --now securestoragetpmxx.service`.
- Run `systemctl enable --now dpcmtpmxx.service`.

The certificate and key file are generated at the following configured paths:

```
AZURE_IOT_CERT=/var/ability/certs/edgedevice-cert.pem
AZURE_IOT_KEY=/var/ability/certs/edgedevice-key.pem
```
# Device with No Internet Connection during Manufacturing

- Download the ABB Ability™ Edge Security Debian packages that match your device architecture (currently only x86 and ARM are supported) and TPM version.
- Keep all Debian packages in the same folder.
- The kernel must have all dependencies.
- On the target device, as the root user, navigate to the directory containing the Debian package files and run `apt-get install ./*.deb` to install them.
- Run `sudo abb_TakeOwnership_tpmxx` (xx is 20 for TPM 2.0 and 12 for TPM 1.2). This step is for new devices.
- Open the `/etc/dpcm.config` file and configure the following parameters:
  - PKI_RA_SERVER_ADDRESS - RA server URL; change it to the Ability PKI CA SCEP HTTPS endpoint
  - PKI_RA_SERVER_PORT - RA server port; change it to 443
  - PKI_CERTIFICATE_O - Organization name, fixed to ABB Information Systems Ltd
  - PKI_ENROLL_PASWD - the ABB Administrator retrieves the enrollment password by authenticating with the API key

```
PKI_RA_SERVER_ADDRESS=<Ability PKI SCEP end point URL>
PKI_RA_SERVER_PORT=443
PKI_CERTIFICATE_OU=PG9964 //A value of the requested certificate's OU field
PKI_CERTIFICATE_O=ABB Information Systems Ltd //fixed, cannot be changed
PKI_KEY_LENGTH=2048
PKI_RENEW_KEY_LENGTH=2048
PKI_CA_AUTH_HASH=<Ability Root CA Hash>
PKI_ENROLL_PASWD=<Enrollment password>
PKI_CERT_EXPIRE_THRESHOLD=30
PKI_POLL_ATTEMPTS=10
PKI_POLL_INTERVAL=10000
AZURE_IOT_CERT=/var/ability/certs/edgedevice-cert.pem
AZURE_IOT_CA=/var/ability/certs/edgeca.pem
AZURE_IOT_KEY=/var/ability/certs/edgedevice-key.pem
PKI_CSR=/var/ability/certs/CSR.der
SETUP_FILE=/var/ability/config/setup.sh
EDGE_ENV_FILE=/var/ability/config/edge.env
REGISTER_DEV_ID=1
OFFLINE_ENROLLMENT=0
IDServiceURL=<Global ID Generator URL>
EnrollKeyBlobPath=/var/ability/certs/edgedevice-key.pem
ContainerScriptPath=/var/ability/config/DPS_Container/start_dps_container.sh
```

Note: Refer to the abbreviations page to learn more about these terms.

Change the OFFLINE_ENROLLMENT parameter to 1 for the offline enrollment scenario (without internet connectivity).
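Most enrollment failures on a freshly provisioned device trace back to a `dpcm.config` that still carries a `<placeholder>`, a changed fixed value, or a wrong mode flag, and the dpcm service only reports them after the fact. The following POSIX shell script is an added example, not part of the ABB Ability Edge Security packages, that reads a `dpcm.config`-style file (both listings above, online and offline) before the service is enabled and flags those mistakes. It assumes the `KEY=VALUE` layout with trailing `//` comments shown on this page; the expected values (port 443, the fixed PKI_CERTIFICATE_O, 2048-bit keys, OFFLINE_ENROLLMENT of 0 or 1) are taken from the listings, and which keys count as site-specific placeholders is this example's own choice.

```shell
#!/bin/sh
# Pre-flight check of /etc/dpcm.config before enabling the dpcm service.
# Added example; not part of the ABB Ability Edge Security packages.
# Assumes the KEY=VALUE layout with optional trailing "//" comments shown
# on this page; the expected values are taken from that listing.

# dpcm_get FILE KEY: print the value of KEY with any trailing "//" comment
# and surrounding whitespace removed; print nothing if the key is absent.
# A comment must be preceded by whitespace so that the "//" inside an
# https:// URL is never mistaken for one.
dpcm_get() {
    awk -v key="$2" '
        index($0, key "=") == 1 {
            v = substr($0, length(key) + 2)
            sub(/[[:space:]]+\/\/.*$/, "", v)
            sub(/^[[:space:]]+/, "", v)
            sub(/[[:space:]]+$/, "", v)
            print v
            exit
        }' "$1"
}

# check_dpcm_config FILE: print one line per problem found and succeed
# only if the file passes every check.
check_dpcm_config() {
    f="$1"
    problems=0

    # 1. Site-specific values must have had their <placeholder> replaced.
    for key in PKI_RA_SERVER_ADDRESS PKI_CA_AUTH_HASH PKI_ENROLL_PASWD IDServiceURL; do
        v=$(dpcm_get "$f" "$key")
        case "$v" in
            "" | "<"*">") echo "$key: missing or still a <placeholder>"; problems=$((problems + 1)) ;;
        esac
    done

    # 2. The RA server is the SCEP HTTPS endpoint on port 443.
    [ "$(dpcm_get "$f" PKI_RA_SERVER_PORT)" = "443" ] ||
        { echo "PKI_RA_SERVER_PORT: expected 443"; problems=$((problems + 1)); }

    # 3. The organization is fixed by the service and must not be edited.
    [ "$(dpcm_get "$f" PKI_CERTIFICATE_O)" = "ABB Information Systems Ltd" ] ||
        { echo "PKI_CERTIFICATE_O: must stay 'ABB Information Systems Ltd'"; problems=$((problems + 1)); }

    # 4. Enrollment and renewal keys: 2048-bit at minimum.
    for key in PKI_KEY_LENGTH PKI_RENEW_KEY_LENGTH; do
        v=$(dpcm_get "$f" "$key")
        case "$v" in
            "" | *[!0-9]*) echo "$key: not a number"; problems=$((problems + 1)) ;;
            *) [ "$v" -ge 2048 ] || { echo "$key: $v is below 2048"; problems=$((problems + 1)); } ;;
        esac
    done

    # 5. OFFLINE_ENROLLMENT selects the flow: 0 = online SCEP, 1 = manual CSR.
    case "$(dpcm_get "$f" OFFLINE_ENROLLMENT)" in
        0 | 1) ;;
        *) echo "OFFLINE_ENROLLMENT: must be 0 or 1"; problems=$((problems + 1)) ;;
    esac

    echo "$problems problem(s) found"
    [ "$problems" -eq 0 ]
}

# Usage: sh check_dpcm.sh /etc/dpcm.config
if [ "$#" -eq 1 ]; then
    check_dpcm_config "$1"
fi
```

Run it as root after editing `/etc/dpcm.config` and before `systemctl enable` of the dpcm service; a non-zero exit means at least one line of findings was printed. The placeholder check deliberately covers only the keys that differ per site, so a value that is merely wrong (for instance a mistyped CA hash) still needs the post-enrollment verification.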
- The Device ID must be generated manually and registered in the ID Database. The Device ID must be configured in the `edge.env` file.
- Run `systemctl enable dpcmtpmxx.service`.
- The CSR (Certificate Signing Request) file and key file are generated in the configured path.
- Create a support ticket, choosing Ability PKI as the category, and submit it with the CSR file generated in the previous step attached. The Ability PKI team uses the CSR to generate the device certificate from the Ability PKI CA and attaches the CA root certificate and the device certificate as a response to the ticket.
- The BL administrator has to place the above two certificates in the `edgeca.pem` file at the path configured in `dpcm.config`, without modifying the existing content of `edgeca.pem`.

```
AZURE_IOT_CA=/var/ability/certs/edgeca.pem // Root CA
AZURE_IOT_KEY=/var/ability/certs/edgedevice-key.pem //Device Certificate
```
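Whether the certificate came from the online SCEP flow or from the ticket in the offline flow, the files under the configured paths should be checked as one identity before the device leaves manufacturing: the certificate must carry the public half of the key on disk, chain to the root in `edgeca.pem`, have a private key that other users cannot read, and not already be inside the PKI_CERT_EXPIRE_THRESHOLD window (30 days in the listings above) in which dpcm is expected to renew it. The following POSIX shell script is an added example, not part of the ABB packages; it assumes only a stock `openssl` binary, and the file names in the usage line are the configured defaults from the listings.

```shell
#!/bin/sh
# Post-enrollment consistency check of the identity files dpcm writes under
# /var/ability/certs. Added example; not part of the ABB packages.
# Assumes a stock openssl binary; the paths and the 30-day threshold in the
# usage section are the configured defaults from the dpcm.config listing.

# cert_matches_key CERT KEY: succeed if CERT carries the public half of KEY.
# Both public keys are normalised to DER and hashed so PEM formatting
# differences do not matter. Unreadable input counts as a mismatch.
cert_matches_key() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 1
    openssl pkey -in "$2" -noout 2>/dev/null || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# chain_verifies CA CERT: succeed if CERT validates against the root(s) in CA.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# renewal_due CERT DAYS: succeed if CERT expires within DAYS, i.e. it is
# already inside the PKI_CERT_EXPIRE_THRESHOLD window where dpcm should renew.
renewal_due() {
    secs=$(( $2 * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1  # still valid beyond the window
    fi
    return 0
}

# key_is_private KEY: succeed if the file grants no permission bits to
# "other". Reads columns 8-10 of the POSIX ls -l mode string, so it needs
# no platform-specific stat(1) flags.
key_is_private() {
    case "$(ls -ld "$1" | cut -c8-10)" in
        ---) return 0 ;;
        *)   return 1 ;;
    esac
}

# verify_edge_identity CERT KEY CA [DAYS]: run every check, print one line
# per finding and succeed only if all of them pass.
verify_edge_identity() {
    cert="$1"; key="$2"; ca="$3"; days="${4:-30}"; rc=0
    cert_matches_key "$cert" "$key" || { echo "cert/key: public key mismatch or unreadable"; rc=1; }
    chain_verifies "$ca" "$cert"    || { echo "chain: $cert does not verify against $ca"; rc=1; }
    key_is_private "$key"           || { echo "key: $key is readable by other users"; rc=1; }
    if renewal_due "$cert" "$days"; then
        echo "expiry: $cert expires within $days days; renewal is due"; rc=1
    fi
    return "$rc"
}

# Usage with the configured defaults; only runs on a device that has been
# enrolled, so the file is absent elsewhere and nothing happens.
if [ "$#" -eq 0 ] && [ -f /var/ability/certs/edgedevice-cert.pem ]; then
    verify_edge_identity /var/ability/certs/edgedevice-cert.pem \
                         /var/ability/certs/edgedevice-key.pem \
                         /var/ability/certs/edgeca.pem 30
fi
```

One caveat: if EnrollKeyBlobPath points at a TPM-wrapped key blob rather than a plain PEM private key, stock `openssl pkey` cannot parse it and `cert_matches_key` reports a mismatch; the chain, permission and expiry checks still apply, and the key match then has to be done through the TPM tooling instead.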