
IoTLab

Internet of Things architecture including an embedded application in sky motes, a gateway, and a web application in JEE


Welcome to the IoTLab project page.

This project is the outcome of one school project and three internships at INRIA Nancy - Grand Est in France. The architecture is composed of an embedded application in sky motes and a gateway in charge of relaying collected data to the server application. The steps to set up the server for our application are described below. As we did, you might find it useful to add HTTPS or a proxy on the server side. These optional steps are described at the end of the page.


To clone the repository :

$ cd your_folder/
$ git clone https://github.com/AnthonyDeroche/iotlab.git

Directories of the repository

Install Java EE platform with Glassfish 4

Our application requires Java EE 7, which is why you need JDK 7 (or above).
Glassfish 4 with the Java EE 7 environment can be downloaded at this link : Glassfish 4. Once you have unzipped the glassfish folder, you can start the server by running :

./bin/asadmin start-domain

If the server is working, you should be able to reach the administration page at http://localhost:4848/, and the default page at http://localhost:8080/.

You should change the admin password by entering this command :

./bin/asadmin --user admin change-admin-password

If the server is on a remote machine, you may need to enable remote access :

./asadmin enable-secure-admin
./asadmin restart-domain

Deploy our application

We use MySQL as DBMS. So if you don't have MySQL installed, open a terminal and enter the following command :

sudo apt-get install mysql-server

To manage the database, we advise you to use phpmyadmin :

sudo apt-get install apache2 php5 mysql-server phpmyadmin

The next step is to configure Glassfish to connect to the MySQL database. In our project, we use a connection pool named BoneCP. We advise you to create a specific user and database. That can be done with phpmyadmin. We provide a resource file that can be imported directly into Glassfish via the administration interface or from the command line. This file is located in server/lib/bonecp-datasource.xml. You have to change these lines to match your own user, password and database name.

<property name="jdbcUrl" value="jdbc:mysql://localhost:3306/iotlab"/>
<property name="user" value="admin"/>
<property name="password" value="admin"/>

To import the file, copy it into the bin folder of your Glassfish installation, then enter the following command from that folder :

./asadmin add-resources bonecp-datasource.xml

The next step is to provide Glassfish with the libraries used by the application. Copy all jar files from the server/lib/ folder to glassfish4/glassfish/domains/domain1/lib/ext/.

You now need to import our tables into your database. For that, I recommend phpmyadmin, but the MySQL command line also works fine if you are familiar with it. Our SQL file is located at server/sql/iotlab.sql.

By now, the server should be ready to deploy our application. You need to import the war file which is located in your git repository at server/bin/iotlab.war. This can be done via the administration interface or by entering the following command (in the bin folder) :

./asadmin deploy path_to/iotlab.war

Everything should now be working. The application can be reached at http://localhost:8080/iotlab/

Set up a certificate with HTTPS in Glassfish

In this section, I assume you already have a certificate (.crt), either signed by an authority or self-signed, and a private key (.key).

You can instead use a proxy such as Apache to handle the secured traffic and skip this part, which is honestly a bit tricky and tedious. In that case, scroll down directly to the configuration of a proxy.

It's strongly advised to change your master password, because it's used to read the key store managed by Glassfish. The default password is changeit.

./asadmin change-master-password

First of all, you need to convert those files to a PKCS#12 (PFX) key store and specify an alias. This alias will be used by Glassfish. You will be asked to enter an export password.

openssl pkcs12 -export -out certificate.p12 -inkey server.key -in server.crt -certfile CACert.pem -name myAlias

In this example, CACert.pem is the name of the root certificate that was returned by the certificate authority.

The second step is to add the PKCS#12 key store to the existing key store in Glassfish located in glassfish4/glassfish/domains/domain1/config/.

keytool -v -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -srcalias myAlias -destkeystore keystore.jks -deststoretype JKS -destalias myAlias

You can check the content of the keystore by entering the following command :

keytool -list -keystore keystore.jks

In Glassfish, the default HTTP listener configured to use TLS is http-listener-2 and the default port is 8181. In the admin interface, browse to Configurations/server-config/HTTP Service/Http Listeners/http-listener-2/ and open the SSL tab. The Certificate NickName must be the alias you chose in your JKS file.

You just need to restart the domain and you should be done.

./asadmin restart-domain

Check it at https://localhost:8181/

Finally, on the computer where the gateway runs, you may need to add the certificate as a trusted certificate, especially if it is self-signed. You need to convert it to a PEM file first. Once this is configured, the gateway can connect to the server using TLS and Java no longer reports an error about an unknown or untrusted certificate.

keytool -import -alias myAlias -file cert.pem -keystore /etc/ssl/certs/java/cacerts

cert.pem can be your self-signed certificate (converted to PEM file) or the root certificate of an authority.

Set up a proxy by using Apache as front-end server

You might find it useful to use more common ports like 80 and 443 for your Glassfish HTTP server.

One solution is to change the ports used by Glassfish, but this assumes that no other service is already using these ports.

The solution proposed below uses a front-end web server bound to ports 80 and 443. This server is in charge of relaying all the traffic to Glassfish. A proxy can also provide other useful functionality, such as load balancing or security features. In our case, we use Apache configured with HTTP and HTTPS, which lets us skip the previous tricky part: configuring a TLS certificate is easier with Apache than with Glassfish.

If you want to use TLS, you need a .crt file, which is the certificate, and a .key file, which is your private key. The certificate can be signed by an authority or self-signed. In the latter case, you and your users will be warned by the browser, because it will legitimately consider the website untrusted. I assume you already have these files; if that isn't the case, search for how to generate a self-signed certificate or how to obtain one from a certificate authority.

The Apache configuration proposed below works with Apache 2.4; you might have to adapt it to your version.

First of all, you need to enable the required modules.

sudo a2enmod proxy 
sudo a2enmod proxy_http
sudo a2enmod proxy_wstunnel

If you want to use TLS :

sudo a2enmod ssl

The modifications have to be made in the configuration file of your virtual host. By default, it is located in the directory /etc/apache2/sites-available.

In the configuration of your virtual host, add these lines to both parts (normal mode and TLS mode) and replace "path_to" with the correct values.

Redirect /path_to/iotlab /path_to/iotlab/

ProxyPreserveHost On
ProxyPass /path_to/iotlab/liveStream/ ws://localhost:8080/iotlab/liveStream/
ProxyPassReverse /path_to/iotlab/liveStream/ ws://localhost:8080/iotlab/liveStream/
ProxyPassReverseCookiePath /path_to/iotlab/liveStream/ /

ProxyPass /path_to/iotlab/ http://localhost:8080/iotlab/ Keepalive=On
ProxyPassReverse /path_to/iotlab/ http://localhost:8080/iotlab/
ProxyPassReverseCookiePath /path_to/iotlab/ /
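
The two ProxyPass lines above must stay in this order, because Apache checks ProxyPass rules in configuration order and the first matching prefix wins. The following added example (not part of the IoTLab project; `backend_for` and the request path are constructed for illustration) models that rule as a simple prefix test and shows the WebSocket path falling through to the HTTP backend when the lines are swapped.

```sh
#!/bin/sh
# Added example, not from the IoTLab repository. Simplified model: a ProxyPass
# rule matches when its path is a leading substring of the request path.

# backend_for CONFIG URLPATH -> backend of the first matching ProxyPass, or "none"
backend_for() {
    printf '%s\n' "$1" | awk -v url="$2" '
        $1 == "ProxyPass" && NF >= 3 && index(url, $2) == 1 {
            print $3; found = 1; exit
        }
        END { if (!found) print "none" }'
}

# Order used on this page: the WebSocket path comes first.
PAGE_ORDER='ProxyPass /path_to/iotlab/liveStream/ ws://localhost:8080/iotlab/liveStream/
ProxyPass /path_to/iotlab/ http://localhost:8080/iotlab/ Keepalive=On'

# Same two lines swapped (constructed to show the failure).
SWAPPED='ProxyPass /path_to/iotlab/ http://localhost:8080/iotlab/ Keepalive=On
ProxyPass /path_to/iotlab/liveStream/ ws://localhost:8080/iotlab/liveStream/'

# "feed" is a made-up endpoint name under liveStream/.
for name in PAGE_ORDER SWAPPED; do
    eval "conf=\$$name"
    echo "$name: $(backend_for "$conf" /path_to/iotlab/liveStream/feed)"
done
```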

If you want to use TLS, don't forget to add your files in the TLS configuration part.

SSLCertificateFile /path_to/server.crt
SSLCertificateKeyFile /path_to/server.key

If you want to force the use of HTTPS, add this line to the HTTP configuration part.

Redirect / https://your_domain.com/

Finally, restart the server :

sudo service apache2 restart

If Glassfish and Apache are on the same machine, you can close both ports 8080 and 8181 with the firewall so the application is only reachable through the proxy.

iptables -A INPUT -p tcp -s localhost --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

iptables -A INPUT -p tcp -s localhost --dport 8181 -j ACCEPT
iptables -A INPUT -p tcp --dport 8181 -j DROP
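
Because `-A` appends to whatever rules already exist, the four commands above only close the ports if nothing earlier in the INPUT chain accepts the same traffic. The following added example, which is not part of the IoTLab project, evaluates a rule listing in the format printed by `iptables -S INPUT`; `port_verdict` and the three listings are constructed for illustration, and only rules that name the port with `--dport` are modelled.

```sh
#!/bin/sh
# Added example, not from the IoTLab repository: first-match evaluation of the
# INPUT rules that name one --dport, read from `iptables -S INPUT` output.
# Assumption: interface, state, multiport and negated matches are not modelled.
port_verdict() {    # $1 = rule listing, $2 = TCP port
    printf '%s\n' "$1" | awk -v port="$2" '
        BEGIN { policy = "ACCEPT" }
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" {
            src = ""; dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s")      src    = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (dport != port) next
            if (target !~ /^(ACCEPT|DROP|REJECT)$/) next  # LOG etc. never terminate
            from_loopback = (src ~ /^127\./)
            # The first terminating rule that matches a packet decides its fate.
            if (loc == "" && (src == "" || from_loopback)) loc = target
            if (ext == "" && !from_loopback)               ext = target
        }
        END {
            if (loc == "") loc = policy
            if (ext == "") ext = policy
            print "local=" loc " external=" ext
        }'
}

# Constructed listings (sample data, not captured from a real host).
GOOD='-P INPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP'
# An older broad ACCEPT sits above the appended rules, so the DROP never fires.
SHADOWED='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP'
# DROP was appended before the loopback ACCEPT, so the Apache proxy is cut off.
REVERSED='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT'

for name in GOOD SHADOWED REVERSED; do
    eval "rules=\$$name"
    echo "$name: $(port_verdict "$rules" 8080)"
done
```

The result to aim for on both 8080 and 8181 is `local=ACCEPT external=DROP`; feed the function the real output of `iptables -S INPUT` to check a host.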

Contributors and Supervisors

Contact

Links