Integrating your devices into a KeyScaler workflow is made simple with the use of our Python SDK. This article will walk through your first steps with our Dynamic Device Key Generator (DDKG), using the Python SDK to Register your device, check-in with KeyScaler, and receive a certificate as defined in a KeyScaler Certificate Policy.
Time to complete: 45 Minutes
Technical level: Low - You'll need to run some Python scripts, but no prior technical expertise required
DDKG Overview
The Dynamic Device Key Generator is our proprietary technology that provides a method to securely identify an IoT device. Using a challenge-response mechanism between the device and KeyScaler, the dynamic key is generated using a complex combination of device hardware attributes to ensure the device is authentic. For a deep-dive into our DDKG technology, click here.
The core library used by DDKG is cryptographically tied to a single secure KeyScaler environment. However, if you're using a KeyScaler-as-a-Service (KSaaS) Trial environment, the community DDKG library can be used for testing purposes. This is linked at the bottom of this article.
For this guide, you will need:
- An active KeyScaler environment and Admin account
- You can sign up for a free, fully-featured 30-day Trial here
- A suitable IoT device with Python3 installed
- This can be any device running a Windows or Linux-based OS
- DDKG built for your KeyScaler tenant
- OR - For a KSaaS Trial, the Community DDKG - Linked at the bottom of this article
- The DDKG Python SDK - Linked at the bottom of this article
KeyScaler Registration Record
Before any device can authenticate with KeyScaler, there needs to be a registration record available for it. Typically these are created automatically using the REST APIs, or by bulk-uploading a CSV file, but in this guide, we'll manually create a single record.
In your KeyScaler Control Panel, click the "Manage Devices" menu, and then "Provision New Device":
On the Registration Controls page, we can define what constraints to place on this particular device registration. This is a first-layer of defense against cloned devices - with some configuration, these constraints can include attributes as specific as CPU serial numbers, to ensure your device-base remains 100% genuine.
In this example, we'll create an open record, leaving all options as default and un-selected. We do need to specify an Authorization Identifier - we'll use "IoTDevice01":
Navigate to the "Manage Devices" menu again, then "Manage Pending Registrations", and you should see the new Registration Record waiting to be consumed.
Device Configuration
Now that we have a Registration Record waiting for us, we can use DDKG to authenticate and register with KeyScaler:
- Download and Install DDKG
- Download and configure the Python SDK
- Execute the register.py script
Download DDKG
If you're using a live environment, your Device Authority contact will have provided your uniquely-keyed DDKG.
If using a KSaaS Trial, download the attached Community DDKG library files, and install the appropriate version for your OS and architecture:
The KSaaSCommDDKG.zip includes the Windows and Linux-Intel DDKG Libraries.
The installation process varies by platform, but will result in the DDKG library being installed in your OS program files. We'll use the path to this library in the next step.
Python SDK
Download the Python-Samples package from the link at the bottom of this article, and in your favorite text editor, open config.py:
# The hostname of your KSaaS tenant - [TENANTNAME].sac.keyscaler.io
ks_host = "ksaasdemo.sac.keyscaler.io"
# set the authorization ID - this should match the registration control record
auth_id = "IoTDevice01"
# DDKG Location
ddkg_path = r"C:\Program Files\DeviceAuthority\ksaasdemo73008501\Dynamic Device Key Plugin\npUDADDK-ksaasdemo73008501.dll"
# location of the log file
log_file = r"C:\Users\da\Desktop\ddkg.out"
# log level
# CRITICAL = 50, ERROR = 40, WARNING = 30, INFO = 20, DEBUG = 10, NOTSET = 0
log_level = 30
# KeyScaler connection details
ks_protocol = "https"
ks_port = 443
# enable/disable TLS certificate checks (not recommended to disable in production)
verify_tls = False
# time to sleep between processing
process_sleep = 10
The values we need to update here are:
- ks_host - should use your own secure KSaaS tenant name as a prefix to ".sac.keyscaler.io"
- auth_id - this needs to match the Registration record we created earlier
- ddkg_path - should be set to the location where you installed the DDKG library
Save the file, and the Python scripts are ready to execute. Open a terminal prompt and navigate to the Python script directory, and run the registration script - reg_auth\register.py:
C:\Users\da\Downloads>cd ddkg-samples\python
C:\Users\da\Downloads\ddkg-samples\python>python reg_auth\register.py
[INFO] Loading DDKG library at filepath 'C:\Program Files\ddkg\DeviceAuthority\ksaasdemo73008501\Dynamic Device Key Plugin\npUDADDK-ksaasdemo73008501.dll'
[INFO] Checking to see if we need to register...
[INFO] Device is not registered - attempting registration
[INFO] Registration Challenge: ...
[INFO] Registration Key: ...
[INFO] Sending registration request:
...
[INFO] Successfully registered!
[INFO] DONE!
You'll now see that the device registration record has disappeared from the Control Panel interface, and instead, the device is displayed in the "Manage Devices" page. This device can now check-in with KeyScaler using the auth.py Python script, and have appropriate certificate policies applied to it.