Create a cloud gateway product (SL 651)


To connect telemetry stations to IoT Platform by using a cloud gateway that supports the SL 651 protocol, you must create a corresponding product. This topic describes the procedure.

Background information

To learn how to connect devices to IoT Platform with a cloud gateway that supports the SL 651 protocol, see SL 651 protocol overview.

Add a cloud gateway

  1. Log on to the IoT Platform console.

  2. On the Instance Overview page, click your target Enterprise Edition instance.

  3. In the left-side navigation pane, choose Device Management > Cloud Gateway, and then click Add Cloud Gateway.

  4. Configure the Basic information and click Next.

    Cloud gateway name

      Enter a name for the cloud gateway. The name must be unique within the instance. The name can be 4 to 30 characters in length and can contain Chinese characters, Japanese characters, letters, digits, and underscores (_). A Chinese or Japanese character is counted as two characters.

    Protocol

      Select SL 651.

    Custom port

      The value must be an integer from 1024 to 65535. The default port is 8898.

    Authentication type

      • One-way authentication: You must import the telemetry station address (telemetryAddress) and the password (password) of each station to IoT Platform. IoT Platform uses these credentials to authenticate the device.

      • Third-party authentication (Alibaba Cloud FC): You must configure the Device Authentication FC Service, Device Authentication FC Function, and Authorization. You can select an existing Function Compute (FC) function or create a new one. The function name can be customized, but the input and output parameters of the FC authentication function must comply with the required format. For more information about the input and output parameters, see the FC function example at the end of this topic.

        • Click Create Service to go to the Function Compute console and create a service. For more information, see Manage services.

        • Click Create Function to go to the Function Compute console and create a function. For more information, see Manage functions.

        • If the AliyunIOTAccessingFCRole does not exist, click Create RAM role to open the RAM console. For instructions on creating a RAM role and an authorization policy, see Create a RAM role.

    Transport protocol

      • TCP: For better security, use a leased line instead of a public network for direct TCP connections.

        Important: If you select the TCP protocol, you can click Finish to create the cloud gateway. No certificate configuration is required.

      • TLS: Connecting with TLS allows you to enable server-side one-way authentication, device-side OCSP, and two-way secure access.

        • Enable X.509 device authentication. You must configure the Enable OCSP parameter with one of the following values:

          • Disabled

          • Server-side OCSP validation

          • Client-side OCSP validation

          • Client and server-side OCSP validation

        • Disable X.509 device authentication. You must configure the Enable OCSP parameter with one of the following values:

          • Disabled

          • Server-side OCSP validation

        Note
        • Online Certificate Status Protocol (OCSP) is an Internet protocol used to query a certificate authority (CA) about the revocation status of a certificate.

        • OCSP verification for a client certificate is performed when the client sends a message. If the certificate is revoked, the server actively closes the connection.

        • The default cache duration for the server-side OCSP Stapling feature is 5 to 60 minutes. After the cache expires, OCSP Stapling does not take effect for the first access request until the OCSP Stapling information is obtained again.

  5. Complete the certificate configuration and click OK.

    Important
    • IoT Platform supports private CAs that use RSA, ECC, and the Chinese cryptographic algorithms SM2, SM3, and SM4.

    • Certificate configuration is not required for the TCP transport protocol.

    Use Alibaba Cloud PCA service

    Important

    If you enabled OCSP in the previous step, you cannot use the PCA service and must enter the certificate manually.

    Use an existing PCA or create a new one. For more information about the Private Certificate Authority (PCA) service, see What is a PCA certificate?

    1. You must configure the server certificate and server certificate private key.

    2. If you enabled X.509 certificate authentication for devices, you must also configure the device certificate.

    3. If you set the OCSP authentication method to Server-side OCSP validation or Client and server-side OCSP validation, the Trust certificate parameter defaults to the server's root certificate.

    Enter manually

    You can use a self-issued CA certificate. For information about how to issue a custom certificate, see Issue a custom certificate.

    Important

    All certificates that you configure must be in PEM format.

    1. Configure the server certificate and server certificate private key.

    2. If you enabled X.509 certificate authentication for devices, you must also configure the device root certificate.

    3. If you set the OCSP authentication method to Server-side OCSP validation or Client and server-side OCSP validation, the Trust certificate parameter defaults to the server's root certificate.
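The transport, OCSP and certificate settings in steps 4 and 5 constrain each other, and a mistake is usually only discovered when the console rejects the form or the first TLS handshake fails. The following pre-flight check is an added example, not Alibaba Cloud code; it encodes the rules stated on this page (TCP needs no certificates, TLS needs a PEM server certificate and key, X.509 device authentication needs the device root certificate, the PCA service cannot be combined with OCSP, and the OCSP modes offered depend on the X.509 setting). The dictionary keys and the `placeholder_pem` helper are this example's own names; the PEM blobs it builds are constructed placeholders, not real certificates or keys.

```python
import base64
import re

# Added example, not Alibaba Cloud code: checks a proposed cloud gateway
# configuration against the rules this page states. Key names below are
# this example's own, not the console's field names.

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# OCSP modes the console offers, depending on the X.509 device authentication setting.
OCSP_MODES_WITHOUT_X509 = {"Disabled", "Server-side OCSP validation"}
OCSP_MODES_WITH_X509 = OCSP_MODES_WITHOUT_X509 | {
    "Client-side OCSP validation",
    "Client and server-side OCSP validation",
}


def pem_labels(blob):
    """Return the labels of the PEM blocks in blob, in order.

    Raises ValueError if a block body is not valid base64. Only the PEM
    framing is checked here; the DER inside is not parsed.
    """
    labels = []
    for label, body in PEM_BLOCK.findall(blob or ""):
        # validate=True rejects anything outside the base64 alphabet
        base64.b64decode("".join(body.split()), validate=True)
        labels.append(label)
    return labels


def _check_pem_field(problems, name, blob, accepted):
    """Record a problem unless the field's first PEM block has an accepted label."""
    try:
        labels = pem_labels(blob)
    except ValueError as exc:
        problems.append(f"{name}: not valid PEM ({exc})")
        return
    if not labels:
        problems.append(f"{name}: missing; all certificates must be in PEM format")
    elif labels[0] not in accepted:
        problems.append(f"{name}: first block is {labels[0]!r}, expected {sorted(accepted)}")


def check_gateway_config(cfg):
    """Return a list of problems with cfg; an empty list means it is consistent."""
    problems = []
    transport = cfg.get("transport")
    if transport == "TCP":
        # Certificate configuration is neither required nor used for TCP.
        for field in ("server_cert", "server_key", "device_root_cert"):
            if cfg.get(field):
                problems.append(f"{field}: not used with TCP transport")
        return problems
    if transport != "TLS":
        return [f"transport: expected TCP or TLS, got {transport!r}"]

    x509 = bool(cfg.get("x509_device_auth"))
    ocsp = cfg.get("ocsp", "Disabled")
    allowed = OCSP_MODES_WITH_X509 if x509 else OCSP_MODES_WITHOUT_X509
    if ocsp not in allowed:
        state = "enabled" if x509 else "disabled"
        problems.append(f"ocsp: {ocsp!r} is not offered when X.509 device authentication is {state}")

    if cfg.get("cert_source") == "PCA":
        if ocsp != "Disabled":
            problems.append("cert_source: the PCA service cannot be used with OCSP enabled; enter certificates manually")
        return problems

    # Manual entry: every configured certificate must be PEM.
    _check_pem_field(problems, "server_cert", cfg.get("server_cert"), CERT_LABELS)
    _check_pem_field(problems, "server_key", cfg.get("server_key"), KEY_LABELS)
    if x509:
        _check_pem_field(problems, "device_root_cert", cfg.get("device_root_cert"), CERT_LABELS)
    return problems


def placeholder_pem(label):
    """Constructed PEM-framed placeholder for the samples; not a real certificate or key."""
    body = base64.b64encode(f"constructed placeholder {label}".encode()).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample configurations.
SAMPLE_OK = {
    "transport": "TLS",
    "x509_device_auth": True,
    "ocsp": "Client and server-side OCSP validation",
    "cert_source": "manual",
    "server_cert": placeholder_pem("CERTIFICATE"),
    "server_key": placeholder_pem("PRIVATE KEY"),
    "device_root_cert": placeholder_pem("CERTIFICATE"),
}
SAMPLE_PCA_WITH_OCSP = dict(SAMPLE_OK, cert_source="PCA", x509_device_auth=False,
                            ocsp="Server-side OCSP validation")
SAMPLE_SWAPPED_KEY = dict(SAMPLE_OK, server_key=placeholder_pem("CERTIFICATE"))

if __name__ == "__main__":
    for name, cfg in [("ok", SAMPLE_OK), ("pca+ocsp", SAMPLE_PCA_WITH_OCSP),
                      ("swapped key", SAMPLE_SWAPPED_KEY)]:
        print(name, check_gateway_config(cfg) or "consistent")
```

The check deliberately stops at the PEM framing: it catches the common mistakes (a certificate pasted into the private key field, a DER file, an empty field, PCA selected with OCSP on) without parsing X.509, which the console does itself.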

  6. In the cloud gateway list, view the cloud gateway details: name, ID, gateway URL, status, and associated product.

    Important

    Your devices' access domain for connecting to the IoT Platform must be replaced with this gateway URL. You can directly configure the gateway URL as the new access domain, or configure a CNAME record to resolve your access domain to this gateway URL.

Results

When you create a cloud gateway, IoT Platform automatically creates and associates a corresponding product. The product name is formatted as cloud gateway+${Cloud Gateway Instance ID}. You can view the new product on the Products page under Device Management.

Click View in the Actions column for the product. On the Product Details page, you can view the product information. The default configuration is shown in the following figure.

The default product settings are as follows: Node type is directly connected device, Category is Custom Category, Data format is Passthrough/Custom, Data validation level is Weak, Authentication method is Device Secret (Third-party), Dynamic registration is Disabled, and Status is In Development.

After you create a cloud gateway, find it in the cloud gateway list and click Edit in the Actions column to modify the gateway's name, certificate information, and FC authentication function.

Updating certificates requires restarting the device connection layer service. This process disconnects and then reconnects all online devices in the instance. Before clicking Confirm, ensure this action will not affect your business.

Next steps

  • After creating a cloud gateway that uses third-party authentication, IoT Platform automatically creates a device when it connects for the first time. The device name is the value of the telemetryAddress request parameter from the FC authentication function. The device is then authenticated and connected.

  • For a cloud gateway that uses one-way authentication, you must create a device in IoT Platform by importing its authentication information. For more information, see Add devices in batches.

FC authentication function and parameters

  • Request parameters

    {
      "telemetryAddress":"",
      "passWord":"",
      "protocol":"sl651",
      "action":"auth"
    }
  • Response parameters

    {
      "result":"true",
      "message":""
    }
  • Parameter description

    Request parameters:

    • telemetryAddress (String): The address of the telemetry station.

    • passWord (String): The password.

    • protocol (String): The protocol that the telemetry station uses to connect to IoT Platform. The value is fixed to sl651.

    • action (String): The value is fixed to auth, which indicates an authentication request for a device logon.

    Response parameters:

    • result (String): Indicates whether the device successfully logged on to IoT Platform. Valid values: true (the logon is successful) and false (the logon failed).

    • message (String): The error message that is returned if the logon fails.
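The following is an added example of a third-party authentication function that consumes the request parameters and produces the response parameters documented above; it is not Alibaba Cloud code and not the function the console creates for you. It assumes the Function Compute Python runtime convention of a `handler(event, context)` entry point that receives the raw request body, but the verification logic in `authenticate` does not depend on that. The station credentials, the `make_store` helper and the `STATION_STORE` name are constructed for the example; a real function would read a hashed credential store from a secret manager or database.

```python
import hashlib
import hmac
import json
import os

# Added example, not Alibaba Cloud code: an FC authentication function for the
# SL 651 cloud gateway. Request: telemetryAddress, passWord, protocol, action.
# Response: result ("true"/"false" as strings) and message.

_PBKDF2_ROUNDS = 100_000
# Used for unknown addresses so the work done is the same as for a known one.
_DUMMY_ENTRY = (b"\x00" * 16, b"\x00" * 32)


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)


def make_store(plain_credentials):
    """Provisioning side: build {address: (salt, digest)} from {address: password}.

    Storing a salted hash means a leaked store does not reveal station passwords.
    """
    store = {}
    for address, password in plain_credentials.items():
        salt = os.urandom(16)
        store[address] = (salt, _digest(password, salt))
    return store


# Constructed credential store for the example.
STATION_STORE = make_store({"0012345678": "constructed-secret-1"})


def authenticate(request, store=STATION_STORE):
    """Validate an auth request dict and return the response dict."""
    if request.get("protocol") != "sl651" or request.get("action") != "auth":
        return {"result": "false", "message": "unsupported protocol or action"}
    address = request.get("telemetryAddress")
    password = request.get("passWord")
    if not isinstance(address, str) or not address or not isinstance(password, str):
        return {"result": "false", "message": "telemetryAddress and passWord are required"}
    salt, expected = store.get(address, _DUMMY_ENTRY)
    # Constant-time comparison; one message for unknown address and wrong
    # password so the response does not reveal which addresses exist.
    ok = hmac.compare_digest(_digest(password, salt), expected) and address in store
    if not ok:
        return {"result": "false", "message": "authentication failed"}
    return {"result": "true", "message": ""}


def handler(event, context):
    """Function Compute entry point (assumed convention): event is the raw JSON body."""
    try:
        request = json.loads(event)
    except (TypeError, ValueError):
        return json.dumps({"result": "false", "message": "request body is not JSON"})
    if not isinstance(request, dict):
        return json.dumps({"result": "false", "message": "request body must be a JSON object"})
    return json.dumps(authenticate(request))


if __name__ == "__main__":
    body = b'{"telemetryAddress":"0012345678","passWord":"constructed-secret-1","protocol":"sl651","action":"auth"}'
    print(handler(body, None))
```

Because IoT Platform names the automatically created device after the telemetryAddress in the request (see Next steps), the function treats an empty or non-string address as a failure rather than passing it through.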