Connecting

Asset Tracker Template

tags
Asset Tracker Template

Connecting a device to nRF Cloud involves three steps:

  • Claiming - Registering the device with your nRF Cloud account using the device's unique attestation token. This is an action performed in the nRF Cloud portal (or over the REST API).
  • Provisioning - Securely installing cloud access credentials onto the device. After claiming, the nRF Provisioning Service delivers these credentials to the device over a DTLS-protected CoAP channel, and the firmware writes them into the modem's secure storage.
  • Cloud connection - Establishing a secure CoAP connection from the device to nRF Cloud using the provisioned credentials.

The Asset Tracker Template firmware performs provisioning and cloud connection automatically once the device has been claimed. This page describes how to perform the required user actions (claiming) and how to trigger and reset the flow during development.

What happens during provisioning The Asset Tracker Template uses the nRF Device provisioning library to handle device provisioning automatically. The library provisions the root CA certificate for the provisioning service to the modem during boot if it is not already present. During provisioning, the following steps occur:
  1. Secure Connection: The library establishes a secure DTLS connection to the nRF Cloud CoAP Provisioning Service. The device verifies the server's identity using the root CA certificate.
  2. Device Authentication: The device authenticates itself using a JSON Web Token (JWT) signed with the modem's factory-provisioned Device Identity private key. This key is securely stored in the modem hardware and cannot be extracted.
  3. Command Retrieval: After successful authentication, the device requests provisioning commands from the server. These commands typically include cloud access credentials and configuration settings.
  4. Modem Configuration: To write the received credentials and settings, the library performs the following:
    - Suspends the DTLS session (to maintain the connection state).
    - Temporarily sets the modem offline.
    - Writes the credentials to the modem's secure storage.
  5. Result Reporting: After executing the commands, the library resumes or re-establishes the DTLS connection (if needed), authenticates again with JWT, and reports the results back to the server. Successfully executed commands are removed from the server-side queue.
  6. Validation: The device uses the newly provisioned credentials to connect to nRF Cloud CoAP services.

The modem must be offline during credential writing because it cannot be connected to the network while data is being written to its secure storage. Therefore, it is normal for LTE to disconnect and reconnect multiple times during provisioning.

The attestation token is different from the JWT - it is used during the initial device claiming process to prove device authenticity to nRF Cloud, not during the provisioning protocol itself.

For more details on the provisioning library, see the nRF Cloud device provisioning documentation.