Create a cloud gateway product (GB/T 32960)


To connect vehicle devices to IoT Platform by using a GB/T 32960 protocol cloud gateway, you must first create a cloud gateway product.

Background information

For more information about GB/T 32960 protocol cloud gateways on IoT Platform, see Overview of GB/T 32960 protocol cloud gateways.

Add a cloud gateway

  1. Log on to the IoT Platform console.

  2. On the Instance Overview page, click the Enterprise Edition instance that you want to use.

  3. In the navigation pane on the left, choose Device Management > Cloud Gateway, and then click Add Cloud Gateway.

  4. Configure the Basic Information and click Next.

    • Cloud gateway name: Enter a name for the cloud gateway. The name must be unique within the instance. The name can contain Chinese characters, English letters, Japanese characters, digits, and underscores (_). It must be 4 to 30 characters in length. A Chinese or Japanese character is counted as two characters.

    • Protocol: Select GB/T 32960.

    • Custom port number: The value must be between 1024 and 65535. The default port number is 8999.

    • Authentication type:

      • One-way authentication: You must import device authentication information (UserName, Password, and SN) into IoT Platform. IoT Platform authenticates devices based on this information.

      • Third-party authentication (Alibaba Cloud FC): You must set Device Authentication FC Service, Device Authentication FC Function, and Authorization. You can select an existing Function Compute (FC) function or create a new one. The request and response parameters of the FC authentication function must comply with the specifications; the function name itself can be anything you choose. For more information about the request and response parameters of the authentication function, see FC authentication function example.

        • Click Create Service to go to the Function Compute console and create a service. For more information about services, see Manage services.

        • Click Create Function to go to the Function Compute console and create a function. For more information about functions, see Manage functions.

        • If you have not created the AliyunIOTAccessingFCRole role, click Create RAM Role to go to the Resource Access Management (RAM) console. To create a RAM role and an authorization policy, see Create a RAM role.

    • Transport protocol:

      • TCP: When you use TCP for direct connections, do not connect over the Internet. Use a leased line for better security.

        Important

        If you select the TCP protocol, click Finish to create the cloud gateway. You do not need to configure a certificate.

      • TLS: When devices connect over TLS, server-side one-way authentication, device-side Online Certificate Status Protocol (OCSP) checks, and bidirectional (mutual) secure access between devices and the server are supported.

        • Enable X.509 certificate-based device verification. You must set Enable OCSP to one of the following:

          • Disabled

          • OCSP verification for server-side certificate

          • OCSP verification for client certificate

          • OCSP verification for client and server-side certificates

        • Disable X.509 certificate-based device verification. You must set Enable OCSP to one of the following:

          • Disabled

          • OCSP verification for server-side certificate

        Note
        • Online Certificate Status Protocol (OCSP) is an Internet protocol used to query a certificate authority (CA) about the revocation status of a certificate.

        • OCSP verification for a client certificate is performed when the client sends a message. If the certificate is revoked, the server actively closes the connection.

        • The default cache duration for the server-side OCSP Stapling feature is 5 to 60 minutes. After the cache expires, OCSP Stapling does not take effect for the first access request until the OCSP Stapling information is obtained again.

  5. Complete the Certificate Configuration and click OK.

    Important
    • IoT Platform supports private CAs that use RSA and ECC, and the SM2, SM3, and SM4 Chinese cryptographic algorithms.

    • If you select TCP as the transport protocol, you do not need to configure a certificate.

    Use Alibaba Cloud PCA service

    Important

    If you enabled OCSP in the previous step, you cannot use the Alibaba Cloud Private Certificate Authority (PCA) service. You must enter the certificate information manually.

    You can use an existing PCA or create a new one. For more information about the PCA service, see What is a PCA certificate?.

    1. You must configure the Server-side Certificate and Server-side Certificate Private Key.

    2. If you enable X.509 certificate-based device verification, you must also configure the Client Certificate.

    3. If the OCSP authentication method is OCSP verification for server-side certificate or OCSP verification for client and server-side certificates, the Trusted Certificate defaults to the server-side root certificate.

    Enter manually

    You can use a CA certificate that you issue yourself. For information about how to issue a custom certificate, see Issue a custom certificate.

    Important

    The certificates that you configure must be in PEM format.

    1. You must configure the Server-side Certificate and Server-side Certificate Private Key.

    2. If you enable X.509 certificate-based device verification, you must also configure the Client Root Certificate.

    3. If the OCSP authentication method is OCSP verification for server-side certificate or OCSP verification for client and server-side certificates, the Trusted Certificate defaults to the server-side root certificate.

  6. In the cloud gateway list, you can view the cloud gateway information, such as the cloud gateway name, cloud gateway ID, gateway URL, status, and associated product.

    Important

    Save the gateway URL. When a device that uses the GB/T 32960 protocol connects to IoT Platform, you must replace its access domain name with this gateway URL. You can directly configure the gateway URL as the new access domain name, or configure a canonical name (CNAME) record to resolve the original access domain name to this gateway URL.


  • FC authentication function example:

    • Request parameters:

      {
          "vin":"test01", 
          "iccid":"123******",
          "serialNo":123,
          "subSystemNumber":1,
          "systemEncodeLength":12,
          "systemEncode":[], 
          "action":"auth",
          "year":2023,
          "month":12,
          "day":23,
          "hour":12,
          "minute":23,
          "second":12,
          "protocol":"gb32960"
      }
    • Response parameters:

      {
          "result":"true",
          "message":""
      }
  • Parameter description for the FC authentication function:

    Note

    The values of the relevant parameters in the authentication function must comply with the GB/T 32960 protocol standard. For more information, see GB/T 32960-2016 (Communication Protocol and Data Format).

    Request parameters:

    • vin (String): The vehicle identification number. It can contain English letters and digits, and must be 4 to 17 characters in length.

    • iccid (String): The ICCID of the vehicle.

    • serialNo (Integer): The serial number for the vehicle logon.

    • subSystemNumber (Integer): The number of rechargeable energy storage subsystems.

    • systemEncodeLength (Integer): The length of the rechargeable energy storage system code.

    • systemEncode (List): The rechargeable energy storage system code.

    • action (String): The value is fixed to auth, which indicates authentication for device logon.

    • year (Integer): The year of the logon time.

    • month (Integer): The month of the logon time.

    • day (Integer): The day of the logon time.

    • hour (Integer): The hour of the logon time.

    • minute (Integer): The minute of the logon time.

    • second (Integer): The second of the logon time.

    • protocol (String): The protocol used by the vehicle to log on to IoT Platform. The value is fixed to gb32960.

    Response parameters:

    • result (String): Indicates whether the logon to IoT Platform was successful. Valid values:

      • true: successful.

      • false: failed.

    • message (String): The error message returned if the logon fails.
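The following is an added example of a third-party authentication function that implements the request and response contract described above; it is not code from IoT Platform or Function Compute. It assumes the FC Python runtime passes the request body to `handler(event, context)` as bytes and expects a JSON string back, and it uses a constructed VIN-to-ICCID allow-list in place of a real vehicle registry.

```python
import json
import re
from datetime import datetime

# Constructed allow-list (assumption): the page does not say where the FC
# function looks vehicles up, so a dict of VIN -> expected ICCID stands in.
KNOWN_VEHICLES = {"test01": "8986001234567890123"}

# Page rule for vin: English letters and digits, 4 to 17 characters.
VIN_RE = re.compile(r"^[A-Za-z0-9]{4,17}$")


def _deny(message):
    return {"result": "false", "message": message}


def authenticate(req):
    """Check one GB/T 32960 logon request and return the page's response
    shape: {"result": "true"|"false", "message": "..."}."""
    if req.get("action") != "auth" or req.get("protocol") != "gb32960":
        return _deny("unsupported action or protocol")
    vin = req.get("vin")
    if not isinstance(vin, str) or not VIN_RE.match(vin):
        return _deny("malformed vin")
    for field in ("serialNo", "subSystemNumber", "systemEncodeLength"):
        if not isinstance(req.get(field), int):
            return _deny("%s must be an integer" % field)
    # The logon time fields must form a real calendar date and time.
    try:
        datetime(req["year"], req["month"], req["day"],
                 req["hour"], req["minute"], req["second"])
    except (KeyError, TypeError, ValueError):
        return _deny("invalid logon time")
    # A well-formed VIN is not proof of identity: require a registered vehicle
    # whose ICCID matches the record, so a guessed VIN alone cannot log on.
    expected_iccid = KNOWN_VEHICLES.get(vin)
    if expected_iccid is None or req.get("iccid") != expected_iccid:
        return _deny("vehicle not registered or iccid mismatch")
    return {"result": "true", "message": ""}


def handler(event, context):
    # Assumption: the FC Python runtime delivers the request body as bytes
    # and expects the JSON response as a string.
    try:
        req = json.loads(event)
    except (TypeError, ValueError):
        return json.dumps(_deny("request body is not JSON"))
    if not isinstance(req, dict):
        return json.dumps(_deny("request body must be a JSON object"))
    return json.dumps(authenticate(req))
```

Because the cloud gateway creates a device named after the vin value on first successful logon, the function should deny anything it cannot positively match to a known vehicle rather than defaulting to "true".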

Optional: Edit a cloud gateway

After you create a cloud gateway, click Edit in the Actions column of the cloud gateway list to modify the gateway name, certificate information, FC authentication function, and other settings.


Result

After you create the cloud gateway, IoT Platform automatically creates a product and associates it with the gateway. The product name follows the format CloudGateway+${CloudGatewayInstanceID}. You can view the product on the Device Management > Products page.

In the product list, find the product and click View in the Actions column to view the product details. The following figure shows the default configurations.


What to do next

  • If you create a cloud gateway that uses Third-party authentication, IoT Platform automatically creates and authenticates a device when the device establishes a connection for the first time. IoT Platform uses the value of the vin request parameter from the FC authentication function as the device name.

  • If you create a cloud gateway that uses One-way authentication, you must import device authentication information into IoT Platform to create devices. For more information, see Add devices in batches.