Predix Cloud Identity Management Service

The Predix Cloud Identity Management Service allows you to enroll a Predix Machine device using certificate enrollment, which transparently uses OAuth2 access tokens to send data to protected endpoints.

Device Enrollment

A Predix Edge-enabled device initially has no identity associated with the Predix cloud. Similarly, the Predix cloud has no knowledge of the device. The Predix cloud Identity Management service allows you to create an identity on the cloud and associate it with the device using Predix cloud credentials. No device-specific credentials are needed. The sequence of steps for this flow is shown below:
Figure 1. Device Enrollment Process

Enrollment Prerequisites

Solutions that consume Predix Edge may need to satisfy the following prerequisites, because manufacturing processes obtain these values in various ways and none of them is standard.
  • Predix Edge defines the ICertificateEnrollParameters service interface, which supplies the values required for automatic enrollment.
  • The solution must implement an OSGi service that implements the ICertificateEnrollParameters interface. A default implementation is provided that pulls these values from environment variables or an INI file.
    public interface ICertificateEnrollParameters
    {
        /**
         * @return String - the serial number of the device
         */
        public String getSerialNumber();
        /**
         * @return String - the URL of the Edge Manager server
         */
        public String getEdgeManagerURL();
        /**
         * @return String - the shared secret required for enrollment
         */
        public String getSharedSecret();
    }
  • Before provisioning the device to the cloud, the following settings must be provided or generated:
    • The solution must provide an external application to call the Edge Manager API for adding a device.
    • An operator must generate a client_id and client_secret with the correct scopes for this application so that the application can access the Edge Manager APIs.
    • Along with other attribute values, the application must provide the serial number and shared secret implemented by the interface in the call to Edge Manager.
      Note: To view all attribute values for the /addDevice API, see https://www.predix.io/api.
    • The application must have a way to obtain this shared secret.

      It can either pull the shared secret from the device, or generate the secret and push it to the device before enrollment. Because these processes vary by solution, the way to perform this step is left open.
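The following is an added example of a solution-provided ICertificateEnrollParameters implementation, not code from Predix Edge itself; it reads the three values from environment variables and registers itself as an OSGi service. The environment variable names, the class and package names, and the assumption that the interface lives in com.ge.dspmicro.device.api (the package named in the Import-Package line) are all assumptions of this example.

```java
package com.example.enroll; // hypothetical package for this added example

import java.util.Hashtable;
import org.osgi.framework.BundleActivator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;
// Assumed location of the interface, based on the bundle's Import-Package line.
import com.ge.dspmicro.device.api.ICertificateEnrollParameters;

/** Supplies enrollment parameters from environment variables (variable names are assumptions). */
public class EnvCertificateEnrollParameters implements ICertificateEnrollParameters, BundleActivator {

    private ServiceRegistration<ICertificateEnrollParameters> registration;

    /** Reads a required variable and fails fast; the message names the variable, never its value. */
    static String required(String name) {
        String value = System.getenv(name);
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalStateException("Missing enrollment setting: " + name);
        }
        return value.trim();
    }

    @Override
    public String getSerialNumber() {
        return required("DEVICE_SERIAL_NUMBER");
    }

    @Override
    public String getEdgeManagerURL() {
        String url = required("EDGE_MANAGER_URL");
        // The shared secret is sent to this endpoint during enrollment, so refuse a plaintext URL.
        if (!url.startsWith("https://")) {
            throw new IllegalStateException("EDGE_MANAGER_URL must use https");
        }
        return url;
    }

    @Override
    public String getSharedSecret() {
        // Handed only to the enrollment service; never log or print this value.
        return required("DEVICE_SHARED_SECRET");
    }

    @Override
    public void start(BundleContext context) {
        registration = context.registerService(ICertificateEnrollParameters.class, this, new Hashtable<>());
    }

    @Override
    public void stop(BundleContext context) {
        if (registration != null) registration.unregister();
    }
}
```

The bundle manifest must name this class in its Bundle-Activator header and import org.osgi.framework in addition to the com.ge.dspmicro.device.api import shown below.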

Consumer Configuration

A Maven dependency and an OSGi import are required to consume the certificate-based device authentication and enrollment service if your solution uses its own implementation of the ICertificateEnrollParameters interface.
Note: If you are using the default implementation of the ICertificateEnrollParameters interface, the following dependency and import are not required.
  • The following Maven dependency is required to consume the service:
    <dependency>
        <groupId>com.ge.dspmicro</groupId>
        <artifactId>device-api</artifactId>
        <version>{Predix Machine version}</version>
    </dependency>
  • The following OSGi import is required to consume the bundle:
    Import-Package: com.ge.dspmicro.device.api;version="[1.0,2)"