Intel® In-band Manageability
Intel® In-Band Manageability Framework is software running on an Edge IoT device that enables an administrator to perform critical Device Management operations over-the-air (OTA) remotely from the cloud. It also publishes telemetry, critical events, and logs from the Edge IoT device to the cloud, so that the administrator can take corrective action if and when necessary. The framework is designed to be modular and flexible, so that the solution scales across preferred Cloud Service Providers (for example, Azure* IoT Central, ThingsBoard.io*, and so on).
Attention
Intel® In-band Manageability is an independent product. For help and support with Intel® In-band Manageability, refer to the following:
Product page: https://www.intel.com/content/www/us/en/developer/tools/in-band-manageability/overview.html
Source repository and documentation: https://github.com/intel/intel-inb-manageability
Some of the key advantages of Intel® In-band Manageability solutions are:
Out-of-box cloud support: Azure IoT Central, ThingsBoard.io
Single interface to handle OS, FW and Application (Docker* container) updates
Scalable across Intel® x86 architecture SoCs (Intel® Atom and Intel® Core) and on Vision platforms from Intel
The following table lists the Device Management use cases covered by the Intel In-Band Manageability Framework.
Use cases | Notes |
---|---|
Software-over-the-air (SOTA) | OS Update |
Firmware-over-the-air (FOTA) | Platform Firmware update |
Telemetry | System attributes, Events, Devices States, Usage data |
Power Control | System Reboot/Shutdown |
The Intel In-Band Manageability Framework also has built-in features that cover Security and Diagnostics:
Feature | Notes |
---|---|
Security | ACL for trusted repositories, Mutual TLS authentication between services, TPM to store framework secrets |
Diagnostics | Pre and Post OTA update checks, Periodic system checks |
Install Intel® In-band Manageability
You can install this component from the ECI APT repository. Set up the ECI APT repository, then perform the following steps to install this component:
Intel® In-band Manageability requires the Docker* Engine. Install Docker if not already done.
Install prerequisites LXC, AppArmor, and the ECI AppArmor GRUB package to enable AppArmor at boot:
$ sudo apt install lxc apparmor apparmor-grub
Reboot the system to enable AppArmor.
$ reboot
Verify whether AppArmor is active:
$ sudo apparmor_status
The command should print "apparmor module is loaded." if AppArmor is active:
apparmor module is loaded.
...
Install the ECI In-Band Manageability meta-package:
$ export DEBIAN_FRONTEND=noninteractive
$ sudo -E apt install eci-infra-clients-manageability
Intel In-band Manageability User Guides
To manage your ECI device, the device needs to be registered to a supported DMS. Refer to the following Developer/User Guide corresponding to the desired DMS (Azure or ThingsBoard).
Document | Description |
---|---|
 | Developer Guide containing info on Extending FOTA to a new platform, debug, logging, code structure, and adding a new agent to the framework. |
 | User guide for provisioning device to Azure and performing OTA use cases. |
 | User guide for provisioning device to ThingsBoard and performing OTA use cases. |
Provision Intel In-band Manageability Framework without SDO
The following section is applicable to:

To provision the edge devices with the cloud provider of your choice, click the corresponding tab. Note that an account with the provider is needed to generate a token for provisioning.
See also
These steps are also available in the Provisioning a Device section in In-Band Manageability Framework User Guide - Azure.
Prerequisites and Assumptions
The Intel® In-Band Manageability Framework is installed on the Edge IoT device.
The date and time on the edge device are set correctly.
Device credentials (for example, Device ID, Scope ID, SAS token) have been obtained from the Azure® portal.
Launch the provisioning script using the following command:
# provision-tc
If the device was previously provisioned, the following message will appear. To override the previous cloud configuration, press Y:
A cloud configuration already exists: "Azure"
Replace configuration? [Y/N]
When prompted to select a cloud service, press 1 to select Azure IoT Central, and then press Enter:
Please choose a cloud service to use:
1) Azure IoT Central
2) Thingsboard
3) UCC
4) Custom
When prompted for the Scope ID, the Device ID, and the Shared Access Key, enter the information collected from Creating a Device and Obtaining Device Credentials:
Please enter the device Scope ID: dEviCeScopeID1234
Please enter the Device ID: Device-ID-1234
Select the authentication mechanism:
Please choose provision type
1. SAS key authentication
2. X509 authentication
If you choose 1: SAS key authentication, you will be prompted to enter the SAS key. Enter the SAS key obtained by following the steps in the Shared Access Signature (SAS) Authentication section.
Please enter the device SAS primary key (Hint: https://docs.microsoft.com/en-us/azure/iot-central/howto-generate-connection-string)
If you choose 2: X509 authentication, you will be prompted to confirm whether you have generated the device certificates:
Configuring device to X509 auth requires device certificate verification
Are device certs and keys generated? [Y/N]
If you enter N, the provisioning exits stating that the device certificates are required to proceed further.
If the device certificates are already generated, enter Y, and provide the path to the certificate file.
Please enter a filename to import. Input path to Device certificate (*)
When prompted to enter the device key file, enter the path to device key file:
Input Device Key from file? [Y/N] y
Please enter a filename to import
Input path to Device Key file (*key.pem): /home/certs/device_key.pem
If the cloud provisioning is successful, the following will appear:
Successfully configured cloud service!
When prompted with the following message, select Y if FOTA or config load packages need to be verified using signature, else choose N:
Signature checks on OTA packages cannot be validated without provisioning a cert file. Do you wish to use a pre-provisioned cert file for signature checks for OTA packages? [Y/N]
The script will then start the Intel In-band Manageability services. When the script finishes, the device should be able to interact with its associated IoT Central Application. To verify whether the device is provisioned to the right device on the Azure portal, check the status of the device created in Creating a Device and Obtaining Device Credentials. The device will be shown as ‘Provisioned’ in the top right corner. Refer to Using the IoT Central Application.
To verify the connectivity, check whether telemetry/events appear, or trigger a command like Reboot; refer to Using the IoT Central Application.
To change or update the cloud service configuration, run this provisioning script again.
Note: If the device does not provision successfully, refer to the section Issues and Troubleshooting.
See also
These steps are also available in the Provisioning a Device section in In-Band Manageability User Guide - ThingsBoard.
Prerequisites and Assumptions
The Intel® In-Band Manageability Framework is installed on the Edge IoT device.
Run the following command:
# provision-tc
If the device was previously provisioned, the following message will appear. To override the previous cloud configuration, press Y:
A cloud configuration already exists: "Thingsboard"
Replace configuration? [Y/N]
When prompted to select a cloud service, press 2 to select Thingsboard, and then press Enter:
Please choose a cloud service to use:
1) Azure IoT Central
2) Thingsboard
3) UCC
4) Custom
When prompted for the IP address and Port, enter the values set up in Accessing ThingsBoard. To use the default port, do not enter the server port.
Please enter the server IP: 127.0.0.1
Note
The server port entry can be left empty to use the default port.
Please enter the server port (default 1883): 8883
Select the authentication mechanism for device provision type:
Please choose provision type.
1: Token authentication
2: X509 authentication
If you choose 1: Token authentication, you will be prompted to enter the token. Enter the token copied from Obtaining Device Credentials:
Please enter the device token:
An option for TLS will appear. Press Y if the server was configured in Setting up ThingsBoard TLS (https://github.com/intel/intel-inb-manageability/blob/v4.1.3/docs/In-Band%20Manageability%20User%20Guide%20-%20ThingsBoard.md#setting-up-thingsboard-tls). Otherwise, press N to skip the TLS configuration.
If you choose 2: X509 authentication, you will be prompted to confirm whether you have generated the device certificates and key as mentioned in Generating Device Keys:
Configuring device to use X509 auth requires device certificate verification.
Are device certs and keys generated? [Y/N] Y
Input Device certificate from file? [Y/N] y
Please enter a filename to import
Input path to Device certificate file (*nopass.pem): /home/abc/device_cert_nopass.pem
It is mandatory to have TLS configured. By default, the application proceeds with the TLS configuration.
Configure TLS? [Y/N]
Choose an input method for the *.pub.pem file. The Absolute file path option requires a path to the file that does not include wildcards like ~. The Console input option will prompt for the file to be input into the console; note that all lines preceding a line break cannot be edited:
Configuring TLS.
Input ThingsBoard CA from file? [Y/N] y
Please enter a filename to import
ThingsBoard CA file (*.pub.pem): /home/abc/mqttserver.pub.pem
If the cloud provisioning is successful, the following will appear:
Successfully configured cloud service!
When prompted with the following message, select Y and provide the path to the OTA cert file if FOTA or config load packages need to be verified using signature, else choose N:
Signature checks on OTA packages cannot not be validated without provisioning a cert file. Do you wish to use a pre-provisioned cert file for signature checks for OTA packages? [Y/N]
The script will then start and enable the Intel In-band Manageability services. When the script finishes, the device should be able to interact with the ThingsBoard® dashboard (refer to Setting up the Dashboards).
Enabling and starting agents...
Created symlink /etc/systemd/system/multi-user.target.wants/configuration.service → /etc/systemd/system/configuration.service.
Created symlink /etc/systemd/system/multi-user.target.wants/dispatcher.service → /etc/systemd/system/dispatcher.service.
Created symlink /etc/systemd/system/multi-user.target.wants/diagnostic.service → /etc/systemd/system/diagnostic.service.
Created symlink /etc/systemd/system/multi-user.target.wants/cloudadapter.service → /etc/systemd/system/cloudadapter.service.
Created symlink /etc/systemd/system/multi-user.target.wants/telemetry.service → /etc/systemd/system/telemetry.service.
Intel(R) In-Band Manageability Provisioning Complete
Note: If the device does not provision successfully, refer to the section Issues and Troubleshooting.
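Both the Azure and the ThingsBoard procedures above ask for a device certificate and key file when X509 authentication is selected. The following check of those two files before running provision-tc is an added example, not part of the Intel documentation or of the provisioning script; the function name preflight_x509 is hypothetical, and GNU stat and the openssl command-line tool are assumed to be installed on the device.

```bash
#!/usr/bin/env bash
# Added example (not Intel code): pre-flight checks for the certificate and
# key files given to provision-tc when X509 authentication is selected.
# preflight_x509 is a hypothetical helper; needs GNU stat and the openssl CLI.

# preflight_x509 CERT KEY: prints one line per problem, returns 1 if any.
preflight_x509() {
    local cert="$1" key="$2" rc=0 f mode cert_pub key_pub

    for f in "$cert" "$key"; do
        # The prompts take an absolute file path without wildcards like "~".
        case "$f" in
            /*) ;;
            *) echo "not an absolute path: $f"; rc=1 ;;
        esac
        [ -f "$f" ] || { echo "missing file: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    # The private key should be accessible by its owner only.
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        400|600) ;;
        *) echo "key mode is $mode, expected 600 or 400: $key"; rc=1 ;;
    esac

    # -checkend 0 fails if the certificate has already expired, judged by the
    # device clock (the prerequisites require it to be set correctly).
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate expired or unreadable: $cert"; rc=1
    fi

    # Certificate and key must form a pair: compare their public keys.
    # "-passin pass:" makes an encrypted key fail here instead of prompting.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and key do not match: $cert $key"; rc=1
    fi
    return "$rc"
}

# Usage (constructed sample paths):
#   preflight_x509 /home/certs/device_cert.pem /home/certs/device_key.pem
```

A non-zero return means at least one of the printed problems should be fixed before the paths are entered at the provisioning prompts.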