Connect Your Device Factory to ThingPark Activation
As a Device Manufacturer, onboarding device personalization records onto the ThingPark Activation platform requires three preliminary steps:
- Transport layer configuration between the Device Manufacturer server and the ThingPark Activation platform.
- Embedding the ThingPark Activation ownership token (ownerToken) into the device distribution scheme, so that it reaches the System Integrator/Subscriber out-of-band.
- Meeting the security requirements for supported Application Servers, in particular for end-to-end encryption.
Transport level
Device Manufacturers can push personalization records onto ThingPark Activation from their factory servers. These servers need not be on the factory premises, but they must have access to the factory personalization records of the devices, such as the DevEUI or the AppKey.
Because those records include key material, a secure transport must be established between the manufacturer servers and ThingPark Activation.
Firewall settings:
- Open outbound TCP port 443
- Allow the domain names api-eu.thingpark.com and activation.thingpark.com
A VPN can be set up on demand per project.
Plain HTTPS is also supported, with the following parameters:
- TLS 1.1 or TLS 1.2 (TLS 1.1 is deprecated by RFC 8996; configure the client for TLS 1.2 wherever it supports it)
- PSK (TLS pre-shared key)
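The firewall and TLS parameters above are easy to get wrong on a factory server that also talks to other systems, so a client-side preflight that refuses anything outside them is worth having. The following Go program is an added example written for this page, not Actility code: it validates an endpoint URL against the two allowed hosts and TCP/443, and builds an HTTP client whose TLS minimum is pinned at 1.2 (the page also accepts TLS 1.1, but this client never offers it). The allowlist mirrors the firewall rule as a guard in the client; it does not replace the rule. PSK cipher suites are not shown because Go's crypto/tls does not offer them.

```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Outbound destinations the factory firewall allows, as listed on this page.
var allowedHosts = map[string]bool{
	"api-eu.thingpark.com":     true,
	"activation.thingpark.com": true,
}

// CheckEndpoint rejects any URL the factory server must not call: plain http,
// a host outside the allowlist, or a port other than 443.
func CheckEndpoint(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed, only https", u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if !allowedHosts[host] {
		return fmt.Errorf("host %q is not an allowed ThingPark Activation endpoint", host)
	}
	if p := u.Port(); p != "" && p != "443" {
		return fmt.Errorf("port %s not allowed, only TCP/443 is open", p)
	}
	return nil
}

// NewTLSConfig pins the minimum protocol version to TLS 1.2 (TLS 1.1 is deprecated
// by RFC 8996). Certificate verification stays on, which is Go's default; never set
// InsecureSkipVerify on this connection, it carries device keys.
func NewTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// NewClient returns an HTTP client that only dials allowlisted hosts on port 443,
// over TLS 1.2 or later, with timeouts so a blocked egress fails fast.
func NewClient() *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second}
	transport := &http.Transport{
		TLSClientConfig: NewTLSConfig(),
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			if !allowedHosts[strings.ToLower(host)] || port != "443" {
				return nil, fmt.Errorf("refusing to dial %s: outside the factory egress policy", addr)
			}
			return dialer.DialContext(ctx, network, addr)
		},
	}
	return &http.Client{Transport: transport, Timeout: 30 * time.Second}
}

func main() {
	// Constructed URLs for a dry run; only the first one passes the preflight.
	for _, ep := range []string{
		"https://api-eu.thingpark.com/",
		"http://api-eu.thingpark.com/",
		"https://evil.example.com/",
		"https://activation.thingpark.com:8443/",
	} {
		fmt.Printf("%-42s -> %v\n", ep, CheckEndpoint(ep))
	}
}
```

Run the preflight once from the actual factory server before the first import: a DNS or egress problem then shows up as a clear error rather than as a hung upload of personalization records.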
Embed Token in QR-code
As described in the ThingPark Activation pre-commissioning overview, when device records are imported into ThingPark Activation an ownerToken is issued to track the ownership of each device. This token must then be transported to the final end-user of the device out-of-band.
One out-of-band process is to embed the hexadecimal ownerToken into a QR-code, along with device-specific information such as the DevEUI. Embedding this information into a graphical item manufactured with the device allows a simplified and automated onboarding process. Anyone who can read the QR-code can present the ownerToken, so it must travel with the device to its end-user and must never carry key material such as the AppKey.
The Device Manufacturer has two possibilities to generate the ownerToken/QR-code:
- Offline generation (pre-computed before manufacturing)
- Online (live) generation during manufacturing
Offline QR-code generation
With Secure Element integration
Requirement: a non-secured database holding the pre-computed QR-codes (it contains no key material).
Constraint: the QR-code must be retrieved from the database and matched to the device on the manufacturing line.
When a Secure Element is used, no key needs to be handled by the Device Manufacturer.
- All TKM_INFOs are retrieved from the SE Manufacturer before the Secure Element is soldered onto the board.
- Each TKM_INFO is associated with a pre-defined DevEUI and AppEUI, so that the ThingPark Activation calls can be made before manufacturing and the ownerTokens retrieved.
- The QR-codes are generated and stored in a database reachable from the manufacturing line.
- During manufacturing, each device is powered on for tests and its DevEUI is read from the device.
- The matching QR-code is retrieved and printed on the device (or in the device documentation).
Without Secure Element integration
Requirement: a secured AppKey database.
Constraint: the AppKey database must be reachable from the manufacturing line and connected to the ThingPark Activation APIs.
If no Secure Element is used, the AppKey must be generated and handled by the Device Manufacturer: it must come from a cryptographically secure random generator and be stored encrypted, separately from the QR-code data.
- Each AppKey is associated with a pre-defined DevEUI and AppEUI, so that the ThingPark Activation calls can be made before manufacturing and the ownerTokens retrieved.
- The QR-codes are generated and stored together with the AppKeys in the secured database reachable from the manufacturing line.
- During manufacturing, each device is powered on for tests and its DevEUI is read from the device.
- The matching AppKey is injected into the device.
- The matching QR-code is retrieved and printed on the device (or in the device documentation).
Live QR-code generation
With Secure Element integration
Requirement: a live QR-code printer on the manufacturing line (no database required).
Constraint: the ThingPark Activation APIs must be called during production.
When a Secure Element is used, no key needs to be handled by the Device Manufacturer.
- During manufacturing, each device is powered on for tests and its DevEUI and TKM_INFO are read from the device.
- The ThingPark Activation call is made during manufacturing and the ownerToken is retrieved.
- A QR-code is generated and printed on the manufacturing line and affixed directly to the device (or its documentation).
Without Secure Element integration
Requirement: random AppKey generation on the manufacturing line (no database required).
Constraint: the ThingPark Activation APIs must be called during production.
If no Secure Element is used, the AppKey must be generated and handled by the Device Manufacturer.
- During manufacturing, each device is powered on for tests and its DevEUI is read from the device.
- The AppKey is generated randomly (or retrieved from a secured database) and injected into the device.
- The ThingPark Activation call is made during manufacturing and the ownerToken is retrieved.
- A QR-code is generated and printed on the manufacturing line and affixed directly to the device (or its documentation).
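The QR-code section and the four procedures above share the same moving parts: a payload that carries identifiers plus the ownerToken, a pre-computed record store matched on the line (offline flows), and an on-the-spot activation call with fresh key generation (live flow without Secure Element). The Go program below is an added example written for this page, not Actility code. Two things in it are assumptions: the `KEY:VALUE;` layout of the QR payload (ThingPark does not prescribe a format here) and the `Activation` interface standing in for the ThingPark Activation import call, whose real shape is in the pre-commissioning documentation; `fakeActivation` is a constructed stand-in so the example runs offline. The security points it enforces are that the QR payload type has no field for the AppKey, that a pre-computed QR-code can be matched to a DevEUI only once, and that the live flow draws the AppKey from the OS CSPRNG.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

var hex16 = regexp.MustCompile(`^[0-9A-F]{16}$`)

// QRPayload is what gets printed on the device. It deliberately has no AppKey
// field: the QR-code is readable by anyone handling the device. The KEY:VALUE;
// layout is an assumption for this example, not a ThingPark format.
type QRPayload struct{ DevEUI, AppEUI, OwnerToken string }

func (p QRPayload) Encode() string {
	return fmt.Sprintf("DEVEUI:%s;APPEUI:%s;OWNERTOKEN:%s", p.DevEUI, p.AppEUI, p.OwnerToken)
}

// ParseQRPayload is the consumer side (onboarding app); it rejects malformed identifiers.
func ParseQRPayload(s string) (QRPayload, error) {
	var p QRPayload
	for _, kv := range strings.Split(s, ";") {
		k, v, ok := strings.Cut(kv, ":")
		if !ok {
			return p, fmt.Errorf("malformed field %q", kv)
		}
		switch k {
		case "DEVEUI":
			p.DevEUI = v
		case "APPEUI":
			p.AppEUI = v
		case "OWNERTOKEN":
			p.OwnerToken = v
		default:
			return p, fmt.Errorf("unknown field %q", k)
		}
	}
	if !hex16.MatchString(p.DevEUI) || !hex16.MatchString(p.AppEUI) || p.OwnerToken == "" {
		return p, errors.New("invalid identifiers in QR payload")
	}
	return p, nil
}

// Activation stands in for the ThingPark Activation call that returns an ownerToken
// per (DevEUI, AppEUI) whose TKM_INFO or AppKey is already registered. Assumed shape.
type Activation interface {
	IssueOwnerToken(devEUI, appEUI string) (string, error)
}

// LineDB is the non-secured database of the offline flows: DevEUI -> QR payload,
// plus a printed flag so one QR-code can never be matched to two devices.
type LineDB struct{ payloads map[string]string; printed map[string]bool }

// Precompute runs before manufacturing and fills the line database.
func Precompute(pairs [][2]string, act Activation) (*LineDB, error) {
	db := &LineDB{payloads: map[string]string{}, printed: map[string]bool{}}
	for _, pr := range pairs {
		devEUI, appEUI := strings.ToUpper(pr[0]), strings.ToUpper(pr[1])
		tok, err := act.IssueOwnerToken(devEUI, appEUI)
		if err != nil {
			return nil, err
		}
		db.payloads[devEUI] = QRPayload{devEUI, appEUI, tok}.Encode()
	}
	return db, nil
}

// MatchOnLine is the manufacturing step: the DevEUI read from the powered-on device
// selects the QR-code to print, exactly once.
func (db *LineDB) MatchOnLine(devEUIFromDevice string) (string, error) {
	devEUI := strings.ToUpper(devEUIFromDevice)
	pl, ok := db.payloads[devEUI]
	if !ok {
		return "", fmt.Errorf("DevEUI %s has no precomputed record", devEUI)
	}
	if db.printed[devEUI] {
		return "", fmt.Errorf("QR-code for %s already printed", devEUI)
	}
	db.printed[devEUI] = true
	return pl, nil
}

// LiveProvision is the online flow without Secure Element: a fresh 128-bit AppKey
// from the OS CSPRNG to inject into the device, an immediate activation call, and a
// QR payload that carries the ownerToken but never the key.
func LiveProvision(devEUIFromDevice, appEUI string, act Activation) (appKeyHex, qr string, err error) {
	devEUI, appEUI := strings.ToUpper(devEUIFromDevice), strings.ToUpper(appEUI)
	key := make([]byte, 16)
	if _, err = rand.Read(key); err != nil {
		return "", "", err
	}
	tok, err := act.IssueOwnerToken(devEUI, appEUI)
	if err != nil {
		return "", "", err
	}
	return strings.ToUpper(hex.EncodeToString(key)), QRPayload{devEUI, appEUI, tok}.Encode(), nil
}

// fakeActivation is a constructed stand-in: a deterministic hex token derived from
// the identifiers, so the example runs without network access.
type fakeActivation struct{}

func (fakeActivation) IssueOwnerToken(devEUI, appEUI string) (string, error) {
	h := sha256.Sum256([]byte(devEUI + appEUI))
	return strings.ToUpper(hex.EncodeToString(h[:16])), nil
}

func main() {
	act := fakeActivation{}
	db, _ := Precompute([][2]string{{"70B3D57ED0000001", "70B3D57ED0000000"}}, act) // constructed EUIs
	fmt.Println(db.MatchOnLine("70b3d57ed0000001")) // DevEUI as read from the device under test
	key, qr, _ := LiveProvision("70B3D57ED0000003", "70B3D57ED0000000", act)
	fmt.Println("inject AppKey", key, "| print", qr)
}
```

Rendering the payload string as an image is a one-liner with any QR library; the part that matters for security is what goes into the string and the once-only matching on the line.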
Application Server requirements
If the Device Manufacturer is also the Application Provider, note that its Application Servers must implement the Actility HSM security requirements for end-to-end data encryption:
- ASTK provisioning and storage in the Subscriber account of the Application Server.
- Reception of the encrypted AppSKey and its decryption using the AS key.
- Secure storage of the decrypted AppSKey for each subscriber.
- Decryption of uplink data using the AppSKey.
- Encryption of downlink data using the AppSKey before sending it to the Network Server.
All implementation details, including test vectors, are available in the LRC-AS Tunnel Interface Developer Guide.
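The last two requirements are the standard LoRaWAN 1.0.x FRMPayload encryption (specification section 4.3.3.1): a keystream of AES-128 blocks S_i = AES(AppSKey, A_i) is XORed with the payload, where A_i encodes the direction, the DevAddr and the 32-bit frame counter. The Go program below is an added example written for this page, not Actility code; the AppSKey unwrap with the AS key is specified in the LRC-AS Tunnel Interface Developer Guide and is not reproduced, so the block takes an already-decrypted AppSKey, and the key, DevAddr and counters in `main` are constructed throwaway values. Two points a practitioner wants in view: the frame counter must be the full 32-bit value (the radio header carries only its low 16 bits), and this is confidentiality only, since in LoRaWAN 1.0 the MIC is computed with the NwkSKey by the Network Server.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	DirUplink   byte = 0
	DirDownlink byte = 1
)

// aBlock builds the LoRaWAN 1.0.x A_i block that seeds keystream block i:
// 0x01 | 4 x 0x00 | Dir | DevAddr (little-endian) | FCnt (little-endian, 32-bit) | 0x00 | i.
func aBlock(dir byte, devAddr, fcnt uint32, i byte) [16]byte {
	var a [16]byte
	a[0] = 0x01
	a[5] = dir
	binary.LittleEndian.PutUint32(a[6:10], devAddr)
	binary.LittleEndian.PutUint32(a[10:14], fcnt)
	a[15] = i
	return a
}

// cryptFRMPayload XORs the payload with S_i = AES128(AppSKey, A_i). The same
// operation decrypts an uplink and encrypts a downlink; only Dir differs.
// fcnt must be the full 32-bit counter tracked by the server.
func cryptFRMPayload(appSKey []byte, dir byte, devAddr, fcnt uint32, payload []byte) ([]byte, error) {
	if len(appSKey) != 16 {
		return nil, errors.New("AppSKey must be 16 bytes")
	}
	block, err := aes.NewCipher(appSKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(payload))
	var s [16]byte
	for off := 0; off < len(payload); off += 16 {
		a := aBlock(dir, devAddr, fcnt, byte(off/16+1)) // i runs from 1
		block.Encrypt(s[:], a[:])
		for j := 0; j < 16 && off+j < len(payload); j++ {
			out[off+j] = payload[off+j] ^ s[j]
		}
	}
	return out, nil
}

// DecryptUplink recovers application data from the FRMPayload of an uplink.
func DecryptUplink(appSKey []byte, devAddr, fcnt uint32, frmPayload []byte) ([]byte, error) {
	return cryptFRMPayload(appSKey, DirUplink, devAddr, fcnt, frmPayload)
}

// EncryptDownlink produces the FRMPayload to hand to the Network Server.
func EncryptDownlink(appSKey []byte, devAddr, fcnt uint32, plaintext []byte) ([]byte, error) {
	return cryptFRMPayload(appSKey, DirDownlink, devAddr, fcnt, plaintext)
}

func main() {
	// Constructed values for a dry run: a throwaway AppSKey, DevAddr and counter.
	appSKey := []byte{0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6, 0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C}
	devAddr := uint32(0x26011BDA)
	ct, _ := EncryptDownlink(appSKey, devAddr, 7, []byte("set-interval=60"))
	pt, _ := cryptFRMPayload(appSKey, DirDownlink, devAddr, 7, ct)
	fmt.Printf("downlink FRMPayload %x -> %q\n", ct, pt)
}
```

Validate an implementation like this against the test vectors in the LRC-AS Tunnel Interface Developer Guide before going live: a wrong byte order in DevAddr or FCnt still round-trips against itself but produces garbage against a real device.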