6.2 Information needed for M2M Service Layer operation
6.2.1 Introduction
The Configuration AE provisions the <mgmtObj> resource types in the IN-CSE and the IN-CSE then interacts with the DM Server, ADN or ASN/MN node or Configuration IPE in order to configure the AE or CSE on the nodes.
6.2.2 Information elements required for M2M Service Layer operation
6.2.2.1 Introduction
The ASN/MN and ADN in the Field Domain should support the capability to be configured or pre-provisioned with the information elements of mgmtObj resource types defined in the present document prior to initial registration with a registrar CSE (enrolment phase). When the AE or CSE has established M2M Service Layer operation with a Registrar CSE (operational phase), the AE or CSE shall provide the capability to be configured with the information elements of mgmtObj resource types defined in the present document.
6.2.2.2 M2M Service Layer registration information elements
The information elements used for a CSE or AE to register with a Registrar CSE shall include the following information, which depends on the M2M Service Provider:
- PoA information of Registrar CSE.
- Protocol binding to be used between AE or CSE and the Registrar CSE.
- CSE-ID of the CSE hosted on the ASN/MN.
- AE-ID of an AE hosted on an ASN/MN or ADN.
This set of information elements may be linked to a set of authentication profile information elements (see clause 6.2.2.4) providing the configuration for security association establishment with the Registrar CSE.
6.2.2.3 Application configuration information elements
In order for an AE to operate, the AE may need to know the resource location within the Hosting CSE to maintain its resource structure. In addition, for resources that are frequently provided by the AE to the Hosting CSE, the AE may be configured with information that defines how frequently the AE collects or measures the data as well as the frequency at which the data is transmitted to the Hosting CSE.
When the Hosting CSE is not the Registrar CSE of the AE, then this set of information elements may be linked to a set of authentication profile information elements (see clause 6.2.2.4) providing the configuration for establishing End-to-End Security of Primitives (ESPrim) with the Hosting CSE.
6.2.2.4 Authentication profile information elements
Authentication profile information elements may be required to establish mutually-authenticated secure communications.
The applicable security framework is identified via a Security Usage Identifier (SUID). Where the security framework uses TLS or DTLS, a set of permitted TLS cipher suites may be provided. Then the applicable credentials are identified, with the allowed type of credentials dictated by the SUID.
A security framework can use a pre-provisioned or remotely provisioned symmetric key for establishing mutually-authenticated secure communications. In both cases, the identifier for the symmetric key is provided. If a symmetric key is remotely provisioned, then a Remote Security Provisioning Framework (RSPF) should be used as described in clause 8.3 of oneM2M TS-0003 [3]. Alternatively, the value of the symmetric key may be configured as an information element of the authentication profile.
Certificate-based security frameworks may use one or more trust anchor certificates (also known as "root CA Certificates" or "root of trust certificates"). Information about trust anchor certificates is provided in the child trust anchor credential information elements (see clause 6.2.2.5) of the authentication profile.
MAF-based security frameworks use a MAF to facilitate establishing a symmetric key to be used for mutual authentication. The MAF Client registration configuration credential information elements enable a MAF Client to perform MAF procedures with the MAF.
6.2.2.5 My certificate file credential information elements
A security framework can use a certificate to authenticate the intended security principal in the Managed Entity to other security principals, as part of establishing mutually-authenticated secure communications. The certificate can be pre-provisioned or remotely provisioned, as discussed in oneM2M TS-0003 [3]. If a certificate is remotely provisioned, then a Remote Security Provisioning Framework (RSPF) should be used as described in clause 8.3 of oneM2M TS-0003 [3], or my certificate file credential information elements may be configured to the Managed Entity as described in the present specification.
My certificate file credential information elements include the media type of file containing the certificate, the file containing the certificate, and a list of Security Usage Identifiers (SUID) for which the certificate may be used.
6.2.2.6 Trust anchor credential information elements
A security framework can use one or more trust anchor certificates (also known as "root Certificate Authority certificates" or "root of trust certificates"). These trust anchor certificates are used by a security principal on the Managed Entity for validating certificates of other security principals as part of establishing mutually-authenticated secure communications.
The trust anchor credential information elements include a hash-value-based identifier of the trust anchor certificate, along with a URL from which the trust anchor certificate can be retrieved. The Managed Entity can compute the hash value for the locally stored trust anchor certificates to determine if there is a match with the hash value in the information elements. If there is no match for the trust anchor certificates in local storage, then the Managed Entity retrieves the trust anchor certificate from the URL, and verifies that the hash value of the retrieved trust anchor certificate is a match for the hash value in the information elements.
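The check-locally-then-retrieve-and-verify procedure of this clause, as an added illustration rather than text or code from the specification. The hash algorithm (SHA-256 over the DER encoding), the URLs and the certificate bytes are assumptions and constructed stand-ins; the clause itself fixes none of them.

```python
import hashlib
from typing import Callable, Iterable

# Assumption (the clause names no algorithm): the hash-value-based identifier
# is the hex SHA-256 digest of the DER-encoded trust anchor certificate.
HASH_ALG = "sha256"

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CA_LOCAL = b"CONSTRUCTED-TRUST-ANCHOR-A"
CA_REMOTE = b"CONSTRUCTED-TRUST-ANCHOR-B"
CA_TAMPERED = b"CONSTRUCTED-TRUST-ANCHOR-B-MODIFIED"

# Constructed stand-in for the network: hypothetical URL -> retrieved bytes.
REMOTE = {
    "https://example.invalid/anchors/b.der": CA_REMOTE,
    "https://example.invalid/anchors/b-tampered.der": CA_TAMPERED,
}

def cert_hash(cert_der: bytes) -> str:
    """Hash identifier the Managed Entity computes for a certificate."""
    return hashlib.new(HASH_ALG, cert_der).hexdigest()

def resolve_trust_anchor(hash_id: str, url: str, local_store: Iterable[bytes],
                         fetch: Callable[[str], bytes]) -> bytes:
    """Return the trust anchor certificate identified by hash_id.
    1. Reuse a locally stored certificate whose hash matches; no retrieval.
    2. Otherwise retrieve from url and accept it only if its hash matches.
    """
    wanted = hash_id.lower()
    for cert in local_store:
        if cert_hash(cert) == wanted:
            return cert
    retrieved = fetch(url)
    if cert_hash(retrieved) != wanted:
        raise ValueError("retrieved trust anchor does not match configured hash")
    return retrieved

def demo() -> dict:
    """Exercise local hit, verified retrieval and rejected (mismatching) retrieval."""
    fetch = REMOTE.__getitem__
    base = "https://example.invalid/anchors/"
    local_hit = resolve_trust_anchor(cert_hash(CA_LOCAL), base + "unused", [CA_LOCAL], fetch) == CA_LOCAL
    fetched = resolve_trust_anchor(cert_hash(CA_REMOTE), base + "b.der", [CA_LOCAL], fetch) == CA_REMOTE
    try:
        resolve_trust_anchor(cert_hash(CA_REMOTE), base + "b-tampered.der", [CA_LOCAL], fetch)
        rejected = False
    except ValueError:
        rejected = True
    return {"local_hit": local_hit, "fetched": fetched, "rejected": rejected}
```

The mismatch case matters: a certificate that arrives from the configured URL but does not hash to the configured identifier is never installed, so the URL is only a retrieval hint and the hash is the actual trust decision.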
6.2.2.7 MAF Client registration configuration information elements
A security framework can use a MAF to establish a symmetric key in a security principal in the Managed Entity and one or more other security principals, with the symmetric key used for establishing mutually-authenticated secure communications between the security principals. In this case, the security principals are MAF Clients. The security principal in the Managed Entity shall perform the MAF Client registration procedure, described in clause 8.8.2.3 of oneM2M TS-0003 [3], before the MAF facilitates establishing the symmetric keys.
The MAF Client registration configuration information elements configure the security principal in the Managed Entity for the MAF Client registration procedure, as described in clause 8.8.3.2 of oneM2M TS-0003 [3].
6.2.2.8 MEF Client registration configuration information elements
A security framework can use a MEF to provision credentials to a security principal (an MEF Client) in the Managed Entity for establishing mutually-authenticated secure communications between the security principal and another entity, such as a security principal, a MAF, a MEF or a device management server. The security principal in the Managed Entity shall perform the MEF Client registration procedure, described in clause 8.3.5.2.3 of oneM2M TS-0003 [3], before the MEF provisions credentials.
The MEF Client registration configuration information elements configure the security principal in the Managed Entity for the MEF Client registration procedure, as described in clause 8.3.7.2 of oneM2M TS-0003 [3].