Description
This LwM2M Object provides the keying material of a LwM2M Client appropriate to access a specified LwM2M Server. One Object Instance SHOULD address a LwM2M Bootstrap-Server. These LwM2M Object Resources MUST only be changed by a LwM2M Bootstrap-Server or Bootstrap from Smartcard and MUST NOT be accessible by any other LwM2M Server.
Object definition
Name | Object ID | Object Version | LWM2M Version
---|---|---|---
LWM2M Security | 0 | 1.1 | 1.1

Object URN | Instances | Mandatory
---|---|---
urn:oma:lwm2m:oma:0:1.1 | Multiple | Mandatory
Resource definitions
ID | Name | Operations | Instances | Mandatory | Type | Range or Enumeration | Units | Description
---|---|---|---|---|---|---|---|---
0 | LWM2M Server URI | | Single | Mandatory | String | 0-255 bytes | | Uniquely identifies the LwM2M Server or LwM2M Bootstrap-Server. The format of the CoAP URI is defined in Section 6 of RFC 7252.
1 | Bootstrap-Server | | Single | Mandatory | Boolean | | | Determines whether this instance concerns a LwM2M Bootstrap-Server (true) or a standard LwM2M Server (false).
2 | Security Mode | | Single | Mandatory | Integer | 0-4 | | Determines which UDP payload security mode is used:<br>0: Pre-Shared Key mode<br>1: Raw Public Key mode<br>2: Certificate mode<br>3: NoSec mode<br>4: Certificate mode with EST
3 | Public Key or Identity | | Single | Mandatory | Opaque | | | Stores the LwM2M Client's certificate (Certificate mode), public key (RPK mode) or PSK Identity (PSK mode).
4 | Server Public Key | | Single | Mandatory | Opaque | | | Stores the LwM2M Server's (or LwM2M Bootstrap-Server's) certificate, public key (RPK mode) or trust anchor certificate. The Certificate Usage Resource (ID 15) determines how this content is interpreted, and the Matching Type Resource (ID 13) whether it is stored as the value itself or as a hash of it.
5 | Secret Key | | Single | Mandatory | Opaque | | | Stores the secret key (PSK mode) or the LwM2M Client's private key (RPK and Certificate modes).
6 | SMS Security Mode | | Single | Optional | Integer | 0-255 | | Determines which SMS security mode is used:<br>0: Reserved for future use<br>1: DTLS mode (Device terminated), PSK mode assumed<br>2: Secure Packet Structure mode (Smartcard terminated)<br>3: NoSec mode<br>4: Reserved mode (DTLS mode with multiplexing Security Association support)<br>5-203: Reserved for future use<br>204-255: Proprietary modes
7 | SMS Binding Key Parameters | | Single | Optional | Opaque | 6 bytes | | Stores the KIc, KID, SPI and TAR.
8 | SMS Binding Secret Key(s) | | Single | Optional | Opaque | 16, 32 or 48 bytes | | Stores the values of the key(s) for the SMS binding.
9 | LwM2M Server SMS Number | | Single | Optional | String | | | MSISDN used by the LwM2M Client to send messages to the LwM2M Server via the SMS binding.
10 | Short Server ID | | Single | Optional | Integer | 1-65534 | | This identifier uniquely identifies each LwM2M Server configured for the LwM2M Client. This Resource MUST be set when the Bootstrap-Server Resource has the value false. The values 0 and 65535 MUST NOT be used for identifying a LwM2M Server.
11 | Client Hold Off Time | | Single | Optional | Integer | | s | The number of seconds to wait before initiating a Client Initiated Bootstrap once the LwM2M Client has determined it should initiate this bootstrap mode. If Client Initiated Bootstrap is supported by the LwM2M Client, this Resource MUST be supported. This information is relevant for use with a Bootstrap-Server only.
12 | Bootstrap-Server Account Timeout | | Single | Optional | Integer | | s | The LwM2M Client MUST purge the LwM2M Bootstrap-Server Account after the timeout value given by this Resource. The lowest timeout value is 1. If the value is set to 0, or if this Resource is not instantiated, the Bootstrap-Server Account lifetime is infinite.
13 | Matching Type | | Single | Optional | Unsigned Integer | 0-3 | | Specifies how the certificate or raw public key in the Server Public Key Resource is presented. Four values are currently defined:<br>0: Exact match. This is the default value and also corresponds to the functionality of LwM2M v1.0; if this Resource is not present, the Server Public Key Resource holds the value itself.<br>1: SHA-256 hash [RFC6234]<br>2: SHA-384 hash [RFC6234]<br>3: SHA-512 hash [RFC6234]
14 | SNI | | Single | Optional | String | | | Holds the Server Name Indication (SNI) value to be used during the TLS handshake. When this Resource is present, the LwM2M Server URI acts as the address of the service while the SNI value is used for matching a presented certificate or PSK identity.
15 | Certificate Usage | | Single | Optional | Unsigned Integer | 0-3 | | Specifies the semantic of the certificate or raw public key stored in the Server Public Key Resource, which is used to match the certificate presented in the TLS/DTLS handshake. The currently defined values are 0 for "CA constraint", 1 for "service certificate constraint", 2 for "trust anchor assertion" and 3 for "domain-issued certificate" (the same four semantics as the TLSA Certificate Usage field of RFC 6698). When this Resource is absent, value 3 (domain-issued certificate) is assumed, i.e. the end-entity certificate presented in the handshake is matched directly against the Server Public Key Resource. More details about the semantic of each value can be found in the security considerations section of the LwM2M specification.
16 | DTLS/TLS Ciphersuite | | Multiple | Optional | Unsigned Integer | | | When this Resource is present it instructs the DTLS/TLS client to propose the indicated ciphersuite(s) in the ClientHello of the handshake. A ciphersuite is indicated as an integer value formed from the two bytes of its IANA code point. The IANA TLS ciphersuite registry is maintained at https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml. As an example, the TLS_PSK_WITH_AES_128_CCM_8 ciphersuite is listed there as "0xC0,0xA8". To form the integer value the two bytes are concatenated, high byte first: in this example the value is 0xC0A8, i.e. 49320.
17 | OSCORE Security Mode | | Single | Optional | Objlnk | | | If this Resource is defined, it provides a link to the OSCORE Object Instance.
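The constraints scattered through the table (Short Server ID only 1-65534 and only when Bootstrap-Server is false, Security Mode 0-4, the per-mode credential Resources that must be populated, Matching Type and Certificate Usage 0-3, the Resource 16 ciphersuite encoding) are what a Bootstrap-Server or client implementer has to enforce before an account is used. The example below, which is added here and is not code from the OMA specification or from any LwM2M implementation, checks a Security Object instance against those constraints, encodes a ciphersuite code point the way Resource 16 requires, and matches a server key presented in the handshake against Resource 4 under the Matching Type rules. Resource IDs and ranges come from the table; the function names, the dict layout used for an instance, and the two sample instances are constructed for the example.

```python
"""Checks derived from the LwM2M Security Object (Object 0) table above.

Added example, not from the OMA specification or any LwM2M stack. Resource
IDs and value ranges follow the table; everything else is constructed here.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# Resource IDs, as in the table.
R_SERVER_URI, R_BOOTSTRAP, R_SEC_MODE = 0, 1, 2
R_PUBKEY_OR_ID, R_SERVER_PUBKEY, R_SECRET = 3, 4, 5
R_SHORT_SERVER_ID, R_BS_TIMEOUT = 10, 12
R_MATCHING_TYPE, R_CERT_USAGE, R_CIPHERSUITES = 13, 15, 16

SEC_PSK, SEC_RPK, SEC_CERT, SEC_NOSEC, SEC_CERT_EST = range(5)   # Resource 2
MATCH_EXACT, MATCH_SHA256, MATCH_SHA384, MATCH_SHA512 = range(4)  # Resource 13
_DIGEST = {MATCH_SHA256: hashlib.sha256, MATCH_SHA384: hashlib.sha384,
           MATCH_SHA512: hashlib.sha512}


def ciphersuite_code(iana_pair):
    """IANA notation '0xC0,0xA8' -> 49320, the integer stored in Resource 16."""
    hi, lo = (int(part, 16) for part in iana_pair.split(","))
    if not (0 <= hi <= 0xFF and 0 <= lo <= 0xFF):
        raise ValueError("a ciphersuite code point is two bytes")
    return (hi << 8) | lo


def ciphersuite_bytes(code):
    """Resource 16 integer -> the two octets proposed in the ClientHello."""
    return code.to_bytes(2, "big")


def validate_security_instance(inst):
    """Return the table constraints that a Security Object instance violates."""
    errors = []
    uri = inst.get(R_SERVER_URI)
    if not isinstance(uri, str) or len(uri.encode()) > 255:
        errors.append("Resource 0: Server URI missing or longer than 255 bytes")
    elif not urlsplit(uri).scheme.startswith("coap"):
        errors.append("Resource 0: Server URI is not a CoAP URI (RFC 7252 section 6)")
    is_bootstrap = inst.get(R_BOOTSTRAP)
    if not isinstance(is_bootstrap, bool):
        errors.append("Resource 1: Bootstrap-Server flag is mandatory")
    mode = inst.get(R_SEC_MODE)
    if mode not in range(5):
        errors.append("Resource 2: Security Mode must be 0..4")
    for rid in (R_PUBKEY_OR_ID, R_SERVER_PUBKEY, R_SECRET):
        if not isinstance(inst.get(rid), bytes):
            errors.append(f"Resource {rid}: mandatory Opaque Resource missing")
    # PSK mode needs the identity (3) and the PSK (5); RPK and Certificate
    # modes need the client key pair (3, 5) and the server key (4). NoSec
    # needs nothing; EST enrolment (mode 4) is not modelled here.
    needed = {SEC_PSK: (R_PUBKEY_OR_ID, R_SECRET),
              SEC_RPK: (R_PUBKEY_OR_ID, R_SERVER_PUBKEY, R_SECRET),
              SEC_CERT: (R_PUBKEY_OR_ID, R_SERVER_PUBKEY, R_SECRET)}.get(mode, ())
    for rid in needed:
        if not inst.get(rid):
            errors.append(f"Resource {rid}: must be non-empty in security mode {mode}")
    if is_bootstrap is False:
        ssid = inst.get(R_SHORT_SERVER_ID)
        if not isinstance(ssid, int) or not 1 <= ssid <= 65534:
            errors.append("Resource 10: Short Server ID must be 1..65534 for a non-bootstrap server")
    timeout = inst.get(R_BS_TIMEOUT)
    if timeout is not None and (not isinstance(timeout, int) or timeout < 0):
        errors.append("Resource 12: Bootstrap-Server Account Timeout must be >= 0 (0 = infinite)")
    for rid in (R_MATCHING_TYPE, R_CERT_USAGE):
        val = inst.get(rid)
        if val is not None and val not in range(4):
            errors.append(f"Resource {rid}: value must be 0..3")
    for code in inst.get(R_CIPHERSUITES, []):
        if not isinstance(code, int) or not 0 <= code <= 0xFFFF:
            errors.append(f"Resource 16: {code!r} is not a two-byte ciphersuite code")
    return errors


def server_key_matches(presented, inst):
    """Match a certificate or raw public key presented in the (D)TLS handshake
    against Resource 4, applying Matching Type (Resource 13; absent = exact)."""
    stored = inst[R_SERVER_PUBKEY]
    match_type = inst.get(R_MATCHING_TYPE, MATCH_EXACT)
    candidate = presented if match_type == MATCH_EXACT else _DIGEST[match_type](presented).digest()
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


# Constructed sample: a PSK account for a regular server, Short Server ID 123.
SAMPLE_PSK = {
    R_SERVER_URI: "coaps://lwm2m.example.net:5684",
    R_BOOTSTRAP: False,
    R_SEC_MODE: SEC_PSK,
    R_PUBKEY_OR_ID: b"urn:imei:123456789012345",              # PSK identity
    R_SERVER_PUBKEY: b"",                                      # unused in PSK mode
    R_SECRET: bytes.fromhex("000102030405060708090a0b0c0d0e0f"),
    R_SHORT_SERVER_ID: 123,
    R_CIPHERSUITES: [ciphersuite_code("0xC0,0xA8")],           # TLS_PSK_WITH_AES_128_CCM_8
}

# Constructed sample: an RPK bootstrap account whose Resource 4 holds the
# SHA-256 of the server's raw public key (Matching Type 1) rather than the key.
SERVER_RPK = bytes(range(64))  # stand-in for a SubjectPublicKeyInfo blob
SAMPLE_RPK = {
    R_SERVER_URI: "coaps://bootstrap.example.net:5684",
    R_BOOTSTRAP: True,
    R_SEC_MODE: SEC_RPK,
    R_PUBKEY_OR_ID: b"client-public-key",
    R_SERVER_PUBKEY: hashlib.sha256(SERVER_RPK).digest(),
    R_SECRET: b"client-private-key",
    R_MATCHING_TYPE: MATCH_SHA256,
    R_BS_TIMEOUT: 0,
}

if __name__ == "__main__":
    for name, inst in (("psk", SAMPLE_PSK), ("rpk", SAMPLE_RPK)):
        print(name, validate_security_instance(inst) or "ok")
```

Two design points a practitioner would care about: the comparison in `server_key_matches` uses `hmac.compare_digest` so that a mismatching key cannot be probed byte by byte through timing, and the validator treats Matching Type and Certificate Usage as absent-means-default (0 and 3 respectively) exactly as the table states, so an instance written by a Bootstrap-Server without those Resources still validates.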