Content

Description

This guide describes how to connect Milesight LoRaWAN Gateways to AWS IoT Core for LoRaWAN via Basic Station. UG6x gateways must meet a minimum firmware version for this connection; if your gateway's firmware does not satisfy the requirements of AWS IoT Core for LoRaWAN, upgrade to the latest firmware first.


If you don’t have an AWS account, refer to the instructions in the guide here. The relevant sections are Sign up for an AWS account and Create a user and grant permissions.


The high-level steps to get started with AWS IoT Core for LoRaWAN are as follows:

  1. Set up Roles and Policies in IAM
  2. Add a Gateway


You can follow this video tutorial to complete the connection.


These steps are also detailed below. For additional help, refer to the AWS LoRaWAN developer guide.


Requirement

  • An AWS account
  • Internet access
  • UG Series: UG56, UG6x
    • UG65/UG67 firmware version should be higher than 60.0.0.25
    • The gateway's regional parameters must match the region deployed on AWS. For example, if the gateway is deployed in a US region, the gateway must support LoRaWAN region US915.
    • Gateway EUI.


Configuration

Set up Roles and Policies in IAM

Add an IAM Role for CUPS server

Add an IAM role that will allow the Configuration and Update Server (CUPS) to handle the wireless gateway credentials. This procedure needs to be done only once, but must be performed before a LoRaWAN gateway tries to connect with AWS IoT Core for LoRaWAN.

  • Go to the Roles page on the IAM console.
  • Choose Create role.

  • On the Create Role page, choose Another AWS account.
  • For Account ID, enter your account id.

  • Choose Next: Permissions
  • In the search box next to Filter policies, enter AWSIoTWirelessGatewayCertManager.

If the search results show the policy named AWSIoTWirelessGatewayCertManager, select it by clicking on the checkbox.

If the policy does not exist, please create it as follows:

Go to the IAM console, choose Policies from the navigation pane.


Choose Create Policy. Then choose the JSON tab to open the policy editor. Replace the existing template with this policy document:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "IoTWirelessGatewayCertManager",
            "Effect": "Allow",
            "Action": [
                "iot:CreateKeysAndCertificate",
                "iot:DescribeCertificate",
                "iot:ListCertificates",
                "iot:RegisterCertificate"
            ],
            "Resource": "*"
        }
    ]
}

Choose Next: Tags, then Next: Review, and then choose Review Policy to open the Review page.

For Name, enter AWSIoTWirelessGatewayCertManager. Do not use a different name; this is for consistency with future releases. For Description, enter a description of your choice.


Choose Create policy. You will see a confirmation message showing the policy has been created.

  • Back in the role creation tab, find AWSIoTWirelessGatewayCertManager. Choose Next: Tags, and then choose Next: Review.

  • In Role name, enter IoTWirelessGatewayCertManagerRole, and then choose Create role.

    Note that you must not use a different name. This is for consistency with future releases.


  • In the confirmation message, choose IoTWirelessGatewayCertManagerRole to edit the role.

  • In the Summary, choose the Trust relationships tab, and then choose Edit trust relationship.

  • In the Policy Document, change the Principal property to represent the IoT Wireless service:
    "Principal": {
        "Service": "iotwireless.amazonaws.com"
    },
    After you change the Principal property, the complete policy document should look like this:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "iotwireless.amazonaws.com"
                },
                "Action": "sts:AssumeRole",
                "Condition": {}
            }
        ]
    }


  • Choose Update Trust Policy to save your changes and exit.

At this point, you’ve created the IoTWirelessGatewayCertManagerRole and you won’t need to do this again.

NOTE – The examples in this document are intended only for dev environments. All devices in your fleet must have credentials with privileges that authorize only intended actions on specific resources. The specific permission policies can vary for your use case. Identify the permission policies that best meet your business and security requirements. For more information, refer to Example policies and Security Best practices.

 


Add IAM role for Destination to AWS IoT Core for LoRaWAN

Create a policy that gives the role permissions to describe the IoT endpoint and publish messages to AWS IoT.

  • Go to the IAM console.
  • Choose Policies from the navigation panel.

  • Choose Create Policy. Then choose the JSON tab to open the policy editor. Replace the existing template with this policy document:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iot:DescribeEndpoint",
                    "iot:Publish"
                ],
                "Resource": "*"
            }
        ]
    }



  • Choose Review Policy to open the Review page. For Name, enter a name of your choice. For Description, enter a description of your choice.
  • Choose Create policy. You will see a confirmation message indicating that the policy has been created.

Now create the Role:

  • In the IAM console, choose Roles from the navigation pane to open the Roles page.
  • Choose Create Role.

  • In Select type of trusted entity, choose Another AWS account.
  • In Account ID, enter your AWS account ID, and then choose Next: Permissions.
  • Search for the IAM policy you just created by entering the policy name in the search bar.
  • In the search results, select the checkbox corresponding to the policy.
  • Choose Next: Tags.
  • Choose Next: Review to open the Review page.
  • For Role name, enter an appropriate name of your choice. For Description, enter a description of your choice.
  • Choose Create role. You will see a confirmation message indicating that your role has been created.


Update your role’s trust relationship to grant AWS IoT Core for LoRaWAN permission to assume this IAM role when delivering messages from devices to your account.

  • In the IAM console, choose Roles from the navigation pane to open the Roles page.
  • Enter the name of the role you created earlier in the search window, and click on the role name in the search results. This opens up the Summary page.
  • Choose the Trust relationships tab to navigate to the Trust relationships page.

  • Choose Edit trust relationship. The principal AWS role in your trust policy document defaults to root, and must be changed. Replace the existing policy with this:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "Service": "iotwireless.amazonaws.com"
                },
                "Action": "sts:AssumeRole",
                "Condition": {}
            }
        ]
    }



  • Choose Update Trust Policy. Under Trusted entities, you will see: The identity provider(s) iotwireless.amazonaws.com.
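
The NOTE above says these policies are intended for dev environments only. As an added example (not part of the original guide and not AWS tooling), the following Python script lints the three policy documents from this page and reports the grants to review before production use. The audit function, the SCOPABLE hint table with its placeholder ARN parts, and the wording of the findings are assumptions of this example.

```python
# Policy documents copied from this guide.
CERT_MANAGER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "IoTWirelessGatewayCertManager", "Effect": "Allow",
    "Action": ["iot:CreateKeysAndCertificate", "iot:DescribeCertificate",
               "iot:ListCertificates", "iot:RegisterCertificate"],
    "Resource": "*"}]}
DESTINATION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["iot:DescribeEndpoint", "iot:Publish"],
    "Resource": "*"}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "", "Effect": "Allow",
    "Principal": {"Service": "iotwireless.amazonaws.com"},
    "Action": "sts:AssumeRole", "Condition": {}}]}
# Assumption of this example: hint table; ARN parts in <> are placeholders.
SCOPABLE = {"iot:Publish": "arn:aws:iot:<region>:<account-id>:topic/<topic>"}

def as_list(value):
    """IAM accepts a bare string/object where a list is also valid."""
    return value if isinstance(value, list) else [value]

def audit(name, doc):
    """Return 'policy/statement: finding' strings for one policy document."""
    findings = []
    for i, stmt in enumerate(as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        where = f"{name}/{stmt.get('Sid') or i}"
        actions = as_list(stmt.get("Action", []))
        if "Principal" in stmt:  # trust policy statement
            who = stmt["Principal"]
            aws = as_list(who.get("AWS", [])) if isinstance(who, dict) else []
            if who == "*" or "*" in aws:
                findings.append(f"{where}: any principal may assume the role")
            if not stmt.get("Condition"):
                findings.append(f"{where}: no Condition limits when the role can be assumed")
            continue
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{where}: wildcard action {action}")
        if "*" in as_list(stmt.get("Resource", [])):
            for action in actions:
                hint = SCOPABLE.get(action, "check if it accepts resource ARNs")
                findings.append(f"{where}: {action} on Resource '*' ({hint})")
    return findings

if __name__ == "__main__":
    for name, doc in [("cert-manager", CERT_MANAGER_POLICY),
                      ("destination", DESTINATION_POLICY), ("trust", TRUST_POLICY)]:
        print("\n".join(audit(name, doc)))
```

A policy whose statements name specific resource ARNs produces no findings, so the script can be rerun after tightening the documents.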


Add the Gateway to AWS IoT

To register the Gateway with AWS IoT Core for LoRaWAN, follow these steps:

  • Go to the AWS IoT console.
  • Select LPWAN devices in the navigation panel on the left.
  • Choose Get started to add a gateway or select the Gateways tab to add a gateway.

  • In the Add gateway section, fill in the GatewayEUI and Frequency band (RF Region) fields.
  • Enter a descriptive name in the Name – optional field. We recommend that you use the GatewayEUI as the name.

  • Choose Add gateway.
  • On the Configure your Gateway page, find the section titled Gateway certificate.
  • Select Create certificate.

  • Once the message "Certificate created and associated with your gateway" is shown, select Download certificates to download the cert (xxxxx.cert.pem) and private key (xxxxxx.private.key), which are required for the Basics Station connection with CUPS. Since Milesight gateways only accept the crt file format, change the cert suffix from "pem" to "crt".

Note: You can also download the cert file under Secure > Certificate page without any change.

  • In the section Provisioning credentials, choose Download server trust certificates to download the CUPS (cups.trust) and LNS (lns.trust) server trust certificates.

  • Copy the CUPS and LNS endpoints and save them for use while configuring the gateway.

  • Choose Submit to add the gateway.
  • Once the gateway has been added, an Associated thing name is generated. On LPWAN Devices > Gateways > Gateway details, scroll down to the LoRaWAN certification section to attach the certificate to the thing.

  • Choose Certificates, and use the copied string to look up the certificate in this section.
  • Choose the gateway’s certificate by selecting the box to the left of its name, choose Action in the upper right corner, then choose Attach to things.

  • In the new search box, use the gateway’s Associated thing name to locate the gateway and attach the certificate to it.
  • Choose the gateway’s certificate by selecting the box to the left of its name, choose Action in the upper right corner, then choose Download.


Configure the Gateway

To configure the gateway for AWS IoT Core for LoRaWAN, follow these steps:

  • The packet forwarder is enabled by default, and its default destination is the gateway's internal network server. Under Multi-Destinations, disable Milesight/Embedded NS and enable a Basic Station.

  • Fill in CUPS URI with what was copied when adding a gateway on AWS IoT for LoRaWAN.
  • Browse and import the cups.trust file that was downloaded when adding a gateway on AWS IoT for LoRaWAN.
  • Browse and import the .crt certificate that was downloaded when adding a gateway on AWS IoT for LoRaWAN or from Security > Certificates.
  • Browse and import the .key file that was downloaded when adding a gateway on AWS IoT for LoRaWAN.
  • Fill in LNS URI with what was copied when adding a gateway on AWS IoT for LoRaWAN.
  • Browse and import the lns.trust file that was downloaded when adding a gateway on AWS IoT for LoRaWAN.

  • Choose Save to store the files in the gateway, then choose Save&Apply to start the Basics Station connection. If another Apply button appears in the upper right, choose it to ensure that the other configuration changes are applied as needed.

  • Switch to AWS IoT > Manage > LPWAN devices > Gateways, refresh the page to load Last uplink received time.