If you enable dynamic registration in the IoT Platform console, you can authenticate a directly connected device by using the unique-certificate-per-product method, which allows the device to connect to IoT Platform over MQTT. The device establishes a TLS connection with IoT Platform to obtain the DeviceSecret that is required for an MQTT connection. Then, the device ends the TLS connection and establishes the MQTT connection for communication. This article describes the dynamic registration process.

Prerequisites

The following steps, which are specified in the Unique-certificate-per-product authentication article, have been performed:
  1. Create a product.
  2. Enable dynamic registration.
  3. Add a device.
  4. Burn the device certificate to the device.
Notice The preregistration-free unique-certificate-per-product authentication method is available only in the China (Shanghai) region.

Dynamic registration process

Process
  1. The device sends a CONNECT message that includes dynamic registration parameters to establish a connection.
    Note Dynamic registration supports only TLS-based connections. It does not support direct TCP connections. During dynamic registration, IoT Platform does not verify the keep-alive time of the MQTT connection. Therefore, you do not need to set the keep-alive time.
    • MQTT endpoint:

      ${YourProductKey}.iot-as-mqtt.${YourRegionId}.aliyuncs.com:1883

      • ${YourRegionId}: Replace this variable with the ID of the region where your IoT Platform device resides. For more information about region IDs, see Regions and zones.
        Note If you authenticate a directly connected device by using the preregistration-free unique-certificate-per-product method, replace ${YourRegionId} with cn-shanghai.
    • Dynamic registration parameters of the CONNECT message:

      If you use the pre-registration unique-certificate-per-product authentication method, specify the following parameters:

      mqttClientId: clientId+"|securemode=2,authType=xxxx,random=xxxx,signmethod=xxxx|"
      mqttUserName: deviceName+"&"+productKey
      mqttPassword: sign_hmac(productSecret,content) 

      Parameters

      • mqttClientId

        The following table describes the parameters that are included in the mqttClientId parameter.

        | Parameter | Description |
        | --- | --- |
        | clientId | The ID of the client. The client ID must be 1 to 64 characters in length. We recommend that you use the MAC address or serial number (SN) of the device as the client ID. |
        | securemode | The mode of security. Valid values: |
        | authType | The authentication method. Different parameters are returned based on authentication methods. Valid values: |
        | random | The random number. You can specify a random number. |
        | signMethod | The signature algorithm. Valid values: hmacmd5, hmacsha1, and hmacsha256. |
      • mqttUserName

        Format: deviceName+"&"+productKey

        Example: device1&al123456789

      • mqttPassword

        Calculation method: sign_hmac(productSecret,content)

        The value of the content parameter is a concatenated string of the parameters and their values that must be submitted to IoT Platform. These parameters include deviceName, productKey, and random. The parameters are sorted in alphabetical order by name, and each parameter name and its value are concatenated without separators. Then, an HMAC signature of the content value is computed with the algorithm that is specified by signMethod in the mqttClientId parameter. The ProductSecret of the product is used as the secret key of the algorithm.

        Example: hmac_sha1(h1nQFYPZS0mW****, deviceNamedevice1productKeyal123456789random123)

  2. IoT Platform returns a CONNECT ACK message.
    • The value 0 indicates that the dynamic registration is successful.
    • Other values indicate that the dynamic registration fails. You must identify the cause based on the error code that is returned in the ACK message.

    The following table describes the response codes that may be returned after the device sends a connection request to IoT Platform.

    | Response code | Message | Description |
    | --- | --- | --- |
    | 0 | CONNECTION_ACCEPTED | The dynamic registration is successful. |
    | 2 | IDENTIFIER_REJECTED | The parameters are invalid. This error may occur due to one of the following causes: (1) One or more required parameters are not specified or are in invalid formats. (2) You have established a direct TCP connection for registration. Dynamic registration supports only TLS-based connections. |
    | 3 | SERVER_UNAVAILABLE | An error has occurred in IoT Platform. Try again later. |
    | 4 | BAD_USERNAME_OR_PASSWORD | The dynamic registration failed. The device is not authenticated. Check whether the values of the mqttUserName and mqttPassword input parameters are valid. |

  3. After the connection is established, IoT Platform returns the authentication parameters on the topic that is used to push device certificates. The authentication parameters vary based on the authType parameter in the CONNECT message.
    Note The device does not need to subscribe to the topic that is used to push the certificate.
    • If you use the pre-registration unique-certificate-per-product method, set the authType parameter to register. In this case, the /ext/register topic is used to return a DeviceSecret.

      The message payload that is pushed by IoT Platform is in the following format:

      {
        "productKey" : "***",
        "deviceName" : "***",
        "deviceSecret" : "***"
      }
    • If you use the preregistration-free unique-certificate-per-product method, set the authType parameter to regnwl. In this case, the /ext/regnwl topic is used to return a ClientID and a DeviceToken.

      The message payload that is pushed by IoT Platform is in the following format:

      {
        "productKey" : "***",
        "deviceName" : "***",
        "clientId" : "***",
        "deviceToken" : "***"
      }
  4. The device receives and saves the DeviceSecret or a combination of the ClientID and DeviceToken, and ends the current MQTT connection.

    The device can end the current connection by sending a DISCONNECT message or directly ending the TCP connection.

    If the device does not end the connection, IoT Platform disconnects the device after 15 seconds.

    If you are using the Eclipse Paho MQTT client, call the MqttConnectOptions.setAutomaticReconnect(false) method to disable automatic reconnection. Otherwise, after the registration succeeds and the TCP connection is ended, the reconnection logic of the client sends a new dynamic registration request.

  5. The device uses the DeviceSecret or a combination of the ClientID and DeviceToken to re-initiate a request to establish an MQTT connection between the device and IoT Platform for message communication. For more information, see Establish MQTT connections over TCP.
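
The following added example (not part of the original article and not Alibaba Cloud SDK code) builds the three CONNECT fields from step 1 and validates the payload pushed in step 3 before the device stores it in step 4. The function names, the hex encoding of the HMAC output, and the use of a CSPRNG for random are assumptions of this example; the page does not specify them.

```python
import hashlib
import hmac
import json
import secrets

# signMethod values listed on the page, mapped to hashlib digests.
DIGESTS = {"hmacmd5": hashlib.md5, "hmacsha1": hashlib.sha1, "hmacsha256": hashlib.sha256}
# Topic -> fields the page says each pushed payload carries.
REPLY_FIELDS = {
    "/ext/register": ("productKey", "deviceName", "deviceSecret"),
    "/ext/regnwl": ("productKey", "deviceName", "clientId", "deviceToken"),
}


def build_connect_params(product_key, product_secret, device_name, client_id,
                         auth_type="register", sign_method="hmacsha256", random_value=None):
    """Return the clientId, username and password of the registration CONNECT."""
    if not 1 <= len(client_id) <= 64:
        raise ValueError("clientId must be 1 to 64 characters")
    if sign_method not in DIGESTS:
        raise ValueError("unsupported signMethod: " + sign_method)
    if random_value is None:
        random_value = secrets.token_hex(8)  # fresh per attempt (this example's choice)
    fields = {"deviceName": device_name, "productKey": product_key, "random": random_value}
    # Sort by parameter name, then join name+value pairs with no separator.
    content = "".join(name + fields[name] for name in sorted(fields))
    # Assumption: the digest is sent hex-encoded; the page does not state the encoding.
    password = hmac.new(product_secret.encode(), content.encode(),
                        DIGESTS[sign_method]).hexdigest()
    return {
        "mqttClientId": f"{client_id}|securemode=2,authType={auth_type},"
                        f"random={random_value},signmethod={sign_method}|",
        "mqttUserName": f"{device_name}&{product_key}",
        "mqttPassword": password,
        "content": content,  # returned for inspection only, never sent
    }


def parse_registration_reply(topic, payload, expected_device, expected_product):
    """Validate the pushed credentials before they are written to device storage."""
    if topic not in REPLY_FIELDS:
        raise ValueError("unexpected topic: " + topic)
    reply = json.loads(payload)
    missing = [k for k in REPLY_FIELDS[topic] if not reply.get(k)]
    if missing:
        raise ValueError("reply is missing " + ", ".join(missing))
    if (reply["deviceName"], reply["productKey"]) != (expected_device, expected_product):
        raise ValueError("reply is for a different device")
    return reply
```

Because the ProductSecret is shared by every device of the product, keep it and the returned DeviceSecret or DeviceToken out of logs, and send the CONNECT only over the TLS connection that dynamic registration requires.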