IAM interactions
The main functions of IAM are to provide identification information, keys, and certificates for different system components. For automotive systems, IAM uses the VIS identifier (visidentifier). For other systems, IAM uses the file identifier to provide identification information.
Typical IAM certificate storage configuration looks as follows:
Here:
- iam – IAM certificate storage
- online – online certificate storage used by SM to communicate with AosCloud
- offline – offline certificate storage used by SM to decrypt services, updates, and other offline operations
- cm – CM certificate storage
- sm – SM certificate storage
- um – UM certificate storage
The iam, sm, um and online certificate storages use the ECC algorithm to create keys and hold at most one certificate each. The offline certificate storage uses the RSA algorithm to create keys and is limited to four items.
Initially, all IAM certificate storages are empty. The provisioning script generates keys and certificates for each certificate storage during the provisioning procedure. If the IAM certificate storage is empty, IAM starts its servers in insecure mode so that the provisioning script can connect to it. Once provisioning is finished, IAM restarts and uses a secure connection for all its servers. See Provisioning script interaction for details.
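As an added illustration (not code from the Aos IAM project), the Go model below encodes the storage rules stated above: the iam, sm, um and online storages create ECC keys and hold a single item, while the offline storage creates RSA keys and holds up to four. The curve (P-256), the RSA size (2048) and the names Policies, Storage and CreateKey are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

// Policies maps each storage named above to the two rules the text gives it: the
// algorithm used to create keys and the maximum number of items it may hold.
var Policies = map[string]struct {
	Alg string // "ecc" or "rsa"
	Max int
}{
	"iam": {"ecc", 1}, "online": {"ecc", 1}, "sm": {"ecc", 1}, "um": {"ecc", 1},
	"offline": {"rsa", 4},
}

// Storage is a simplified certificate storage that keeps the keys created in it.
type Storage struct {
	Type string
	Keys []any
}

// CreateKey generates a key with the policy's algorithm and refuses once the storage
// is full. P-256 and RSA-2048 are assumptions; the text names only the families.
func (s *Storage) CreateKey() error {
	p, ok := Policies[s.Type]
	if !ok || len(s.Keys) >= p.Max {
		return fmt.Errorf("storage %q: unknown or full (limit %d)", s.Type, p.Max)
	}
	gen := func() (any, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
	if p.Alg == "rsa" {
		gen = func() (any, error) { return rsa.GenerateKey(rand.Reader, 2048) }
	}
	key, err := gen()
	if err == nil {
		s.Keys = append(s.Keys, key)
	}
	return err
}

func main() {
	iam := &Storage{Type: "iam"} // empty, the state in which IAM starts in provisioning mode
	fmt.Println(iam.CreateKey()) // <nil>: a single ECC key is allowed
	fmt.Println(iam.CreateKey()) // storage "iam": unknown or full (limit 1)
}
```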
SM uses IAM to retrieve the locations of the online and offline certificates and to renew the certificates in the different storages. See Communication Manager interaction for details. SM uses IAM to register service permissions. See Service Manager interaction for details. FS uses IAM to get service permissions. See Functional server interaction for details.
Communication Manager interaction
CM uses IAM to get the system identification, the online key and certificate to connect to the cloud, and the offline key and certificate to decrypt services, updates, etc. The communication sequence looks as follows:
AosCloud can initiate the renewal of expiring certificates. This is done through CM. In this case, CM calls the IAM create key and apply certificate APIs as follows:

Functional server interaction
Functional servers (FS) use IAM to retrieve service permissions and check whether the services are allowed to access the selected functions.

Provisioning script interaction
On an unprovisioned unit, the IAM instances on the main and remote nodes are launched in provisioning mode. In this mode IAM enables IAMProvisioningService and is ready to receive commands from the provisioning script.
The provisioning script connects to IAM using an insecure connection. It uses the protected IAMProvisioningService gRPC service to perform the provisioning procedure, the IAMPublicIdentityService service to get system information, and the IAMCertificateService to create keys and apply certificates.
Initially, the provisioning script gets the identification information and the list of all system nodes. Then it gets the list of certificate storages on each node. After that, it clears all storages and takes ownership of them. The script performs the EncryptDisk command for all storages of type diskencryption. Then it generates keys and applies certificates for all storages on the main and remote nodes. Once this is done, it calls the FinishProvisioning command for the remote nodes and then for the main node. Once provisioning is finished, IAM is restarted in normal mode. In this mode IAMProvisioningService is disabled in IAM and further provisioning is impossible.

Service Manager interaction
On service start, SM registers the service permissions if they are defined, and unregisters them on service stop: