This repository has been archived by the owner on Sep 23, 2021. It is now read-only.

Certificate Provisioning #9

Open
hectorerb opened this issue Jun 2, 2017 · 0 comments

hectorerb commented Jun 2, 2017

Hi, @ajsb85.

I will introduce X509 certificates for application level authentication and authorization.

When using HiveMQ as your MQTT broker, you can also use X509 client certificates for application-level authentication and authorization. While the client is permitted to establish a (secure) connection, you may want to use the client certificate for additional application logic. You can e.g. perform authorization based on the X509 certificate.

Reference: http://www.hivemq.com/blog/mqtt-security-fundamentals-x509-client-certificate-authentication

Instantiation of the agent

After a session token is acquired, the agent must create itself in the platform.

POST http://api.domain.com/PluginFlyvemdmAgent?session_token=83af7e620c83a50a18d3eac2f6ed05a3ca0bea62
Content-Type: application/json
Payload

{"input":
  {
    "_email": "[email protected]",
    "_invitation_token": "lkhjfkgsdf546634s",
    "_serial": "0123456ATDJ-045",
    "csr": "",
    "firstname": "my first name",
    "lastname": "my lastname",
    "version": "0.99.0"
  }
}

Note: csr is a certificate signing request; it is not fully implemented for now.

Answer if the enrollment fails: a JSON array is returned
400 Bad Request

[
  "ERROR_GLPI_ADD",
  "wrong email address"
]

The first string is a software error code.
The second string is an error message displayable to the user.

Answer if the enrollment succeeds

200 OK

{
  "id": "17"
}

id is the ID of the agent in the database. It is needed for the next request.

Get agent's initial settings (only if enrollment succeeded)

GET http://api.domain.com/PluginFlyvemdmAgent/17?session_token=83af7e620c83a50a18d3eac2f6ed05a3ca0bea62
Content-Type: application/json

Answer if the request succeeds
200 OK

{
  "id": 65,
  "name": "[email protected]",
  "version": "1.0.0",
  "computers_id": 65,
  "wipe": 0,
  "lock": 0,
  "enroll_status": "enrolled",
  "entities_id": 76,
  "plugin_flyvemdm_fleets_id": 103,
  "last_report": null,
  "last_contact": null,
  "certificate": "",
  "topic": "/76/agent/AZERTY",
  "mqttpasswd": "YTQUJagG7iBas45thrbwDxtzaQxZIhp4g",
  "broker": "demo.flyve.org",
  "port": 8883,
  "tls": 1,
  "android_bugcollecctor_url": "",
  "android_bugcollector_login": "",
  "android_bugcollector_passwd": "",
  "links": [
    {
      "rel": "Computer",
      "href": "https://demo.flyve.org/glpi/apirest.php/Computer/65"
    },
    {
      "rel": "Entity",
      "href": "https://demo.flyve.org/glpi/apirest.php/Entity/76"
    },
    {
      "rel": "PluginFlyvemdmFleet",
      "href": "https://demo.flyve.org/glpi/apirest.php/PluginFlyvemdmFleet/103"
    }
  ]
}

Note: the property certificate in the JSON payload is the certificate delivered to the agent if the client certificate feature is enabled.

Reference: https://github.com/flyve-mdm/flyve-mdm-glpi-plugin/issues/42

Regards.
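
An added example (not part of the original issue or of the Flyve MDM code) showing how a client could handle the two enrollment answers described above and check the initial settings before it connects to the broker. The function names, the finding strings and the rule that the topic starts with entities_id are assumptions of this example; the sample settings are a constructed subset of the answer quoted in the issue.

```python
import json
import ssl

class EnrollmentError(Exception):
    """The 400 answer: [software_error_code, user_displayable_message]."""
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code, self.message = code, message

def parse_enrollment(status, body):
    """Return the agent id from a 200 answer; raise on the 400 error array."""
    data = json.loads(body)
    if status == 200 and isinstance(data, dict) and "id" in data:
        return int(data["id"])  # the issue shows the id as a string ("17")
    if isinstance(data, list) and len(data) == 2 and all(isinstance(x, str) for x in data):
        raise EnrollmentError(data[0], data[1])
    raise ValueError(f"unexpected enrollment answer (HTTP {status})")

def review_settings(settings):
    """List problems in the initial settings before the agent opens its MQTT session."""
    findings = []
    if settings.get("tls") != 1:
        findings.append("tls is not 1: broker connection would not be encrypted")
    cert = (settings.get("certificate") or "").strip()
    if not cert:
        findings.append("certificate empty: no client certificate was delivered")
    else:
        try:  # shape check only (PEM armor + base64), not chain validation
            ssl.PEM_cert_to_DER_cert(cert)
        except ValueError:
            findings.append("certificate is not PEM encoded")
    # Assumption drawn from the sample answer: topic starts with the entity id.
    root = str(settings.get("topic", "")).strip("/").split("/")[0]
    if root != str(settings.get("entities_id")):
        findings.append("topic is not rooted at entities_id")
    return findings

# Constructed sample: a subset of the settings answer quoted in the issue.
SAMPLE_SETTINGS = {"id": 65, "entities_id": 76, "certificate": "",
                   "topic": "/76/agent/AZERTY", "broker": "demo.flyve.org",
                   "port": 8883, "tls": 1}

if __name__ == "__main__":
    print(parse_enrollment(200, '{"id": "17"}'))
    print(review_settings(SAMPLE_SETTINGS))
```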

@hectorerb hectorerb added this to the v1.0.0 milestone Jun 2, 2017
@hectorerb hectorerb self-assigned this Jun 2, 2017
@ajsb85 ajsb85 modified the milestone: 1.0.0 Aug 25, 2017
@ajsb85 ajsb85 changed the title Using X509 certificates for application level authentication and authorization Certificates for application level authentication and authorization Aug 25, 2017
@ajsb85 ajsb85 changed the title Certificates for application level authentication and authorization Certificate Provisioning Oct 5, 2017
@ajsb85 ajsb85 modified the milestone: 1.0 Dec 10, 2018