If you are in a production environment, make sure to have the following ports open:
- 5223 - TCP port used by devices to communicate to APNs servers
- 2195 - TCP port used to send notifications to APNs
- 2196 - TCP port used by the APNs feedback service
- 443 - TCP port used as a fallback on Wi-Fi, only when devices are unable to communicate to APNs on port 5223
The APNs servers use load balancing. The devices will not always connect to the same public IP address for notifications. The entire 17.0.0.0/8 address block is assigned to Apple, so it is best to allow this range in the firewall settings.
- 10397 - Thrift client and server ports
- 8280, 8243 - NIO/PT transport ports
WSO2 IoT Server is configured with localhost by default, as the product ships with SSO enabled. However, when configuring WSO2 IoT Server for iOS, you need to make it IP- or hostname-based instead of localhost so that the iOS agent can communicate with the server. Follow the steps given below to configure the IP or hostname in WSO2 IoT Server.
Configuring the IP using the script
This section provides a script that automatically configures the IP address and creates the required SSL certificates for the IP or hostname. This method is recommended because manually configuring the IP address involves many steps, and missing any one of them will cause errors.
If you want to configure the steps manually, see Configuring the IP or hostname manually and if you want to change the default ports, see Changing the Default Ports.
- Navigate to the <IOTS_HOME>/scripts directory and run the change-ip script.
  Tip: The script will find and replace the IP address given as argument1 (localhost) with the IP address given as argument2 (10.10.10.14) in the necessary configuration files.
  Change the current IP address of the IoT Server core, broker, and analytics profiles.
  Enter the values for the IoT Server core SSL certificate.
- Navigate to the <IOTS_HOME>/ios-configurator directory. You will not have this directory if you did not follow the steps given in Installing iOS Features.
  To configure WSO2 IoT Server with the IP, run the ios.sh script with the IP addresses as arguments. This part of the script creates a key pair, generates a signature, and signs the key using the signature. Next, you will be prompted for an IP address.
  The script will find and replace the IP address given as argument1 (localhost) with the IP address given as argument2 (10.10.10.14) in the necessary configuration files.
      ./ios.sh
Configuring the IP manually
This section provides detailed steps on how to configure the IP address manually (as an alternative to using the script given above).
Configure WSO2 IoT Server with the IP:
Open the <IOTS_HOME>/conf/carbon.xml file and configure the <HostName> and <MgtHostName> attributes with the {IoT_SERVER_HOSTNAME}.
    <HostName>{IoT_SERVER_IP/HOSTNAME}</HostName>
    <MgtHostName>{IoT_SERVER_IP/HOSTNAME}</MgtHostName>
Open the <IOTS_HOME>/conf/identity/sso-idp-config.xml file, and find and replace localhost with the <IoT_SERVER_IP/HOSTNAME>.
Open the <IOTS_HOME>/conf/api-manager.xml file and configure the <DASServerURL> attribute by replacing localhost with the IoT Server IP or hostname.
    <DASServerURL>{tcp://<IoT_SERVER_IP/HOSTNAME>:7613}</DASServerURL>
Open the <IOTS_HOME>/conf/etc/webapp-publisher-config.xml file, and set true as the value for <EnabledUpdateApi>.
    <!-- If it is true, the APIs of this instance will be updated when the webapps are redeployed -->
    <EnabledUpdateApi>true</EnabledUpdateApi>
If you have not started WSO2 IoT Server previously, you don't need this configuration. When the server starts for the first time, it will update the APIs and web apps with the new server IP.
Make sure to set this property back to false if you need to restart the server again after configuring the IP.
By enabling the update API property, the APIs and the respective web apps get updated when the server restarts. This takes some time. Therefore, if you need to restart the server many times after this configuration, or when in a production environment, you need to revert to the default setting.
Open the <IOT_HOME>/repository/deployment/server/jaggeryapps/api-store/site/conf/site.json file, and configure the identityProviderURL attribute by replacing localhost with the IoT Server IP or hostname.
    "identityProviderURL" : "https://<IoT_SERVER_IP/HOSTNAME>:9443/samlsso",
Open the <IOT_HOME>/wso2/analytics/repository/deployment/server/jaggeryapps/portal/configs/designer.json file, and configure the identityProviderURL, acs, and host attributes by replacing localhost with the IoT Server IP or hostname and the respective profile's port.
    "identityProviderURL": "https://<IoT_SERVER_IP/HOSTNAME>:9443/samlsso",
    "acs": "https://<IoT_SERVER_IP/HOSTNAME>:9445/portal/acs",
    "host": {"hostname": "<IoT_SERVER_IP/HOSTNAME>", "port": "", "protocol": ""},
The default ports of the WSO2 IoT Server profiles are as follows:
- WSO2 IoT Server core profile: 9443
- WSO2 IoT Server analytics profile: 9445
- WSO2 IoT Server broker profile: 9446
Therefore, the analytics portal needs to be assigned the 9445 port.
Open the <IOTS_HOME>/bin/iot-server.sh file and configure the following properties by replacing localhost with the <IoT_SERVER_IP/HOSTNAME>. If you are running on Windows, you need to configure the iot-server.bat file.
    -Diot.analytics.host="<IoT_SERVER_IP/HOSTNAME>" \
    -Diot.manager.host="<IoT_SERVER_IP/HOSTNAME>" \
    -Dmqtt.broker.host="<IoT_SERVER_IP/HOSTNAME>" \
    -Diot.core.host="<IoT_SERVER_IP/HOSTNAME>" \
    -Diot.keymanager.host="<IoT_SERVER_IP/HOSTNAME>" \
    -Diot.gateway.host="<IoT_SERVER_IP/HOSTNAME>" \
    -Diot.apimpublisher.host="<IoT_SERVER_IP/HOSTNAME>" \
    -Diot.apimstore.host="<IoT_SERVER_IP/HOSTNAME>" \
Open the <IOTS_HOME>/wso2/analytics/bin/wso2.server.sh file and configure the following properties by replacing localhost with the <IoT_SERVER_IP/HOSTNAME>. If you are running on Windows, you need to configure the wso2server.bat file.
    -Dmqtt.broker.host="<IoT_SERVER_IP/HOSTNAME>" \
    -Diot.keymanager.host="<IoT_SERVER_IP/HOSTNAME>" \
    -Diot.gateway.host="<IoT_SERVER_IP/HOSTNAME>" \
Open the <IOTS_HOME>/wso2/broker/conf/broker.xml file and configure the following properties by replacing localhost with the <IoT_SERVER_IP/HOSTNAME>:
    <authenticator class="org.wso2.carbon.andes.authentication.andes.OAuth2BasedMQTTAuthenticator">
        <property name="hostURL">https://<IoT_SERVER_IP/HOSTNAME>:9443/services/OAuth2TokenValidationService</property>
        <property name="username">admin</property>
        <property name="password">admin</property>
        <property name="maxConnectionsPerHost">10</property>
        <property name="maxTotalConnections">150</property>
    </authenticator>
    <authorizer class="org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.DeviceAccessBasedMQTTAuthorizer">
        <property name="username">admin</property>
        <property name="password">admin</property>
        <property name="tokenEndpoint">https://<IoT_SERVER_IP/HOSTNAME>:8243</property>
        <!-- offset time from expiry time to trigger refresh call - seconds -->
        <property name="tokenRefreshTimeOffset">100</property>
        <property name="deviceMgtServerUrl">https://<IoT_SERVER_IP/HOSTNAME>:8243</property>
    </authorizer>
Optionally, if you are using the WSO2 Android auto-enrollment feature, you need to replace all the localhost references with the IP or hostname in the following files, which are in the <IOTS_HOME>/repository/deployment/server/synapse-configs/default/api directory:
- admin--Android-Mutual-SSL-Event-Receiver.xml
- admin--Android-Mutual-SSL-Device-Management.xml
- admin--Android-Mutual-SSL-Configuration-Management.xml
If you are using the hostname instead of the IP, open the <IOTS_HOME>/repository/deployment/server/jaggeryapps/devicemgt/app/conf/config.json file and configure the host property.
    "generalConfig": { "host": "<ENTER_THE_HOSTNAME>",
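The localhost replacement that the steps above apply by hand to each file can be scripted and checked. The following POSIX shell helper is an added example, not part of the WSO2 IoT Server documentation or its change-ip script; the function names, the HOSTCHARS class and the sample lines in the comments are assumptions. It replaces only whole localhost host tokens, then verifies that none remain and that no partial replacement left residue of the form <host>t:.

```shell
#!/bin/sh
# Added example (not WSO2 code): swap the host token "localhost" for a new
# IP/hostname in one configuration file and verify the result.
# Only whole tokens are touched (<HostName>localhost</HostName>, "localhost",
# //localhost:9443), so "localhostname" stays as it is, and a partial
# replacement cannot leave residue such as "<host>t:7613".
# sed -i is avoided because its syntax differs between GNU and BSD sed.

# Characters that may appear inside a host token (assumed).
HOSTCHARS='A-Za-z0-9._-'

replace_host() {
    # $1 = file to edit, $2 = new host (assumed plain IPv4 address or DNS name)
    file=$1
    new=$2
    case $new in
        ''|*[!A-Za-z0-9.-]*)
            echo "replace_host: invalid host '$new'" >&2; return 1 ;;
    esac
    tmp="$file.tmp.$$"
    # The first expression runs twice: sed does not re-scan the boundary
    # character it consumed, so "localhost localhost" needs a second pass.
    sed -e "s|\([^$HOSTCHARS]\)localhost\([^$HOSTCHARS]\)|\1$new\2|g" \
        -e "s|\([^$HOSTCHARS]\)localhost\([^$HOSTCHARS]\)|\1$new\2|g" \
        -e "s|^localhost\([^$HOSTCHARS]\)|$new\1|" \
        -e "s|\([^$HOSTCHARS]\)localhost\$|\1$new|" \
        -e "s|^localhost\$|$new|" "$file" > "$tmp" && mv "$tmp" "$file"
}

check_host_replaced() {
    # $1 = file, $2 = new host. Returns 0 when no localhost token remains and
    # no "<host>t:" residue is present, 1 otherwise.
    if grep -q "${2}t:" "$1"; then
        echo "check_host_replaced: residue '${2}t:' in $1" >&2
        return 1
    fi
    if grep -Eq "(^|[^$HOSTCHARS])localhost([^$HOSTCHARS]|\$)" "$1"; then
        echo "check_host_replaced: localhost still present in $1" >&2
        return 1
    fi
    return 0
}
```

Run replace_host once per file listed in the steps above, then check_host_replaced on each, and keep the .bak-free originals under version control or a backup so a bad replacement can be reverted.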
Run the following commands so that the self-signed certificate refers to the IP you just configured instead of localhost. This step is required if your devices access WSO2 IoT Server from outside the server.
Navigate to the <IOTS_HOME>/repository/resources/security directory and run the following commands to create the client-truststore.jks and wso2carbon.jks files with the new IP or hostname.
    keytool -delete -alias wso2carbon -keystore wso2carbon.jks
    keytool -genkey -alias wso2carbon -keyalg RSA -keysize 2048 -keystore wso2carbon.jks -dname "CN=<IOT_SERVER_IP/HOSTNAME>, OU=Home,O=Home,L=SL,S=WS,C=LK" -storepass wso2carbon -keypass wso2carbon
    keytool -delete -alias wso2carbon -keystore client-truststore.jks
    keytool -export -alias wso2carbon -keystore wso2carbon.jks -file wso2carbon.pem
    keytool -import -alias wso2carbon -file wso2carbon.pem -keystore client-truststore.jks -storepass wso2carbon
Update the Identity Provider (IDP) with the new certificate:
Export the wso2carbon.pem certificate, which is in the binary DER format, to the ASCII PEM format.
    openssl x509 -inform DER -outform PEM -in wso2carbon.pem -out server.crt
Open the server.crt file you just generated and copy the content that is between the BEGIN CERTIFICATE and END CERTIFICATE lines. Make sure to remove the new lines that are in the certificate; otherwise, the JWT validation fails.
Open the <IOTS_HOME>/conf/identity/identity-providers/iot_default.xml file and replace the content that is under the <Certificate> property with the content you just copied.
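Copying the certificate body by hand is where stray line breaks creep in. The following POSIX shell helper is an added example, not part of the WSO2 IoT Server documentation; the function name is an assumption, and it expects the server.crt produced by the openssl command above. It extracts the base64 body as one line, ready to paste into the <Certificate> element, and refuses input that is not a single PEM certificate.

```shell
#!/bin/sh
# Added example (not WSO2 code): produce the single-line base64 body that the
# <Certificate> element in iot_default.xml expects. The BEGIN/END lines are
# dropped and every line break (including CR from Windows-edited files) is
# removed, since line breaks in that element make the JWT validation fail.

pem_body_one_line() {
    # $1 = PEM file, e.g. the server.crt written by
    #      openssl x509 -inform DER -outform PEM -in wso2carbon.pem -out server.crt
    # Prints the body on one line; returns 1 unless the file holds exactly one
    # certificate block whose body is base64.
    file=$1
    begin=$(grep -c '^-----BEGIN CERTIFICATE-----' "$file" || true)
    end=$(grep -c '^-----END CERTIFICATE-----' "$file" || true)
    if [ "$begin" != 1 ] || [ "$end" != 1 ]; then
        echo "pem_body_one_line: expected exactly one certificate in $file" >&2
        return 1
    fi
    # Keep only the lines inside the BEGIN/END block (openssl -text output may
    # precede it), drop the markers, then join the body into one line.
    body=$(sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$file" \
        | sed '/^-----/d' | tr -d '\r\n')
    case $body in
        ''|*[!A-Za-z0-9+/=]*)
            echo "pem_body_one_line: body is not base64" >&2
            return 1 ;;
    esac
    printf '%s\n' "$body"
}
```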
Copy the client-truststore.jks and wso2carbon.jks files that you created in step 14.a to the following locations. Make sure to only copy the files; don't remove them from the <IOTS_HOME>/repository/resources/security directory.
- <IOTS_HOME>/wso2/broker/repository/resources/security
- <IOTS_HOME>/wso2/analytics/repository/resources/security
Once you are done with the above steps, restart or start the message broker, IoT Server core, and the analytics profiles in the given order. For more information, see Starting the Server.
Update the following parameters in the ios-config.xml file, which is in the <IoT_HOME>/conf directory:
Enter the server IP or the server domain name for the following parameters:
- iOSEnrollURL
- iOSProfileURL
- iOSCheckinURL
- iOSServerURL
- TokenURL
For example:
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <iOSEMMConfigurations>
        <!-- iOS MDM endpoint urls -->
        <iOSEnrollURL>https://10.10.10.253:8243/api/ios/v1.0/scep</iOSEnrollURL>
        <iOSProfileURL>https://10.10.10.253:8243/api/ios/v1.0/profile</iOSProfileURL>
        <iOSCheckinURL>https://10.10.10.253:8243/api/ios/v1.0/checkin</iOSCheckinURL>
        <iOSServerURL>https://10.10.10.253:8243/api/ios/v1.0/server</iOSServerURL>
    </iOSEMMConfigurations>
Open the <IoTS_HOME>/conf/iot-api-config.xml file and replace localhost with your IP or hostname.
For example:
    <ServerConfiguration>
        <!-- IoT server host name, this is referred from APIM gateway to call to IoT server for certificate validation -->
        <Hostname>https://10.10.10.253:9443/</Hostname>
        <!-- End point to verify the certificate -->
        <VerificationEndpoint>https://10.10.10.253:9443/api/certificate-mgt/v1.0/admin/certificates/verify/</VerificationEndpoint>
        <!-- Admin username/password - this is to use for oauth token generation -->
        <Username>admin</Username>
        <Password>admin</Password>
        <!-- Dynamic client registration endpoint -->
        <DynamicClientRegistrationEndpoint>https://10.10.10.253:9443/dynamic-client-web/register</DynamicClientRegistrationEndpoint>
        <!-- Oauth token endpoint -->
        <OauthTokenEndpoint>https://10.10.10.253:9443/oauth2/token</OauthTokenEndpoint>
        <APIS>
            <ContextPath>/services</ContextPath>
        </APIS>
    </ServerConfiguration>
What's next?
Next, follow the instructions in the Configuring WSO2 IoT Server to Install iOS Applications topic.