Offline authentication with extended time using clientDeviceTrustDurationMinutes is not working


Hi, I have a Greengrass core that gets disconnected from the internet for periods of 10-20 min, which can happen multiple times per day, and the same happens with the client devices. Here is the experiment I did, which didn't work as expected. I set the security->clientDeviceTrustDurationMinutes variable to 10 minutes, deployed the new config for the Client Device Auth component, and made sure the deployment was successful. Then I turned off the internet on the Core only (the client device can access the internet); the device is now connected to the Core via ethernet, and the IPDetector detected the static IP of the Core device. I started the connection right away from the client device to the Core and it worked fine for 5 min (sending msgs and processing them at the core). Then the device disconnected from the MQTT connection established with the core (disconnect_future = mqtt_connection.disconnect()) and tried to reconnect to the core's MQTT via Python SDK 2, but I keep getting "Connection failed with exception AWS_IO_TLS_ERROR_NEGOTIATION_FAILURE: TLS (SSL) negotiation failed". How can I keep connecting/disconnecting to the core in this 10 min duration with successful offline authentication?

Here is a sample of my Client Device Auth:

Thanks

  • Hi, assuming that your configuration was set correctly and that your client device was connected to the core device at least once before the core device disconnected from the internet, the core device will be able to cache the client device credentials for the duration set in the config.

    If the client device connection was last active 5 minutes before the core device disconnection, the core device will have the device credentials in the cache after disconnection for 5 more minutes only, i.e. the cache duration is calculated from the time when the client device's last operation to the core was made while the core was online.

    To rule out some of the assumptions here, please share the Greengrass log file and config.tlog file.

  • Thanks a lot. It is now working. However, once the MQTT connection is established, it can keep sending msgs to the core even after the client device cred. should be expired, i.e. if clientDeviceTrustDurationMinutes is set to 10 min, the client device can keep sending msgs to the core for 20 min; the initial connection started with no internet. Is this normal? If not, how to make sure that the max. allowed duration for sending msgs is <= clientDeviceTrustDurationMinutes?

  • Can you share the Greengrass logs to investigate further? You can also open a support ticket if you prefer that.

Shiko
asked 7 months ago, 149 views
No Answers
