If a device is directly connected to IoT Platform, you can dynamically register the device by using the MQTT protocol. You can use the unique-certificate-per-product authentication method to connect the device with IoT Platform. The device establishes a Transport Layer Security (TLS) connection with IoT Platform to obtain the information that is required for a TCP connection. Then, the device ends the TLS connection and establishes the TCP connection for communication. This article describes the dynamic registration process.

Prerequisites

The following steps, which are described in the Unique-certificate-per-product authentication topic, have been completed:
  1. Create a product.
  2. Enable dynamic registration.
  3. Add a device.
  4. Burn the device certificate to the device.

Dynamic registration process

Process
  1. The device sends a CONNECT message that includes dynamic registration parameters to establish a connection.
    Note: Dynamic registration supports only TLS-based connections. It does not support direct TCP connections. During dynamic registration, IoT Platform does not verify the keep-alive time of the MQTT connection. Therefore, you do not need to set the keep-alive time.
    • MQTT endpoint:
      • The endpoint of a public instance is ${YourProductKey}.iot-as-mqtt.${YourRegionId}.aliyuncs.com:1883.
        • Replace the ${YourRegionId} variable with your region ID. For more information about region IDs, see Regions and zones.
    • Dynamic registration parameters of the CONNECT message:
      • If the device belongs to an Enterprise Edition instance and uses the preregistration-free Unique-certificate-per-product authentication method, the dynamic registration parameters in the following example are used:
        mqttClientId: clientId+"|securemode=-2,authType=xxxx,random=xxxx,signmethod=xxxx,instanceId=xxxx|"
        mqttUserName: deviceName+"&"+productKey
        mqttPassword: sign_hmac(productSecret,content) 
      • If the device belongs to a public instance and uses the pre-registration Unique-certificate-per-product authentication method, the dynamic registration parameters in the following example are used:
        mqttClientId: clientId+"|securemode=2,authType=xxxx,random=xxxx,signmethod=xxxx|"
        mqttUserName: deviceName+"&"+productKey
        mqttPassword: sign_hmac(productSecret,content) 

      Parameters:

      • mqttClientId

        The following table describes the parameters that are included in the mqttClientId parameter.

        Parameter | Description
        clientId | The ID of the client. The client ID must be 1 to 64 characters in length. We recommend that you use the MAC address or serial number (SN) of the device as the client ID.
        securemode | The mode of security. Valid values:
        authType | The authentication method. Different parameters are returned based on the authentication method. Valid values:
        • register: the pre-registration unique-certificate-per-product authentication method. For more information, see Unique-certificate-per-product authentication. If you set the parameter to this value, DeviceSecret is returned.
        • regnwl: the preregistration-free unique-certificate-per-product authentication method. For more information, see Unique-certificate-per-product authentication. If you set the parameter to this value, DeviceToken and ClientID are returned.
        random | The random number. You can specify a random number.
        signMethod | The signature algorithm. Valid values: hmacmd5, hmacsha1, and hmacsha256.
        instanceId | The ID of the instance. You can log on to the IoT Platform console and view the instance ID on the Instance Overview page.
      • mqttUserName

        Format: deviceName+"&"+productKey

        Example: device1&al123456789

      • mqttPassword

        Calculation method: sign_hmac(productSecret,content)

        The value of the content parameter is a concatenated string of the parameters and their values that must be submitted to IoT Platform. These parameters are deviceName, productKey, and random. The parameters are sorted in alphabetical order and concatenated as name-value pairs without any separators. The value of the content parameter is then signed (not encrypted) with the HMAC algorithm that is specified by signMethod in the mqttClientId parameter. The ProductSecret of the product is used as the secret key of the algorithm.

        Example: hmac_sha1(h1nQFYPZS0mW****, deviceNamedevice1productKeyal123456789random123)

  2. IoT Platform returns a CONNECT ACK message.

    If 0 is returned, the connection is established and the dynamic registration is successful.

    If the connection fails, you must identify the cause based on the error code that is returned in the ACK message.

    The following table describes the response codes that may be returned after the device sends a connection request to IoT Platform.

    Response code | Message | Description
    0 | CONNECTION_ACCEPTED | The dynamic registration is successful.
    2 | IDENTIFIER_REJECTED | One or more parameters are invalid. This error may occur due to one of the following causes:
    • One or more required parameters are not specified or are in invalid formats.
    • You have established a direct TCP connection for registration. Dynamic registration supports only TLS-based connections.
    3 | SERVER_UNAVAILABLE | An error has occurred in IoT Platform. Try again later.
    4 | BAD_USERNAME_OR_PASSWORD | Dynamic registration has failed. The device is not authenticated. Check whether the values of the mqttUserName and mqttPassword input parameters are valid.

  3. After the connection is established, IoT Platform uses the /ext/register topic to return different authentication parameters based on the authType parameter in the CONNECT message.
    Note: The device does not need to subscribe to the topic that is used to push the certificate.
    • If you set the authType parameter to register, DeviceSecret is returned.

      The message payload that is pushed by IoT Platform is in the following format:

      {
        "productKey" : "xxx",
        "deviceName" : "xxx",
        "deviceSecret" : "xxx"
      }
    • If you set the authType parameter to regnwl, ClientID and DeviceToken are returned.

      The message payload that is pushed by IoT Platform is in the following format:

      {
        "productKey" : "xxx",
        "deviceName" : "xxx",
        "clientId" : "xxx",
        "deviceToken" : "xxx"
      }
  4. The device receives and saves the DeviceSecret or a combination of ClientID and DeviceToken, and ends the current MQTT connection.

    The device can end the current connection by sending a DISCONNECT message or directly ending the TCP connection.

    If the device does not end the connection, IoT Platform disconnects the device after 15 seconds.

    If you are using the Eclipse Paho MQTT client, call MqttConnectOptions.setAutomaticReconnect(false) to disable automatic reconnection. Otherwise, after the registration succeeds and the TCP connection is ended, the reconnection logic generates a new dynamic registration request.

  5. The device uses the DeviceSecret or a combination of ClientID and DeviceToken to re-initiate a request to establish an MQTT connection between the device and IoT Platform for message communication. For more information, see Establish MQTT connections over TCP.
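
The following sketch covers steps 1 and 3 of the process above: it builds the three CONNECT fields and checks the /ext/register payload before anything is stored. It is an added example, not code from IoT Platform or its SDKs; the function names are hypothetical, and hex encoding of the HMAC digest is an assumption because this page does not state the encoding.

```python
import hashlib
import hmac
import json
import secrets

# signMethod values listed on the page, mapped to hashlib digests.
DIGESTS = {"hmacmd5": hashlib.md5, "hmacsha1": hashlib.sha1, "hmacsha256": hashlib.sha256}
# authType -> (securemode used in the page's templates, fields returned on /ext/register)
AUTH_TYPES = {"register": ("2", {"deviceSecret"}),
              "regnwl": ("-2", {"clientId", "deviceToken"})}


def build_connect(product_key, product_secret, device_name, client_id,
                  auth_type="register", sign_method="hmacsha256",
                  instance_id=None, random=None):
    """Return (mqttClientId, mqttUserName, mqttPassword) for dynamic registration."""
    if not 1 <= len(client_id) <= 64:
        raise ValueError("clientId must be 1 to 64 characters")
    securemode, _ = AUTH_TYPES[auth_type]
    # A fresh value per attempt unless the caller supplies one.
    random = str(random if random is not None else secrets.randbelow(10**9))
    # Names sorted alphabetically, concatenated as name+value with no separators.
    fields = {"deviceName": device_name, "productKey": product_key, "random": random}
    content = "".join(name + fields[name] for name in sorted(fields))
    # Assumption: the digest is sent hex-encoded.
    password = hmac.new(product_secret.encode(), content.encode(),
                        DIGESTS[sign_method]).hexdigest()
    params = (f"securemode={securemode},authType={auth_type},"
              f"random={random},signmethod={sign_method}")
    if instance_id:
        params += f",instanceId={instance_id}"
    return f"{client_id}|{params}|", f"{device_name}&{product_key}", password


def parse_register_reply(payload, product_key, device_name, auth_type):
    """Validate the /ext/register payload and return only the credential fields."""
    msg = json.loads(payload)
    if (msg.get("productKey"), msg.get("deviceName")) != (product_key, device_name):
        raise ValueError("reply is for a different device")
    wanted = AUTH_TYPES[auth_type][1]
    missing = sorted(name for name in wanted if not msg.get(name))
    if missing:
        raise ValueError(f"reply lacks {missing}")
    return {name: msg[name] for name in wanted}
```

Pass the returned tuple to the MQTT client over TLS, and persist the dictionary from parse_register_reply only after it returns without raising.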