Configure Rule Chains

The following describes how to configure the Rule Chains by defining Rule Nodes and relations.

For more information on Rule Chain concepts, see Rule Engine Concepts.

Configure Root Rule Chain

To configure the rule chain <PRIMEONE>Root, do the following:

  1. Click the Rule Chains menu option and select <PRIMEONE>Root to display the incoming message node where every message form the production line comes in.
  2. To filter on only incoming RPC messages, select the message type switch node in the Filter section to the left and drop it on the canvas, specify Filter RPC Message, and click Add.
  3. Drag the message arrow to the message type switch to route the incoming message to the message type.
  4. To filter the incoming messages, select a switch node in the Filter section to the left and drop it on the canvas, specify the name Message Switch and enter the following code: and click Add.

    if (msg.method === 'status_req') 
    {
        return ['status_req'];
    } else if(msg.method === 'cert_req')
    {
        return ['cert_req'];
    } else if(msg.method === 'cert_final_req')
    {
        return ['cert_final_req'];
    } else {
        return ['NO_MSG'];
    }
  5. Before clicking Add, optionally click Test Switch Function to test and debug the functionality. The Test script function panel allows you to test the script by adding a valid message in the input section and verify the output.

  6. Next, with the switch in place, add a flow between the nodes from the RPC Message to the Message Switch to define the message flow and select RPC Request from Device in the Add link panel.
  7. To complete the root workflow, call the corresponding three rule chains by searcing for Rule in at the search bar.

    • Drag a rule chain node to the canvas, select a status request in the Add rule note panel (in this example <PRIMEONE> Status_Req), and click Add.

    • Drag another rule chain node to the canvas, select a certificate request in the Add rule note panel (in this example <PRIMEONE> Cert_Req), and click Add.

    • Drag a third rule chain node to the canvas, select a final certificate request in the Add rule note panel (in this example <PRIMEONE> Cert_Final_Req), and click Add.

  8. Define the flow between the nodes:

    • Add a link from the Message Switch to the first rule chain and and select the label status_req in the Add link panel.

    • Add a link from the Message Switch to the first rule chain and and select the label cert_req in the Add link panel.
    • Add a link from the Message Switch to the first rule chain and and select the label cert_final_req in the Add link panel.

  9. Click Apply changes at the bottom right of the canvas to save the changes to the main message flow.

Configure Status Request Rule Chain

Next, do the following to generate the Status Request Rule chain:

  1. In the Rule chains overview, click <PRIMEONE>Status_Req
  2. Select a script node from the Transformation section, drag it to the canvas, and specify the name Construct response.
  3. Enter the following script to create the response message with a status code 200 that signals the client that the IdAM is idle, and then click Add.

    // --------- message ---------
    msg.params.payload = {};
    msg.params.payload.status_code = '200';
    msg.params.payload.status_message = 'Status Idle, waiting for requests.';
    return {msg: msg, metadata: metadata, msgType: msgType};
  4. To create the response, drag the rpc call reply node from the Action section, specify Status Response, and click Add.

  5. Next, to connect the nodes, add links from the to the and between the script and the Status Response and select the label status_req in the Add link panel.
  6. Add a link from the Message Switch to the first rule chain and and select the label success in the Add link panel.

Configure Certificate Request Rule Chain

To generate the Certificates Request and model the workflow for the incoming cert_req message, do the following:

  1. In the Rule chains overview, click <PRIMEONE>Cert_Req>. 
  2. To select the CA trust service to send the CMP request to, select the select CA Profile node from the Transformation section, enter the name PrimeOne TrustService, select the CA Profile Demo CA, and then click Add.
  3. Add a link between the nodes.
  4. Next, to format the CMP request message and map the data form the device to the CMP structure:
    • Drag a map DN data node from the Transaction section, specify name Enter Issuer DN and Data ID initil.
    • Click Add Mapping, and select DN Type Common Name (CN) and enter common_name for Key to map the DN type to that key.
    • Click Add Mapping, and select DN Type Unstructured Address  and enter mac_adr for Key to map the DN type to the input message field.
    • Click Add to connect the nodes of the incoming data.
  5. Once you have mapped the incoming data, select and drag the set DN data node from the Enrichment section to the canvas to specify the following settings:
    • Specify name Set DN Data and following the Certificates Profile definition, select the Organisation Name (O) and specify value PrimeOne, select Country Name and specify value DE, and then click Add.
  6. Next, define the parameters of the public key received from the device:
    • Select the set public Key parameter node from the Enrichment section, drop it on the canvas and specify the following, and then click Add:
    • Name: public key.
    • Public Key Type: Elliptic Curve Public Key.
    • Public Key Format: PEM.
    • Curve: prime256v1.
  7. Next, to map the public key that is received from the device by mapping the incoming message to field in the CMP request:
    • Select the map public key node from the Transformation section, drop it on the canvas and specify the following, and then click Add:
    • Name: Public Key.
    • Data ID: initial.
    • Public Key: pub_key.
  8. Now that all the data for the certificate request are in place, the Trust Anchor inside the IdAM will generate the CMP request:
    • Select the create certificates request node from the Action section, drop it on the canvas and specify the following, and then click Add:
      • Name: generate CMP req
      • Timeout: 30 (seconds)
  9. Then, specify the following request to be sent to the Trust-Service specified earlier:
    • Select the request certificate node from the Action section, drop it on the canvas and specify the following, and then click Add:
      • Name: TrustService Request
      • Timeout: 30 (seconds)
  10. Then, after getting the response with a valid certificate back from the Trust Service, specify the following Answer Message to be generated to reply back to the device:
    • Select the return certificates node from the Action section, drop it on the canvas, specify the name return message to device, and then click Add.

You have set up all of your nodes for the workflow, click Apply changes to save the configuration.

Next, define the direction of the positive workflow by linking the nodes to each other.

Add a link from the top node to the next, selecting the Link label Success for each of them.

Once you have defined the positive workflow, next define the error handling.

The Return Message node will generate a response either in the positive path with the given certificates or will in a case of a failure, pick up the given error value. To enable the error message, add a failure link from each of the nodes to the Return Message node.

For the last link between the Trust Service node and the Return certificate node, edit the existing Success link and add the additional Link Label Failure.

Click Apply Changes to save your changes.

Configure Certificate Final Request Rule Chain

Do the following to generate your final Certificate Final Request rule chain that requests the status from the device that has stored the certificates.

  1. In the Rule chains overview, click <PRIMEONE>Cert_Final_Req>. 
  2. To add a switch to analyze the feed back from the device, select the switch node from the Filter section, drag it to the canvas, and specify the name Error.
  3. Enter the following script to create the response message and then click Add.

    switch (msg.param.status) {
        case 'OK':
            return['Success'];
        case 'storage_error':
            return ['Failure'];
        default:
            return ['Other'];
    }
  4. Add a link to the newly created node.

  5. Then, to create a answer in the positive path, select a script node from the Transformation section, drag it to the canvas, and specify the name Positive Answer.
  6. Enter the following script to create the response message, and then click Add.

    // --------- message ---------
    msg.params.payload = {};
    msg.params.payload.status_code = '200';
    msg.params.payload.status_message = 'Status Idle, waiting for requests.';
    
    return {msg: msg, metadata: metadata, msgType: msgType}
  7. Add a link to connect the nodes and specify the label Success in the Add link panel.

  8. To allow sending the message back to the device itself, drag the rpc call reply node from the Action section, specify RESPONSE, and click Add.
  9. Add a link to connect the nodes and specify the label Success in the Add link panel.
  10. Click Apply Changes to save your configuration.

You have now created and configured all rule chains needed to model the issuing process as you have now implemented the workflows for the messages between the device and the IdAM according to the sequence diagram.

Test Workflow

To visualize and test the incoming message flow, do the following:

  1. To enable the debug mode, select for example, the Message Switch node and open it. 
  2. Enable Debug Mode and apply the changes.
  3. Click Apply Changes in the canvas and re-open the Message Switch node.
  4. Click the Events tab to view the message flow and display the incoming and outgoing messages.
  5. Select the Data column for an event to display the message that is processed within the IdAM.

  6. Select the Details tab to view the script and click Test Switch Function to open the test environment and view the last message that the script has processed.
  7. Click Test to test the script and verify the output in the Output panel.


IdAM is now ready to manage the certificates issuing process and every message sent from the device is entered into your Root rule chain.

Optionally, you can configure a rule chain to raise an alarm if triggered or to log failure to the console in case of errors. For more information, see Rule Engine Concepts.