Bootstrapping handoffs in lightweight machine to machine systems
The method addresses bootstrapping challenges in LwM2M systems by configuring utility metering devices with validated security object instances from subsequent servers, reducing server load and enhancing security while maintaining compatibility with legacy systems.
Patent Information
- Authority / Receiving Office: WO
- Patent Type: Applications
- Current Assignee / Owner: LANDIS GYR TECH INC
- Filing Date: 2025-12-29
- Publication Date: 2026-07-02
AI Technical Summary
Existing LwM2M systems face challenges in efficiently bootstrapping utility metering devices due to configuration errors and security issues, leading to increased load on global bootstrap servers and potential data privacy breaches.
A method involving configuring a utility metering device client with a first bootstrap security object instance, validating and persisting higher-priority security object instances from subsequent bootstrap servers, and minimizing communication with the global bootstrap server unless necessary, thereby reducing server load and enhancing security.
This approach reduces the load on global bootstrap servers and enhances security by allowing resilient bootstrapping with minimal storage requirements, while maintaining compatibility with legacy systems.
Description
[0001] BOOTSTRAPPING HANDOFFS IN LIGHTWEIGHT MACHINE TO MACHINE SYSTEMS
[0002] FIELD
[0003] The invention relates to a method of managing bootstrapping of a client of a utility metering device in a Lightweight Machine to Machine (LwM2M) system.
[0004] BACKGROUND
[0005] The Open Mobile Alliance (OMA) Lightweight Machine to Machine (LwM2M) protocol is a protocol for the management and service enablement of Internet of Things (IoT) devices, such as utility metering devices. Utility metering devices may comprise electricity meters, water meters, gas meters etc.
[0006] The device management capabilities provided by the LwM2M standard include the remote provisioning of security credentials to enable a device to access a LwM2M server (bootstrapping), updating the firmware of the device, fault management, remote device diagnostics and troubleshooting, and connectivity management.
[0007] Figure 1 shows a LwM2M architectural diagram. A typical LwM2M system 100 comprises a LwM2M client 102, located on a device 104, which may be a utility metering device. The LwM2M client 102 may be integrated as a software library or a built-in function of the device 104.
[0008] The LwM2M client 102 communicates with one or more LwM2M server(s). To initiate and maintain communication between the LwM2M client 102 and the one or more LwM2M server(s), the following LwM2M interfaces are defined: bootstrapping; client registration; device management and service enablement; and information reporting.
[0009] The bootstrap interface defines the set of commands that an LwM2M bootstrap server 106 uses to provision the initial configuration of the LwM2M client 102 and allow subsequent registration and communication between the LwM2M client 102 and the LwM2M server(s) 108. The LwM2M client 102 communicates with the LwM2M bootstrap server 106 during its first, or alternatively every, boot-up. The LwM2M bootstrap server 106 configures the LwM2M client 102 so that it is in an appropriate state for communication with the one or more LwM2M servers 108. This configuration may comprise the transmission of bootstrap commands from the LwM2M bootstrap server 106 to the LwM2M client 102, which cause objects and resources on the LwM2M client 102 to be configured and / or deleted, created and / or written.
[0010] Each object 110a-c of the LwM2M client 102 is accessible by the one or more LwM2M servers 108, and represents a different concept of data. For example, a first object 110a may be for managing connections with the LwM2M servers 108, a second object 110b may be for providing a GPS location of the device 104, and a third object 110c may be for managing network connections. The objects 110a-c may be single-instance or multiple-instance. Each object may comprise an object identifier and information on the number of instances (i.e. single or multiple). Each object instance of an object 110a-c comprises at least one resource comprising an item of data. For example, a location object may comprise six resources: a latitude, a longitude, an altitude, a velocity, an uncertainty and a timestamp.
[0011] To allow the LwM2M client 102 to communicate with the LwM2M bootstrap server 106 on first boot-up of the LwM2M client 102, the LwM2M client 102 needs to be preinjected with the LwM2M bootstrap server 106 details, such as a bootstrap identifier, for example a uniform resource identifier (URI). The URI may comprise a fully qualified domain name (FQDN). This may be achieved by injecting the LwM2M client 102 with a security object comprising the details of the LwM2M bootstrap server 106.
[0012] Generally, however, at the point of manufacture of devices such as metering devices, the end customer LwM2M bootstrap server details are not known, since it is not known which customer will eventually receive which device. As such, devices 104 will be pre-injected with details of a global bootstrap server. When the metering device, and therefore the LwM2M client 102, is booted up, the LwM2M client 102 will communicate with the global bootstrap server, and the global bootstrap server will configure the LwM2M client for registration and communication with the LwM2M server(s) 108.
[0013] There are a number of disadvantages of such methods however. For example, if there are any configuration errors when the LwM2M client 102 is bootstrapped, or if an LwM2M server 108 or client 102 certificate expires (such as an LwM2M registration server certificate), the LwM2M client 102 will fail to register with the LwM2M server 108. The LwM2M client 102 will then re-initiate bootstrapping with the global bootstrap server. This results in significant scale challenges for the global bootstrap server, which may be required to handle bootstrapping of new devices across the globe, as well as bootstrapping of known devices which experience configuration errors.
[0014] Furthermore, security and privacy issues may arise, due to the storage of customer data at the global bootstrap server. There exists a need to provide an alternative method of efficiently bootstrapping devices in an LwM2M system.
[0015] SUMMARY
[0016] Various aspects of the present invention are defined in the independent claims. Some preferred features are defined in the dependent claims.
[0017] According to a first aspect of the present disclosure there is provided a method of managing bootstrapping of a client of a utility metering device in a Lightweight Machine to Machine (LwM2M) system, wherein bootstrapping comprises configuring the client for connection and registration with one or more device management servers, the method comprising: configuring the client with a security object comprising a first bootstrap security object instance associated with a first bootstrap server, the first bootstrap security object instance comprising data for use by the client in establishing communication with the first bootstrap server; establishing, by the client and with the first bootstrap server, communication using the first bootstrap security object instance; configuring the client, by the first bootstrap server, with one or more further security object instances; validating, by the client, the one or more further security object instances; persisting, by the client, when the one or more further security object instances are validated, the one or more further security object instances in place of the first bootstrap security object instance.
[0018] Optionally, validating, by the client, the one or more further security object instances comprises at least one of: determining, by the client, that the one or more further security object instances comprise at least one valid security object instance; determining, by the client, that the one or more further security object instances comprise a plurality of further security object instances; determining, by the client, that the one or more further security object instances comprise a plurality of bootstrap security object instances; and determining, by the client, that one of the one or more further security object instances matches the first bootstrap security object instance.
[0019] Optionally, determining, by the client, that one of the one or more further security object instances matches the first bootstrap security object instance may comprise comparing data comprised in each of the one or more further security object instances with data comprised in the first bootstrap security object instance. Validation may be successful if the data comprised in one of the one or more further security object instances matches the data comprised in the first bootstrap security object instance, which may be within a predetermined error threshold. Optionally, if the client is unable to validate the one or more further security object instances, the method further comprises initiating communication between the client and the first bootstrap server for reconfiguration of the client by the first bootstrap server and / or alerting, by the client, a third party device or service to initiate a remote and / or local diagnostic process and / or on-site visit. The client may wait a predetermined delay period before initiating communication between the client and the first bootstrap server and / or alerting a third party device or service.
[0020] Optionally, reconfiguration of the client by the first bootstrap server comprises configuring the client with updated one or more further security object instances.
[0021] Optionally, the one or more further security object instances comprise: a final bootstrap security object instance associated with a final bootstrap server and comprising data for use by the client in establishing communication with the final bootstrap server, the final bootstrap server for configuring the client for connection and registration with one or more device management servers; and a further first bootstrap security object instance, the further first bootstrap security object instance comprising data for use by the client in establishing communication with the first bootstrap server, and the method further comprises: establishing, by the client and with the final bootstrap server, communication using the final bootstrap security object instance; configuring the client, by the final bootstrap server, with a device management security object instance associated with the one or more device management servers and comprising data for use by the client in connecting and / or registering with the one or more device management servers; persisting, by the client, the device management security object instance in place of the further first bootstrap security object instance.
[0022] Optionally, if the client is unable to establish communication with the final bootstrap server, the method further comprises: reattempting establishing, by the client and with the final bootstrap server, communication using the final bootstrap security object instance; and / or initiating communication between the client and first bootstrap server for reconfiguration of the client by the first bootstrap server; and / or alerting, by the client, a third party device or service to initiate a remote and / or local diagnostic process and / or on-site visit.
[0023] The client may wait a predetermined delay period before reattempting establishing communication with the final bootstrap server and / or before initiating communication between the client and the first bootstrap server and / or before alerting a third party device or service. The client may reattempt establishing communication with the final bootstrap server a predetermined number of times before initiating communication between the client and the first bootstrap server and / or alerting a third party device or service.
[0024] Optionally, the method further comprises connecting and / or registering, by the client and with the one or more device management servers, using the device management security object instance, wherein if the client is unable to connect and / or register with the one or more device management servers, the method further comprises: reattempting connecting and / or registering, by the client and with the one or more device management servers, using the device management security object instance; and / or initiating communication between the client and the final bootstrap server for reconfiguration of the client by the final bootstrap server for a subsequent connection and / or registration attempt with the one or more device management servers.
[0025] Optionally, the reconfiguration of the client by the final bootstrap server comprises configuring the client with an updated device management security object instance.
[0026] Optionally, the first bootstrap server configures clients of a plurality of utility metering devices, and a / the final bootstrap configures clients of a subset of the plurality of utility metering devices.
[0027] Optionally, the one or more further security object instances comprise: an intermediate bootstrap security object instance associated with an intermediate bootstrap server and comprising data for use by the client in establishing communication with the intermediate bootstrap server, the intermediate bootstrap server for configuring the client for configuration by a final bootstrap server; and a further first bootstrap security object instance, the further first bootstrap security object instance comprising data for use by the client in establishing communication with the first bootstrap server, and the method further comprises: establishing, by the client and with the intermediate bootstrap server, communication using the intermediate bootstrap security object instance; configuring the client, by the intermediate bootstrap server, with a final bootstrap security object instance associated with a final bootstrap server and comprising data for use by the client in establishing communication with the final bootstrap server, the final bootstrap server for configuring the client for connection and registration with one or more device management servers, and a further intermediate bootstrap security object instance, the further intermediate security object instance comprising data for use by the client in establishing communication with the intermediate bootstrap server; validating, by the client, the final bootstrap security object instance and the further intermediate bootstrap security object instance; and persisting, by the client, when the final bootstrap security object instance and the further intermediate bootstrap security object instance are validated, the final bootstrap security object instance and the further intermediate bootstrap security object instance in place of the intermediate bootstrap security object instance and the further first bootstrap security object instance.
[0028] Optionally, if the client is unable to establish communication with the intermediate bootstrap server, the method further comprises: reattempting establishing, by the client and with the intermediate bootstrap server, communication using the intermediate bootstrap security object instance; and / or initiating communication between the client and first bootstrap server for reconfiguration of the client by the first bootstrap server and / or alerting, by the client, a third party device or service to initiate a remote and / or local diagnostic process and / or on-site visit.
[0029] The client may wait a predetermined delay period before reattempting establishing communication with the intermediate bootstrap server and / or before initiating communication between the client and the first bootstrap server and / or before alerting a third party device or service. The client may reattempt establishing communication with the intermediate bootstrap server a predetermined number of times before initiating communication between the client and the first bootstrap server and / or alerting a third party device or service.
[0030] Optionally, the method further comprises: establishing, by the client and with the final bootstrap server, communication using the final bootstrap security object instance; configuring the client, by the final bootstrap server, with a device management security object instance associated with the one or more device management servers and comprising data for use by the client in connecting and / or registering with the one or more device management servers; and persisting, by the client, the device management security object instance in place of the further intermediate bootstrap security object instance.
[0031] Optionally, if the client is unable to establish communication with the final bootstrap server, the method further comprises: reattempting establishing, by the client and with the final bootstrap server, communication using the final bootstrap security object instance; and / or initiating communication between the client and the intermediate bootstrap server for reconfiguration of the client by the intermediate bootstrap server; and / or alerting, by the client, a third party device or service to initiate a remote and / or local diagnostic process and / or on-site visit.
[0032] The client may wait a predetermined delay period before reattempting establishing communication with the final bootstrap server and / or before initiating communication between the client and the intermediate bootstrap server and / or before alerting a third party device or service. The client may reattempt establishing communication with the final bootstrap server a predetermined number of times before initiating communication between the client and the intermediate bootstrap server and / or alerting a third party device or service.
[0033] Optionally, the first bootstrap server configures clients of a plurality of utility metering devices, the intermediate bootstrap server configures clients of a subset of the plurality of utility metering devices, and a / the final bootstrap server configures clients of at least one of the subset of the plurality of metering devices.
[0034] Optionally, if the final bootstrap security object instance comprises data indicating that an enrollment over secure transport, EST, certificate is needed for registration with the one or more device management servers, the method further comprises:
[0035] sending, by the client and to an EST server, an EST certificate request; receiving, by the client and from the EST server, the EST certificate; and using the EST certificate for connection and / or registration with the one or more device management servers.
[0036] Optionally, the first bootstrap server is configured to configure the client on a first boot-up of the client.
[0037] According to a second aspect of the present disclosure there is provided a computer program product comprising a set of computer readable instructions or process protocols or computer code configured such that, when implemented or processed on a processing system, permit, control or cause the processing system, or provide instructions or data for the processing system, to perform the method of the first aspect.
[0038] According to a third aspect of the present disclosure there is provided a utility metering device comprising a processing system when programmed with the computer program product of the second aspect, the processing system comprising a processor for processing the computer program product and the processing system comprising or being configured to access at least one data storage or memory on which the computer program is stored.
[0039] According to a fourth aspect of the present disclosure there is provided a Lightweight Machine to Machine (LwM2M) system comprising: at least one utility metering device according to the third aspect; and a first bootstrap server configured to configure the client for communication with a final bootstrap server and / or an intermediate bootstrap server.
[0040] Optionally, the system further comprises at least one of: an intermediate bootstrap server configured to configure the client for communication with the final bootstrap server; a final bootstrap server configured to configure the client for connection and registration with one or more device management servers; and one or more device management servers.
[0041] Optionally, the system further comprises an EST server, the EST server configured to send an EST certificate to the client in response to receiving an EST certificate request from the client.
[0042] The above summary is intended to be merely exemplary and non-limiting. The disclosure includes one or more corresponding aspects, embodiments or features in isolation or in various combinations whether or not specifically stated (including claimed) in that combination or in isolation. It should be understood that features defined above in accordance with any aspect of the present disclosure or below relating to any specific embodiment of the disclosure may be utilized, either alone or in combination with any other defined feature, in any other aspect or embodiment or to form a further aspect or embodiment of the disclosure.
BRIEF DESCRIPTION OF THE DRAWINGS
[0043] These and other aspects of the present disclosure will now be described, by way of example only, with reference to the accompanying Figures, in which:
[0044] Figure 1 is an example Lightweight Machine to Machine (LwM2M) architecture;
[0045] Figure 2 is an example device comprising an LwM2M client;
[0046] Figure 3 is a schematic view of an example security object instance;
[0047] Figure 4 is an example sequence diagram;
[0048] Figure 5 is an example sequence diagram;
[0049] Figure 6 is a table illustrating security object instances during the sequence of Figure 4;
[0050] Figure 7 is a table illustrating security object instances during the sequence of Figure 5; and
[0051] Figure 8 is a flowchart illustrating an example client validation process.
[0052] In the Figures, like parts are denoted by like reference numerals.
[0053] It will be appreciated that the drawings are for illustration purposes only and are not drawn to scale.
DETAILED DESCRIPTION OF THE DRAWINGS
[0054] Generally disclosed herein is a method of managing bootstrapping of a client of a utility metering device in a Lightweight Machine to Machine (LwM2M) system. As used herein, “bootstrapping” refers to the process of configuring a client of a device for connection and registration with one or more servers, which may be device management servers. Bootstrapping may comprise provisioning the client with the information / data and credentials needed to allow the client to connect with the one or more servers.
[0055] The method comprises injecting, or providing, the client of a utility metering device with an identifier (for example, a URI) associated with a first bootstrap server, such that the client initiates data communication with the first bootstrap server on the first boot-up of the client. The first bootstrap server may be a global bootstrap server configured to communicate with a large number of utility metering device clients on their first boot-ups, regardless of who the intended end customer of the utility metering device is or of where the intended installation location is. Providing the client with the details of the first bootstrap server may comprise configuring the client with a security object comprising a first security object instance associated with the first bootstrap server. The client may also be initially configured with a further security object instance comprised in the security object which, before the first boot-up of the client may contain default values or be considered or referred to herein as ‘empty’ or ‘uninitialized’.
[0056] In response to receiving the communication from the client on the first boot-up of the client, the first bootstrap server configures the client with a bootstrap security object instance associated with a further bootstrap server, and a bootstrap security object instance associated with the first bootstrap server. The further bootstrap server may be a final bootstrap server for configuring the client for connection and registration with the one or more device management servers, and the security object instance associated with the further bootstrap server may be a security object instance associated with the final bootstrap server.
[0057] The client validates the security object instance associated with the further bootstrap server and the security object instance associated with the first bootstrap server received from the first bootstrap server. In this example, validation by the client comprises comparing the security object instances received from the first bootstrap server to the security object instance associated with the first bootstrap server already stored in the client. If one of the received security object instances ‘matches’ the security object instance associated with the first bootstrap server stored in the client, e.g. the configured credentials are the same, validation is considered to be successful. If there is no match, validation is considered to be unsuccessful.
[0058] If validation is successful, the client will persist the security object instances received from the first bootstrap server, overwriting the first security object instance and the further security object instance initially stored in the client security object. Following successful validation the security object instance associated with the further bootstrap server may be considered ‘higher priority’ than the security object instance associated with the first bootstrap server, which may be considered ‘lower priority’.
[0059] If validation is unsuccessful, the client will not persist the security object instances received from the first bootstrap server. The client may re-initiate communication with the first bootstrap server after a period of time e.g. a predetermined period of time. If validation continues to be unsuccessful e.g. after a predetermined number of attempts, the client may be configured to alert a third party device or service to initiate a remote and / or local diagnostic process and / or on-site visit.
[0060] If validation is successful, the client then initiates communication with the higher priority security object instance, in this example a security object instance associated with the final bootstrap server. In response to receiving the communication from the client, the final bootstrap server configures the client with a device management security object instance associated with the one or more device management servers, and a security object instance associated with the final bootstrap server. Following configuration of the client by the final bootstrap server, the client persists the security object instances received from the final bootstrap server, overwriting the security object instances previously stored in the client security object. The client then communicates with the one or more device management servers for connection and registration using the device management security object instance.
[0061] Alternatively, the further bootstrap server may be associated with an intermediate bootstrap server. The intermediate bootstrap server may, for example, be a regional bootstrap server for configuring a subset of the devices served by the first (e.g. global) bootstrap server. The subset of devices served by the intermediate bootstrap server may be determined based on location and / or intended end customer.
[0062] In this example, the first bootstrap server configures the client with a security object instance associated with the intermediate bootstrap server, and a security object instance associated with the first bootstrap server. If validated by the client, as described above, the client will persist the security object instances received from the first bootstrap server, overwriting the first security object instance and the further security object instance initially stored in the client security object.
[0063] The client then communicates with the intermediate bootstrap server. The intermediate bootstrap server configures the client with a security object instance associated with the final bootstrap server, and a security object instance associated with the intermediate bootstrap server.
[0064] The client validates the security object instance associated with the final bootstrap server and the security object instance associated with the intermediate bootstrap server received from the intermediate bootstrap server. In this example, validation by the client comprises comparing the security object instances received from the intermediate bootstrap server to the higher priority security object instance already stored in the client, i.e. the security object instance associated with the intermediate bootstrap server. If one of the received security object instances ‘matches’ the security object instance associated with the intermediate bootstrap server stored in the client, e.g. the configured credentials are the same, validation is considered to be successful. If there is no match, validation is considered to be unsuccessful.
[0065] If validation is successful, the client will persist the security object instances received from the intermediate bootstrap server, overwriting the security object instances previously stored in the client security object. Following successful validation, the security object instance associated with the final bootstrap server may be considered ‘higher priority’ than the security object instance associated with the intermediate bootstrap server, which may be considered ‘lower priority’.
[0066] If validation is unsuccessful, the client will not persist the security object instances received from the intermediate bootstrap server. The client may re-initiate communication with the intermediate bootstrap server after a period of time e.g. a predetermined period of time. If validation continues to be unsuccessful e.g. after a predetermined number of attempts, the client may be configured to alert a third party device or service to initiate a remote and / or local diagnostic process and / or on-site visit.
[0067] If validation is successful, the client then initiates communication with the higher priority security object instance, in this example a security object instance associated with the final bootstrap server. This allows the client to communicate with the final bootstrap server (as described above) for configuration of the client for connection and registration with the one or more device management servers.
[0068] The skilled person will appreciate that there may be one or more intermediate bootstrap servers that the client communicates with in sequence before the final bootstrap server (for example a customer bootstrap server specific to a particular customer or supplier), and a similar process will apply.
[0069] The client is configured such that if the client is unable to connect and / or register with the one or more device management servers, which may occur if a certificate of the one or more device management servers expires for example, the method further comprises initiating communication between the client and the final bootstrap server for reconfiguration of the client by the final bootstrap server for a subsequent connection and / or registration attempt.
[0070] Advantageously, therefore, in the method proposed by the invention, communication between the client and the first bootstrap server (which serves the largest number of clients) is avoided unless necessary. Communication with the first bootstrap server is only initiated at first boot-up of the client, or if communication with the ‘next’ bootstrap server in the chain (e.g. the final bootstrap server or an intermediate bootstrap server) is unsuccessful, for example if the response from the bootstrap server cannot be validated by the client. This reduces the load placed on the first bootstrap server and therefore ameliorates scaling and load issues associated with the first bootstrap server.
[0071] Furthermore, as the security object instances stored in the client are overwritten (i.e. the newly validated instances persist in their place) each time the client validates the security object instances received from the respective bootstrap server, the method may be achieved using only two security object instances irrespective of the number of intermediate bootstrap servers. The proposed method therefore provides a resilient, client-confirmable method of bootstrapping a client device, whilst minimising the amount of storage space required to store client and / or server data.
[0072] The skilled person will appreciate that not all bootstrap servers will support the configuration of a client with multiple bootstrap security object instances as described in the above examples. For example, a legacy bootstrap server may only configure a single bootstrap security object instance in response to the client initiating communication with the legacy bootstrap server. The legacy bootstrap server may alternatively or additionally configure a device management security object instance. For this purpose, when the client receives only one bootstrap security object instance from a bootstrap server, the client may be configured to persist the received bootstrap security object instance and / or device management security object instance without validation. In this case the bootstrap security object instance received from the legacy bootstrap server may be considered a ‘higher priority’ instance for the purposes of the above examples. Following receipt from the legacy bootstrap server, the client therefore may initiate communication with this higher priority bootstrap security object instance, for example a security object instance associated with the final bootstrap server.
[0073] In this way the proposed method may beneficially be used in networks (e.g. regional or customer areas) that comprise both bootstrap servers that support the validation requirements, and legacy bootstrap servers which do not fully support the validation requirements e.g. bootstrap servers which only configure a single bootstrap security object instance in response to communication from the client. This therefore provides a flexible improved method of bootstrapping a client device which can be easily integrated into existing networks comprising legacy bootstrap servers.
[0074] Figure 2 shows a schematic representation of a device 104 for use in a LwM2M communications system. The device 104 may be a utility metering device, such as a gas, water or electricity metering device. The device 104 may comprise a LwM2M client 102 (referred to hereafter as a client) integrated as a software library or a built-in function of the device 104. The LwM2M client may communicate with one or more bootstrap servers and one or more device management servers, as will be outlined in more detail below.
[0075] The device 104 may comprise a communications module 112. The communications module 112 may be configured to facilitate communications with the one or more bootstrap servers and one or more device management servers. The communications module 112 may use wireless communication such as wireless local area network (Wi-Fi) communications, Bluetooth®, cellular communications such as 3G or 4G, or radio frequency (RF) communications. The skilled person will appreciate that these communications techniques are exemplary only and other communications may be used in alternative arrangements. The device 104 may use any suitable protocols for communicating with the one or more bootstrap servers and the one or more device management servers, for example the Constrained Application Protocol (CoAP). In particular, the device 104 may communicate with the one or more bootstrap servers and the one or more device management servers using protocols compliant with the OMA LWM2M specification.
[0076] The device 104 may further comprise a memory 114 and a processor 116. The memory 114 may comprise a non-volatile memory and / or a volatile memory. The memory 114 may have a computer program 118 stored therein. The computer program 118 may comprise instructions for performing the methods disclosed herein. The computer program 118 may be loaded in the memory 114 from a non-transitory computer readable medium 120, on which the computer program is stored. The processor 116 is configured by the computer program 118 to perform one or more of the functions of the client 102.
[0077] The memory 114 may also be configured to store credential data, such as a certificate, security key or other identifier. The credential data may be used by the device 104 to authenticate with and allow connection to and / or registration with one or more bootstrap servers and / or data management servers.
[0078] Each of the client 102, communications module 112, memory 114, processor 116 is in data communication with the other components 102, 112, 114, 116 of the device 104. The device 104 can be implemented as a combination of computer hardware and software. The memory 114 stores the various programs / executable files that are implemented by a processor 116, and also provides a storage unit for any required data.
[0079] As outlined above, Figure 1 shows an example architecture which illustrates the relationship between a device 104 comprising a client 102, such as an LwM2M client, and one or more servers, which comprise LwM2M bootstrap server(s) 106, referred to as bootstrap servers hereafter, and LwM2M device management server(s) 108, referred to as device management servers hereafter.
[0080] The client 102 may comprise a security object. The security object may comprise the details and credentials for the client 102 to communicate and / or register with bootstrap servers and / or device management servers. The security object may comprise one or more security object instances, wherein each security object instance is associated with a respective server (e.g. a bootstrap server or a device management server). The bootstrap servers disclosed herein are each configured to provision (or configure) the client with one or more security object instances. Each security object instance may comprise a plurality of resources, wherein each of the resources comprises an item of data.
[0081] Figure 3 shows an example security object instance 300, which may be provisioned to the client 102 by a bootstrap server.
[0082] The security object instance 300 may comprise an object identifier 302. In this case, the object identifier indicates that the security object instance is associated with a security object. The object identifier 302 may comprise a single number. Conventionally, LwM2M security objects are assigned an identifier of “0”.
[0083] The security object instance 300 may comprise an object instance identifier 304. The first security object instance may be provided with an identifier of “0” (as shown in Figure 3). As will be described in more detail below, subsequent security object instances will be assigned identifiers that increase numerically, i.e. the next security object instance will be assigned an identifier of 1, the next an identifier of 2 and so on.
[0084] The security object instance 300 may comprise a plurality of resources 306a-n, each comprising an item of data. The plurality of resources 306a-n may each comprise a resource identifier 308. The first resource 306a of the security object instance 300 may be provided with an identifier of “0” (as shown in Figure 3). Subsequent resources 306b-306n may be assigned identifiers that increase numerically, i.e. the next resource may be assigned an identifier of 1, the next an identifier of 2 and so on.
[0085] The objects, object instances and resources may be accessed using a URI, for example in the form: / {Object ID} / {Object Instance} / {Resource ID}.
[0086] Each security object instance may be associated with a bootstrap server or a device management server. That is, each security object instance may comprise data (in the form of resources) for facilitating communication between the client 102 and the bootstrap server or device management server that the security object instance is associated with. The data for facilitating the communication is stored within the resources 306a-n of the security object instance 300.
[0087] The example security object instance 300 comprises a server identifier resource, or server URI, 306a. The server identifier resource may comprise the URI, or another identifier, of a bootstrap server or a device management server, to allow the client 102 to communicate with the bootstrap server or the device management server.
[0088] The example security object instance 300 may comprise a resource 306b comprising an indication of whether the server associated with the security object instance 300 is a bootstrap server or not. The indication may comprise a true / false indication, wherein if the associated server is a bootstrap server, the resource 306b indicates “true” and if the associated server is not a bootstrap server (e.g. if it is a device management server) the resource 306b indicates “false”.
[0089] The example security object instance 300 may comprise a security mode resource 306c indicating which security mode should be used when establishing communications between the client 102 and the server associated with the security object instance 300. For example, the security mode resource 306c may indicate that one of a pre-shared key mode, a raw public key mode, a certificate mode, a certificate mode with EST or no certificate mode should be used. The skilled person will appreciate that alternative security modes to those listed herein may also be used, and the above list is an example only. At least some of the resources 306a-n may be populated in dependence on the security mode specified within the security mode resource 306c. For example, in the pre-shared key mode, communication is encrypted and authenticated using a secret key shared between the client 102 and the server. As such, for this mode a secret key may be stored in the secret key resource 306f. In the certificate mode, certificates are generated for both the client 102 and the server associated with the security object instance 300, and the certificates are stored in client certificate and server certificate resources 306d, 306e respectively. A secret key resource 306f comprises the client private key. The client and server certificates and the secret key may be used to authenticate connection and communication between the client 102 and the server associated with the security object instance 300. The skilled person will appreciate that in different security modes, the data stored within the resources 306a-n may differ in dependence on the specified security mode.
[0090] The example security object instance 300 may comprise a short server identifier resource 306n. The short server identifier resource 306n uniquely identifies each device management server configured for the client 102. The short server identifier resource 306n is populated when the bootstrap server identifier resource 306b indicates that the associated server is not a bootstrap server (i.e. recites “false”).
[0091] The skilled person will understand that the security object instance shown in Figure 3 is exemplary only, and that further and / or different resources may be contained within alternative security object instances.
[0092] An example method of managing bootstrapping of a client of a utility metering device in a Lightweight Machine to Machine (LwM2M) system will now be described with reference to Figures 4 and 5.
[0093] 400: After, or during, manufacture of a device 104, which comprises a client 102, and which may be a utility metering device, the device 104 is provided with a first bootstrap server identifier. The first bootstrap server identifier is configured to allow the client 102 to communicate with a first bootstrap server 106a and may comprise a URI, or any other identifier to allow the device 104 to communicate with a first bootstrap server 106a.
[0094] The first bootstrap server 106a may comprise a global bootstrap server configured to provision clients of a plurality of devices. The plurality of devices may comprise a large number of devices, and in some instances, may comprise all devices manufactured and provided by a single company regardless of the end customer or installation location. In alternative arrangements, the plurality of devices may include devices manufactured by multiple companies.
[0095] Providing the device 104 with the first bootstrap server identifier may comprise provisioning the client 102 with a security object comprising a first security object instance associated with the first bootstrap server 106a. The first security object instance may be the security object instance 300 and comprise one or more of an object ID 302, an object instance ID 304 and a plurality of resources 306a-n with associated resource IDs 308.
[0096] In this example, the object ID 302 is “0”, which as outlined above, is conventional for LwM2M security objects. The first object instance ID 304 is “0”. The client 102 may also be provisioned with a further security object instance which is not associated with any bootstrap server e.g. an uninitialized security object instance. The further security object instance may also be the security object instance 300 wherein the object instance ID 304 is “1”.
[0097] The first security object instance may comprise resources 306a-n comprising data for use by the client 102 to establish communication with the first bootstrap server 106a. For example, the first security object instance may comprise one or more of: a server identifier resource 306a comprising the URI of the first bootstrap server 106a; a bootstrap server indication resource 306b indicating that the first bootstrap server 106a is a bootstrap server; a security mode resource 306c indicating which security mode should be used to authenticate communications (e.g. a certificate mode or a certificate mode with EST etc.); client and server certificate resources 306d, 306e comprising the client and first bootstrap server certificates respectively, and a secret key resource 306f comprising the secret key.
[0098] As shown in the table of Figure 6, following the provisioning of step 400, the client 102 comprises a security object comprising a first security object instance with an object instance ID 304 of “0” comprising credential data associated with the first bootstrap server 106a, and a further security object instance with an object instance ID 304 of “1” which does not comprise any credential data associated with any server and may therefore be considered and referred to as “empty” or “uninitialized”.
[0099] 402: Using the first security object instance, which as explained above is associated with the first bootstrap server 106a, the client 102 sends a request to the first bootstrap server 106a for bootstrapping. In response to the request, the first bootstrap server 106a bootstraps the client 102.
[0100] Bootstrapping the client 102 comprises the first bootstrap server 106a configuring the client 102 with first and second further security object instances, which may be substantially the same in structure as the example security object instance 300 shown in Figure 3.
[0101] In the particular example shown in Figure 4, the first further security object instance is a final bootstrap security object instance associated with a final bootstrap server 106b, which may be referred to as a “higher priority” instance. The second further security object instance is a first bootstrap security object instance associated with the first bootstrap server 106a, which may be referred to as a “lower priority” instance. However as will be explained in more detail below, this may not be the case in all methods, and alternative methods may involve the first bootstrap server configuring the client 102 with first and second further security object instances associated with an intermediate bootstrap server and the first bootstrap server 106a respectively.
[0102] The final bootstrap security object instance may comprise resources 306a-n comprising data for use by the client 102 to establish communication with the final bootstrap server 106b. For example, the final bootstrap security object instance may comprise one or more of: a server identifier resource 306a comprising the URI of the final bootstrap server 106b; a bootstrap server indication resource 306b indicating that the final bootstrap server is a bootstrap server (i.e. indicating a “true” condition); a security mode resource 306c indicating which security mode should be used to authenticate communications (e.g. a certificate mode or a certificate with EST mode etc.); client and server certificate resources 306d, 306e comprising the client and final bootstrap server certificates respectively, and a secret key resource 306f comprising the secret key. The client 102 then validates the first and second further security object instances configured by the first bootstrap server 106a, as described in more detail below. If validated, the client 102 will persist the first and second further security objects, overwriting the first security object instance and the further security object instance previously comprised in the client security object.
[0103] As shown in the table of Figure 6, following the bootstrapping of step 402, the client 102 comprises a security object comprising a first security object instance with an object instance ID 304 of “0” comprising credential data associated with the first bootstrap server 106a, and a further security object instance with an object instance ID 304 of “1” comprising credential data associated with the final bootstrap server 106b.
[0104] 404: Using the final bootstrap security object instance, which as explained above is associated with the final bootstrap server 106b, the client 102 sends a request to the final bootstrap server 106b for bootstrapping. In response to the request, the final bootstrap server 106b bootstraps the client 102.
[0105] As used herein, the term “final bootstrap server” means the bootstrap server configured to provision (or configure) the client 102 for communication with one or more device management servers 108.
[0106] The final bootstrap server 106b may configure a subset of the devices configured by the first bootstrap server 106a. For example, the first bootstrap server 106a may be a global bootstrap server for configuring all devices from a particular manufacturer, while the final bootstrap server 106b may be configured to provision a subset of those devices based on, for example, on which end customer the devices are used by. As such, the final bootstrap server 106b is responsible for configuring a smaller number of devices than the first bootstrap server 106a.
[0107] The final bootstrap server 106b configures the client 102 to enable the client 102 to register and connect with one or more device management servers 108. Configuring the client 102 for registration and connection with the one or more device management servers 108 comprises configuring the client with a device management security object instance associated with the one or more device management servers 108. The final bootstrap server 106b also configures the client 102 with a further security object instance associated with the final bootstrap server 106b. The device management security object instance and the further security object instance may be substantially the same in structure as the example security object instance 300 shown in Figure 3.
[0108] The device management security object instance may comprise resources 306a-n comprising data for use by the client to establish communication with the one or more device management servers 108. For example, the device management security object instance may comprise one or more of: a server identifier resource 306a comprising the URI of the one or more device management servers 108; a bootstrap server indication resource 306b indicating that the one or more device management servers 108 are not bootstrap servers (i.e. indicating a “false” condition); a security mode resource 306c indicating which security mode should be used to authenticate communications (e.g. certificate mode or certificate with EST mode); client and server certificate resources 306d, 306e comprising the client and the one or more device management server certificates respectively; and a secret key resource 306f comprising the secret key. The device management security object instance may further comprise a short server ID resource 306n comprising identifiers for each of the one or more device management servers configured for the client 102.
[0109] In example arrangements, the final bootstrap security object instance may comprise a security mode resource 306c indicating that a certificate mode with Enrollment over Secure Transport, EST, should be used. If the security mode is a certificate mode with EST, after the final bootstrap server 106b has finished bootstrapping the client 102, the client 102 is configured to initiate communication with an EST server and send an EST certificate enrollment request to the EST server. In response to the EST certificate enrollment request, the EST server may send the client 102 an EST certificate for authentication of the client 102 and the device management servers 108. The EST certificate may be stored and used by the client 102 to register and connect with the device management servers 108. As shown in the table of Figure 6, following the bootstrapping of step 404, the client 102 comprises a security object comprising a security object instance with an object instance ID 304 of “0” comprising credential data associated with the final bootstrap server 106b, and a device management security object instance with an object instance ID 304 of “1” comprising credential data associated with the one or more device management servers 108.
[0110] Bootstrapping by the final bootstrap server 106b may further comprise configuring the client with a server object instance comprising resources comprising data relating to the one or more device management servers 108. The server object instance may comprise a server identifier resource identifying the one or more device management servers 108 and a short server ID of the one or more device management servers 108, similar to the device management security object instance. The server object instance may further comprise a lifetime resource and / or a notification storing when disabled or offline resource. The skilled person will appreciate that the server object instance may comprise further resources. The server object instance and the device management security object instance may both be used by the client 102 to connect and register to the one or more device management servers 108.
[0111] : Using the device management security object instance, which as explained above is associated with the one or more device management servers 108, the client 102 sends a registration request to the one or more device management servers 108.
[0112] If the client 102 successfully registers with the one or more device management servers 108, the client 102 is able to receive commands from the one or more device management servers 108 on the device management and service enablement interface and the information reporting interface, and therefore assist in managing the device 104.
[0113] In some instances however, the registration process fails. The registration process may fail, for example, if one or more of the client and device management server certificates have expired, or because the device 104 has not yet been registered with the one or more device management servers 108 as a valid device.
[0114] : If the registration process fails, or the client 102 loses connection with the one or more device management servers 108 following registration, the client 102 may be configured to initiate communication with the final bootstrap server 106b for reconfiguration.
[0115] If registration or connection of the client 102 with the one or more device management servers 108 fails, the client 102 is able to initiate communications with the final bootstrap server 106b for reconfiguration because the client comprises security object instances associated with the final bootstrap server 106b, in addition to the one or more device management servers 108, as outlined above. This is in contrast to prior art arrangements, in which the client comprises only a single security object instance associated with the first bootstrap server. As such, in prior art arrangements, if the registration process fails, the client is only able to initiate communications with the first bootstrap server 106a, which as outlined above, typically serves significantly more devices than the final bootstrap server 106b, leading to load and scaling issues at the first bootstrap server 106a. As the client 102 only ever comprises two security object instances which are only persisted if validated by the client 102, the resilient client-confirmable bootstrapping and registration process can also be completed with relatively low memory storage requirements.
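The two-slot security object and the handoff of steps 400, 402, 404 and 410 described above, modelled as an added Python example (not code from the patent or from any LwM2M implementation). The resource IDs follow the OMA LwM2M Security object layout (0 server URI, 1 Bootstrap-Server flag, 2 security mode, 3 client certificate, 4 server certificate, 5 secret key, 10 short server ID), which matches the 306a, 306b, 306c ordering in the text; the server URIs, certificate bytes, the short server ID 123 and the concrete validation checks are this example's own assumptions, as is keeping the instance just used in the lower-priority slot when a legacy server returns a single instance. The `tamper` flag shows the failure mode of [0066]: a response whose higher-priority instance lacks the server certificate its security mode requires is not persisted, and the stored instances are left unchanged.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SECURITY_OBJECT_ID = 0
# Security Mode values as defined for the OMA LwM2M Security object.
MODE_PSK, MODE_RPK, MODE_CERT, MODE_NOSEC, MODE_CERT_EST = 0, 1, 2, 3, 4
# Resource IDs inside a Security object instance (OMA layout, matching 306a-n in the text).
R_URI, R_IS_BS, R_MODE, R_CLIENT_CERT, R_SERVER_CERT, R_SECRET, R_SSID = 0, 1, 2, 3, 4, 5, 10
# Placeholder credential bytes (constructed; real deployments carry DER certificates and keys).
CERTS = {R_CLIENT_CERT: b"client-cert", R_SERVER_CERT: b"server-cert", R_SECRET: b"client-key"}


@dataclass
class SecurityInstance:
    """One Security object instance: resources keyed by resource ID (empty dict = uninitialized)."""
    resources: Dict[int, object] = field(default_factory=dict)

    def is_empty(self) -> bool:
        return not self.resources

    def is_bootstrap(self) -> bool:
        return bool(self.resources.get(R_IS_BS, False))

    def uri(self) -> Optional[str]:
        return self.resources.get(R_URI)


def bootstrap_inst(uri: str, mode: int = MODE_CERT, creds: Dict[int, bytes] = CERTS) -> SecurityInstance:
    """Constructed instance for a bootstrap server (Bootstrap-Server = true)."""
    return SecurityInstance({R_URI: uri, R_IS_BS: True, R_MODE: mode, **creds})


def dm_inst(uri: str, short_id: int, creds: Dict[int, bytes] = CERTS) -> SecurityInstance:
    """Constructed instance for a device management server (Bootstrap-Server = false)."""
    return SecurityInstance({R_URI: uri, R_IS_BS: False, R_MODE: MODE_CERT, R_SSID: short_id, **creds})


class SecurityObject:
    """Client-side Security object with exactly two slots: instance 0 holds the
    lower-priority instance and instance 1 the higher-priority one (Figure 6 layout)."""
    LOWER, HIGHER = 0, 1

    def __init__(self, first_bootstrap: SecurityInstance):
        self.instances = {self.LOWER: first_bootstrap, self.HIGHER: SecurityInstance()}

    def read(self, path: str):
        """Resolve a /{Object ID}/{Object Instance}/{Resource ID} path."""
        obj_id, inst_id, res_id = (int(p) for p in path.strip("/").split("/"))
        if obj_id != SECURITY_OBJECT_ID:
            raise KeyError(path)
        return self.instances[inst_id].resources[res_id]

    def next_server(self) -> SecurityInstance:
        """Instance the client uses next: the higher-priority slot once it is populated."""
        hi = self.instances[self.HIGHER]
        return self.instances[self.LOWER] if hi.is_empty() else hi

    def reconfig_server(self) -> SecurityInstance:
        """Bootstrap server still held by the client after a DM registration failure (step 410)."""
        return next(i for i in self.instances.values() if i.is_bootstrap())


def validate(received: List[SecurityInstance], configuring_uri: str) -> bool:
    """Client-side validation of a two-instance response (higher, lower). The checks are
    this example's assumptions; the page does not enumerate them."""
    if len(received) != 2:
        return False
    higher, lower = received
    if not (lower.is_bootstrap() and lower.uri() == configuring_uri):
        return False  # lower-priority slot must point back at the server that configured us
    mode = higher.resources.get(R_MODE)
    if not higher.uri() or mode not in (MODE_PSK, MODE_RPK, MODE_CERT, MODE_CERT_EST):
        return False  # missing URI, or a mode the client does not accept (e.g. NoSec)
    needed = (R_SECRET,) if mode == MODE_PSK else (R_CLIENT_CERT, R_SERVER_CERT, R_SECRET)
    return all(higher.resources.get(r) for r in needed)  # credentials the mode relies on exist


def apply_bootstrap(obj: SecurityObject, used: SecurityInstance, received: List[SecurityInstance]) -> bool:
    """Persist a bootstrap response into the two slots; returns True if persisted.
    `used` is the instance the client contacted the bootstrap server with."""
    if len(received) == 1:
        # Legacy server ([0072]): single instance persisted without validation as higher priority.
        obj.instances = {obj.LOWER: used, obj.HIGHER: received[0]}
        return True
    if not validate(received, used.uri()):
        return False  # [0066]: nothing persisted, stored instances unchanged
    obj.instances = {obj.LOWER: received[1], obj.HIGHER: received[0]}
    return True


def run_handoff(tamper: bool = False) -> dict:
    """Figure 4 sequence on constructed data; records the stored URIs after each step."""
    first_bs, final_bs, dm = "coaps://first-bs.example", "coaps://final-bs.example", "coaps://dm.example"
    obj = SecurityObject(bootstrap_inst(first_bs))  # step 400: provisioned at manufacture
    trace = {"400": (obj.read("/0/0/0"), obj.instances[1].is_empty())}
    used = obj.next_server()  # step 402: contact first bootstrap server
    higher = bootstrap_inst(final_bs, MODE_CERT_EST)
    if tamper:
        higher.resources.pop(R_SERVER_CERT)  # response lacks the server certificate
    ok = apply_bootstrap(obj, used, [higher, bootstrap_inst(first_bs)])
    trace["402"] = (ok, obj.read("/0/0/0"), obj.instances[1].uri())
    if not ok:
        return trace
    used = obj.next_server()  # step 404: contact final bootstrap server
    apply_bootstrap(obj, used, [dm_inst(dm, 123), bootstrap_inst(final_bs)])
    trace["404"] = (obj.read("/0/0/0"), obj.read("/0/1/0"), obj.read("/0/1/10"))
    trace["410"] = obj.reconfig_server().uri()  # reconfiguration goes to the final, not first, server
    return trace
```

After `run_handoff()` the object holds the final bootstrap server in instance 0 and the device management server in instance 1, so a registration failure is routed back to the final bootstrap server; the first (global) bootstrap server is contacted only once, at step 402.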
[0116] The client 102 may be configured to initiate communication with the final bootstrap server 106b for reconfiguration, if the number of attempts of the client 102 to register with the one or more device management servers 108 exceeds a threshold. This ensures that the client 102 does not communicate with the final bootstrap server 106b for reconfiguration in the event of an anomalous failure to register or maintain connection with the device management servers 108, or an unrelated failure (such as a server failure), which reconfiguration would not fix. The threshold may be set at substantially any number based on the system and / or customer requirements. In example methods, if the number of attempts of the client 102 to register with the one or more device management servers 108 exceeds the threshold, the client 102 may be further configured to only initiate communication with the final bootstrap server 106b for reconfiguration upon expiry of a predefined backoff period. The predefined backoff period may be, for example, 1 hour, 2 hours, 10 hours, 24 hours. Advantageously, this allows time for the final bootstrap server 106b to be updated to provision the client 102 with updated security object instances on receipt of a reconfiguration request from the client 102, in the event the registration failure is caused by certificate expiry, or else time for the device 104 to be registered with the one or more device management servers 108 as a valid device.
[0117] 410: The client 102 initiates communication with the final bootstrap server 106b for reconfiguration, for a subsequent attempt at registration / connection with the one or more device management servers 108.
[0118] In example methods, the client 102 may initiate communication with the final bootstrap server 106b if the number of attempts of the client 102 to register with the one or more device management servers 108 exceeds the threshold, and optionally the back-off period expires.
[0119] In response to the reconfiguration request received from the client 102, the final bootstrap server 106b reconfigures the client 102. Reconfiguring may comprise updating the device management security object instance associated with the one or more device management servers 108 and / or updating the server object associated with the one or more device management servers 108. For example, one or more resources of the device management security object instance and / or the server object associated with the one or more device management servers 108 may be updated. This may occur, for example, if one or more of the previous client or server certificates have expired, and therefore new client and / or server certificates now apply. In such a case, the client and / or server resources 306d, 306e of the device management security object instance would be updated. The skilled person will understand that in alternative cases one or more of the other resources may be updated (or alternatively no resources may be updated if there have been no configuration changes).
[0120] 412: Following the reconfiguration of the client 102 by the final bootstrap server 106b, the client 102 attempts registration and / or connection with the one or more device management servers 108. If the registration and connection attempt is successful, no further action is taken and the client 102 communicates with the one or more device management servers 108 on the device management and service enablement interface and the information reporting interface.
[0121] 414: The client 102 may still be unable to register and / or connect with the one or more device management servers 108 following the reconfiguration of the client 102 by the final bootstrap server 106b in step 410. This may be as a result of a failure or error unrelated to the certificates or configurations, for example a server failure. In such instances, the client 102 may be configured to re-attempt registration after a predefined back-off period. Alternatively, or additionally, the client 102 may be configured to send an alert to a third party device or service that registration has failed. This may allow a developer to look further into the problem and fix the server error, for example or to initiate an on-site engineer visit to the server and / or client location.
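The registration-failure handling of [0116] to [0121] (threshold, back-off, reconfiguration via the final bootstrap server, and alerting when the failure persists afterwards), as an added Python example that is not part of the patent. The threshold of 3 attempts and the 3600 s back-off are constructed values; the page only gives 1, 2, 10 or 24 hours as example back-off periods. The example also assumes, as a simplification, that the reconfiguration request succeeds as soon as it is issued, so the very next failure after it is treated as one unrelated to credentials ([0121]).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Actions the client takes after a registration attempt (names are this example's own).
RETRY = "retry"                                    # below threshold: anomalous failure, just retry
WAIT = "wait_backoff"                              # threshold exceeded, back-off not yet expired
RECONFIGURE = "reconfigure_via_final_bootstrap"    # step 410: ask the final bootstrap server
ALERT = "alert_third_party_then_retry_after_backoff"  # step 414: still failing after reconfiguration
REGISTERED = "registered"


@dataclass
class RegistrationPolicy:
    """Client-side decision logic; it never routes a reconfiguration to the first bootstrap server."""
    threshold: int = 3            # constructed: failures tolerated before reconfiguration is considered
    backoff_s: float = 3600.0     # constructed: back-off before contacting the final bootstrap server
    failures: int = 0
    backoff_started: Optional[float] = None
    reconfigured: bool = False

    def on_attempt(self, now: float, succeeded: bool) -> str:
        """Record one registration attempt at time `now` (seconds) and return the next action."""
        if succeeded:
            self.failures, self.backoff_started, self.reconfigured = 0, None, False
            return REGISTERED
        self.failures += 1
        if self.reconfigured:
            return ALERT  # reconfiguration did not help: not a credential/configuration problem
        if self.failures <= self.threshold:
            return RETRY  # do not load the bootstrap server for a possibly transient failure
        if self.backoff_started is None:
            self.backoff_started = now  # threshold just exceeded: start the back-off clock
        if now - self.backoff_started < self.backoff_s:
            return WAIT
        # Back-off expired: reconfigure (assumed to complete immediately) and reset the counters.
        self.failures, self.backoff_started, self.reconfigured = 0, None, True
        return RECONFIGURE


def simulate(attempts: List[Tuple[float, bool]], policy: Optional[RegistrationPolicy] = None) -> List[str]:
    """Run a constructed sequence of (time, succeeded) registration outcomes through the policy."""
    policy = policy or RegistrationPolicy()
    return [policy.on_attempt(t, ok) for t, ok in attempts]
```

With the default policy, three failures only produce retries; the fourth starts the back-off, the first failure after the back-off expires triggers reconfiguration, and a failure after that raises the alert of step 414 instead of another reconfiguration request.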
[0122] The skilled person will appreciate that the above-described method advantageously ensures that requests for reconfiguration are not directed towards the first bootstrap server 106a. As mentioned above, typically the first bootstrap server 106a is responsible for a larger number of devices than the final bootstrap server (which typically is responsible for a subset of the devices served by the first bootstrap server). By ensuring that the final bootstrap server 106b, which is responsible for the smaller number of devices, reconfigures the client 102, the load placed on the first bootstrap server 106a is reduced. Furthermore, as the client 102 only ever comprises two security object instances which are only persisted if validated by the client 102, the registration process can also be completed with relatively low memory storage requirements.
[0123] The skilled person will appreciate that in alternative arrangements further bootstrap servers may be used. For example, in some arrangements, the first bootstrap server may provision a plurality of devices for communication with an intermediate bootstrap server, which provisions a subset of the plurality of devices for communication with the final bootstrap server. The final bootstrap server then provisions one or more of the devices provisioned by the intermediate bootstrap server for registration and connection with the one or more device management servers.
[0124] An example method of managing bootstrapping of a client of a utility metering device in a Lightweight Machine to Machine (LwM2M) system comprising an intermediate bootstrap server 106c will now be described with reference to Figure 5.
[0125] 500: The same process outlined above in respect of step 400 (Figure 4) is followed here and not repeated in detail. The client 102 is provided with a security object comprising at least a first security object instance associated with the first bootstrap server 106a. The first security object instance may comprise an object instance identifier 304 of “0”. The features outlined in step 400 in respect of the first bootstrap server 106a and the first security object instance apply here.
[0126] As shown in the table of Figure 7, following the provisioning of step 500, the client 102 comprises a security object comprising a first security object instance with an object instance ID 304 of “0” comprising credential data associated with the first bootstrap server 106a, and a further security object instance with an object instance ID 304 of “1” which does not comprise any credential data associated with any server and may therefore be considered and referred to as “empty” or “uninitialized”.
[0127] 502: Using the first security object instance, which as explained above is associated with the first bootstrap server 106a, the client 102 sends a request to the first bootstrap server 106a for bootstrapping. In response to the request, the first bootstrap server 106a bootstraps the client 102.
[0128] Bootstrapping the client 102 comprises the first bootstrap server 106a configuring the client 102 with first and second further security object instances, which may be substantially the same in structure as the example security object instance shown in Figure 3.
[0129] In the particular example shown in Figure 5, the first further security object instance is an intermediate bootstrap security object instance associated with an intermediate bootstrap server 106c, which may be referred to as a “higher priority” instance. The second further security object instance is a first bootstrap security object instance associated with the first bootstrap server 106a, which may be referred to as a “lower priority” instance.
[0130] The intermediate bootstrap security object instance may comprise resources 306a-n comprising data for use by the client 102 to establish communication with the intermediate bootstrap server 106c. For example, the intermediate bootstrap security object instance may comprise one or more of: a server identifier resource 306a comprising the URI of the intermediate bootstrap server 106c; a bootstrap server indication resource 306b indicating that the intermediate bootstrap server 106c is a bootstrap server (i.e. indicating a “true” condition); a security mode resource 306c indicating which security mode should be used to authenticate communications (e.g. a certificate mode or certificate with EST mode); client and server certificate resources 306d, 306e comprising the client and intermediate bootstrap server certificates respectively, and a secret key resource 306f comprising the secret key.
[0131] The client 102 then validates the first and second further security object instances configured by the first bootstrap server 106a. If validated, the client 102 persists the first and second further security object instances, overwriting the first security object instance and the empty further security object instance previously held in the client security object.
[0132] As shown in the table of Figure 7, following the bootstrapping of step 502, the client 102 comprises a security object comprising a first bootstrap security object instance with an object instance ID 304 of “0” comprising credential data associated with the first bootstrap server 106a, and a further security object instance with an object instance ID 304 of “1” comprising credential data associated with the intermediate bootstrap server 106c.
[0133] 504: Using the intermediate bootstrap security object instance, which as explained above is associated with the intermediate bootstrap server 106c, the client 102 sends a request to the intermediate bootstrap server 106c for bootstrapping. In response to the request, the intermediate bootstrap server 106c bootstraps the client 102. The intermediate bootstrap server 106c may configure a subset of the devices configured by the first bootstrap server 106a. For example, the first bootstrap server 106a may be a global bootstrap server for configuring all devices from a particular manufacturer, while the intermediate bootstrap server 106c may be a regional bootstrap server configured to provision a subset of the devices based on, for example, the geographical region that the device is to be installed in.
[0134] The intermediate bootstrap server 106c may configure the client 102 with the final bootstrap security object instance and an intermediate bootstrap security object instance associated with the intermediate bootstrap server 106c. The final bootstrap security object instance may comprise resources 306a-n comprising data for use by the client 102 to establish communication with the final bootstrap server 106b, as explained in step 402 above. The features outlined in step 402 in respect of the final bootstrap server 106b and the final bootstrap security object instance apply here, and are not repeated.
[0135] The client 102 then validates the final bootstrap security object instance and the further intermediate bootstrap security object instance configured by the intermediate bootstrap server 106c. If validated, the client 102 persists them, overwriting the first bootstrap security object instance and the intermediate bootstrap security object instance previously held in the client security object.
[0136] As shown in the table of Figure 7, following the bootstrapping of step 504, the client 102 comprises a security object comprising a bootstrap security object instance with an object instance ID 304 of “0” comprising credential data associated with the intermediate bootstrap server 106c, and a further security object instance with an object instance ID 304 of “1” comprising credential data associated with the final bootstrap server 106b.
[0137] 506: Using the final bootstrap security object instance, which as explained above is associated with the final bootstrap server 106b, the client 102 sends a request to the final bootstrap server 106b for bootstrapping. In response to the request, the final bootstrap server 106b bootstraps the client 102. The final bootstrap server 106b may configure a subset of the devices configured by the intermediate bootstrap server 106c. For example, the final bootstrap server 106b may be a customer bootstrap server for configuring all devices managed by a particular customer.
[0138] As described above in respect of step 404 (Figure 4), the final bootstrap server 106b configures the client 102 to enable the client 102 to register and connect with one or more device management servers 108. Configuring the client 102 for registration and connection with one or more device management servers 108 comprises configuring the client with a device management security object instance associated with the one or more device management servers 108. The final bootstrap server 106b also configures the client 102 with a final bootstrap security object instance associated with the final bootstrap server 106b. The device management security object instance and the final bootstrap security object instance may be substantially the same in structure as the example security object instance 300 shown in Figure 3.
[0139] The device management security object instance may comprise resources 306a-n comprising data for use by the client 102 to establish communication with the one or more device management servers 108, as explained in step 404 above. The features outlined in step 404 in respect of the device management servers and the device management security object instance apply here, and are not repeated.
[0140] The bootstrapping by the final bootstrap server 106b may further comprise configuring the client with a server object instance, as described above in respect of step 404 (Figure 4).
[0141] As shown in the table of Figure 7, following the bootstrapping of step 506, the client 102 comprises a security object comprising a bootstrap security object instance with an object instance ID 304 of “0” comprising credential data associated with the final bootstrap server 106b, and a device management security object instance with an object instance ID 304 of “1” comprising credential data associated with the one or more device management servers 108.
508: Using the device management security object instance, which as explained above is associated with the one or more device management servers 108, the client 102 sends a registration request to the one or more device management servers 108.
[0142] If the client 102 successfully registers with the one or more device management servers 108, the client 102 is able to receive commands from the one or more device management servers 108 on the device management and service enablement interface and the information reporting interface, and therefore assist in managing the device 104.
[0143] If the registration process fails, or the client 102 loses connection with the one or more device management servers 108 following registration, the client 102 may be configured to initiate communication with the final bootstrap server 106b for reconfiguration and / or a subsequent attempt at registration / connection with the one or more device management servers 108 as described above. The features outlined in steps 408 to 414 of Figure 4 apply here in respect of steps 510 to 516 of Figure 5, and are not repeated.
[0144] Figure 8 is a flowchart illustrating an example client validation process 800, which may be used by a client in a bootstrapping process, such as the process of Figure 4, Figure 5, or any other applicable bootstrapping process.
[0145] Referring to Figure 8, at step 810 the client sends a request to a bootstrap server such as a first or intermediate bootstrap server as described above. Before sending the request, the client may only comprise credential data enabling the client to communicate with the bootstrap server i.e. the client may not comprise any additional information regarding the specific configuration of the bootstrap server.
[0146] In response to the request from the client, the bootstrap server attempts to bootstrap the client. This may comprise the bootstrap server configuring the client with one or more security object instances as described above in relation to Figures 4 and 5. Each security object instance may be associated with either a bootstrap server (which may be the bootstrap server which is attempting to bootstrap the client) or one or more device management servers.
[0147] At step 820, the client determines how many security object instances the bootstrap server is attempting to configure as part of the bootstrapping process. If the bootstrap server is only configuring a single security object instance, e.g. if the bootstrap server is a bootstrap server which does not support configuring multiple security object instances, the single security object instance, which may be associated with either a bootstrap server or one or more device management servers, may then be persisted by the client without further validation steps (step 824). The received single security object instance may be considered a ‘higher priority’ instance and the credentials stored therein may be used by the client for the next step of the overall bootstrapping process.
[0148] If the client determines that no security object instance has been configured, e.g. an error has occurred during configuration of the security object instance by the bootstrap server or the security object instance is corrupted to such a degree that it cannot be recognised by the client, the bootstrapping process will be cancelled (step 828). At this point the client may make a further reconfiguration request to the same bootstrap server, may request reconfiguration from a different bootstrap server e.g. the bootstrap server associated with a ‘lower priority’ instance stored in the client, may alert a third-party device or service to the error and / or the like.
[0149] If the client determines that the bootstrap server is attempting to configure more than a single security object instance, e.g. two security object instances, the client then determines how many of the security object instances are associated with a bootstrap server (step 830). In examples including security object instances which are substantially the same in structure as the example security object instance 300 shown in Figure 3, the client may check the state (i.e. “true” or “false”) of resource 306b. Resource 306b of security object instance 300 indicates whether the server associated with the security object instance is a bootstrap server or not. It will be appreciated that in other cases other means of determining bootstrap security object instances may be used.
[0150] If the client determines that the bootstrap server is configuring less than two bootstrap security object instances (i.e. zero or one bootstrap security object instance), the security object instances configured by the bootstrap server may then be persisted by the client without further validation steps (step 834).
[0151] In examples, such as step 404 of Figure 4 and step 506 of Figure 5, when the bootstrap server is a final bootstrap server, the bootstrap server may only configure one bootstrap security object instance in addition to a device management security object instance enabling the client to register and connect with one or more device management servers. In this case the device management security object instance may be considered a ‘higher priority’ instance than the bootstrap security object instance, which may be considered a ‘lower priority’ instance. The client may be configured to attempt configuration and / or registration using the higher priority instance first, falling back to the lower priority instance e.g. after a predetermined period of time and / or number of attempts at using the credentials of the higher priority instance.
[0152] If the client determines that the bootstrap server is configuring more than one bootstrap security object instance, e.g. two bootstrap security object instances, the client will then compare the contents (e.g. the credentials and / or the like) of each of the configured security object instances to the contents of the last confirmed successfully used bootstrap security object instance (step 840).
[0153] If none of the security object instances configured by the bootstrap server ‘matches’ the last confirmed bootstrap security object instance, e.g. is the same as or is within a predetermined threshold or allowed error rate, the bootstrapping process will be cancelled (step 844). At this point the client may make a further reconfiguration request to the same bootstrap server, may request reconfiguration from a different bootstrap server e.g. the bootstrap server associated with a ‘lower priority’ instance stored in the client, and / or may alert a third-party device or service to the error.
[0154] If one of the security object instances configured by the bootstrap server ‘matches’ the last confirmed bootstrap security object instance, e.g. is the same as or is within a predetermined threshold or allowed error rate, the security object instances configured by the bootstrap server may then be persisted by the client without further validation steps (step 848).
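The handoff chain of steps 500 to 508 and the Figure 8 validation rule, as an added worked example in Python (it is not the patent's or Landis+Gyr's code). It models the client's two-slot security object (instance IDs 0 and 1, as in the Figure 7 table), applies the step 820 / 830 / 840 decisions to the instances each server offers, and shows that a server offering two bootstrap instances neither of which is the one the client just used is rejected at step 844 with the existing slots kept. The server names, URIs, credentials, the exact-equality notion of a ‘match’ at step 840 and the rule that completing the exchange confirms the instance used are assumptions for illustration; resource names follow the OMA LwM2M Security Object (Object 0).

```python
"""Model of the meter client's two-slot LwM2M Security Object and the
Figure 8 validation rule applied at each bootstrap handoff.

Added example, not the patent's or Landis+Gyr's code.  Field names follow
OMA LwM2M Object 0: resource 0 = server URI, 1 = Bootstrap-Server flag,
2 = Security Mode, 4 = Server Public Key, 5 = Secret Key.  Servers,
credentials and the exact-match rule are assumptions for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SecurityInstance:
    uri: str            # resource 0 (306a in the description)
    bootstrap: bool     # resource 1 (306b): True for a bootstrap server
    security_mode: int  # resource 2 (306c): 2 = certificate, 4 = certificate with EST
    server_key: bytes   # resource 4 (306e): server certificate / public key
    secret_key: bytes   # resource 5 (306f)

    def matches(self, other: Optional["SecurityInstance"]) -> bool:
        """Step 840 comparison.  The text allows a tolerance; exact match assumed."""
        return other is not None and (self.uri, self.server_key, self.secret_key) == (
            other.uri, other.server_key, other.secret_key)


PERSIST, CANCEL = "persist", "cancel"


def validate(offered: List[SecurityInstance],
             last_confirmed: Optional[SecurityInstance]) -> Tuple[str, int]:
    """Figure 8 decision; returns (decision, flowchart step reached)."""
    if not offered:                                       # step 820: nothing usable
        return CANCEL, 828
    if len(offered) == 1:                                 # legacy single-instance server
        return PERSIST, 824
    if sum(1 for i in offered if i.bootstrap) < 2:        # step 830: 0 or 1 bootstrap instance
        return PERSIST, 834
    if any(i.matches(last_confirmed) for i in offered):   # step 840: one must be known
        return PERSIST, 848
    return CANCEL, 844                                    # two unknown bootstrap instances


class MeterClient:
    """Holds exactly two security object instances: ID 0 (lower priority), ID 1 (higher)."""

    def __init__(self, first_bootstrap: SecurityInstance):
        self.slots: List[Optional[SecurityInstance]] = [first_bootstrap, None]  # after step 500
        self.last_confirmed: Optional[SecurityInstance] = None
        self.log: List[int] = []

    def next_target(self) -> SecurityInstance:
        """Use the higher-priority instance (ID 1) when present, else ID 0."""
        return self.slots[1] or self.slots[0]

    def bootstrap(self, offered: List[SecurityInstance]) -> bool:
        """One exchange with the server in next_target(); True if the offer was persisted."""
        used = self.next_target()
        self.last_confirmed = used          # assumption: reaching the server confirms this instance
        decision, step = validate(offered, self.last_confirmed)
        self.log.append(step)
        if decision == CANCEL:
            return False                    # slots unchanged; retry or fall back to ID 0
        # Higher priority = the offered instance that is not the server just used
        # (a DM instance therefore outranks the bootstrap instance); lower = the other.
        higher = next((i for i in offered if not i.matches(used)), offered[0])
        lower = next((i for i in offered if i is not higher), used)
        self.slots = [lower, higher]
        return True


def _inst(uri: str, bootstrap: bool, mode: int, tag: bytes) -> SecurityInstance:
    return SecurityInstance(uri, bootstrap, mode, b"srvkey-" + tag, b"secret-" + tag)


# Constructed sample servers (hypothetical hosts and credentials).
GLOBAL_BS = _inst("coaps://bs.global.example:5684", True, 2, b"global")      # 106a
REGIONAL_BS = _inst("coaps://bs.eu.example:5684", True, 2, b"eu")            # 106c
CUSTOMER_BS = _inst("coaps://bs.utility.example:5684", True, 2, b"utility")  # 106b
DM_SERVER = _inst("coaps://dm.utility.example:5684", False, 4, b"dm")        # 108
ROGUE_BS = _inst("coaps://bs.rogue.example:5684", True, 2, b"rogue")
OTHER_BS = _inst("coaps://bs.other.example:5684", True, 2, b"other")


def run_handoff_chain() -> Tuple[List[Optional[SecurityInstance]], List[int]]:
    """Figure 5 / Figure 7 sequence: global -> regional -> customer -> DM server."""
    c = MeterClient(GLOBAL_BS)
    for offered in ([GLOBAL_BS, REGIONAL_BS],     # step 502
                    [REGIONAL_BS, CUSTOMER_BS],   # step 504
                    [CUSTOMER_BS, DM_SERVER]):    # step 506
        if not c.bootstrap(offered):
            break
    return c.slots, c.log


def run_rogue_handoff() -> Tuple[bool, int, List[Optional[SecurityInstance]]]:
    """A server offering two bootstrap instances, neither the one just used, is rejected."""
    c = MeterClient(GLOBAL_BS)
    ok = c.bootstrap([ROGUE_BS, OTHER_BS])
    return ok, c.log[-1], c.slots


if __name__ == "__main__":
    slots, log = run_handoff_chain()
    print("steps reached:", log)
    print("ID 0:", slots[0].uri, "| ID 1:", slots[1].uri)
    print("rogue offer persisted:", run_rogue_handoff()[0])
```

The step 840 check is the part with security weight: a bootstrap server cannot redirect the meter to a pair of bootstrap servers the client has never confirmed, because at least one of the two bootstrap instances it offers must match the instance the client reached it with. A rogue or misconfigured pair is discarded and the existing slots survive for a retry or a fall-back to the lower-priority server, while a legacy server that can only write one instance (step 824) or a final server handing over a DM instance plus its own (step 834) still passes.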
[0155] It will be appreciated by the person of skill in the art that various modifications may be made to the above described embodiments without departing from the scope of the invention. The word “exemplary” is used herein to mean “an example”. Any embodiment described herein as “exemplary” is not necessarily to be construed as preferred or advantageous over other embodiments.
[0156] A computer program may be configured to provide any of the above described methods. The computer program may be provided on a computer readable medium. The computer program may be a computer program product. The product may comprise a non-transitory computer usable storage medium. The computer program product may have computer-readable program code embodied in the medium configured to perform the method. The computer program product may be configured to cause at least one processor to perform some or all of the method.
[0157] Various methods and apparatus are described herein with reference to block diagrams or flowchart illustrations of computer-implemented methods, apparatus (systems and / or devices) and / or computer program products. It is understood that a block of the block diagrams and / or flowchart illustrations, and combinations of blocks in the block diagrams and / or flowchart illustrations, can be implemented by computer program instructions that are performed by one or more computer circuits. These computer program instructions may be provided to a processor circuit of a general purpose computer circuit, special purpose computer circuit, and / or other programmable data processing circuit to produce a machine, such that the instructions, which execute via the processor of the computer and / or other programmable data processing apparatus, transform and control transistors, values stored in memory locations, and other hardware components within such circuitry to implement the functions / acts specified in the block diagrams and / or flowchart block or blocks, and thereby create means (functionality) and / or structure for implementing the functions / acts specified in the block diagrams and / or flowchart block(s).
[0158] Computer program instructions may also be stored in a computer-readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instructions which implement the functions / acts specified in the block diagrams and / or flowchart block or blocks.
[0159] A tangible, non-transitory computer-readable medium may include an electronic, magnetic, optical, electromagnetic, or semiconductor data storage system, apparatus, or device. More specific examples of the computer-readable medium would include the following: a portable computer diskette, a random access memory (RAM) circuit, a read-only memory (ROM) circuit, an erasable programmable read-only memory (EPROM or Flash memory) circuit, a portable compact disc read-only memory (CD-ROM), and a portable digital video disc read-only memory (DVD / Blu-ray).
[0160] The computer program instructions may also be loaded onto a computer and / or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer and / or other programmable apparatus to produce a computer-implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions / acts specified in the block diagrams and / or flowchart block or blocks.
[0161] Accordingly, the invention may be embodied in hardware and / or in software (including firmware, resident software, micro-code, etc.) that runs on a processor, which may collectively be referred to as "circuitry," "a module" or variants thereof.
[0162] It should also be noted that in some alternate implementations, the functions / acts noted in the blocks may occur out of the order noted in the flowcharts. For example, two blocks shown in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality / acts involved. Moreover, the functionality of a given block of the flowcharts and / or block diagrams may be separated into multiple blocks and / or the functionality of two or more blocks of the flowcharts and / or block diagrams may be at least partially integrated. Finally, other blocks may be added / inserted between the blocks that are illustrated.
Claims
CLAIMS:
1. A method of managing bootstrapping of a client of a utility metering device in a Lightweight Machine to Machine (LwM2M) system, wherein bootstrapping comprises configuring the client for connection and registration with one or more device management servers, the method comprising:
    configuring the client with a security object comprising a first bootstrap security object instance associated with a first bootstrap server, the first bootstrap security object instance comprising data for use by the client in establishing communication with the first bootstrap server;
    establishing, by the client and with the first bootstrap server, communication using the first bootstrap security object instance;
    configuring the client, by the first bootstrap server, with one or more further security object instances;
    validating, by the client, the one or more further security object instances;
    persisting, by the client, when the one or more further security object instances are validated, the one or more further security object instances in place of the first bootstrap security object instance.
2. A method according to claim 1 wherein validating, by the client, the one or more further security object instances comprises at least one of:
    determining, by the client, that the one or more further security object instances comprise a plurality of further security object instances;
    determining, by the client, that the one or more further security object instances comprise a plurality of bootstrap security object instances; and
    determining, by the client, that one of the one or more further security object instances matches the first bootstrap security object instance.
3. A method according to claim 1 or claim 2 wherein if the client is unable to validate the one or more further security object instances, the method further comprises initiating communication between the client and the first bootstrap server for reconfiguration of the client by the first bootstrap server.
4. A method according to claim 3 wherein reconfiguration of the client by the first bootstrap server comprises configuring the client with updated one or more further security object instances.
5. A method according to any preceding claim wherein:
    the one or more further security object instances comprise:
        a final bootstrap security object instance associated with a final bootstrap server and comprising data for use by the client in establishing communication with the final bootstrap server, the final bootstrap server for configuring the client for connection and registration with one or more device management servers; and
        a further first bootstrap security object instance, the further first bootstrap security object instance comprising data for use by the client in establishing communication with the first bootstrap server, and
    the method further comprises:
        establishing, by the client and with the final bootstrap server, communication using the final bootstrap security object instance;
        configuring the client, by the final bootstrap server, with a device management security object instance associated with the one or more device management servers and comprising data for use by the client in connecting and / or registering with the one or more device management servers;
        persisting, by the client, the device management security object instance in place of the further first bootstrap security object instance.
6. A method according to claim 5 wherein if the client is unable to establish communication with the final bootstrap server, the method further comprises:
    reattempting establishing, by the client and with the final bootstrap server, communication using the final bootstrap security object instance; and / or
    initiating communication between the client and first bootstrap server for reconfiguration of the client by the first bootstrap server.
7. A method according to claim 5 or claim 6, further comprising connecting and / or registering, by the client and with the one or more device management servers, using the device management security object instance,
    wherein if the client is unable to connect and / or register with the one or more device management servers, the method further comprises:
        reattempting connecting and / or registering, by the client and with the one or more device management servers, using the device management security object instance; and / or
        initiating communication between the client and the final bootstrap server for reconfiguration of the client by the final bootstrap server for a subsequent connection and / or registration attempt with the one or more device management servers.
8. A method according to claim 7, wherein the reconfiguration of the client by the final bootstrap server comprises configuring the client with an updated device management security object instance.
9. A method according to any preceding claim, wherein the first bootstrap server configures clients of a plurality of utility metering devices, and wherein a / the final bootstrap configures clients of a subset of the plurality of utility metering devices.
10. A method according to any one of claims 1 to 4 wherein:
    the one or more further security object instances comprise:
        an intermediate bootstrap security object instance associated with an intermediate bootstrap server and comprising data for use by the client in establishing communication with the intermediate bootstrap server, the intermediate bootstrap server for configuring the client for configuration by a final bootstrap server; and
        a further first bootstrap security object instance, the further first bootstrap security object instance comprising data for use by the client in establishing communication with the first bootstrap server, and
    the method further comprises:
        establishing, by the client and with the intermediate bootstrap server, communication using the intermediate bootstrap security object instance;
        configuring the client, by the intermediate bootstrap server, with a final bootstrap security object instance associated with a final bootstrap server and comprising data for use by the client in establishing communication with the final bootstrap server, the final bootstrap server for configuring the client for connection and registration with one or more device management servers, and a further intermediate bootstrap security object instance, the further intermediate security object instance comprising data for use by the client in establishing communication with the intermediate bootstrap server;
        validating, by the client, the final bootstrap security object instance and the further intermediate bootstrap security object instance; and
        persisting, by the client, when the final bootstrap security object instance and the further intermediate bootstrap security object instance are validated, the final bootstrap security object instance and the further intermediate bootstrap security object instance in place of the intermediate bootstrap security object instance and the further first bootstrap security object instance.
11. A method according to claim 10 wherein if the client is unable to establish communication with the intermediate bootstrap server, the method further comprises:
    reattempting establishing, by the client and with the intermediate bootstrap server, communication using the intermediate bootstrap security object instance; and / or
    initiating communication between the client and first bootstrap server for reconfiguration of the client by the first bootstrap server.
12. A method according to claim 10 or claim 11, further comprising:
    establishing, by the client and with the final bootstrap server, communication using the final bootstrap security object instance;
    configuring the client, by the final bootstrap server, with a device management security object instance associated with the one or more device management servers and comprising data for use by the client in connecting and / or registering with the one or more device management servers; and
    persisting, by the client, the device management security object instance in place of the further intermediate bootstrap security object instance.
13. A method according to claim 12 wherein if the client is unable to establish communication with the final bootstrap server, the method further comprises:
    reattempting establishing, by the client and with the final bootstrap server, communication using the final bootstrap security object instance; and / or
    initiating communication between the client and the intermediate bootstrap server for reconfiguration of the client by the intermediate bootstrap server.
14. A method according to any one of claims 10 to 13, wherein the first bootstrap server configures clients of a plurality of utility metering devices, the intermediate bootstrap server configures clients of a subset of the plurality of utility metering devices, and a / the final bootstrap server configures clients of at least one of the subset of the plurality of metering devices.
15. A method according to any preceding claim, wherein if the final bootstrap security object instance comprises data indicating that an enrollment over secure transport, EST, certificate is needed for registration with the one or more device management servers, the method further comprises:
    sending, by the client and to an EST server, an EST certificate request;
    receiving, by the client and from the EST server, the EST certificate; and
    using the EST certificate for connection and / or registration with the one or more device management servers.
16. A method according to any preceding claim, wherein the first bootstrap server is configured to configure the client on a first boot-up of the client.
17. A computer program product comprising a set of computer readable instructions or process protocols or computer code configured such that, when implemented or processed on a processing system, permit, control or cause the processing system, or provide instructions or data for the processing system, to perform the method of any of claims 1 to 16.
18. A utility metering device comprising a processing system when programmed with the computer program product of claim 17, the processing system comprising a processor for processing the computer program product and the processing system comprising or being configured to access at least one data storage or memory on which the computer program is stored.
19. A Lightweight Machine to Machine (LwM2M) system comprising:
    at least one utility metering device according to claim 18; and
    a first bootstrap server configured to configure the client for communication with a final bootstrap server and / or an intermediate bootstrap server.
20. A system according to claim 19 further comprising at least one of:
    an intermediate bootstrap server configured to configure the client for communication with the final bootstrap server;
    a final bootstrap server configured to configure the client for connection and registration with one or more device management servers; and
    one or more device management servers.
21. A system according to claim 19 or claim 20 further comprising an EST server, the EST server configured to send an EST certificate to the client in response to receiving an EST certificate request from the client.